From: "Wall, Stephen"
To: "freebsd-hackers@freebsd.org"
Subject: RE: Crypto overhaul
Date: Fri, 27 Oct 2017 12:38:47 +0000
Message-ID: <51e5e3f85b6445ed85faf770773118bb@exch-02.redcom.com>
List-Id: Technical Discussions relating to FreeBSD

Be aware that moving away from a crypto library that has a FIPS-approved crypto core will have a significant impact on commercial users of FreeBSD who do business with U.S. government (and likely some other governments and corporate sectors as well). BoringSSL is pursuing/has pursued FIPS validation, but they offer this warning on their web page:

    Although BoringSSL is an open source project, it is not intended for general use, as OpenSSL is. We don't recommend that third parties depend upon it. Doing so is likely to be frustrating because there are no guarantees of API or ABI stability.

BearSSL, being a new, small project, is highly unlikely to pursue FIPS certification. LibreSSL has deliberately stripped anything FIPS related out of their fork, and the project has stated multiple times that it will not come back.

I am not opposing a change (indeed, consolidating the various crypto sources in FreeBSD to a single (FIPS-possible) library would be a good thing), I just prefer (strongly) that FIPS not be pushed out of the picture.

-spw