From: Andrey Chernov
Date: Tue, 12 Jul 2016 12:16:02 +0300
Subject: Re: GOST in OPENSSL_BASE
To: Kevin Oberman
Cc: Slawa Olhovchenkov, Jung-uk Kim, freebsd-security@freebsd.org, FreeBSD Current

On 12.07.2016 8:48, Kevin Oberman wrote:
> >> Maybe we need to file a PR for dns/bind910?
> >>
> >> # grep -3 BROK /poudriere/ports/default/dns/bind910/Makefile
> >> .include
> >>
> >> .if ( ${PORT_OPTIONS:MGOST} || ${PORT_OPTIONS:MGOST_ASN1} ) && ${SSL_DEFAULT} == base
> >> BROKEN= OpenSSL from the base system does not support GOST, add \
> >> DEFAULT_VERSIONS+=ssl=openssl to your /etc/make.conf and rebuild everything \
> >> that needs SSL.
> >> .endif
> >>
> >
> > I dislike the idea of using GOST in bind; it is unneeded there, DNSSEC
> > doesn't use GOST, so I vote for removing the GOST option from there.
> >
> > I need to note that an RFC exists proposing GOST (old version) for DNSSEC:
> > https://tools.ietf.org/html/rfc5933
> > but nobody really uses it.
>
> In case people are not aware of it, Russian law now requires ALL
> encrypted traffic must either be accessible by the FSB or that the
> private keys must be available to the FSB.

It is not quite so. All traffic must be available for 6 months, and they express the intention to ask big companies for their private keys, but the latter is not required by the law (not yet...)

> I have always assumed that
> GOST has a hidden vulnerability/backdoor that the FSB is already using,

I already answered this question elsewhere in this thread with the reference.

> but this makes it mandatory. Putin gave the FSB 2 weeks to implement the
> law, which is clearly impossible, but I suspect that there will be a
> huge effort to pick all low-hanging fruit. As a result, I suspect no one
> outside of Russia will touch GOST. (Not that they do now, either.) I'd
> hate to see its support required for any protocol except in Russia as
> someone will be silly enough to use it.

I already explained the required GOST usage pattern in this thread.