From: Jung-uk Kim <jkim@FreeBSD.org>
To: Slawa Olhovchenkov, FreeBSD Current
Subject: Re: GOST in OPENSSL_BASE
Date: Mon, 11 Jul 2016 14:02:28 -0400
Message-ID: <3b266620-75aa-4935-28b3-0f29484f3876@FreeBSD.org>
In-Reply-To: <20160710133019.GD20831@zxy.spb.ru>
References: <20160710133019.GD20831@zxy.spb.ru>
List-Id: Discussions about the use of FreeBSD-current

On 07/10/16 09:30 AM, Slawa Olhovchenkov wrote:
> I am surprised at the lack of GOST support in openssl-base.
> Can this be enabled before 11.0 is released?

It works for me, I think. The following change was all I need to enable the engine:

--- /etc/ssl/openssl.cnf.orig +++ /etc/ssl/openssl.cnf 
@@ -13,6 +13,21 @@ #oid_file =3D $ENV::HOME/.oid oid_section =3D new_oids +# GOST +openssl_conf =3D openssl_def + +[openssl_def] +engines =3D engine_section + +[engine_section] +gost =3D gost_section + +[gost_section] +engine_id =3D gost +dynamic_path =3D /usr/lib/engines/libgost.so +default_algorithms =3D ALL +CRYPT_PARAMS =3D id-Gost28147-89-CryptoPro-A-ParamSet + # To use this configuration file with the "-extfile" option of the # "openssl x509" utility, name here the section containing the # X.509v3 extensions to use:

Please see the README file for more info:

https://svnweb.freebsd.org/base/head/crypto/openssl/engines/ccgost/README.gost?revision=238405&view=co

Jung-uk Kim
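
Review bot: The three new section headers ([openssl_def], [engine_section], [gost_section]) are inserted in the middle of the file's default section, directly above the trailing context comment that tells the admin to "name here" the X.509v3 extensions section. After this change, anything uncommented or added at that spot is parsed as part of [gost_section] instead of the default section. Keep only `openssl_conf = openssl_def` at this position and move the three sections to the end of the file. Separately, `default_algorithms = ALL` in /etc/ssl/openssl.cnf makes the GOST engine the default provider of every algorithm it implements for each program that loads the system configuration, so it is worth confirming that this scope is intended, and the hard-coded `dynamic_path` deserves a comment noting that the library must exist at that path. As archived, the hunk carries quoted-printable `=3D` in place of `=`, so the message has to be decoded before the patch will apply.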