From owner-freebsd-security@freebsd.org Fri Dec 11 06:46:31 2020
Date: Thu, 10 Dec 2020 22:46:28 -0800
From: John-Mark Gurney
To: freebsd-security@freebsd.org
Subject: Re: FreeBSD Security Advisory FreeBSD-SA-20:33.openssl
Message-ID: <20201211064628.GM31099@funkthat.com>
In-Reply-To: <20201209230300.03251CA1@freefall.freebsd.org>
References: <20201209230300.03251CA1@freefall.freebsd.org>
User-Agent: Mutt/1.6.1 (2016-04-27)

FreeBSD Security Advisories wrote this message on Wed, Dec 09, 2020 at 23:03 +0000:
> versions included in FreeBSD 12.x. This vulnerability is also known to
> affect OpenSSL versions included in FreeBSD 11.4. However, the OpenSSL
> project is only giving patches for that version to premium support contract
> holders.
> The FreeBSD project does not have access to these patches and
> recommends FreeBSD 11.4 users to either upgrade to FreeBSD 12.x or leverage
> up to date versions of OpenSSL in the ports/pkg system. The FreeBSD Project
> may update this advisory to include FreeBSD 11.4 should patches become
> publicly available.

FreeBSD needs to reevaluate the continued reliance on OpenSSL for our
crypto/TLS library. 1.0.2, which is in 11-stable, has not had support for
almost a year, and 11 is going to have almost another year of support,
during which time if there's another vuln, we'll again be leaving the users
in a bad place.

I have not heard if OpenSSL has bothered to address the breakage of
/dev/crypto that also recently came up, but it does appear that they are no
longer a good fit for FreeBSD.

Even as it stands, FreeBSD has committed to supporting 12 for close to a
year longer than OpenSSL has for 1.1.1, meaning we will be in the same
situation we are w/ 11 in a few years. Assuming 13 releases w/ OpenSSL,
we'll be in an even worse situation than we are now. OpenSSL 3.0.0 has no
support commitment announced yet, and sticking with 1.1.1 for 13 will put
us in an even worse situation than we are today.

What are people's thoughts on how to address the support mismatch between
FreeBSD and OpenSSL? And how to address it? IMO, FreeBSD does need to do
something, and staying w/ OpenSSL does not look like a viable option.

-- 
John-Mark Gurney Voice: +1 415 225 5579
"All that I will do, has been done, All that I have, has not."