From owner-freebsd-ports@freebsd.org Wed Aug 24 19:36:06 2016
Date: Wed, 24 Aug 2016 20:36:03 +0100
From: Matt Smith
To: Bernard Spil
Cc: Mathieu Arnold, ports@freebsd.org
Subject: Re: Upcoming OpenSSL 1.1.0 release
Message-ID: <20160824193603.GA16568@xtaz.uk>
References: <6d35459045985929d061f3c6cca85efe@imap.brnrd.eu> <0E328A9485C47045F93C19AB@atuin.in.mat.cc> <20160823124201.GB48814@xtaz.uk>
User-Agent: Mutt/1.6.1 (2016-04-27)
List-Id: Porting software to FreeBSD

On Aug 24 21:18, Bernard Spil wrote:
> Today new vulnerabilities with (3)DES and Blowfish were made public, and
> I believe we'll see the release of another paper which is OpenSSL 1.1
> related with the release of OpenSSL 1.1.0. I have no knowledge of whether
> the paper/report contained vulnerabilities that have postponed the release
> of 1.1.0, but I think that is likely. That would mean that these
> vulnerabilities have been solved pre-release.
>
> As far as I know x25519 is still a draft RFC, so it is unlikely to appear in
> browsers for a while. I can see LibreSSL adding this as well, whether
> in the draft version or in the final. This they did with
> ChaCha20/Poly1305 as well (draft in 2.3, release in 2.4). The LibreSSL
> devs would have closed the request if they didn't intend to support it:
> https://github.com/libressl-portable/portable/issues/114
>
> I don't think that FreeBSD will be making LibreSSL the
> libssl/libcrypto provider any time soon. The support timelines for
> LibreSSL (<1.5 years) are just too short for the FreeBSD release
> support (>3 years). OpenSSL is speeding up the release cycle as well,
> but at least we can rely on RedHat to backport changes to older
> versions.
>
> LibreSSL in base is a bit more than playing; it is becoming the
> default in HardenedBSD very soon and very likely in TrueOS (AKA
> PC-BSD) as of 11.0 RELEASE. Both HardenedBSD and TrueOS have a
> different attitude towards updating things in the base system, as they
> do not serve as upstream to other projects/products that require
> longer support timelines. Come see my talk at EuroBSDCon; it will
> contain LibreSSL in base things.
>
> Cheers,
>
> Bernard.

Thanks for that reply. That answers things quite nicely.

I believe x25519 is currently in Chrome:

https://www.ssllabs.com/ssltest/viewClient.html?name=Chrome&version=51&platform=Win%207&key=126

It has x25519 listed as an elliptic curve near the bottom. So for that reason I am interested in enabling it, as I like to do things bleeding edge!

I will probably stick with security/libressl-devel for the foreseeable future though, I think, and at least wait and see what people make of OpenSSL 1.1 after a few months, if only for the fact that it's a bit of a pain to switch back again by recompiling everything.

-- 
Matt