Upcoming OpenSSL 1.1.0 release
Bernard Spil
brnrd at FreeBSD.org
Wed Aug 24 19:27:42 UTC 2016
On 2016-08-23 14:42, Matt Smith wrote:
> On Aug 22 20:39, Mathieu Arnold wrote:
>> ports-committers is a *NEVER POST DIRECTLY TO* list, so, moving it to
>> ports@ where this belongs a lot more.
>>
>> +--On 22 août 2016 20:30:15 +0200 Bernard Spil <brnrd at FreeBSD.org>
>> wrote:
>> | Curious to know how we should proceed with the upgrade of the OpenSSL
>> | port to 1.1.0!
>>
>> All ports need to work with it, I'm sure software like BIND9 does not build
>> with it.
>>
>> -- Mathieu Arnold
>
> Going slightly off-topic, I'm curious what the opinion is around this
> and LibreSSL. My understanding is that LibreSSL was forked from OpenSSL
> 1.0.1 and they have not backported newer stuff from OpenSSL. I also
> believe OpenSSL now has several full time paid developers working on it
> and that the 1.1 release has some significant changes under the hood?
>
> I've been using LibreSSL for a while so that I can get chacha20 support
> but OpenSSL 1.1 will not only have chacha20, but will also have x25519
> support as well. This along with what I said above is making me think it
> might be better to go back to OpenSSL.
>
> I just wondered what people in the know think about the current
> situation with these two things. Plus are there any roadmaps for the
> future of FreeBSD regarding the defaults. Is the project ever going to
> look at making LibreSSL the default port, or will that be kept as
> OpenSSL for many years to come? I know Bernard has been looking into
> that and playing around with LibreSSL in base etc. Just curious what the
> official policy is going to be on that.
Hi Matt,
Today new vulnerabilities with (3)DES and BlowFish were made public and
I believe we'll see the release of another paper which is OpenSSL 1.1
related with the release of OpenSSL 1.1.0. I have no knowledge if the
paper/report contained vulnerabilities that have postponed the release
of 1.1.0 but I think that is likely. That would mean that these
vulnerabilities have been solved pre-release.
As far as I know x25519 is still a Draft RFC so unlikely to appear in
browsers for a while. I can see LibreSSL adding this as well, whether in
the draft version or in the final. This they did with ChaCha20/Poly1305
as well (draft in 2.3, release in 2.4). The LibreSSL devs would have
closed the request if they didn't intend to support it
https://github.com/libressl-portable/portable/issues/114
I don't think that FreeBSD will be making LibreSSL the libssl/libcrypto
provider any time soon. The support timelines for LibreSSL (<1.5 years)
are just too short for the FreeBSD release support (>3 years). OpenSSL
is speeding up the release cycle as well but at least we can rely on
RedHat to backport changes to older versions.
LibreSSL in base is a bit more than playing, it is becoming the default
in HardenedBSD very soon and very likely in TrueOS (AKA PC-BSD) as of
11.0 RELEASE. Both HardenedBSD and TrueOS have a different attitude
towards updating things in the base system as they do not serve as
upstream to other projects/products that require longer support
timelines. Come see my talk at EuroBSDCon, it will contain LibreSSL in
base things.
Cheers,
Bernard.
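The (3)DES vulnerabilities Bernard mentions are the reason a port maintainer or admin would want to know which suites in an OpenSSL build still use a 64-bit block cipher. The following is an added example, not code from this thread or from the OpenSSL or FreeBSD projects: it parses the line format that `openssl ciphers -v` prints, flags suites whose Enc= field is a 64-bit block cipher, and derives the cipher-string keywords (`3DES`, `DES`, `IDEA`, `RC2`, all documented in ciphers(1)) needed to exclude them. The sample lines are constructed to match that format; Blowfish is not a TLS cipher-suite algorithm, so it never appears in this output and is out of scope for this check.

```python
"""Flag 64-bit-block ciphers in `openssl ciphers -v` output.

Added example, not part of the mailing-list thread. SAMPLE_CIPHERS below
is constructed to mimic `openssl ciphers -v 'ALL'` output; feed the real
command's output to audit_cipher_list() for a live check.
"""
import re

# Enc= values that denote a 64-bit block cipher. Each of these is also a
# valid keyword in an OpenSSL cipher string, so the same names can be
# used to build the exclusion list.
SIXTY_FOUR_BIT_BLOCK = {"3DES", "DES", "IDEA", "RC2"}

# One line of `openssl ciphers -v`:
#   NAME PROTOCOL Kx=... Au=... Enc=ALG(BITS) Mac=...
# The Enc= value may contain '/' (e.g. CHACHA20/POLY1305) and the (BITS)
# part is optional.
CIPHER_LINE = re.compile(
    r"^(?P<name>\S+)\s+(?P<proto>\S+)\s+Kx=(?P<kx>\S+)\s+Au=(?P<au>\S+)"
    r"\s+Enc=(?P<enc>[^\s(]+)(?:\((?P<bits>\d+)\))?\s+Mac=(?P<mac>\S+)"
)

# Constructed sample, formatted like `openssl ciphers -v 'ALL'` output.
SAMPLE_CIPHERS = """\
ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AESGCM(256) Mac=AEAD
ECDHE-RSA-CHACHA20-POLY1305 TLSv1.2 Kx=ECDH     Au=RSA  Enc=CHACHA20/POLY1305(256) Mac=AEAD
ECDHE-RSA-DES-CBC3-SHA  SSLv3 Kx=ECDH     Au=RSA  Enc=3DES(168) Mac=SHA1
DES-CBC3-SHA            SSLv3 Kx=RSA      Au=RSA  Enc=3DES(168) Mac=SHA1
IDEA-CBC-SHA            SSLv3 Kx=RSA      Au=RSA  Enc=IDEA(128) Mac=SHA1
AES128-SHA              SSLv3 Kx=RSA      Au=RSA  Enc=AES(128)  Mac=SHA1
"""


def parse_cipher_line(line):
    """Parse one `openssl ciphers -v` line into a dict, or None if it
    does not match the expected format (blank lines, warnings, etc.)."""
    m = CIPHER_LINE.match(line.strip())
    if not m:
        return None
    entry = m.groupdict()
    entry["bits"] = int(entry["bits"]) if entry["bits"] else None
    return entry


def is_64bit_block(entry):
    """True if the suite's bulk cipher has a 64-bit block size."""
    return entry["enc"].upper() in SIXTY_FOUR_BIT_BLOCK


def audit_cipher_list(text):
    """Return the names of suites (in listing order) that use a 64-bit
    block cipher, given the text of `openssl ciphers -v`."""
    flagged = []
    for line in text.splitlines():
        entry = parse_cipher_line(line)
        if entry and is_64bit_block(entry):
            flagged.append(entry["name"])
    return flagged


def exclusion_string(text, base="HIGH"):
    """Build an OpenSSL cipher string that starts from `base` and excludes
    every 64-bit block cipher family found in `text`, e.g. 'HIGH:!3DES'."""
    seen = []
    for line in text.splitlines():
        entry = parse_cipher_line(line)
        if entry and is_64bit_block(entry):
            keyword = entry["enc"].upper()
            if keyword not in seen:
                seen.append(keyword)
    return ":".join([base] + ["!" + k for k in seen])


if __name__ == "__main__":
    # With real output: openssl ciphers -v 'ALL' | python3 this_script.py
    import sys
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_CIPHERS
    for name in audit_cipher_list(text):
        print("64-bit block cipher suite:", name)
    print("suggested cipher string:", exclusion_string(text))
```

Running the audit against the constructed sample flags the two 3DES suites and the IDEA suite and proposes `HIGH:!3DES:!IDEA`; against a real build the output tells you whether a port's default cipher string still admits these suites before the upstream defaults change.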