git: eb2d1d5c67 - main - Status/2023Q2/openssl3.adoc: Add report

Go to: [ bottom of page ] [ top of archives ] [ this month ]
From: Lorenzo Salvadore <salvadore_at_FreeBSD.org>
Date: Sat, 15 Jul 2023 15:00:45 UTC
The branch main has been updated by salvadore:

URL: https://cgit.FreeBSD.org/doc/commit/?id=eb2d1d5c67c738c8804c06b6c42318f77ff133e9

commit eb2d1d5c67c738c8804c06b6c42318f77ff133e9
Author:     Pierre Pronchery <pierre@freebsdfoundation.org>
AuthorDate: 2023-07-15 14:56:04 +0000
Commit:     Lorenzo Salvadore <salvadore@FreeBSD.org>
CommitDate: 2023-07-15 14:56:04 +0000

    Status/2023Q2/openssl3.adoc: Add report
    
    Reviewed by:    carlavilla
    Approved by:    carlavilla (mentor)
    Differential Revision:  https://reviews.freebsd.org/D40974
---
 .../en/status/report-2023-04-2023-06/openssl3.adoc | 38 ++++++++++++++++++++++
 1 file changed, 38 insertions(+)

diff --git a/website/content/en/status/report-2023-04-2023-06/openssl3.adoc b/website/content/en/status/report-2023-04-2023-06/openssl3.adoc
new file mode 100644
index 0000000000..119ee459c4
--- /dev/null
+++ b/website/content/en/status/report-2023-04-2023-06/openssl3.adoc
@@ -0,0 +1,38 @@
+=== OpenSSL 3 in base
+
+Links: +
+link:https://www.openssl.org/source/[OpenSSL Downloads] URL: link:https://www.openssl.org/source/[] +
+link:https://www.openssl.org/blog/blog/2021/09/07/OpenSSL3.Final/[OpenSSL 3.0 Has Been Released!] URL: link:https://www.openssl.org/blog/blog/2021/09/07/OpenSSL3.Final/[] +
+link:https://www.openssl.org/docs/man3.0/man1/openssl-fipsinstall.html[openssl-fipsinstall] URL: link:https://www.openssl.org/docs/man3.0/man1/openssl-fipsinstall.html[]
+
+Contact: Pierre Pronchery <pierre@freebsdfoundation.org>
+
+Pierre has been tasked with importing OpenSSL 3 into the base system.
+
+OpenSSL is a library for general-purpose cryptography and secure communication.
+It provides an Open Source implementation of the SSL and TLS network protocols, which are widely used in applications such as e-mail, instant messaging, Voice over IP (VoIP), or more prominently the global Web (aka HTTPS).
+Assuming that the Apache and nginx web servers use OpenSSL, their combined market share for web traffic exceeds 50%, cementing the leadership and critical importance of OpenSSL as part of Internet's infrastructure.
+
+Since its initial release in August 2016, the 1.1 branch of OpenSSL has been adopted by most Linux and BSD systems, while remaining supported by the upstream maintainers through a Long Term Support policy.
+However, official support is planned to end in the middle of September this year, and it became urgent and necessary to consider adopting its successor for Long Term Support, the 3.0 branch.
+
+OpenSSL has largely outgrown its ancestor SSLeay, now shipping over half a million single lines of code (SLOC) split in over 2.000 files.
+Perhaps as a consequence, its build system is relatively complex and normally requires Perl, which has been removed from FreeBSD's base system since 5.0-RELEASE.
+Thankfully however, it was possible to import and setup OpenSSL's 3.0.9 release the FreeBSD way, and it is now part of the base system as planned for FreeBSD's 14.0 release.
+
+It is an understatement to mention that OpenSSL 3 is a new major release.
+First, its problematic licensing model has finally been solved, with a complete switch to the Apache License 2.0.
+Then, OpenSSL 3 introduces the concept of provider modules.
+While obsolete cryptographical algorithms have been isolated away into a "legacy" module, it is also possible to restrict the implementation to standards part of link:https://en.wikipedia.org/wiki/Federal_Information_Processing_Standards[FIPS] with the "fips" module.
+The latter can then benefit from a dedicated certification process, and be validated officially (like the 3.0.8 release when writing these lines).
+
+Moreover, the updated library comes with a version bump, as applications using OpenSSL 1.1 need to be recompiled to use 3.0.
+Many API functions have been deprecated and replaced with newer, more generic alternatives, however it is still possible to explicitly request older APIs and have OpenSSL 3 expose them accordingly.
+This possibility has been leveraged in FreeBSD to help with the transition, where a number of libraries and applications have simply been configured to request the OpenSSL 1.1 API.
+These components will be updated progressively over time in order to consume OpenSSL 3's native API instead.
+
+While there is a known performance impact associated with the update when consuming small input block sizes, it was found to be marginal when working with blocks of 1 KB and above.
+Another challenge lies with the FIPS provider module, which currently requires some manual steps in order to have it working.
+We are currently looking for a solution to ship FreeBSD with a functional FIPS provider by default.
+
+Sponsor: The FreeBSD Foundation