Date: Fri, 3 Dec 1999 23:26:04 -0800 (PST)
From: Kris Kennaway <kris@hub.freebsd.org>
To: current@freebsd.org
Subject: Importing OpenSSL
Message-ID: <Pine.BSF.4.21.9912032252070.27529-100000@hub.freebsd.org>

I would like to get OpenSSL imported into -current. I currently have the build framework almost ready to go, I'm just running some buildworld tests to make sure it's working properly.

OpenSSL would give a number of potential benefits. Some of the coolest ones are:

* Precursor to importing OpenSSH and providing secure network connectivity out-of-the-box

* Possibility of teaching fetch to talk to https servers (i.e. talk SSL)

* Fixing the HUGE SECURITY HOLE in CTM, namely the fact that it provides no authentication of what it's stuffing into your source tree (it only provides integrity).

* Integration of cryptography into other parts of the system where it would be useful.

There are potential issues which need to be addressed before this can proceed, namely how to best deal with US patent restrictions on e.g. the RSA code. What I'm thinking of is this:

* distribution sites within the US carry an "openssl-lite" distribution which has all the RSA code removed, plus anything else which is usage restricted (IDEA?). This absolves them from any legal liability for providing patented source code. International sites carry the full version.

* Supposing someone in the US downloads the RSA code from an international site, the RSA code would only be built conditional on USA_RESIDENT == NO. Currently we don't set USA_RESIDENT out of the box (AFAIK) - this would mean that US people have to take explicit action in order to have RSA binary code built. At least this way no-one will accidentally ship a product containing RSA, although I don't know if it's still illegal to just possess (non-RSAREF) RSA source without a license.

This has the downside that international folks have to also take explicit action to get RSA built, but it's probably better to be conservative and document the process well.

I think it's high time we expanded our cryptographic support beyond the bare minimum of DES - anyone violently disagree?

Kris