From: Matt Dawson <matt@chronos.org.uk>
To: freebsd-security@freebsd.org
Date: Thu, 3 May 2012 09:32:01 +0100
Subject: Re: OpenSSL and Heimdal
Message-Id: <201205030932.03361.matt@chronos.org.uk>
In-Reply-To: <20120502232751.GB50127@in-addr.com>
References: <201205022345.27904.matt@chronos.org.uk> <20120502232751.GB50127@in-addr.com>
List: freebsd-security@freebsd.org (Security issues [members-only posting])

On Thursday 03 May 2012 00:27:51 Gary Palmer wrote:
> Their website is out of date.

As its primary public-facing information portal, I'm tempted to say that's an important priority to get right. Yes, volunteer project, etc., but the BSD way of doing things is to choose the tool for the job. All the visible information available at the time said OpenSSL wasn't it. I'm still wondering (and will read the blessed changelog this time) if mod_ssl is at this point, since it'll need to expose the new functionality to httpd.

> This is from CHANGES in OpenSSL 1.01a:
>
> Major changes between OpenSSL 1.0.0h and OpenSSL 1.0.1:
>
> o TLS/DTLS heartbeat support.
> o SCTP support.
> o RFC 5705 TLS key material exporter.
> o RFC 5764 DTLS-SRTP negotiation.
> o Next Protocol Negotiation.
> o PSS signatures in certificates, requests and CRLs.
> o Support for password based recipient info for CMS.
> o Support TLS v1.2 and TLS v1.1.
> o Preliminary FIPS capability for unvalidated 2.0 FIPS module.
> o SRP support.
>
> Note the 3rd last bullet point.

Again, an important piece of news to be hidden in a changelog. Although I made an arse of myself by not knowing that, it could be a little clearer. Thanks for the correction.

-- 
Matt Dawson
GW0VNR
MTD15-RIPE