From owner-freebsd-security@freebsd.org Thu Aug 2 23:45:41 2018
Return-Path:
Delivered-To: freebsd-security@mailman.ysv.freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id 2551F1054D29; Thu, 2 Aug 2018 23:45:41 +0000 (UTC) (envelope-from kaduk@mit.edu)
Received: from dmz-mailsec-scanner-5.mit.edu (dmz-mailsec-scanner-5.mit.edu [18.7.68.34]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mx1.freebsd.org (Postfix) with ESMTPS id 53D9F8421B; Thu, 2 Aug 2018 23:45:40 +0000 (UTC) (envelope-from kaduk@mit.edu)
X-AuditID: 12074422-887ff7000000681f-63-5b63979bc4e7
Received: from mailhub-auth-2.mit.edu ( [18.7.62.36]) (using TLS with cipher DHE-RSA-AES256-SHA (256/256 bits)) (Client did not present a certificate) by dmz-mailsec-scanner-5.mit.edu (Symantec Messaging Gateway) with SMTP id 4A.FF.26655.C97936B5; Thu, 2 Aug 2018 19:45:32 -0400 (EDT)
Received: from outgoing.mit.edu (OUTGOING-AUTH-1.MIT.EDU [18.9.28.11]) by mailhub-auth-2.mit.edu (8.13.8/8.9.2) with ESMTP id w72NjQE6006707; Thu, 2 Aug 2018 19:45:27 -0400
Received: from kduck.kaduk.org (24-107-191-124.dhcp.stls.mo.charter.com [24.107.191.124]) (authenticated bits=56) (User authenticated as kaduk@ATHENA.MIT.EDU) by outgoing.mit.edu (8.13.8/8.12.4) with ESMTP id w72NjJkH013976 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NOT); Thu, 2 Aug 2018 19:45:22 -0400
Date: Thu, 2 Aug 2018 18:45:19 -0500
From: Benjamin Kaduk
To: Eric McCorkle
Cc: Warner Losh, FreeBSD Hackers, "freebsd-arch@freebsd.org", freebsd-current, freebsd-security
Subject: Re: Status of OpenSSL 1.1.1
Message-ID: <20180802234519.GD68224@kduck.kaduk.org>
References:
MIME-Version: 1.0
Content-Type: text/plain; charset=iso-8859-1
Content-Disposition: inline
Content-Transfer-Encoding: 8bit
In-Reply-To:
User-Agent: Mutt/1.9.1 (2017-09-22)
X-BeenThere: freebsd-security@freebsd.org
X-Mailman-Version: 2.1.27
Precedence: list
List-Id: "Security issues [members-only posting]"
List-Unsubscribe:
List-Archive:
List-Post:
List-Help:
List-Subscribe:
X-List-Received-Date: Thu, 02 Aug 2018 23:45:41 -0000

On Wed, Aug 01, 2018 at 10:05:28AM -0400, Eric McCorkle wrote:
> On 08/01/2018 09:02, Warner Losh wrote:
> >
> >
> > On Wed, Aug 1, 2018, 12:31 PM Eric McCorkle wrote:
> >
> > > > Hi folks,
> > > >
> > > > I'm wondering what's the status of OpenSSL 1.1.1 integration into base?
> > > > More specifically, is there a repo or a branch that's started the
> > > > integration?  I'm aware of the wiki page and the list of port build
> > > > issues, but that seems to be based on replacing the base OpenSSL with a
> > > > port build (similar to the way one replaces it with LibreSSL).
> > > >
> > > > I have some work I'd like to do that's gating on sorting out the
> > > > kernel/loader crypto situation, and I'd very much like to see OpenSSL
> > > > 1.1.1 get merged, so I can start to look into doing that.
> >
> >
> > There are patches to use bear SSL for the loader. OpenSSL is simply too
> > large to use due to limits the loader operates under.
>
> I was going to look into the feasibility of doing something like what
> LibreSSL does with portable, where they extract a subset of the full
> library designed to be embedded in the kernel, loader, etc.
>
> I think it ought to be possible to do something like that, but it really
> ought to be done in a tree with 1.1.1 integrated.
>

It wouldn't be terribly easy or effective, IMO. OpenSSL wasn't designed
with such modularity in mind.

-Ben