From: Mark Felder
To: freebsd-security@freebsd.org
Subject: Re: Forums.FreeBSD.org - SSL Issue?
Date: Fri, 15 May 2015 08:41:12 -0500
Message-Id: <1431697272.3528812.269632617.29548DB0@webmail.messagingengine.com>
In-Reply-To: <5554879D.7060601@obluda.cz>
References: <2857899F-802E-4086-AD41-DD76FACD44FB@modirum.com> <05636D22-BBC3-4A15-AC44-0F39FB265CDF@patpro.net> <20150514193706.V69409@sola.nimnet.asn.au> <5554879D.7060601@obluda.cz>
List-Id: "Security issues [members-only posting]"

On Thu, May 14, 2015, at 06:31, Dan Lukes wrote:
> Patrick Proniewski wrote:
> >> "Data Transfer Interrupted
> >> The connection to forums.freebsd.org has terminated unexpectedly. Some
> >> data may have been transferred."
> >
> > looks like your browser/OS does not support TLS 1.2.
>
> I'm confused by FreeBSD policy, a lot.
>
> Base OpenSSL in still-supported releases is too old a version and doesn't
> support TLS 1.2 as well.
>
> Either TLS 1.0 is so insecure and should not be used, or is secure
> enough for FreeBSD.

When the FreeBSD 8.0 (2009) and 9.0 (2012) releases were cut we didn't have these vulnerabilities or problems. In fact, TLS 1.2 existed as a protocol (2008) but OpenSSL didn't even implement it yet (not until 2010)! Thankfully FreeBSD 8 is EoL on June 30, 2015, but we still have to live with FreeBSD 9.3 until Dec 31 2016. That's going to be painful, but we shouldn't kill it off sooner than we have to as a courtesy to our users.

FreeBSD needs to change, too. That is not being ignored. In the future FreeBSD's base libraries like OpenSSL hopefully will be private: only the base system knows they exist; no other software will see them. This will mean that every port/package you install requiring OpenSSL will *always* use OpenSSL from ports/packages; no conflict is possible.
This also solves the problem of stale software in the base system and allows FreeBSD to do major upgrades of this software in point releases to keep the base system fresh. Last I knew this approach was still being discussed, but it will be a fantastic improvement to the FreeBSD OS model when it happens.
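As an added illustration of the client/server version mismatch discussed in this thread (example code, not from the message or the FreeBSD project): a small Python check that reports whether the locally linked OpenSSL is new enough to negotiate TLS 1.2 (the 1.0.1 series is the first that implements it) and that probes a server with TLS 1.2 as the minimum, so a stack that cannot offer TLS 1.2 can be told apart from a server that simply refuses older protocol versions. The host name comes from the thread; the version tuples used for checking are constructed, and the network probe needs Python 3.7+.

```python
import ssl
import socket

# Added example. TLS 1.2 first shipped in the OpenSSL 1.0.1 series; an
# older library (such as the 0.9.8 line found in old base systems) will
# fail against a TLS-1.2-only site exactly as described in the thread.
TLS12_MIN_OPENSSL = (1, 0, 1)


def openssl_supports_tls12(version_info=ssl.OPENSSL_VERSION_INFO):
    """True if an OpenSSL version tuple (major, minor, fix, ...) is at
    least 1.0.1. Defaults to the library Python itself is linked against."""
    return tuple(version_info[:3]) >= TLS12_MIN_OPENSSL


def classify_handshake(exc):
    """Map a failed-handshake error (exception or its message) to a short,
    defender-readable reason."""
    msg = str(exc).lower()
    if "protocol version" in msg or "unsupported protocol" in msg:
        return "server rejected offered TLS versions"
    if "handshake failure" in msg:
        return "no common cipher/protocol"
    return "other TLS error: " + msg


def probe_server(host, port=443, min_version=ssl.TLSVersion.TLSv1_2,
                 timeout=5.0):
    """Connect with only min_version and newer enabled and report the
    negotiated protocol and cipher, or why the handshake failed.
    Needs network access; the offline test does not call it."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = min_version
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return {"ok": True, "protocol": tls.version(),
                        "cipher": tls.cipher()[0]}
    except ssl.SSLError as exc:
        return {"ok": False, "reason": classify_handshake(exc)}


if __name__ == "__main__":
    print("local OpenSSL:", ssl.OPENSSL_VERSION,
          "| TLS 1.2 capable:", openssl_supports_tls12())
    print(probe_server("forums.freebsd.org"))
```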