Upcoming OpenSSL 1.1.0 release
Matt Smith
fbsd at xtaz.co.uk
Wed Aug 24 19:36:06 UTC 2016
On Aug 24 21:18, Bernard Spil wrote:
>Today new vulnerabilities with (3)DES and BlowFish were made public and
>I believe we'll see release of another paper which is OpenSSL 1.1
>related with the release of OpenSSL 1.1.0. I have no knowledge if the
>paper/report contained vulnerabilities that have postponed the release
>of 1.1.0 but I think that is likely. That would mean that these
>vulnerabilities have been solved pre-release.
>
>As far as I know x25519 is still a Draft RFC so unlikely to appear in
>browsers for a while. I can see LibreSSL adding this as well, whether
>in the draft version or in the final. This they did with
>ChaCha20/Poly1305 as well (draft in 2.3, release in 2.4). The LibreSSL
>devs would have closed the request if they didn't intend to support it
>https://github.com/libressl-portable/portable/issues/114
>
>I don't think that FreeBSD will be making LibreSSL the
>libssl/libcrypto provider any time soon. The support timelines for
>LibreSSL (<1.5 years) are just too short for the FreeBSD release
>support (>3 years). OpenSSL is speeding up the release cycle as well
>but at least we can rely on RedHat to backport changes to older
>versions.
>
>LibreSSL in base is a bit more than playing, it is becoming the
>default in HardenedBSD very soon and very likely in TrueOS (AKA
>PC-BSD) as of 11.0 RELEASE. Both HardenedBSD and TrueOS have a
>different attitude towards updating things in the base system as they
>do not serve as upstream to other projects/products that require
>longer support timelines. Come see my talk at EuroBSDCon, it will
>contain LibreSSL in base things.
>
>Cheers,
>
>Bernard.
Thanks for that reply. That answers things quite nicely. I believe
x25519 is currently in chrome:
https://www.ssllabs.com/ssltest/viewClient.html?name=Chrome&version=51&platform=Win%207&key=126
It has x25519 listed as an Elliptic curve near the bottom. So for that
reason I am interested in enabling it as I like to do things bleeding
edge! I will probably stick with security/libressl-devel for the
foreseeable future though I think and at least wait and see what people
make of OpenSSL 1.1 after a few months if only for the fact it's a bit
of a pain to switch back again by recompiling everything.
--
Matt
More information about the freebsd-ports
mailing list