Date: Fri, 11 Dec 2020 14:03:45 +0100
From: Tomasz CEDRO <tomek@cedro.info>
To: Franco Fichtner <franco@lastsummer.de>
Cc: Martin Simmons <martin@lispworks.com>, freebsd-security@freebsd.org
Subject: Re: FreeBSD Security Advisory FreeBSD-SA-20:33.openssl
Message-ID: <CAM8r67CkuTqesUKUjKJ_piu7EWHSTN7cnWbDiR3q8ifNBNYOYg@mail.gmail.com>
In-Reply-To: <6E2E0169-F2E8-4562-85BA-42FC28B07F35@lastsummer.de>
References: <20201209230300.03251CA1@freefall.freebsd.org>
 <20201211064628.GM31099@funkthat.com>
 <202012111138.0BBBc2Eq006002@higson.cam.lispworks.com>
 <2AF24633-7E9F-4B92-8E99-6A81CD9D3AF8@lastsummer.de>
 <CAM8r67B6bp6KJH20u-NfwwZEYW6GDH%2BWwRTJqiCjVoWgQQBJOg@mail.gmail.com>
 <6E2E0169-F2E8-4562-85BA-42FC28B07F35@lastsummer.de>
On Fri, Dec 11, 2020 at 1:57 PM Franco Fichtner wrote:
>
> On 11. Dec 2020, at 1:36 PM, Tomasz CEDRO wrote:
> > On Fri, Dec 11, 2020 at 12:44 PM Franco Fichtner wrote:
> >>> On 11. Dec 2020, at 12:38 PM, Martin Simmons wrote:
> >>>>>>>> On Thu, 10 Dec 2020 22:46:28 -0800, John-Mark Gurney said:
> >>>> What are people's thoughts on how to address the support mismatch between
> >>>> FreeBSD and OpenSSL? And how to address it?
> >>> Maybe it would help a little if the packages on pkg.FreeBSD.org all used the
> >>> pkg version of OpenSSL? Currently, it looks like you have to build your own
> >>> ports if you want that.
> >> This pretty much breaks LibreSSL ports usage for binary package consumers.
> > Why not switch to LibreSSL as default? :-)
>
> Good question.
>
> LibreSSL lacks engine and PSK support. TLS 1.3 was tailing behind. Missing
> CMS also was a large issue for those who needed it. Someone with more
> in-depth knowledge can probably name more.
>
> The other issue with LibreSSL in general is that third party support is mostly
> ok, but some high profile cases have had issues with it for years: HAProxy,
> OpenVPN, StrongSwan just to name a few. Having ports contributors and committers
> chase these unthankful quests is probably not worth the overall effort.
>
> It works pretty well as a ports crypto replacement, but for the reasons listed
> above it is probably not going to happen on a default scale.
>
> Also, LibreSSL in base was a failed experiment in HardenedBSD. Its release cycle
> and support policy is tailored neatly around OpenBSD releases and the attempt
> to break ABI compatibility in packages while you retrofit a new version into
> a minor release can fail pretty spectacularly.
>
> I'm not being skeptical. I helped improve overall LibreSSL support in the ports
> tree since 2015. The LibreSSL team is doing a great job all things considered.
>
> This is simply the current reality of keeping LibreSSL in ports a steady
> alternative.

Thank you Franco!
Too many reasons why not to.. looks like no good alternative.. at least for now :-)

-- 
CeDeROM, SQ7MHZ, http://www.tomek.cedro.info