From owner-freebsd-security@freebsd.org Sat Dec 12 02:42:17 2020 Return-Path: Delivered-To: freebsd-security@mailman.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mailman.nyi.freebsd.org (Postfix) with ESMTP id C8B6E47C68D for ; Sat, 12 Dec 2020 02:42:17 +0000 (UTC) (envelope-from gordon@tetlows.org) Received: from mail-qv1-xf2e.google.com (mail-qv1-xf2e.google.com [IPv6:2607:f8b0:4864:20::f2e]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256 client-signature RSA-PSS (2048 bits) client-digest SHA256) (Client CN "smtp.gmail.com", Issuer "GTS CA 1O1" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id 4CtBkw6jr7z3nV0 for ; Sat, 12 Dec 2020 02:42:16 +0000 (UTC) (envelope-from gordon@tetlows.org) Received: by mail-qv1-xf2e.google.com with SMTP id l14so5214761qvh.2 for ; Fri, 11 Dec 2020 18:42:16 -0800 (PST) X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:date:from:to:subject:message-id:references :mime-version:content-disposition:in-reply-to; bh=V/HuPJmtgUpYcSwSU+sNkJP0cnWPaQsJJqnIkNYtSIM=; b=XjTDGpcuVAlLRDO0C8RpxROLXR4jWG08RSLD484xNoRsbj8M5R9JsOgmwweyw/7F9m q1Aam/CVXvR3RRRcdpyqPKDcFAjf9AqMMbMM2jDHGCVt+6r79qZZNQ2x7wOEt6Jvw2pK Vzop7k/9OIw6mISjh5CQB0IsJ/BsQvmmUXH22ujq10RLLNMSj0rNBgfyVWvPOZuAOR46 WjoNbgghhnGgFdY/qo+TsntKRByLnsG82gFFa/NLYqrh7oqpDvEQR9rV5op1sbsPtXm2 ExDLB9Jf1ohjWi9Y+1YAPyGQps4hzTsh2jtZrlVc5v6o+b3zXye9+kpH3vmCJvvB9PYa oBtA== X-Gm-Message-State: AOAM533dCvqncs8YXIlzWzYNk4wrqP6zc0VDFlhGYpu7LgqsKgyffsNp Z7RABt3iMXcPyvStoTX0MdN9crIqcZys X-Google-Smtp-Source: ABdhPJxnCFgNeXkha3xdHMy9UbFtdxQH9YExQNCf7dOEFRDYvSYwAKdoB2YgcHLopr/4kxTF84vbaA== X-Received: by 2002:ad4:43ca:: with SMTP id o10mr19537096qvs.25.1607740935731; Fri, 11 Dec 2020 18:42:15 -0800 (PST) Received: from gmail.com ([2607:fc50:0:7900:0:dead:beef:cafe]) by smtp.gmail.com with ESMTPSA id n2sm9009212qkf.37.2020.12.11.18.42.14 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Fri, 11 Dec 2020 18:42:15 -0800 (PST) Date: Fri, 11 Dec 2020 18:42:13 -0800 From: Gordon Tetlow To: Benjamin Kaduk , freebsd-security@freebsd.org Subject: Re: FreeBSD Security Advisory FreeBSD-SA-20:33.openssl Message-ID: References: <20201209230300.03251CA1@freefall.freebsd.org> <20201211064628.GM31099@funkthat.com> <20201211203818.GL64351@kduck.mit.edu> <20201211223542.GQ31099@funkthat.com> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <20201211223542.GQ31099@funkthat.com> X-Rspamd-Queue-Id: 4CtBkw6jr7z3nV0 X-Spamd-Bar: -- X-Spamd-Result: default: False [-2.00 / 15.00]; RCVD_VIA_SMTP_AUTH(0.00)[]; ARC_NA(0.00)[]; R_DKIM_ALLOW(-0.20)[tetlows.org:s=google]; FREEFALL_USER(0.00)[gordon]; FROM_HAS_DN(0.00)[]; TO_DN_SOME(0.00)[]; R_SPF_ALLOW(-0.20)[+ip6:2607:f8b0:4000::/36]; MIME_GOOD(-0.10)[text/plain]; PREVIOUSLY_DELIVERED(0.00)[freebsd-security@freebsd.org]; NEURAL_HAM_MEDIUM(-1.00)[-1.000]; SPAMHAUS_ZRD(0.00)[2607:f8b0:4864:20::f2e:from:127.0.2.255]; RCVD_COUNT_THREE(0.00)[3]; TO_MATCH_ENVRCPT_SOME(0.00)[]; DKIM_TRACE(0.00)[tetlows.org:+]; RCPT_COUNT_TWO(0.00)[2]; RCVD_IN_DNSWL_NONE(0.00)[2607:f8b0:4864:20::f2e:from]; NEURAL_HAM_SHORT(-1.00)[-1.000]; DMARC_POLICY_ALLOW(-0.50)[tetlows.org,quarantine]; NEURAL_SPAM_LONG(1.00)[1.000]; FROM_EQ_ENVFROM(0.00)[]; MIME_TRACE(0.00)[0:+]; RBL_DBL_DONT_QUERY_IPS(0.00)[2607:f8b0:4864:20::f2e:from]; ASN(0.00)[asn:15169, ipnet:2607:f8b0::/32, country:US]; RCVD_TLS_ALL(0.00)[]; MAILMAN_DEST(0.00)[freebsd-security] X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.34 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sat, 12 Dec 2020 02:42:17 -0000 On Fri, Dec 11, 2020 at 02:35:42PM -0800, John-Mark Gurney wrote: > Benjamin Kaduk wrote this message on Fri, Dec 11, 2020 at 12:38 -0800: > > On Thu, Dec 10, 2020 at 10:46:28PM -0800, John-Mark Gurney wrote: > > > FreeBSD Security Advisories wrote this message on Wed, Dec 09, 2020 at 23:03 +0000: > > > > versions included in FreeBSD 12.x. This vulnerability is also known to > > > > affect OpenSSL versions included in FreeBSD 11.4. However, the OpenSSL > > > > project is only giving patches for that version to premium support contract > > > > holders. The FreeBSD project does not have access to these patches and > > > > recommends FreeBSD 11.4 users to either upgrade to FreeBSD 12.x or leverage > > > > up to date versions of OpenSSL in the ports/pkg system. The FreeBSD Project > > > > may update this advisory to include FreeBSD 11.4 should patches become > > > > publicly available. > > > > > > FreeBSD needs to reevaluate the continued reliance on OpenSSL for our > > > crypto/TLS library. 1.0.2 which is in 11-stable has not had support > > > for almost a year, and 11 is going to have almost another year of > > > support during which time if there's another vuln, we'll again be > > > leaving the users in a bad place. > > > > To be blunt: didn't we try reevaluating already, and come up empty? > > Software is not a stand still, just because in the past we didn't find > anything, doesn't mean we won't find something this time. I welcome a reasonable alternative to be put forward, but I'm pretty sure there isn't one. The five year lifespan of our releases pretty much guarantees our crypto toolkit is going to be out of support. This is the reality we have signed up for. LibreSSL - 1 year lifespan of stable branch. BoringSSL - No guarantee of API/ABI stability. Actively tells people not to use it for production use cases. Anything other viable implementations I'm missing? Gordon