From owner-freebsd-current@freebsd.org Tue Jul 12 08:47:48 2016 Return-Path: Delivered-To: freebsd-current@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id F3F3AB93C8B; Tue, 12 Jul 2016 08:47:47 +0000 (UTC) (envelope-from kob6558@gmail.com) Received: from mail-io0-x22f.google.com (mail-io0-x22f.google.com [IPv6:2607:f8b0:4001:c06::22f]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (Client CN "smtp.gmail.com", Issuer "Google Internet Authority G2" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id BA96619A7; Tue, 12 Jul 2016 08:47:47 +0000 (UTC) (envelope-from kob6558@gmail.com) Received: by mail-io0-x22f.google.com with SMTP id q83so10412046iod.1; Tue, 12 Jul 2016 01:47:47 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:sender:in-reply-to:references:from:date:message-id :subject:to:cc; bh=UVtyEroMJS0aCWU+5MKmTBk+gRrsy3nVidyQixqxYuM=; b=Ge1O85jBnqIu5tFgM8cKZIHva/vcFZVTzmBUa6Tyk5oeBot7bWFL85gubJKRvIOhCs trmvojfeRURumuB3LLJ3VEHd8HZk66n8RuuxGerj2ZG58q0KI3sWIaOltZg7h9ROakWE LYSUe7lUJYywfiXnA40yemO7gwOjVdkLdoGPoQhqOX0K5SO5FpABYZ0CHaegW1fyvMWT GbUr1cmeqInpCWafW+ndPMn7Wl56iMYtWNfOnl/+0BdqVipnqPkU/kPFJ73R6JyQpfn4 pmAoDS9JHPA7A74XPSsYm+nTzxNaNpWZcHsoy5/MBzhjOW8RclLbf2g9C1mu7+dwDmVo qu1g== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:sender:in-reply-to:references:from :date:message-id:subject:to:cc; bh=UVtyEroMJS0aCWU+5MKmTBk+gRrsy3nVidyQixqxYuM=; b=H4nhLER4cMc3FY2Sk/uozqpUlxQUu1JdbuXZUdwjMEja1ckG43v9JM/xapaWQRpP6n HsmPOmRmlIEZ1fdcCgyzYOtX6Xgig9u12uPYYhoVu9Xw96x6IjxDjouxWWSGzwVBgqIk wSI3YYscCGHdo3HSp5ccOQZAoaxkXpScgf0Zxf+3jc892X5RKE6eAOtgC0eSdeQ3Iz7R D3e+u8Dbj5aFD87fGcvfqqN0i8qx9D2s6zrhYEKOD0sgpDHr8dPstlqOSwIzU4FIAzpN ZoGhP8SlW9Yl51fVwZBIc4hvF+DtSgB8Hs0XZt/0gC2N2l0oCPvJ3g0ORwKSvbFXpnHl yoSA== X-Gm-Message-State: ALyK8tLBQTwmZK7KNoCJQtfTikp/DPyCK4+1lDihmluXj7Ob8ktUnzOPG2UV6LoSx/WowSjmYjXEU8Vl5OdTvg== X-Received: by 10.107.129.164 with SMTP id l36mr848409ioi.179.1468302481507; Mon, 11 Jul 2016 22:48:01 -0700 (PDT) MIME-Version: 1.0 Sender: kob6558@gmail.com Received: by 10.79.78.213 with HTTP; Mon, 11 Jul 2016 22:48:00 -0700 (PDT) In-Reply-To: References: <20160710133019.GD20831@zxy.spb.ru> <20160711184122.GP46309@zxy.spb.ru> <98f27660-47ff-d212-8c50-9e6e1cd52e0b@freebsd.org> From: Kevin Oberman Date: Mon, 11 Jul 2016 22:48:00 -0700 X-Google-Sender-Auth: _rk6aaJOoZMec805HjRSGpf952U Message-ID: Subject: Re: GOST in OPENSSL_BASE To: Andrey Chernov Cc: Slawa Olhovchenkov , Jung-uk Kim , freebsd-security@freebsd.org, FreeBSD Current Content-Type: text/plain; charset=UTF-8 X-Content-Filtered-By: Mailman/MimeDel 2.1.22 X-BeenThere: freebsd-current@freebsd.org X-Mailman-Version: 2.1.22 Precedence: list List-Id: Discussions about the use of FreeBSD-current List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 12 Jul 2016 08:47:48 -0000 On Mon, Jul 11, 2016 at 3:51 PM, Andrey Chernov wrote: > On 12.07.2016 1:44, Andrey Chernov wrote: > > On 11.07.2016 21:41, Slawa Olhovchenkov wrote: > >> On Mon, Jul 11, 2016 at 02:28:45PM -0400, Jung-uk Kim wrote: > >> > >>> On 07/10/16 10:10 AM, Andrey Chernov wrote: > >>>> On 10.07.2016 16:30, Slawa Olhovchenkov wrote: > >>>>> I am surprised lack of support GOST in openssl-base. > >>>>> Can be this enabled before 11.0 released? > >>>> > >>>> AFAIK openssl maintainers says something like they can't support this > >>>> code and it will become rotten shortly with new changes, so they drop > it. > >>> > >>> [OpenSSL-maintainer-for-the-base hat on] > >>> > >>> GOST is supported on FreeBSD 10.x and 11.x. We will not drop it on > >>> these branches unless secteam explicitly ask us to do so. However, we > >>> *may* drop it from 12.0 *iff* we import OpenSSL 1.1.0 branch. > >>> > >>> [OpenSSL-maintainer-for-the-base hat off] > >>> > >>> Jung-uk Kim > >>> > >> > >> Thanks! > >> > >> May be need file PR for dns/bind910? > >> > >> # grep -3 BROK /poudriere/ports/default/dns/bind910/Makefile > >> .include > >> > >> .if ( ${PORT_OPTIONS:MGOST} || ${PORT_OPTIONS:MGOST_ASN1} ) && > ${SSL_DEFAULT} == base > >> BROKEN= OpenSSL from the base system does not support GOST, add \ > >> DEFAULT_VERSIONS+=ssl=openssl to your /etc/make.conf and > rebuild everything \ > >> that needs SSL. > >> .endif > >> > > > > I dislike idea to use GOST in the bind, it is unneeded there, DNSSEC > > don't use GOST, so I vote for removing GOST option from there. > > > > I need to note that RFC exists, proposing GOST (old version) for DNSSEC: > https://tools.ietf.org/html/rfc5933 > but nobody really use it. In case people are not aware of it, Russian law now requires ALL encrypted traffic must either be accessible by the FSB or that the private keys must be available to the FSB. I have always assumed that GOST has a hidden vulnerability/backdoor that the FSB is already using, but this makes it mandatory. Putin gave the FSB 2 weeks to implement the law, which is clearly impossible, but I suspect that there will be a huge effort to pick all low-hanging fruit. As a result, I suspect no one outside of Russia will touch GOST. (Not that they do now, either.) I'd hate to see its support required for any protocol except in Russia as someone will be silly enough to use it. (It's not possible because it requires the 6 month storage of all Internet data and voice communications which will require the immediate installation of massive amounts of storage, not to mention the floor space, cooling, and power to support those disks.) -- Kevin Oberman, Part time kid herder and retired Network Engineer E-mail: rkoberman@gmail.com PGP Fingerprint: D03FB98AFA78E3B78C1694B318AB39EF1B055683