From owner-freebsd-security@freebsd.org  Fri Dec 11 12:57:12 2020
Return-Path: <owner-freebsd-security@freebsd.org>
Delivered-To: freebsd-security@mailman.nyi.freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1])
 by mailman.nyi.freebsd.org (Postfix) with ESMTP id D90C94AF3D9
 for <freebsd-security@mailman.nyi.freebsd.org>;
 Fri, 11 Dec 2020 12:57:12 +0000 (UTC)
 (envelope-from franco@lastsummer.de)
Received: from host64.shmhost.net (host64.shmhost.net [213.239.241.64])
 (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
 key-exchange X25519 server-signature RSA-PSS (4096 bits))
 (Client did not present a certificate)
 by mx1.freebsd.org (Postfix) with ESMTPS id 4CsrQw13R0z3pVS
 for <freebsd-security@freebsd.org>; Fri, 11 Dec 2020 12:57:11 +0000 (UTC)
 (envelope-from franco@lastsummer.de)
Received: from p200300cd8727c9fca4b593819ba8e1d5.dip0.t-ipconnect.de
 (p200300cd8727c9fca4b593819ba8e1d5.dip0.t-ipconnect.de
 [IPv6:2003:cd:8727:c9fc:a4b5:9381:9ba8:e1d5])
 by host64.shmhost.net (Postfix) with ESMTPSA id 4CsrQt3jBMzP2P8;
 Fri, 11 Dec 2020 13:57:10 +0100 (CET)
Content-Type: text/plain;
	charset=us-ascii
Mime-Version: 1.0 (Mac OS X Mail 13.4 \(3608.120.23.2.4\))
Subject: Re: FreeBSD Security Advisory FreeBSD-SA-20:33.openssl
From: Franco Fichtner <franco@lastsummer.de>
In-Reply-To: <CAM8r67B6bp6KJH20u-NfwwZEYW6GDH+WwRTJqiCjVoWgQQBJOg@mail.gmail.com>
Date: Fri, 11 Dec 2020 13:57:10 +0100
Cc: Martin Simmons <martin@lispworks.com>,
 freebsd-security@freebsd.org
Content-Transfer-Encoding: quoted-printable
Message-Id: <6E2E0169-F2E8-4562-85BA-42FC28B07F35@lastsummer.de>
References: <20201209230300.03251CA1@freefall.freebsd.org>
 <20201211064628.GM31099@funkthat.com>
 <202012111138.0BBBc2Eq006002@higson.cam.lispworks.com>
 <2AF24633-7E9F-4B92-8E99-6A81CD9D3AF8@lastsummer.de>
 <CAM8r67B6bp6KJH20u-NfwwZEYW6GDH+WwRTJqiCjVoWgQQBJOg@mail.gmail.com>
To: Tomasz CEDRO <tomek@cedro.info>
X-Mailer: Apple Mail (2.3608.120.23.2.4)
X-Virus-Scanned: clamav-milter 0.102.4 at host64.shmhost.net
X-Virus-Status: Clean
X-Rspamd-Queue-Id: 4CsrQw13R0z3pVS
X-Spamd-Bar: ++
Authentication-Results: mx1.freebsd.org; dkim=none; dmarc=none;
 spf=none (mx1.freebsd.org: domain of franco@lastsummer.de has no SPF policy
 when checking 213.239.241.64) smtp.mailfrom=franco@lastsummer.de
X-Spamd-Result: default: False [2.38 / 15.00]; RCVD_TLS_ALL(0.00)[];
 RCVD_VIA_SMTP_AUTH(0.00)[]; MID_RHS_MATCH_FROM(0.00)[];
 RCPT_COUNT_THREE(0.00)[3]; TO_DN_SOME(0.00)[]; MV_CASE(0.50)[];
 FROM_HAS_DN(0.00)[]; MIME_GOOD(-0.10)[text/plain];
 DMARC_NA(0.00)[lastsummer.de]; ARC_NA(0.00)[]; AUTH_NA(1.00)[];
 NEURAL_SPAM_SHORT(0.98)[0.979];
 SPAMHAUS_ZRD(0.00)[213.239.241.64:from:127.0.2.255];
 TO_MATCH_ENVRCPT_SOME(0.00)[];
 RBL_DBL_DONT_QUERY_IPS(0.00)[213.239.241.64:from];
 NEURAL_SPAM_LONG(1.00)[1.000];
 NEURAL_HAM_MEDIUM(-1.00)[-1.000];
 R_SPF_NA(0.00)[no SPF record]; FROM_EQ_ENVFROM(0.00)[];
 R_DKIM_NA(0.00)[]; MIME_TRACE(0.00)[0:+];
 ASN(0.00)[asn:24940, ipnet:213.239.192.0/18, country:DE];
 RCVD_COUNT_TWO(0.00)[2]; MAILMAN_DEST(0.00)[freebsd-security]
X-BeenThere: freebsd-security@freebsd.org
X-Mailman-Version: 2.1.34
Precedence: list
List-Id: "Security issues \[members-only posting\]"
 <freebsd-security.freebsd.org>
List-Unsubscribe: <https://lists.freebsd.org/mailman/options/freebsd-security>, 
 <mailto:freebsd-security-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-security/>
List-Post: <mailto:freebsd-security@freebsd.org>
List-Help: <mailto:freebsd-security-request@freebsd.org?subject=help>
List-Subscribe: <https://lists.freebsd.org/mailman/listinfo/freebsd-security>, 
 <mailto:freebsd-security-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Fri, 11 Dec 2020 12:57:12 -0000


> On 11. Dec 2020, at 1:36 PM, Tomasz CEDRO <tomek@cedro.info> wrote:
>=20
> On Fri, Dec 11, 2020 at 12:44 PM Franco Fichtner wrote:
>>> On 11. Dec 2020, at 12:38 PM, Martin Simmons <martin@lispworks.com> =
wrote:
>>>>>>>> On Thu, 10 Dec 2020 22:46:28 -0800, John-Mark Gurney said:
>>>> What are peoples thoughts on how to address the support mismatch =
between
>>>> FreeBSD and OpenSSL?  And how to address it?
>>> Maybe it would help a little if the packages on pkg.FreeBSD.org all =
used the
>>> pkg version of OpenSSL?  Currently, it looks like you have build =
your own
>>> ports if you want that.
>>=20
>> This pretty much breaks LibreSSL ports usage for binary package =
consumers.
>=20
> Why not switch to LibreSSL as default? :-)

Good question.

LibreSSL lacks engine and PSK support. TLS 1.3 was tailing behind.  =
Missing
CMS also was a large issue for those who needed it.  Someone with more =
in-
depth knowledge can probably name more.

The other issue with LibreSSL in general is that third party support is =
mostly
ok, but some high profile cases have had issues with it for years: =
HAProxy,
OpenVPN, StrongSwan just to name a few.  Having ports contributors and =
committers
chase these unthankful quests is probably not worth the overall effort.

It works pretty well as a ports crypto replacement, but for the reasons =
listed
above it is probably not going to happen on a default scale.

Also, LibreSSL in base was a failed experiment in HardenedBSD.  Its =
release cycle
and support policy is tailored neatly around OpenBSD releases and the =
attempt
to break ABI compatibility in packages while you retrofit a new version =
into
a minor release can fail pretty spectacularly.

I'm not being skeptical. I helped improve overall LibreSSL support in =
the ports
tree since 2015.   The LibreSSL team is doing a great job all things =
considered.

This is simply the current reality of keeping LibreSSL in ports a steady
alternative.


Cheers,
Franco