From owner-freebsd-security@freebsd.org  Mon Jul 11 19:00:45 2016
Return-Path: <owner-freebsd-security@freebsd.org>
Delivered-To: freebsd-security@mailman.ysv.freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org
 [IPv6:2001:1900:2254:206a::19:1])
 by mailman.ysv.freebsd.org (Postfix) with ESMTP id 3E3F9B92273;
 Mon, 11 Jul 2016 19:00:45 +0000 (UTC)
 (envelope-from jkim@FreeBSD.org)
Received: from freefall.freebsd.org (freefall.freebsd.org
 [IPv6:2001:1900:2254:206c::16:87])
 by mx1.freebsd.org (Postfix) with ESMTP id A648D1F5A;
 Mon, 11 Jul 2016 19:00:44 +0000 (UTC)
 (envelope-from jkim@FreeBSD.org)
Subject: Re: GOST in OPENSSL_BASE
To: Slawa Olhovchenkov <slw@zxy.spb.ru>
References: <20160710133019.GD20831@zxy.spb.ru>
 <f35c1806-c06d-0d46-1c8a-58a56adef9a7@freebsd.org>
 <a4f0585d-cc99-e44a-7f59-0dd23e3c969f@FreeBSD.org>
 <20160711184122.GP46309@zxy.spb.ru>
Cc: Andrey Chernov <ache@freebsd.org>, Mathieu Arnold <mat@FreeBSD.org>,
 FreeBSD-current <freebsd-current@FreeBSD.org>,
 freebsd-security <freebsd-security@freebsd.org>
From: Jung-uk Kim <jkim@FreeBSD.org>
Message-ID: <f7bb30d6-6c22-4e21-ff8f-a25480ac0278@FreeBSD.org>
Date: Mon, 11 Jul 2016 15:00:39 -0400
User-Agent: Mozilla/5.0 (X11; FreeBSD amd64; rv:45.0) Gecko/20100101
 Thunderbird/45.1.1
MIME-Version: 1.0
In-Reply-To: <20160711184122.GP46309@zxy.spb.ru>
Content-Type: multipart/signed; micalg=pgp-sha256;
 protocol="application/pgp-signature";
 boundary="lltlppxNlMO90TBfKxss3RoASxqmhXSxg"
X-BeenThere: freebsd-security@freebsd.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: "Security issues \[members-only posting\]"
 <freebsd-security.freebsd.org>
List-Unsubscribe: <https://lists.freebsd.org/mailman/options/freebsd-security>, 
 <mailto:freebsd-security-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-security/>
List-Post: <mailto:freebsd-security@freebsd.org>
List-Help: <mailto:freebsd-security-request@freebsd.org?subject=help>
List-Subscribe: <https://lists.freebsd.org/mailman/listinfo/freebsd-security>, 
 <mailto:freebsd-security-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Mon, 11 Jul 2016 19:00:45 -0000

This is an OpenPGP/MIME signed message (RFC 4880 and 3156)
--lltlppxNlMO90TBfKxss3RoASxqmhXSxg
Content-Type: multipart/mixed; boundary="FG8GOdFswa7RWPDvlkjjOQbh245VwOePp"
From: Jung-uk Kim <jkim@FreeBSD.org>
To: Slawa Olhovchenkov <slw@zxy.spb.ru>
Cc: Andrey Chernov <ache@freebsd.org>, Mathieu Arnold <mat@FreeBSD.org>,
 FreeBSD-current <freebsd-current@FreeBSD.org>,
 freebsd-security <freebsd-security@freebsd.org>
Message-ID: <f7bb30d6-6c22-4e21-ff8f-a25480ac0278@FreeBSD.org>
Subject: Re: GOST in OPENSSL_BASE
References: <20160710133019.GD20831@zxy.spb.ru>
 <f35c1806-c06d-0d46-1c8a-58a56adef9a7@freebsd.org>
 <a4f0585d-cc99-e44a-7f59-0dd23e3c969f@FreeBSD.org>
 <20160711184122.GP46309@zxy.spb.ru>
In-Reply-To: <20160711184122.GP46309@zxy.spb.ru>

--FG8GOdFswa7RWPDvlkjjOQbh245VwOePp
Content-Type: text/plain; charset=windows-1252
Content-Transfer-Encoding: quoted-printable

On 07/11/16 02:41 PM, Slawa Olhovchenkov wrote:
> On Mon, Jul 11, 2016 at 02:28:45PM -0400, Jung-uk Kim wrote:
>=20
>> On 07/10/16 10:10 AM, Andrey Chernov wrote:
>>> On 10.07.2016 16:30, Slawa Olhovchenkov wrote:
>>>> I am surprised lack of support GOST in openssl-base.
>>>> Can be this enabled before 11.0 released?
>>>
>>> AFAIK openssl maintainers says something like they can't support this=

>>> code and it will become rotten shortly with new changes, so they drop=
 it.
>>
>> [OpenSSL-maintainer-for-the-base hat on]
>>
>> GOST is supported on FreeBSD 10.x and 11.x.  We will not drop it on
>> these branches unless secteam explicitly ask us to do so.  However, we=

>> *may* drop it from 12.0 *iff* we import OpenSSL 1.1.0 branch.
>>
>> [OpenSSL-maintainer-for-the-base hat off]
>>
>> Jung-uk Kim
>>
>=20
> Thanks!
>=20
> May be need file PR for dns/bind910?
>=20
> # grep -3 BROK /poudriere/ports/default/dns/bind910/Makefile
> .include <bsd.port.pre.mk>
>=20
> .if ( ${PORT_OPTIONS:MGOST} || ${PORT_OPTIONS:MGOST_ASN1} ) && ${SSL_DE=
FAULT} =3D=3D base
> BROKEN=3D OpenSSL from the base system does not support GOST, add \
>         DEFAULT_VERSIONS+=3Dssl=3Dopenssl to your /etc/make.conf and re=
build everything \
>         that needs SSL.
> .endif

FreeBSD 9.3 is still supported but GOST is not available there.  It
seems the ports maintainer didn't want to break it on 9.3 (CC added).
Version check may be needed there.

Jung-uk Kim


--FG8GOdFswa7RWPDvlkjjOQbh245VwOePp--

--lltlppxNlMO90TBfKxss3RoASxqmhXSxg
Content-Type: application/pgp-signature; name="signature.asc"
Content-Description: OpenPGP digital signature
Content-Disposition: attachment; filename="signature.asc"

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2

iQEcBAEBCAAGBQJXg+zYAAoJEHyflib82/FGqUcH/3BZje39Cz/9CWG8hDkE21w6
+o5lBJadM+rM0+7zCpfcCZ5FGJ/+IqGW/HWIjS1HyfkUrCouMU7dkYBEm1S/Lgfh
lZge8AjUi1hgnwyUsJpEAtsCmH4d+t+IVZuJIjuLCv3qqsXsgughq1ql55yxJDx4
woFyFo/5VXgZeapNcXPyVpdV8EXcSGiqgUIH/qIXcjOFeZgtfN8GnPCXFAe2zYZQ
r+rNJpgQ8plZtSTYJeMCEo40qcqxGO4uFwIbhBVODjvt79PH0ZuKQeosSRo0AN7I
6bStkQAjSH73En9mJaQ/mAMroiOH7XpNpWVt2iuirO72bgWCgeUlsTKr+8eH7vU=
=g93h
-----END PGP SIGNATURE-----

--lltlppxNlMO90TBfKxss3RoASxqmhXSxg--