From owner-freebsd-security@FreeBSD.ORG Wed May 2 23:53:03 2012
From: Robert Simmons
To: freebsd-security@freebsd.org
Date: Wed, 2 May 2012 19:53:01 -0400
Subject: Re: OpenSSL and Heimdal
In-Reply-To: <20120502232751.GB50127@in-addr.com>
References: <201205022201.50506.matt@chronos.org.uk> <201205022345.27904.matt@chronos.org.uk> <20120502232751.GB50127@in-addr.com>
List-Id: "Security issues [members-only posting]"

On Wed, May 2, 2012 at 7:27 PM, Gary Palmer wrote:
> On Wed, May 02, 2012 at 11:45:27PM +0100, Matt Dawson wrote:
>> On Wednesday 02 May 2012 23:14:41 Mark Felder wrote:
>> > Why go out of your way and use mod_gnutls?
>>
>> Because it supports TLSv1.[1|2], which was the PP's question, whereas
>> OpenSSL doesn't and doesn't show any signs of doing so in the near
>> future:
>>
>> https://www.openssl.org/support/funding/wishlist.html
>>
>> Note well the "If and when."
>>
>> IE might be the only client with support for those protocols right now
>> but somebody has to lead the way on the server side or you end up with
>> a mutual apathy loop (AKA positive can't be arsed feedback loop).
>
> Their website is out of date. This is from CHANGES in OpenSSL 1.01a:
>
>   Major changes between OpenSSL 1.0.0h and OpenSSL 1.0.1:
>
>       o TLS/DTLS heartbeat support.
>       o SCTP support.
>       o RFC 5705 TLS key material exporter.
>       o RFC 5764 DTLS-SRTP negotiation.
>       o Next Protocol Negotiation.
>       o PSS signatures in certificates, requests and CRLs.
>       o Support for password based recipient info for CMS.
>       o Support TLS v1.2 and TLS v1.1.
>       o Preliminary FIPS capability for unvalidated 2.0 FIPS module.
>       o SRP support.
>
> Note the 3rd last bullet point.

Another reason to update the version in FreeBSD to 1.0.1b.
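The thread turns on whether an installed OpenSSL is new enough to offer TLS v1.1/v1.2, which the quoted CHANGES entry dates to the 1.0.1 release. The following is an added example, not code from the thread or from the OpenSSL or FreeBSD projects: it parses the banner printed by `openssl version` (and exposed by Python's `ssl.OPENSSL_VERSION`), compares it against the 1.0.1 threshold from the CHANGES entry, and asks the running `ssl` module to configure a TLS 1.2-only client context. The `1.0.1` threshold and the sample banners are taken from or constructed after the thread; `TLS12_MIN_VERSION` and the function names are this example's own.

```python
"""Decide whether an OpenSSL build is new enough for TLS v1.1/v1.2.

Per the OpenSSL CHANGES entry quoted in the thread, TLS v1.2 and v1.1
support first appears in 1.0.1, so anything older (1.0.0h, 0.9.8x) cannot
negotiate them regardless of how the server is configured.
"""
import re
import ssl

# Format of the banner printed by `openssl version` and stored in
# ssl.OPENSSL_VERSION, e.g. "OpenSSL 1.0.1b 26 Apr 2012". The trailing
# letter(s) are the patch level in the pre-3.0 numbering scheme.
_BANNER_RE = re.compile(r"OpenSSL\s+(\d+)\.(\d+)\.(\d+)([a-z]*)")

# First release whose CHANGES lists "Support TLS v1.2 and TLS v1.1"
# (threshold name is this example's own, value from the quoted CHANGES).
TLS12_MIN_VERSION = (1, 0, 1)


def parse_openssl_version(banner):
    """Return (major, minor, fix, patch_letters) parsed from an OpenSSL banner.

    Raises ValueError for banners from other libraries (e.g. LibreSSL), so the
    caller never silently treats an unknown library as an OpenSSL release.
    """
    match = _BANNER_RE.search(banner)
    if not match:
        raise ValueError("not an OpenSSL version banner: %r" % banner)
    major, minor, fix = (int(match.group(i)) for i in (1, 2, 3))
    return (major, minor, fix, match.group(4))


def is_at_least(banner, minimum):
    """True if the banner's version is >= minimum (a tuple like (1, 0, 1, 'b')).

    Tuples compare element-wise; an empty patch string sorts before 'a', so
    1.0.1 < 1.0.1a < 1.0.1b, matching OpenSSL's pre-3.0 ordering.
    """
    version = parse_openssl_version(banner)
    # Pad the caller's minimum with an empty patch letter if it has none.
    minimum = tuple(minimum) + ("",) * (4 - len(minimum))
    return version >= minimum


def supports_tls12(banner):
    """True if this OpenSSL release shipped TLS v1.1/v1.2 per the CHANGES entry."""
    return is_at_least(banner, TLS12_MIN_VERSION)


def runtime_can_configure_tls12():
    """Ask the interpreter's own OpenSSL to build a TLS 1.2-only client context.

    This is the runtime counterpart of the version check: it returns False when
    the linked library (or the ssl module) refuses to set TLS 1.2 as the floor.
    """
    try:
        ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
        ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    except (AttributeError, ValueError, ssl.SSLError):
        return False
    return ctx.minimum_version == ssl.TLSVersion.TLSv1_2


def local_report():
    """Summarise the interpreter's linked OpenSSL for a quick sanity check."""
    banner = ssl.OPENSSL_VERSION
    try:
        expected = supports_tls12(banner)
    except ValueError:
        expected = None  # unknown library; version rule does not apply
    return {
        "banner": banner,
        "expected_tls12_from_version": expected,
        "runtime_tls12": runtime_can_configure_tls12(),
    }


if __name__ == "__main__":
    # Constructed sample banners, modelled on the releases named in the thread.
    for sample in ("OpenSSL 1.0.0h 12 Mar 2012", "OpenSSL 1.0.1b 26 Apr 2012"):
        print("%-32s TLS 1.2 expected: %s" % (sample, supports_tls12(sample)))
    print(local_report())
```

Run it on a host to compare what the version rule predicts with what the linked library actually accepts; a mismatch (an old banner but a working TLS 1.2 context, or the reverse) usually means the interpreter is linked against a different OpenSSL than the one on `PATH`.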