From owner-freebsd-security@freebsd.org Sat Oct 28 02:26:17 2017
Return-Path:
Delivered-To: freebsd-security@mailman.ysv.freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1])
	by mailman.ysv.freebsd.org (Postfix) with ESMTP id 83E20E585EF;
	Sat, 28 Oct 2017 02:26:17 +0000 (UTC)
	(envelope-from kaduk@mit.edu)
Received: from dmz-mailsec-scanner-3.mit.edu (dmz-mailsec-scanner-3.mit.edu [18.9.25.14])
	(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
	(Client did not present a certificate)
	by mx1.freebsd.org (Postfix) with ESMTPS id 026B98456F;
	Sat, 28 Oct 2017 02:26:16 +0000 (UTC)
	(envelope-from kaduk@mit.edu)
X-AuditID: 1209190e-651ff70000007a39-ef-59f3eac0500f
Received: from mailhub-auth-2.mit.edu ( [18.7.62.36])
	(using TLS with cipher DHE-RSA-AES256-SHA (256/256 bits))
	(Client did not present a certificate)
	by dmz-mailsec-scanner-3.mit.edu (Symantec Messaging Gateway) with SMTP id 1B.04.31289.0CAE3F95;
	Fri, 27 Oct 2017 22:26:09 -0400 (EDT)
Received: from outgoing.mit.edu (OUTGOING-AUTH-1.MIT.EDU [18.9.28.11])
	by mailhub-auth-2.mit.edu (8.13.8/8.9.2) with ESMTP id v9S2Q3wl031486;
	Fri, 27 Oct 2017 22:26:05 -0400
Received: from kduck.kaduk.org (24-107-191-124.dhcp.stls.mo.charter.com [24.107.191.124])
	(authenticated bits=56)
	(User authenticated as kaduk@ATHENA.MIT.EDU)
	by outgoing.mit.edu (8.13.8/8.12.4) with ESMTP id v9S2PvpY019877
	(version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NOT);
	Fri, 27 Oct 2017 22:25:59 -0400
Date: Fri, 27 Oct 2017 21:25:57 -0500
From: Benjamin Kaduk
To: Ben Laurie
Cc: Poul-Henning Kamp , Eric McCorkle , "freebsd-security@freebsd.org security" ,
	"freebsd-arch@freebsd.org" , "freebsd-hackers@freebsd.org"
Subject: Re: Crypto overhaul
Message-ID: <20171028022557.GE96685@kduck.kaduk.org>
References: <13959.1509132270@critter.freebsd.dk>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To:
User-Agent: Mutt/1.8.3 (2017-05-23)
X-Mailman-Approved-At: Sat, 28 Oct 2017 03:08:14 +0000
X-BeenThere: freebsd-security@freebsd.org
X-Mailman-Version: 2.1.23
Precedence: list
List-Id: "Security issues \[members-only posting\]"
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
X-List-Received-Date: Sat, 28 Oct 2017 02:26:17 -0000

On Fri, Oct 27, 2017 at 09:20:13PM +0100, Ben Laurie wrote:
> On 27 October 2017 at 20:24, Poul-Henning Kamp wrote:
> > --------
> > In message
> > , Ben Laurie writes:
> >
> >>OpenSSL includes (and is used for) lots of crypto that is not used in
> >>SSL - since BearSSL targets SSL/TLS only, it can't, presumably, be
> >>used to replace all uses of OpenSSL.
> >
> > Which implicitly raises the question if we really need all the
> > boatloads of crap OpenSSL drags in, or if we would be in a better
> > position with something simpler and saner ?
>
> Indeed it does. Perhaps worth noting that since it was staffed,
> OpenSSL has removed a fair amount of crap, BTW.
Full disclosure: I am an OpenSSL committer (but not a member of the
management committee).

It is true that a lot of crap has been removed recently, and the test
suite has gotten more robust (not the least due to the addition of a
large portion of the BoringSSL test suite). But we're still constrained
by a heavy burden of API/ABI stability in major release branches
(compounded by a promise to make the next release branch 1.1.1, with
TLS 1.3 support, so ABI-breaking changes are currently on indefinite
hold). That, combined with an existing public API that grew quite
organically and without a great deal of thought, still makes for a
system that is hard to maintain well.

But I think the main issue with OpenSSL in base that was leading to
thoughts about replacing it is the mismatch between FreeBSD release
branch support lifecycles and OpenSSL release branch support
lifecycles. That is, we (FreeBSD) would be stuck supporting an OpenSSL
version that is EOL upstream, which is not a great position to be in.
On the other hand, upstream OpenSSL is taking ABI compatibility more
seriously, so it might be reasonable to (e.g.) upgrade from 1.1.0 to
1.1.1 within a FreeBSD stable branch than it would (not) have been to
upgrade from 1.0.1 to 1.0.2. That might make the support lifecycle
concerns go away.

> Anyway, to answer that question will presumably require someone to
> either try it, or figure out what is actually needed, crypto-wise.

Indeed, and I do not think I can volunteer.

-Ben

P.S., when Chris H mentioned "an alternative with a long history of
reliability, safety, and a great deal of scrutiny by seasoned
developers, and security engineers", I couldn't really tell what that
alternative was supposed to be.