From: Gary Palmer <gpalmer@freebsd.org>
To: Matt Dawson
Cc: freebsd-security@freebsd.org
Date: Wed, 2 May 2012 19:27:51 -0400
Subject: Re: OpenSSL and Heimdal
Message-ID: <20120502232751.GB50127@in-addr.com>
In-Reply-To: <201205022345.27904.matt@chronos.org.uk>
List-Id: "Security issues [members-only posting]" (freebsd-security@freebsd.org)

On Wed, May 02, 2012 at 11:45:27PM +0100, Matt Dawson wrote:
> On Wednesday 02 May 2012 23:14:41 Mark Felder wrote:
> > Why go out of your way and use mod_gnutls?
>
> Because it supports TLSv1.[1|2], which was the PP's question, whereas
> OpenSSL doesn't and doesn't show any signs of doing so in the near
> future:
>
> https://www.openssl.org/support/funding/wishlist.html
>
> Note well the "If and when."
>
> IE might be the only client with support for those protocols right now
> but somebody has to lead the way on the server side or you end up with
> a mutual apathy loop (AKA positive can't be arsed feedback loop).

Their website is out of date. This is from CHANGES in OpenSSL 1.0.1a:

  Major changes between OpenSSL 1.0.0h and OpenSSL 1.0.1:

      o TLS/DTLS heartbeat support.
      o SCTP support.
      o RFC 5705 TLS key material exporter.
      o RFC 5764 DTLS-SRTP negotiation.
      o Next Protocol Negotiation.
      o PSS signatures in certificates, requests and CRLs.
      o Support for password based recipient info for CMS.
      o Support TLS v1.2 and TLS v1.1.
      o Preliminary FIPS capability for unvalidated 2.0 FIPS module.
      o SRP support.

Note the 3rd last bullet point.

Regards,

Gary