On 2016-08-23 14:42, Matt Smith wrote:
On Aug 22 20:39, Mathieu Arnold wrote:
ports-committers is a *NEVER POST DIRECTLY TO* list, so, moving it to
ports@ where this belongs a lot more.

+--On 22 August 2016 20:30:15 +0200 Bernard Spil <br...@freebsd.org> wrote:
| Curious to know how we should proceed with the upgrade of the OpenSSL
| port to 1.1.0!

All ports need to work with it; I'm sure software like BIND9 does not build
with it.

-- Mathieu Arnold

Going slightly off-topic, I'm curious what the opinion is around this
and LibreSSL. My understanding is that LibreSSL was forked from OpenSSL
1.0.1 and they have not backported newer stuff from OpenSSL. I also
believe OpenSSL now has several full time paid developers working on it
and that the 1.1 release has some significant changes under the hood?

I've been using LibreSSL for a while so that I can get chacha20 support
but OpenSSL 1.1 will not only have chacha20, but will also have x25519
support as well. This along with what I said above is making me think it
might be better to go back to OpenSSL.

I just wondered what people in the know think about the current
situation with these two things. Plus are there any roadmaps for the
future of FreeBSD regarding the defaults. Is the project ever going to
look at making LibreSSL the default port, or will that be kept as
OpenSSL for many years to come? I know Bernard has been looking into
that and playing around with LibreSSL in base etc. Just curious what the
official policy is going to be on that.

Hi Matt,

Today new vulnerabilities with (3)DES and BlowFish were made public and I believe we'll see release of another paper which is OpenSSL 1.1 related with the release of OpenSSL 1.1.0. I have no knowledge if the paper/report contained vulnerabilities that have postponed the release of 1.1.0 but I think that is likely. That would mean that these vulnerabilities have been solved pre-release.

As far as I know x25519 is still a draft RFC, so it is unlikely to appear in browsers for a while. I can see LibreSSL adding this as well, whether in the draft version or in the final. They did this with ChaCha20/Poly1305 as well (draft in 2.3, release in 2.4). The LibreSSL devs would have closed the request if they didn't intend to support it: https://github.com/libressl-portable/portable/issues/114

I don't think that FreeBSD will be making LibreSSL the libssl/libcrypto provider any time soon. The support timelines for LibreSSL (<1.5 years) are just too short for the FreeBSD release support (>3 years). OpenSSL is speeding up the release cycle as well but at least we can rely on RedHat to backport changes to older versions.

LibreSSL in base is a bit more than playing, it is becoming the default in HardenedBSD very soon and very likely in TrueOS (AKA PC-BSD) as of 11.0 RELEASE. Both HardenedBSD and TrueOS have a different attitude towards updating things in the base system as they do not serve as upstream to other projects/products that require longer support timelines. Come see my talk at EuroBSDCon, it will contain LibreSSL in base things.

Cheers,

Bernard.
_______________________________________________
freebsd-ports@freebsd.org mailing list
https://lists.freebsd.org/mailman/listinfo/freebsd-ports