From: Jung-uk Kim <jkim@FreeBSD.org>
To: Slawa Olhovchenkov
Cc: Andrey Chernov, Mathieu Arnold, FreeBSD-current, freebsd-security
Subject: Re: GOST in OPENSSL_BASE
Date: Mon, 11 Jul 2016 15:00:39 -0400

On 07/11/16 02:41 PM, Slawa Olhovchenkov wrote:
> On Mon, Jul 11, 2016 at 02:28:45PM -0400, Jung-uk Kim wrote:
>
>> On 07/10/16 10:10 AM, Andrey Chernov wrote:
>>> On 10.07.2016 16:30, Slawa Olhovchenkov wrote:
>>>> I am surprised lack of support GOST in openssl-base.
>>>> Can be this enabled before 11.0 released?
>>>
>>> AFAIK openssl maintainers says something like they can't support this
>>> code and it will become rotten shortly with new changes, so they drop it.
>>
>> [OpenSSL-maintainer-for-the-base hat on]
>>
>> GOST is supported on FreeBSD 10.x and 11.x. We will not drop it on
>> these branches unless secteam explicitly ask us to do so. However, we
>> *may* drop it from 12.0 *iff* we import OpenSSL 1.1.0 branch.
>>
>> [OpenSSL-maintainer-for-the-base hat off]
>>
>> Jung-uk Kim
>>
>
> Thanks!
>
> May be need file PR for dns/bind910?
>
> # grep -3 BROK /poudriere/ports/default/dns/bind910/Makefile
> .include
>
> .if ( ${PORT_OPTIONS:MGOST} || ${PORT_OPTIONS:MGOST_ASN1} ) && ${SSL_DEFAULT} == base
> BROKEN= OpenSSL from the base system does not support GOST, add \
> DEFAULT_VERSIONS+=ssl=openssl to your /etc/make.conf and rebuild everything \
> that needs SSL.
> .endif

FreeBSD 9.3 is still supported but GOST is not available there. It
seems the ports maintainer didn't want to break it on 9.3 (CC added).
Version check may be needed there.

Jung-uk Kim