On Aug 24 21:18, Bernard Spil wrote:
Today new vulnerabilities with (3)DES and Blowfish were made public and
I believe we'll see release of another paper which is OpenSSL 1.1
related with the release of OpenSSL 1.1.0. I have no knowledge if the
paper/report contained vulnerabilities that have postponed the release
of 1.1.0 but I think that is likely. That would mean that these
vulnerabilities have been solved pre-release.

As far as I know x25519 is still a Draft RFC so unlikely to appear in
browsers for a while. I can see LibreSSL adding this as well, whether
in the draft version or in the final. This they did with
ChaCha20/Poly1305 as well (draft in 2.3, release in 2.4). The LibreSSL
devs would have closed the request if they didn't intend to support it
https://github.com/libressl-portable/portable/issues/114

I don't think that FreeBSD will be making LibreSSL the
libssl/libcrypto provider any time soon. The support timelines for
LibreSSL (<1.5 years) are just too short for the FreeBSD release
support (>3 years). OpenSSL is speeding up the release cycle as well
but at least we can rely on Red Hat to backport changes to older
versions.

LibreSSL in base is a bit more than playing, it is becoming the
default in HardenedBSD very soon and very likely in TrueOS (AKA
PC-BSD) as of 11.0 RELEASE. Both HardenedBSD and TrueOS have a
different attitude towards updating things in the base system as they
do not serve as upstream to other projects/products that require
longer support timelines. Come see my talk at EuroBSDCon, it will
contain LibreSSL in base things.

Cheers,
Bernard.

Thanks for that reply. That answers things quite nicely. I believe
x25519 is currently in Chrome:
https://www.ssllabs.com/ssltest/viewClient.html?name=Chrome&version=51&platform=Win%207&key=126
It has x25519 listed as an Elliptic curve near the bottom. So for that
reason I am interested in enabling it as I like to do things bleeding
edge! I will probably stick with security/libressl-devel for the
foreseeable future though I think and at least wait and see what people
make of OpenSSL 1.1 after a few months if only for the fact it's a bit
of a pain to switch back again by recompiling everything.
--
Matt
_______________________________________________
freebsd-ports@freebsd.org mailing list
https://lists.freebsd.org/mailman/listinfo/freebsd-ports