From owner-freebsd-security@freebsd.org Fri Dec 11 12:28:55 2020
From: Franco Fichtner <franco@lastsummer.de>
To: Martin Simmons
Cc: freebsd-security@freebsd.org
Subject: Re: FreeBSD Security Advisory FreeBSD-SA-20:33.openssl
Date: Fri, 11 Dec 2020 13:28:43 +0100
Message-Id: <612054DD-F857-455F-AF49-695A910A0D81@lastsummer.de>
In-Reply-To: <202012111219.0BBCJYSf000629@higson.cam.lispworks.com>
References: <202012111219.0BBCJYSf000629@higson.cam.lispworks.com>
> On 11. Dec 2020, at 13:20, Martin Simmons wrote:
>
>>>>>> On Fri, 11 Dec 2020 12:44:17 +0100, Franco Fichtner said:
>>
>>>> On 11. Dec 2020, at 12:38 PM, Martin Simmons wrote:
>>>
>>>>>>>> On Thu, 10 Dec 2020 22:46:28 -0800, John-Mark Gurney said:
>>>>
>>>> What are people's thoughts on how to address the support mismatch between
>>>> FreeBSD and OpenSSL? And how to address it?
>>>
>>> Maybe it would help a little if the packages on pkg.FreeBSD.org all used the
>>> pkg version of OpenSSL? Currently, it looks like you have to build your own
>>> ports if you want that.
>>
>> This pretty much breaks LibreSSL ports usage for binary package consumers.
>
> I'm talking about the binary packages from pkg.FreeBSD.org. Don't they always
> use the base OpenSSL at the moment?

Yes, and if it were built against ports OpenSSL you could no longer build against
LibreSSL locally.

In OPNsense we do build against ports OpenSSL for upgrade ease, but we also offer
a second set of packages for LibreSSL.

For the normal FreeBSD user, defaulting packages against OpenSSL from ports would
severely limit their capability to deviate from this with one-off builds, and most
cannot or will not run their own poudriere batch.

Effectively, using the second-tier crypto to emulate the first-tier crypto would
trash the second tier for everyone else.

Cheers,
Franco
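The "build your own ports" route that the thread keeps coming back to is driven by a single ports-tree knob, DEFAULT_VERSIONS. The fragment below is an added illustration, not part of the thread and not OPNsense's build configuration; the jail name "12amd64" is an assumption, and the accepted values for ssl= are the ones listed in Mk/bsd.default-versions.mk of the ports tree you actually check out.

```make
# /etc/make.conf on the build host, or
# /usr/local/etc/poudriere.d/12amd64-make.conf for a poudriere jail named 12amd64
# (jail name assumed for this example).
#
# Pick the SSL library the ports tree links against. The values the ports
# framework accepts live in Mk/bsd.default-versions.mk; the ones relevant to
# this thread are:
#   ssl=base       -- the OpenSSL shipped in the FreeBSD base system (the
#                     default, and what the pkg.FreeBSD.org binaries use)
#   ssl=openssl    -- security/openssl from ports (what OPNsense builds against)
#   ssl=libressl   -- security/libressl from ports (the "second set" of packages)
DEFAULT_VERSIONS+=	ssl=libressl
```

A package set built with this fragment cannot be mixed with the stock pkg.FreeBSD.org repository for anything that links libssl/libcrypto, which is the practical reason behind the point above that one-off local builds stop being feasible once the official binaries are tied to a particular ports SSL: every consumer of that repository then inherits the choice.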