Re: Upcoming OpenSSL 1.1.0 release

Wed, 24 Aug 2016 12:36:42 -0700 

On Aug 24 21:18, Bernard Spil wrote:
Today new vulnerabilities with (3)DES and BlowFish were made public and I believe we'll see release of another paper which is OpenSSL 1.1 related with the release of OpenSSL 1.1.0. I have no knowledge if the paper/report contained vulnerabilities that have postponed the release of 1.1.0 but I think that is likely. That would mean that these vulnerabilities have been solved pre-release. 


As far as I know x25519 is still a Draft RFC so unlikely to appear in 
browsers for a while. I can see LibreSSL adding this as well, whether 
in the draft version or in the final. This they did with 
ChaCha20/Poly1305 as well (draft in 2.3, release in 2.4). The LibreSSL 
devs would have closed the request if they didn't intend to support it 
https://github.com/libressl-portable/portable/issues/114



I don't think that FreeBSD will be making LibreSSL the 
libssl/libcrypto provider any time soon. The support timelines for 
LibreSSL (<1.5 years) are just too short for the FreeBSD release 
support (>3 years). OpenSSL is speeding up the release cycle as well 
but at least we can rely on RedHat to backport changes to older 
versions.



LibreSSL in base is a bit more than playing, it is becoming the 
default in HardenedBSD very soon and very likely in TrueOS (AKA 
PC-BSD) as of 11.0 RELEASE. Both HardenedBSD and TrueOS have a 
different attitude towards updating things in the base system as they 
do not serve as upstream to other projects/products that require 
longer support timelines. Come see my talk at EuroBSDCon, it will 
contain LibreSSL in base things.


Cheers,

Bernard.



Thanks for that reply. That answers things quite nicely. I believe 
x25519 is currently in chrome:


https://www.ssllabs.com/ssltest/viewClient.html?name=Chrome&version=51&platform=Win%207&key=126


It has x25519 listed as an Elliptic curve near the bottom. So for that 
reason I am interested in enabling it as I like to do things bleeding 
edge! I will probably stick with security/libressl-devel for the 
foreseeable future though I think and at least wait and see what people 
make of OpenSSL 1.1 after a few months if only for the fact it's a bit 
of a pain to switch back again by recompiling everything.


--
Matt
_______________________________________________
freebsd-ports@freebsd.org mailing list
https://lists.freebsd.org/mailman/listinfo/freebsd-ports
To unsubscribe, send any mail to "freebsd-ports-unsubscr...@freebsd.org"






















					Reply via email to