From: Bernard Spil <brnrd@FreeBSD.org>
To: Matt Smith, Mathieu Arnold, Bernard Spil, ports@freebsd.org
Subject: Re: Upcoming OpenSSL 1.1.0 release
Date: Wed, 24 Aug 2016 21:18:14 +0200
In-Reply-To: <20160823124201.GB48814@xtaz.uk>
References: <6d35459045985929d061f3c6cca85efe@imap.brnrd.eu> <0E328A9485C47045F93C19AB@atuin.in.mat.cc> <20160823124201.GB48814@xtaz.uk>
List-Id: Porting software to FreeBSD

On 2016-08-23 14:42, Matt Smith wrote:
> On Aug 22 20:39, Mathieu Arnold wrote:
>> ports-committers is a *NEVER POST DIRECTLY TO* list, so, moving it to
>> ports@ where this belongs a lot more.
>>
>> +--On 22 August 2016 20:30:15 +0200 Bernard Spil wrote:
>> | Curious to know how we should proceed with the upgrade of the OpenSSL
>> | port to 1.1.0!
>>
>> All ports need to work with it, I'm sure software like BIND9 does not
>> build with it.
>>
>> -- Mathieu Arnold
>
> Going slightly off-topic, I'm curious what the opinion is around this
> and LibreSSL. My understanding is that LibreSSL was forked from OpenSSL
> 1.0.1 and they have not backported newer stuff from OpenSSL.
> I also believe OpenSSL now has several full-time paid developers working
> on it and that the 1.1 release has some significant changes under the hood?
>
> I've been using LibreSSL for a while so that I can get chacha20 support,
> but OpenSSL 1.1 will not only have chacha20, but will also have x25519
> support as well. This, along with what I said above, is making me think
> it might be better to go back to OpenSSL.
>
> I just wondered what people in the know think about the current
> situation with these two things. Plus, are there any roadmaps for the
> future of FreeBSD regarding the defaults? Is the project ever going to
> look at making LibreSSL the default port, or will that be kept as
> OpenSSL for many years to come? I know Bernard has been looking into
> that and playing around with LibreSSL in base etc. Just curious what
> the official policy is going to be on that.

Hi Matt,

Today new vulnerabilities with (3)DES and Blowfish were made public, and I believe we'll see the release of another paper, which is OpenSSL 1.1 related, with the release of OpenSSL 1.1.0. I have no knowledge of whether the paper/report contained vulnerabilities that have postponed the release of 1.1.0, but I think that is likely. That would mean that these vulnerabilities have been solved pre-release.

As far as I know x25519 is still a draft RFC, so it is unlikely to appear in browsers for a while. I can see LibreSSL adding this as well, whether in the draft version or in the final. They did this with ChaCha20/Poly1305 as well (draft in 2.3, release in 2.4). The LibreSSL devs would have closed the request if they didn't intend to support it: https://github.com/libressl-portable/portable/issues/114

I don't think that FreeBSD will be making LibreSSL the libssl/libcrypto provider any time soon. The support timelines for LibreSSL (<1.5 years) are just too short for the FreeBSD release support (>3 years).
OpenSSL is speeding up the release cycle as well, but at least we can rely on Red Hat to backport changes to older versions.

LibreSSL in base is a bit more than playing; it is becoming the default in HardenedBSD very soon and very likely in TrueOS (AKA PC-BSD) as of 11.0-RELEASE. Both HardenedBSD and TrueOS have a different attitude towards updating things in the base system, as they do not serve as upstream to other projects/products that require longer support timelines.

Come see my talk at EuroBSDCon; it will contain LibreSSL-in-base things.

Cheers, Bernard.
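Added example, not part of the thread and not code from OpenSSL, LibreSSL or FreeBSD: the property that 3DES and Blowfish share, and that the Sweet32 birthday attacks published that day exploit, is a 64-bit block size, which puts the CBC-mode collision bound at about 2^32 blocks (32 GiB under one key) instead of 2^64 blocks for a 128-bit block cipher such as AES. The script below parses output in the shape `openssl ciphers -v` prints, flags suites whose `Enc=` algorithm has a 64-bit block, and lists which suites use ChaCha20, the feature check Matt was after. The sample lines are constructed, and the `BLOCK_BITS` table and the helper names are assumptions of this example rather than anything OpenSSL exposes.

```python
import re
import sys

# Constructed sample in the one-suite-per-line shape that `openssl ciphers -v` prints.
SAMPLE_OUTPUT = """\
ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AESGCM(128) Mac=AEAD
ECDHE-RSA-CHACHA20-POLY1305 TLSv1.2 Kx=ECDH     Au=RSA  Enc=CHACHA20/POLY1305(256) Mac=AEAD
ECDHE-RSA-DES-CBC3-SHA  SSLv3 Kx=ECDH     Au=RSA  Enc=3DES(168) Mac=SHA1
DES-CBC3-SHA            SSLv3 Kx=RSA      Au=RSA  Enc=3DES(168) Mac=SHA1
IDEA-CBC-SHA            SSLv3 Kx=RSA      Au=RSA  Enc=IDEA(128) Mac=SHA1
"""

# Block size in bits per Enc= algorithm name. This table is the example's own assumption;
# None marks stream/AEAD constructions that have no block-cipher birthday bound.
# BF (Blowfish) is not a TLS suite but is listed because it shares the 64-bit block.
BLOCK_BITS = {
    "DES": 64, "3DES": 64, "IDEA": 64, "RC2": 64, "BF": 64,   # Sweet32 class
    "AES": 128, "AESGCM": 128, "AESCCM": 128, "CAMELLIA": 128,
    "CHACHA20/POLY1305": None, "RC4": None,
}

ENC_RE = re.compile(r"Enc=([A-Za-z0-9/]+)\((\d+)\)")


def parse_cipher_line(line):
    """Return (suite_name, enc_algorithm, key_bits) for one line, or None if it is not a suite line."""
    fields = line.split()
    match = ENC_RE.search(line)
    if not fields or match is None:
        return None
    return fields[0], match.group(1), int(match.group(2))


def birthday_bound_bytes(block_bits):
    """Bytes of CBC traffic under one key at which a block collision becomes likely (~2^(n/2) blocks)."""
    blocks = 2 ** (block_bits // 2)
    return blocks * (block_bits // 8)


def flag_small_block_suites(lines, max_block_bits=64):
    """Suites whose bulk cipher has a block size <= max_block_bits (3DES, IDEA, RC2 by default)."""
    flagged = []
    for line in lines:
        parsed = parse_cipher_line(line)
        if parsed is None:
            continue
        name, alg, _ = parsed
        bits = BLOCK_BITS.get(alg)
        if bits is not None and bits <= max_block_bits:
            flagged.append(name)
    return flagged


def suites_using(lines, alg_prefix):
    """Suites whose Enc= algorithm starts with alg_prefix, e.g. 'CHACHA20' to see if the build has it."""
    return [p[0] for p in map(parse_cipher_line, lines) if p and p[1].startswith(alg_prefix)]


if __name__ == "__main__":
    # Pipe a real build's list in:  openssl ciphers -v 'ALL' | python3 audit_ciphers.py
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_OUTPUT
    lines = text.splitlines()
    for suite in flag_small_block_suites(lines):
        print("64-bit block, collision expected after ~%d GiB under one key: %s"
              % (birthday_bound_bytes(64) // 2 ** 30, suite))
    print("ChaCha20 suites:", suites_using(lines, "CHACHA20") or "none")
```

Run against the sample it flags the two 3DES suites and IDEA; piped the output of a LibreSSL or OpenSSL 1.1 `openssl ciphers -v` it shows at a glance whether ChaCha20 suites are present and which 64-bit block suites are still in the default list. The 32 GiB figure is the point of the flag: that is the amount of data one long-lived TLS session needs to push before a CBC block collision is expected, which is why 3DES belongs at the bottom of the list or out of it.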