From: Tomasz CEDRO
Date: Fri, 11 Dec 2020 14:03:45 +0100
Subject: Re: FreeBSD Security Advisory FreeBSD-SA-20:33.openssl
To: Franco Fichtner
Cc: Martin Simmons, freebsd-security@freebsd.org
On Fri, Dec 11, 2020 at 1:57 PM Franco Fichtner wrote:
>
> On 11. Dec 2020, at 1:36 PM, Tomasz CEDRO wrote:
> > On Fri, Dec 11, 2020 at 12:44 PM Franco Fichtner wrote:
> > > On 11. Dec 2020, at 12:38 PM, Martin Simmons wrote:
> > > > On Thu, 10 Dec 2020 22:46:28 -0800, John-Mark Gurney said:
> > > > > What are people's thoughts on how to address the support mismatch between
> > > > > FreeBSD and OpenSSL? And how to address it?
> > > >
> > > > Maybe it would help a little if the packages on pkg.FreeBSD.org all used the
> > > > pkg version of OpenSSL? Currently, it looks like you have to build your own
> > > > ports if you want that.
> > >
> > > This pretty much breaks LibreSSL ports usage for binary package consumers.
> >
> > Why not switch to LibreSSL as default? :-)
>
> Good question.
>
> LibreSSL lacks engine and PSK support. TLS 1.3 was trailing behind. Missing
> CMS also was a large issue for those who needed it. Someone with more
> in-depth knowledge can probably name more.
>
> The other issue with LibreSSL in general is that third party support is mostly
> ok, but some high profile cases have had issues with it for years: HAProxy,
> OpenVPN, StrongSwan just to name a few. Having ports contributors and committers
> chase these unthankful quests is probably not worth the overall effort.
>
> It works pretty well as a ports crypto replacement, but for the reasons listed
> above it is probably not going to happen on a default scale.
>
> Also, LibreSSL in base was a failed experiment in HardenedBSD. Its release cycle
> and support policy is tailored neatly around OpenBSD releases and the attempt
> to break ABI compatibility in packages while you retrofit a new version into
> a minor release can fail pretty spectacularly.
>
> I'm not being skeptical. I helped improve overall LibreSSL support in the ports
> tree since 2015. The LibreSSL team is doing a great job all things considered.
>
> This is simply the current reality of keeping LibreSSL in ports a steady
> alternative.

Thank you Franco! Too many reasons why not to.. looks like no good alternative.. at least for now :-)

--
CeDeROM, SQ7MHZ, http://www.tomek.cedro.info