GOST in OPENSSL_BASE

Andrey Chernov ache at freebsd.org
Mon Jul 11 22:45:04 UTC 2016


On 11.07.2016 21:41, Slawa Olhovchenkov wrote:
> On Mon, Jul 11, 2016 at 02:28:45PM -0400, Jung-uk Kim wrote:
> 
>> On 07/10/16 10:10 AM, Andrey Chernov wrote:
>>> On 10.07.2016 16:30, Slawa Olhovchenkov wrote:
>>>> I am surprised by the lack of GOST support in openssl-base.
>>>> Can this be enabled before 11.0 is released?
>>>
>>> AFAIK the openssl maintainers say something like they can't support this
>>> code and it will become rotten shortly with new changes, so they drop it.
>>
>> [OpenSSL-maintainer-for-the-base hat on]
>>
>> GOST is supported on FreeBSD 10.x and 11.x.  We will not drop it on
>> these branches unless secteam explicitly asks us to do so.  However, we
>> *may* drop it from 12.0 *iff* we import the OpenSSL 1.1.0 branch.
>>
>> [OpenSSL-maintainer-for-the-base hat off]
>>
>> Jung-uk Kim
>>
> 
> Thanks!
> 
> Maybe a PR needs to be filed for dns/bind910?
> 
> # grep -3 BROK /poudriere/ports/default/dns/bind910/Makefile
> .include <bsd.port.pre.mk>
> 
> .if ( ${PORT_OPTIONS:MGOST} || ${PORT_OPTIONS:MGOST_ASN1} ) && ${SSL_DEFAULT} == base
> BROKEN= OpenSSL from the base system does not support GOST, add \
>         DEFAULT_VERSIONS+=ssl=openssl to your /etc/make.conf and rebuild everything \
>         that needs SSL.
> .endif
> 

I dislike the idea of using GOST in bind; it is unneeded there, DNSSEC
doesn't use GOST, so I vote for removing the GOST option from there.


