Date: Fri, 11 Dec 2020 13:57:10 +0100
From: Franco Fichtner <franco@lastsummer.de>
To: Tomasz CEDRO <tomek@cedro.info>
Cc: Martin Simmons <martin@lispworks.com>, freebsd-security@freebsd.org
Subject: Re: FreeBSD Security Advisory FreeBSD-SA-20:33.openssl
Message-ID: <6E2E0169-F2E8-4562-85BA-42FC28B07F35@lastsummer.de>
In-Reply-To: <CAM8r67B6bp6KJH20u-NfwwZEYW6GDH%2BWwRTJqiCjVoWgQQBJOg@mail.gmail.com>
References: <20201209230300.03251CA1@freefall.freebsd.org> <20201211064628.GM31099@funkthat.com> <202012111138.0BBBc2Eq006002@higson.cam.lispworks.com> <2AF24633-7E9F-4B92-8E99-6A81CD9D3AF8@lastsummer.de> <CAM8r67B6bp6KJH20u-NfwwZEYW6GDH%2BWwRTJqiCjVoWgQQBJOg@mail.gmail.com>
> On 11. Dec 2020, at 1:36 PM, Tomasz CEDRO <tomek@cedro.info> wrote:
>
> On Fri, Dec 11, 2020 at 12:44 PM Franco Fichtner wrote:
>>> On 11. Dec 2020, at 12:38 PM, Martin Simmons <martin@lispworks.com> wrote:
>>>>>>>> On Thu, 10 Dec 2020 22:46:28 -0800, John-Mark Gurney said:
>>>> What are people's thoughts on how to address the support mismatch between
>>>> FreeBSD and OpenSSL? And how to address it?
>>> Maybe it would help a little if the packages on pkg.FreeBSD.org all used the
>>> pkg version of OpenSSL? Currently, it looks like you have to build your own
>>> ports if you want that.
>>
>> This pretty much breaks LibreSSL ports usage for binary package consumers.
>
> Why not switch to LibreSSL as default? :-)

Good question.

LibreSSL lacks engine and PSK support. TLS 1.3 was tailing behind. Missing
CMS also was a large issue for those who needed it. Someone with more
in-depth knowledge can probably name more.

The other issue with LibreSSL in general is that third party support is mostly
ok, but some high profile cases have had issues with it for years: HAProxy,
OpenVPN, StrongSwan just to name a few. Having ports contributors and
committers chase these unthankful quests is probably not worth the overall
effort.

It works pretty well as a ports crypto replacement, but for the reasons listed
above it is probably not going to happen on a default scale.

Also, LibreSSL in base was a failed experiment in HardenedBSD. Its release
cycle and support policy is tailored neatly around OpenBSD releases and the
attempt to break ABI compatibility in packages while you retrofit a new version
into a minor release can fail pretty spectacularly.

I'm not being skeptical. I helped improve overall LibreSSL support in the
ports tree since 2015. The LibreSSL team is doing a great job all things
considered. This is simply the current reality of keeping LibreSSL in ports a
steady alternative.


Cheers,
Franco