Skip site navigation (1)Skip section navigation (2) 
Date:      Tue, 1 Nov 2016 15:40:51 +0300
From:      Slawa Olhovchenkov <slw@zxy.spb.ru>
To:        Jung-uk Kim <jkim@FreeBSD.org>
Cc:        Mathieu Arnold <mat@FreeBSD.org>, Andrey Chernov <ache@freebsd.org>, FreeBSD-current <freebsd-current@FreeBSD.org>, freebsd-security <freebsd-security@freebsd.org>
Subject:   Re: GOST in OPENSSL_BASE
Message-ID:  <20161101124051.GK57876@zxy.spb.ru>
In-Reply-To: <9d8ac537-45bb-066a-956b-3f7c7e11bcb7@FreeBSD.org>
References:  <20160710133019.GD20831@zxy.spb.ru> <f35c1806-c06d-0d46-1c8a-58a56adef9a7@freebsd.org> <a4f0585d-cc99-e44a-7f59-0dd23e3c969f@FreeBSD.org> <20160711184122.GP46309@zxy.spb.ru> <f7bb30d6-6c22-4e21-ff8f-a25480ac0278@FreeBSD.org> <20160711195600.GQ46309@zxy.spb.ru> <EA5762479033C3438AC67624@ogg.in.absolight.net> <9d8ac537-45bb-066a-956b-3f7c7e11bcb7@FreeBSD.org>
next in thread | previous in thread | raw e-mail | index | archive | help 
On Mon, Jul 18, 2016 at 12:39:46PM -0400, Jung-uk Kim wrote:

> On 07/18/16 08:12 AM, Mathieu Arnold wrote:
> > Hi,
> > 
> > +--On 11 juillet 2016 22:56:00 +0300 Slawa Olhovchenkov <slw@zxy.spb.ru>
> > wrote:
> > | On Mon, Jul 11, 2016 at 03:00:39PM -0400, Jung-uk Kim wrote:
> > |> > .if ( ${PORT_OPTIONS:MGOST} || ${PORT_OPTIONS:MGOST_ASN1} ) &&
> > |> > ${SSL_DEFAULT} == base BROKEN= OpenSSL from the base system does not
> > |> > support GOST, add \ DEFAULT_VERSIONS+=ssl=openssl to your
> > |> >         /etc/make.conf and rebuild everything \ that needs SSL.
> > |> > .endif
> > |> 
> > |> FreeBSD 9.3 is still supported but GOST is not available there.  It
> > | 
> > | Thanks for clarifications.
> > | 
> > |> seems the ports maintainer didn't want to break it on 9.3 (CC added).
> > |> Version check may be needed there.
> > | 
> > | Thanks!
> > 
> > 
> > The idea is that you can't have mixed openssl usage.  If you link half your
> > ports with openssl from base, and half with openssl from ports, you are
> > going to have dragons attacks, and core dumps.  Also, if you are using
> > openssl from ports, you cannot use GSSAPI from base, for the same reasons.
> 
> Exactly.  That's why we should *allow* using base OpenSSL for 10.x and
> later because many packages are already linked against base OpenSSL by
> default.

Ports still refuse to GOST from base openssl.

Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20161101124051.GK57876>