From owner-freebsd-security@freebsd.org Fri Dec 11 09:14:05 2020
Subject: Re: FreeBSD Security Advisory FreeBSD-SA-20:33.openssl
To: freebsd-security@freebsd.org
References: <20201209230300.03251CA1@freefall.freebsd.org> <20201211064628.GM31099@funkthat.com>
From: Robert Schulze
Organization: bytecamp GmbH
Message-ID: <72f2110e-8f1b-76ca-4dd8-2d7283b951d6@bytecamp.net>
Date: Fri, 11 Dec 2020 10:14:01 +0100
In-Reply-To: <20201211064628.GM31099@funkthat.com>
Hi,

On 11.12.20 at 07:46, John-Mark Gurney wrote:
>
> Assuming 13 releases w/ OpenSSL, we'll be in an even worse situation
> than we are now. OpenSSL 3.0.0 has no support commitment announced
> yet, and sticking with 1.1.1 for 13 will put us in an even worse
> situation than we are today.
>
> What are people's thoughts on how to address the support mismatch between
> FreeBSD and OpenSSL? And how to address it?
>
> IMO, FreeBSD does need to do something, and staying w/ OpenSSL does
> not look like a viable option.
>

You may install a current OpenSSL via ports if you like to.

I don't see any OpenSSL fork as being more reliable than its predecessor, but much work has been done in the ports tree to enable the system administrator to switch.

There is not much left (if anything) to be done in FreeBSD itself regarding the standard crypto library.

Regards,
Robert Schulze