Date: Sun, 29 Jul 2018 10:59:11 -0500
From: Benjamin Kaduk <kaduk@mit.edu>
To: Dewayne Geraghty <dewayne.geraghty@heuristicsystems.com.au>
Cc: "PRAKASH RAI (prakrai)" <prakrai@cisco.com>, "freebsd-security@freebsd.org" <freebsd-security@freebsd.org>
Subject: Re: TLSv1.3 support in freeBSD 11.X
Message-ID: <20180729155908.GA79679@kduck.kaduk.org>
In-Reply-To: <81dc7784-62d2-37e8-95f0-1f49215d4a58@heuristicsystems.com.au>
References: <2ECA83EC-B156-43DF-AFDD-407BDFF74DAA@contoso.com> <81dc7784-62d2-37e8-95f0-1f49215d4a58@heuristicsystems.com.au>
Hi Dewayne,

(Full disclosure: I am currently the IETF Area Director responsible for the TLS working group, and as such the TLS 1.3 spec itself; I am also an OpenSSL committer.)

On Sun, Jul 29, 2018 at 09:59:29AM +1000, Dewayne Geraghty wrote:
>
> On 26/07/2018 9:45 PM, PRAKASH RAI (prakrai) via freebsd-security wrote:
> > Hi All,
> >
> > I was going through the https://wiki.freebsd.org/OpenSSL and found that openssl 1.1.1 support is planned for freeBSD 12.
> > As TLSv1.3 is based on openssl 1.1.1, does it mean that freeBSD 11.X would not be having support for TLSv1.3?
> >
> > Basically I would like to understand if I can build openssl 1.1.1 (which is having support for TLSv1.3) with FreeBSD 11.2 without any issue and enable TLSv1.3 support?
> >
> > Regards,
> > Prakash
>
> Prakash,
> You're very ambitious ;) TLSv1.3 is very different from 1.2 and
> others. Additional ciphers are "nice", but the session controls are
> quite different and will take a while for applications to settle into.

While I don't dispute that this is an ambitious goal, I do dispute that the changes in TLS 1.3 are merely "nice"; there are real improvements to performance, privacy, and security that can be compelling points to drive work for adoption, in some cases. We should let Prakash make their own decision based on the facts.

> Quite a few applications are not yet at openssl 1.1.0, so surprise
> yourself and try something like:
>
>   for interests in security www; do find /usr/ports/"$interests"/ -name Makefile | xargs grep openssl-devel | grep BROKEN; done
>
> And you should also note that the ports are only built on lowest
> supported FreeBSD (#1), and on the 11 stream, that seems to be FreeBSD

The officially published *packages* are built on the oldest supported release from a branch; anyone can build the ports on the version they are running (and, of course, build software outside the Ports Collection entirely).

> 11.1Release; so we should really work in unison to migrate to openssl
> 1.1.1 :) Draw your own conclusions about what ports have been tested
> on 11.2Release
>
> FYI perhaps consider libressl which has some additional/useful ciphers,
> might be worth a look if the ciphers are your driver.

I'm not sure that I'd echo that advice -- openssl has made some pretty substantial architectural improvements in the 1.1.x series, with a well-designed state machine, unified extension handling, and the (W)PACKET_ APIs for handling network data (and of course the prospect of TLS 1.3 support). While I'm happy to see that libressl has adopted the CBB/CBS APIs from boringssl (to be frank, not using an API of that sort for network data would be pretty hard to justify, in this day and age), it seems to still be organically evolving the openssl 1.0.1 state machine it inherited, and I am unaware of motion for TLS 1.3 support therein.

I also don't think that ciphers would be a motivation for OpenSSL 1.1.1 over 1.1.0 -- the only non-TLS 1.3 ciphers that are new across that version jump appear to be the ARIA ciphers, which are not exactly widely used.

-Ben