From: Miroslav Lachman <000.fbsd@quip.cz>
To: John Baldwin, Andrew Gallatin, freebsd-arch@FreeBSD.org, Rick Macklem, Allan Jude
Date: Sat, 9 Jan 2021 12:11:33 +0100
Subject: Re: Should we enable KERN_TLS on amd64 for FreeBSD 13?
In-Reply-To: <20210109022409.GL31099@funkthat.com>
List-Id: Discussion related to FreeBSD architecture <freebsd-arch@freebsd.org>

On 09/01/2021 03:24, John-Mark Gurney wrote:
> John Baldwin wrote this message on Fri, Jan 08, 2021 at 17:03 -0800:
[...]
> Considering that 1.1.1 support will end long before the support time of
> 13-current ends, that's only two+ years of work to merge supported
> patches, then we're on our own anyways..
>
>> Personally, it would make my life a bit happier as a developer using
>> KTLS for it to at least be in GENERIC by default, but that's a pretty
>> narrow use case. :)
>
> I forget about the OpenSSL status in ports, do all ports that use
> OpenSSL use ports OpenSSL? I guess not, because git-lite didn't
> install OpenSSL, but supports https...
>
> If none (almost none) of the FreeBSD software (or ports) uses it by
> default, then my vote changes to 3, which is to not enable it.

AFAIK all ports use base OpenSSL.

I have had a question for a long time: what is the benefit of having ports
built with base OpenSSL instead of ports OpenSSL? For example, on FreeBSD
11.4 it makes many ports unbuildable, because base OpenSSL is 1.0 but many
ports need 1.1.1.

I was using PC-BSD on the desktop, where all ports were built with
LibreSSL, then I switched ports in our poudriere builder for servers to
use OpenSSL from ports because we needed a newer version (newer features).
Everything works fine on 25+ machines on FreeBSD 11.4 with OpenSSL 1.1.1
from ports.

So why are ports not built with OpenSSL from ports by default? Can it
cause some problems in some edge cases?

Kind regards
Miroslav Lachman
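As an added example (not part of this thread, and not code from the FreeBSD project): when a machine mixes base and ports OpenSSL, the operational question for patching is which libssl/libcrypto a given daemon actually loads. On FreeBSD the base libraries resolve under /lib or /usr/lib and the ports ones under /usr/local/lib, so ldd(1) output is enough to tell them apart. The function below classifies ldd output by those path prefixes; the ldd samples and binary paths embedded in it are constructed, not captured from a real host.

```shell
#!/bin/sh
# Classify which OpenSSL a binary resolves to, from ldd(1)-style output:
#   base  - libssl/libcrypto come from /lib or /usr/lib (FreeBSD base)
#   ports - they come from /usr/local/lib (security/openssl port)
#   mixed - one library from each (a misconfigured build worth investigating)
#   none  - the binary does not link libssl/libcrypto at all
# Constructed sample output, modelled on the ldd(1) format; not from a real system.
SAMPLE_LDD_BASE='/usr/local/bin/git:
	libssl.so.111 => /usr/lib/libssl.so.111 (0x800a00000)
	libcrypto.so.111 => /lib/libcrypto.so.111 (0x800c00000)
	libc.so.7 => /lib/libc.so.7 (0x801000000)'

SAMPLE_LDD_PORTS='/usr/local/sbin/nginx:
	libssl.so.11 => /usr/local/lib/libssl.so.11 (0x800a00000)
	libcrypto.so.11 => /usr/local/lib/libcrypto.so.11 (0x800c00000)
	libc.so.7 => /lib/libc.so.7 (0x801000000)'

# classify_ssl_provider: reads ldd output on stdin, prints base|ports|mixed|none.
classify_ssl_provider() {
    base=0
    ports=0
    while IFS= read -r line; do
        # Only the libssl/libcrypto resolution lines matter.
        case "$line" in
            *libssl.so*'=>'*|*libcrypto.so*'=>'*) ;;
            *) continue ;;
        esac
        # The resolved path is the token after "=> ".
        path=${line#*'=> '}
        path=${path%% *}
        case "$path" in
            /usr/local/lib/*) ports=$((ports + 1)) ;;
            /usr/lib/*|/lib/*) base=$((base + 1)) ;;
        esac
    done
    if [ "$base" -gt 0 ] && [ "$ports" -gt 0 ]; then
        echo mixed
    elif [ "$ports" -gt 0 ]; then
        echo ports
    elif [ "$base" -gt 0 ]; then
        echo base
    else
        echo none
    fi
}

# On a live system: ldd /usr/local/sbin/nginx | classify_ssl_provider
printf '%s\n' "$SAMPLE_LDD_BASE" | classify_ssl_provider
printf '%s\n' "$SAMPLE_LDD_PORTS" | classify_ssl_provider
```

Running the function over every binary in /usr/local/bin and /usr/local/sbin gives an inventory of which packages must be rebuilt after a base OpenSSL update versus a ports OpenSSL update; a "mixed" result points at a package linked against one library from each tree, which is the edge case the question above is worried about.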