Date: Thu, 20 Apr 2023 15:14:27 +0200 (CEST)
From: Joerg Pulz <Joerg.Pulz@frm2.tum.de>
To: freebsd-arch <freebsd-arch@freebsd.org>
Subject: Re: OpenSSL in the FreeBSD base system / FreeBSD 14
Message-ID: <nycvar.OFS.7.77.840.2304201411080.78141@unqrf.nqzva.sez2.ghz.qr>
In-Reply-To: <CAPyFy2Afao5tnujFtwiF6avdkqAXRGDOTSq-JSCkHvvbfUvhaA@mail.gmail.com>
References: <CAPyFy2Afao5tnujFtwiF6avdkqAXRGDOTSq-JSCkHvvbfUvhaA@mail.gmail.com>

On Wed, 19 Apr 2023, Ed Maste wrote:

> There have been a few discussions on this topic in different venues,
> but we should consolidate the discussion on a public mailing list.
> This email represents a summary of the issues and the current state;
> we'll discuss next steps in follow-up mail.
>
> FreeBSD 14 is coming soon, and one outstanding task is dealing with
> OpenSSL in the base system. The base system currently has OpenSSL
> 1.1.1, and it will be EOL as of 2023-09-11.
>
> There are two related issues:
>
> - The base system needs to migrate from OpenSSL 1.1.1.
> - The ports collection currently makes use of OpenSSL provided by the
> base system by default, with some exceptions.
>
> Changing the base system OpenSSL into a privatelib would decouple
> these two, so that the base system and ports can migrate to OpenSSL 3
> (or even to other implementations) on their own schedules. We have a
> number of privatelibs today, like libevent, that are used by the base
> system but not by ports. All OpenSSL-using ports will need
> security/openssl (or another openssl port).
>
> A related issue is base system libraries that depend on OpenSSL would
> also need to be made private. This includes gssapi, heimdal, and
> libfetch.
>
> This leaves the actual task of updating OpenSSL in the base system,
> which is complicated because we use bespoke build infrastructure in
> crypto/openssl/ rather than the upstream build bits. For better or
> worse this is the typical case for all of our contrib software, but
> OpenSSL is particularly tricky as it makes use of a large number of
> generated files, and those files are generated using Perl and perhaps
> other tools that are not available in the FreeBSD base system. Porting
> this to the base system is not insurmountable, but requires a fairly
> large amount of tedious work.
>
> This should serve as a snapshot of where we are today and a starting
> point for discussion; we'll formulate a list of specific tasks in a
> follow-up.

Would the OpenSSL privatelib change mean that it's no longer possible to
build and link base software against libs from ports given that those libs
are linked to OpenSSL from ports then?

e.g.
link base Sendmail (with OpenSSL privatelib) with libsasl from
security/cyrus-sasl2 and libldap from net/openldap26-client which are then
linked with libssl and libcrypto from security/openssl
or
link base Heimdal (with OpenSSL privatelib) with libldap from
net/openldap26-client which is then linked with libssl and libcrypto from
security/openssl

Both examples above are maybe not common but in use by myself since "ages".

If such setups will no longer work with OpenSSL privatelib and updating
OpenSSL in base is such a complicated, heavy and time consuming task, one
could ask - why use OpenSSL instead of one other SSL implementation in base
at all?

This is not a rant against OpenSSL but if any other implementation provides
the same as OpenSSL for base with a compatible license and an easier update
path for the long term why not switch completely? If it's then private in
base (and of no use outside) anyway nobody outside base should care what it
is.

Joerg

--
The beginning is the most important part of the work.
-Plato
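
A check for the situation the message above asks about, as an added example that is not part of the original e-mail or of the FreeBSD tree: it lists every distinct libssl/libcrypto file named in ldd(1)-style output and flags a binary whose dependency closure names more than one copy. The `libprivate` prefix, the sonames and the sample lines are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the thread. Assumption: a private base copy would be
# named libprivatessl/libprivatecrypto; ports copies keep the upstream names.

# openssl_copies: read ldd(1)-style output on stdin and print
# "<family> <resolved path>" once per distinct libssl/libcrypto file.
openssl_copies() {
    awk '
        # Dependency lines have the form: NAME => PATH (ADDRESS)
        $2 == "=>" && $1 ~ /^lib(private)?(ssl|crypto)\.so/ {
            fam = ($1 ~ /crypto/) ? "crypto" : "ssl"
            if (!((fam, $3) in seen)) { seen[fam, $3] = 1; print fam, $3 }
        }
    ' | sort
}

# has_mixed_openssl: succeed (exit 0) when either family resolves to more
# than one file, i.e. two OpenSSL copies would be mapped into one process.
has_mixed_openssl() {
    openssl_copies |
        awk '{ n[$1]++ } END { exit !(n["crypto"] > 1 || n["ssl"] > 1) }'
}

# Constructed sample (hypothetical sonames and addresses): a base binary
# using a private OpenSSL plus a ports library that pulls in ports OpenSSL.
SAMPLE_MIXED='/usr/sbin/sendmail:
    libprivatessl.so.3 => /usr/lib/libprivatessl.so.3 (0x800280000)
    libprivatecrypto.so.3 => /usr/lib/libprivatecrypto.so.3 (0x800400000)
    libsasl2.so.3 => /usr/local/lib/libsasl2.so.3 (0x800700000)
    libssl.so.12 => /usr/local/lib/libssl.so.12 (0x800900000)
    libcrypto.so.12 => /usr/local/lib/libcrypto.so.12 (0x800a00000)
    libc.so.7 => /lib/libc.so.7 (0x800e00000)'

printf '%s\n' "$SAMPLE_MIXED" | openssl_copies
if printf '%s\n' "$SAMPLE_MIXED" | has_mixed_openssl; then
    echo "mixed: more than one OpenSSL copy in the dependency closure"
fi
```

On a live system, pipe the output of `ldd` for the binary in question into `openssl_copies` instead of the sample.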