From: Jung-uk Kim <jkim@FreeBSD.org>
To: Mathieu Arnold, Slawa Olhovchenkov
Cc: Andrey Chernov, FreeBSD-current, freebsd-security
Subject: Re: GOST in OPENSSL_BASE
Date: Mon, 18 Jul 2016 12:39:46 -0400
Message-ID: <9d8ac537-45bb-066a-956b-3f7c7e11bcb7@FreeBSD.org>
References: <20160710133019.GD20831@zxy.spb.ru> <20160711184122.GP46309@zxy.spb.ru> <20160711195600.GQ46309@zxy.spb.ru>
List-Id: "Security issues [members-only posting]"
On 07/18/16 08:12 AM, Mathieu Arnold wrote:
> Hi,
>
> +--On 11 juillet 2016 22:56:00 +0300 Slawa Olhovchenkov wrote:
> | On Mon, Jul 11, 2016 at 03:00:39PM -0400, Jung-uk Kim wrote:
> |> > .if ( ${PORT_OPTIONS:MGOST} || ${PORT_OPTIONS:MGOST_ASN1} ) && ${SSL_DEFAULT} == base
> |> > BROKEN=	OpenSSL from the base system does not support GOST, add \
> |> > 	DEFAULT_VERSIONS+=ssl=openssl to your /etc/make.conf and rebuild everything \
> |> > 	that needs SSL.
> |> > .endif
> |>
> |> FreeBSD 9.3 is still supported but GOST is not available there. It
> |
> | Thanks for clarifications.
> |
> |> seems the ports maintainer didn't want to break it on 9.3 (CC added).
> |> Version check may be needed there.
> |
> | Thanks!
>
>
> The idea is that you can't have mixed openssl usage. If you link half your
> ports with openssl from base, and half with openssl from ports, you are
> going to have dragons attacks, and core dumps. Also, if you are using
> openssl from ports, you cannot use GSSAPI from base, for the same reasons.

Exactly. That's why we should *allow* using base OpenSSL for 10.x and later because many packages are already linked against base OpenSSL by default.
Jung-uk Kim
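Added example, not code from the thread or from FreeBSD's own tooling: a POSIX sh check that reads ldd(1) output and reports whether a binary resolves libssl/libcrypto to base OpenSSL (assumed under /usr/lib) or ports OpenSSL (assumed under /usr/local/lib), so the mixed linkage Mathieu describes can be found on an installed system. The sonames and load addresses in the constructed sample are illustrative only.

```shell
#!/bin/sh
# Added example, not code from the thread or from FreeBSD: classify which
# OpenSSL a binary resolves to from its ldd(1) output.  Assumed paths:
# base OpenSSL in /usr/lib, ports OpenSSL in /usr/local/lib.

# classify_ssl: read ldd output on stdin and print one word:
#   none  - no libssl/libcrypto dependency
#   base  - every SSL library resolves under /usr/lib
#   ports - every SSL library resolves under /usr/local/lib
#   mixed - both, the combination the thread warns about
classify_ssl() {
    base=0; ports=0
    while IFS= read -r line; do
        case "$line" in
            *libssl.so*'=>'*|*libcrypto.so*'=>'*) ;;
            *) continue ;;
        esac
        path=${line#*'=> '}   # keep the resolved path after "=> "
        path=${path%% *}      # drop the trailing load address
        case "$path" in
            /usr/lib/*)       base=$((base + 1)) ;;
            /usr/local/lib/*) ports=$((ports + 1)) ;;
        esac
    done
    if [ "$base" -gt 0 ] && [ "$ports" -gt 0 ]; then echo mixed
    elif [ "$base" -gt 0 ]; then echo base
    elif [ "$ports" -gt 0 ]; then echo ports
    else echo none
    fi
}

# scan_prefix DIR: run ldd over each file in DIR and report every file
# that links an SSL library, prefixed with its verdict.
scan_prefix() {
    for f in "$1"/*; do
        [ -f "$f" ] || continue
        v=$(ldd "$f" 2>/dev/null | classify_ssl)
        [ "$v" = none ] || echo "$v $f"
    done
}

# Constructed sample (sonames illustrative): libssl from ports, libcrypto
# from base, i.e. the mixed case.
SAMPLE_MIXED='/usr/local/bin/foo:
    libssl.so.8 => /usr/local/lib/libssl.so.8 (0x800a00000)
    libcrypto.so.8 => /usr/lib/libcrypto.so.8 (0x800c00000)
    libc.so.7 => /lib/libc.so.7 (0x801000000)'

# On a real system:  scan_prefix /usr/local/bin | grep '^mixed'
printf '%s\n' "$SAMPLE_MIXED" | classify_ssl   # prints: mixed
```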