Date:      Tue, 12 Jul 2016 12:16:02 +0300
From:      Andrey Chernov <ache@freebsd.org>
To:        Kevin Oberman <rkoberman@gmail.com>
Cc:        Slawa Olhovchenkov <slw@zxy.spb.ru>, Jung-uk Kim <jkim@freebsd.org>, freebsd-security@freebsd.org, FreeBSD Current <freebsd-current@freebsd.org>
Subject:   Re: GOST in OPENSSL_BASE
Message-ID:  <673ea9f5-e5e5-91e0-5bd1-2119c2f7b493@freebsd.org>
In-Reply-To: <CAN6yY1sOrL42ssbfGUKz8%2BaY0VvKPDHPx2S0ZRNpmmgdB0V8Tg@mail.gmail.com>
References:  <20160710133019.GD20831@zxy.spb.ru> <f35c1806-c06d-0d46-1c8a-58a56adef9a7@freebsd.org> <a4f0585d-cc99-e44a-7f59-0dd23e3c969f@FreeBSD.org> <20160711184122.GP46309@zxy.spb.ru> <98f27660-47ff-d212-8c50-9e6e1cd52e0b@freebsd.org> <c0bb5ae3-fee6-d40c-86bd-988c843d757b@freebsd.org> <CAN6yY1sOrL42ssbfGUKz8%2BaY0VvKPDHPx2S0ZRNpmmgdB0V8Tg@mail.gmail.com>

On 12.07.2016 8:48, Kevin Oberman wrote:
>     >> Maybe we need to file a PR for dns/bind910?
>     >>
>     >> # grep -3 BROK /poudriere/ports/default/dns/bind910/Makefile
>     >> .include <bsd.port.pre.mk>
>     >>
>     >> .if ( ${PORT_OPTIONS:MGOST} || ${PORT_OPTIONS:MGOST_ASN1} ) && ${SSL_DEFAULT} == base
>     >> BROKEN= OpenSSL from the base system does not support GOST, add \
>     >>         DEFAULT_VERSIONS+=ssl=openssl to your /etc/make.conf and rebuild everything \
>     >>         that needs SSL.
>     >> .endif
>     >>
>     >
>     > I dislike the idea of using GOST in bind; it is unneeded there, DNSSEC
>     > doesn't use GOST, so I vote for removing the GOST option from there.
>     >
> 
>     I need to note that an RFC exists proposing GOST (old version) for DNSSEC:
>     https://tools.ietf.org/html/rfc5933
>     but nobody really uses it.
> 
> In case people are not aware of it, Russian law now requires that ALL
> encrypted traffic either be accessible to the FSB or that the
> private keys be available to the FSB.

It is not quite so. All traffic must be available for 6 months, and they
have expressed an intention to ask big companies for their private keys, but
the latter is not required by the law (not yet...).

> I have always assumed that
> GOST has a hidden vulnerability/backdoor that the FSB is already using,

I already answered this question elsewhere in this thread, with a reference.

> but this makes it mandatory. Putin gave the FSB 2 weeks to implement the
> law, which is clearly impossible, but I suspect that there will be a
> huge effort to pick all low-hanging fruit. As a result, I suspect no one
> outside of Russia will touch GOST. (Not that they do now, either.) I'd
> hate to see its support required for any protocol except in Russia as
> someone will be silly enough to use it.

I already explained the required GOST usage pattern in this thread.
