Date: Wed, 24 Aug 2016 21:18:14 +0200
From: Bernard Spil <brnrd@FreeBSD.org>
To: Matt Smith <fbsd@xtaz.co.uk>, Mathieu Arnold <mat@freebsd.org>, Bernard Spil <brnrd@freebsd.org>, ports@freebsd.org
Subject: Re: Upcoming OpenSSL 1.1.0 release
Message-ID: <ba968d48738a1b5f05546993e70abf7d@imap.brnrd.eu>
In-Reply-To: <20160823124201.GB48814@xtaz.uk>
References: <6d35459045985929d061f3c6cca85efe@imap.brnrd.eu> <0E328A9485C47045F93C19AB@atuin.in.mat.cc> <20160823124201.GB48814@xtaz.uk>
On 2016-08-23 14:42, Matt Smith wrote:
> On Aug 22 20:39, Mathieu Arnold wrote:
>> ports-committers is a *NEVER POST DIRECTLY TO* list, so, moving it to ports@ where this belongs a lot more.
>>
>> +--On 22 Aug 2016 20:30:15 +0200 Bernard Spil <brnrd@FreeBSD.org> wrote:
>> | Curious to know how we should proceed with the upgrade of the OpenSSL
>> | port to 1.1.0!
>>
>> All ports need to work with it, I'm sure software like BIND9 does not build with it.
>>
>> -- Mathieu Arnold
>
> Going slightly off-topic, I'm curious what the opinion is around this and LibreSSL. My understanding is that LibreSSL was forked from OpenSSL 1.0.1 and they have not backported newer stuff from OpenSSL. I also believe OpenSSL now has several full-time paid developers working on it and that the 1.1 release has some significant changes under the hood?
>
> I've been using LibreSSL for a while so that I can get chacha20 support, but OpenSSL 1.1 will not only have chacha20, but will also have x25519 support as well. This, along with what I said above, is making me think it might be better to go back to OpenSSL.
>
> I just wondered what people in the know think about the current situation with these two things. Plus, are there any roadmaps for the future of FreeBSD regarding the defaults? Is the project ever going to look at making LibreSSL the default port, or will that be kept as OpenSSL for many years to come? I know Bernard has been looking into that and playing around with LibreSSL in base etc. Just curious what the official policy is going to be on that.

Hi Matt,

Today new vulnerabilities with (3)DES and Blowfish were made public, and I believe we'll see the release of another paper which is OpenSSL 1.1 related with the release of OpenSSL 1.1.0. I have no knowledge of whether the paper/report contained vulnerabilities that have postponed the release of 1.1.0, but I think that is likely. That would mean that these vulnerabilities have been solved pre-release.
As far as I know x25519 is still a Draft RFC, so unlikely to appear in browsers for a while. I can see LibreSSL adding this as well, whether in the draft version or in the final. This they did with ChaCha20/Poly1305 as well (draft in 2.3, release in 2.4). The LibreSSL devs would have closed the request if they didn't intend to support it: https://github.com/libressl-portable/portable/issues/114

I don't think that FreeBSD will be making LibreSSL the libssl/libcrypto provider any time soon. The support timelines for LibreSSL (<1.5 years) are just too short for the FreeBSD release support (>3 years). OpenSSL is speeding up the release cycle as well, but at least we can rely on RedHat to backport changes to older versions.

LibreSSL in base is a bit more than playing; it is becoming the default in HardenedBSD very soon and very likely in TrueOS (AKA PC-BSD) as of 11.0 RELEASE. Both HardenedBSD and TrueOS have a different attitude towards updating things in the base system, as they do not serve as upstream to other projects/products that require longer support timelines.

Come see my talk at EuroBSDCon, it will contain LibreSSL in base things.

Cheers,

Bernard.
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?ba968d48738a1b5f05546993e70abf7d>