Date: Wed, 11 Jun 2014 16:21:09 -0700
Subject: Re: OpenSSL end of life
From: "Constantine A. Murenin"
To: Jonathan Anderson
Cc: Dan Lukes, freebsd-security, Ben Laurie

On 11 June 2014 06:59, Jonathan Anderson wrote:
> Dan Lukes wrote:
>> 9.3 can be patched during its lifetime, but 9.3-pX and 9.3-pY need to be
>> binary compatible.
>>
>> If it is not compatible, then it's no 9.3 anymore.
>>
>>> One modification I'd be prepared to contemplate is that 1.0.1 (for
>>> example) is supported for some known period of time, even if it should
>>> be EOL according to the versioning scheme. The question is: how long?
>>> Sounds like you'd want 2 years.
>>
>> Almost acceptable for me.
>>
>> I wish to save 2-year lifetime period for FreeBSD.
>
>
> Once we officially move to the 5-year branch lifetime, even a 2-year OpenSSL
> lifetime becomes problematic. It seems to me that the only solution is to
> remove the ABI promise on OpenSSL: move the base system's libcrypt.so into
> /usr/lib/private. Installed packages would have to depend on (up-to-date)
> OpenSSL from the ports tree, where 2 years might be long enough to do the
> EOL dance.
>
> The problem with this approach is that pkg itself is a package and it needs
> to verify signatures to bootstrap itself before installing any OpenSSL
> package. Perhaps we can come up with a minimal API (ideally one function)
> whose ABI we can continue to support even as we change libcrypt versions
> under the hood.

BTW, this crypto bootstrapping problem has already been addressed by
OpenBSD earlier this year through the development of a lightweight
one-algorithm-fits-all signature utility called signify(1).

http://mdoc.su/o/signify.1
http://bxr.su/o/usr.bin/signify/signify.c
http://www.tedunangst.com/flak/post/signify
http://bsd.slashdot.org/story/14/01/19/0124202/openbsd-moving-towards-signed-packages-based-on-d-j-bernstein-crypto

C.