From: Gordon Tetlow <gordon@tetlows.org>
To: John Long
Cc: freebsd-security@freebsd.org
Date: Sun, 13 Dec 2020 14:16:18 -0800
Subject: Re: FreeBSD Security Advisory FreeBSD-SA-20:33.openssl
References: <20201209230300.03251CA1@freefall.freebsd.org> <20201211064628.GM31099@funkthat.com> <813a04a4-e07a-9608-40a5-cc8e339351eb@FreeBSD.org> <20201213005708.GU31099@funkthat.com> <20201213020727.GP64351@kduck.mit.edu> <20201213121208.54f8a8ed@inbox.lv>
In-Reply-To: <20201213121208.54f8a8ed@inbox.lv>

On Sun, Dec 13, 2020 at 12:12:08PM +0000, John Long via freebsd-security wrote:
> Hi Guys,
>
> What about adopting OpenBSD's libressl? I was expecting it to take a
> long time to be compatible but from my uneducated point of view it
> looks like they did an incredible job. I think everything on OpenBSD
> uses it.
>
> I was running OpenBSD until I put FreeBSD 12.2 on a new box, so I
> haven't been looking at it for a year or so.
>
> Does anybody know if this is a viable option? Can we just link against
> libressl or is it (much) more involved than that?

As was mentioned elsewhere, LibreSSL isn't a great fit due to their very
limited support lifespan of a given release. Once a stable release is
made, that branch is only given 1 year of support. This doesn't mesh
well with FreeBSD's 5 year support lifespan of a given branch.

Gordon