From: John Long <codeblue@inbox.lv>
To: freebsd-security@freebsd.org
Subject: Re: FreeBSD Security Advisory FreeBSD-SA-20:33.openssl
Date: Sun, 13 Dec 2020 12:12:08 +0000
Message-ID: <20201213121208.54f8a8ed@inbox.lv>
In-Reply-To: <20201213020727.GP64351@kduck.mit.edu>
References: <20201209230300.03251CA1@freefall.freebsd.org> <20201211064628.GM31099@funkthat.com> <813a04a4-e07a-9608-40a5-cc8e339351eb@FreeBSD.org> <20201213005708.GU31099@funkthat.com> <20201213020727.GP64351@kduck.mit.edu>

Hi Guys,

What about adopting OpenBSD's libressl? I was expecting it to take a long time to be compatible, but from my uneducated point of view it looks like they did an incredible job. I think everything on OpenBSD uses it. I was running OpenBSD until I put FreeBSD 12.2 on a new box, so I haven't been looking at it for a year or so.

Does anybody know if this is a viable option? Can we just link against libressl, or is it (much) more involved than that?
/jl

On Sat, 12 Dec 2020 18:07:27 -0800 Benjamin Kaduk wrote:
> On Sat, Dec 12, 2020 at 04:57:08PM -0800, John-Mark Gurney wrote:
> >
> > If FreeBSD is going to continue to use OpenSSL, better testing
> > needs to be done to figure out such breakage earlier, and how to
> > not have them go undetected for so long.
>
> I don't think anyone would argue against increasing test coverage.
> The most important question seems to be how to know what should be
> getting tested but isn't. Do you have any ideas for where to start
> looking?
>
> Thanks,
>
> Ben