Date: Mon, 11 Jul 2016 22:48:00 -0700
From: Kevin Oberman <rkoberman@gmail.com>
To: Andrey Chernov <ache@freebsd.org>
Cc: Slawa Olhovchenkov <slw@zxy.spb.ru>, Jung-uk Kim <jkim@freebsd.org>, freebsd-security@freebsd.org, FreeBSD Current <freebsd-current@freebsd.org>
Subject: Re: GOST in OPENSSL_BASE
Message-ID: <CAN6yY1sOrL42ssbfGUKz8%2BaY0VvKPDHPx2S0ZRNpmmgdB0V8Tg@mail.gmail.com>
In-Reply-To: <c0bb5ae3-fee6-d40c-86bd-988c843d757b@freebsd.org>
References: <20160710133019.GD20831@zxy.spb.ru> <f35c1806-c06d-0d46-1c8a-58a56adef9a7@freebsd.org> <a4f0585d-cc99-e44a-7f59-0dd23e3c969f@FreeBSD.org> <20160711184122.GP46309@zxy.spb.ru> <98f27660-47ff-d212-8c50-9e6e1cd52e0b@freebsd.org> <c0bb5ae3-fee6-d40c-86bd-988c843d757b@freebsd.org>
On Mon, Jul 11, 2016 at 3:51 PM, Andrey Chernov <ache@freebsd.org> wrote:
> On 12.07.2016 1:44, Andrey Chernov wrote:
> > On 11.07.2016 21:41, Slawa Olhovchenkov wrote:
> >> On Mon, Jul 11, 2016 at 02:28:45PM -0400, Jung-uk Kim wrote:
> >>
> >>> On 07/10/16 10:10 AM, Andrey Chernov wrote:
> >>>> On 10.07.2016 16:30, Slawa Olhovchenkov wrote:
> >>>>> I am surprised by the lack of GOST support in openssl-base.
> >>>>> Can this be enabled before 11.0 is released?
> >>>>
> >>>> AFAIK the openssl maintainers said something like they can't support this
> >>>> code and it will become rotten shortly with new changes, so they dropped it.
> >>>
> >>> [OpenSSL-maintainer-for-the-base hat on]
> >>>
> >>> GOST is supported on FreeBSD 10.x and 11.x. We will not drop it on
> >>> these branches unless secteam explicitly asks us to do so. However, we
> >>> *may* drop it from 12.0 *iff* we import the OpenSSL 1.1.0 branch.
> >>>
> >>> [OpenSSL-maintainer-for-the-base hat off]
> >>>
> >>> Jung-uk Kim
> >>>
> >>
> >> Thanks!
> >>
> >> Maybe I need to file a PR for dns/bind910?
> >>
> >> # grep -3 BROK /poudriere/ports/default/dns/bind910/Makefile
> >> .include <bsd.port.pre.mk>
> >>
> >> .if ( ${PORT_OPTIONS:MGOST} || ${PORT_OPTIONS:MGOST_ASN1} ) && ${SSL_DEFAULT} == base
> >> BROKEN= OpenSSL from the base system does not support GOST, add \
> >>   DEFAULT_VERSIONS+=ssl=openssl to your /etc/make.conf and rebuild everything \
> >>   that needs SSL.
> >> .endif
> >>
> >
> > I dislike the idea of using GOST in bind; it is unneeded there. DNSSEC
> > doesn't use GOST, so I vote for removing the GOST option from there.
> >
>
> I need to note that an RFC exists proposing GOST (the old version) for DNSSEC:
> https://tools.ietf.org/html/rfc5933
> but nobody really uses it.

In case people are not aware of it, Russian law now requires that ALL encrypted traffic either be accessible to the FSB or that the private keys be made available to the FSB.

I have always assumed that GOST has a hidden vulnerability/backdoor that the FSB is already using, but this makes it mandatory. Putin gave the FSB 2 weeks to implement the law, which is clearly impossible, but I suspect that there will be a huge effort to pick all the low-hanging fruit. As a result, I suspect no one outside of Russia will touch GOST. (Not that they do now, either.) I'd hate to see its support required for any protocol except in Russia, as someone will be silly enough to use it.

(It's not possible because it requires the 6-month storage of all Internet data and voice communications, which will require the immediate installation of massive amounts of storage, not to mention the floor space, cooling, and power to support those disks.)

--
Kevin Oberman, Part time kid herder and retired Network Engineer
E-mail: rkoberman@gmail.com
PGP Fingerprint: D03FB98AFA78E3B78C1694B318AB39EF1B055683