From: Dan Lukes
Date: Wed, 11 Jun 2014 15:56:51 +0200
To: Ben Laurie
Cc: freebsd-security
Subject: Re: OpenSSL end of life
Message-ID: <53986023.7050203@obluda.cz>
References: <5398482C.7020406@obluda.cz>

On 06/11/14 15:00, Ben Laurie:
>> What about the ongoing FreeBSD 9.3 release? According to tradition, its EOL
>> should occur two years past release. But what will we do if the embedded version
>> of OpenSSL becomes unsupported just this winter?
>
> I don't know - for a start, just because the OpenSSL team don't
> support it, that doesn't mean others can't backport fixes.

Sorry, I missed this. Yes, it's a solution as well. I'm familiar with it. I'm backporting the newest FreeBSD SAs and ENs into FreeBSD 8.3-R despite its declared EOL.

But such an approach has a big "marketing" drawback. If there are published announcements like OpenSSL version a.b.c is obsolete, unsupported, unsafe and dangerous, then it's hard to offer a system based on it, despite promises that YOUR particular incarnation of openssl a.b.c is patched and safe.

But yes, it's a solution.

Dan