From nobody Sat Jul 15 15:00:45 2023
Date: Sat, 15 Jul 2023 15:00:45 GMT
Message-Id: <202307151500.36FF0jjQ039346@gitrepo.freebsd.org>
To: doc-committers@FreeBSD.org, dev-commits-doc-all@FreeBSD.org
From: Lorenzo Salvadore Subject: git: eb2d1d5c67 - main - Status/2023Q2/openssl3.adoc: Add report List-Id: Commit messages for all branches of the doc repository List-Archive: https://lists.freebsd.org/archives/dev-commits-doc-all List-Help: List-Post: List-Subscribe: List-Unsubscribe: Sender: owner-dev-commits-doc-all@freebsd.org X-BeenThere: dev-commits-doc-all@freebsd.org MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: 8bit X-Git-Committer: salvadore X-Git-Repository: doc X-Git-Refname: refs/heads/main X-Git-Reftype: branch X-Git-Commit: eb2d1d5c67c738c8804c06b6c42318f77ff133e9 Auto-Submitted: auto-generated X-ThisMailContainsUnwantedMimeParts: N The branch main has been updated by salvadore: URL: https://cgit.FreeBSD.org/doc/commit/?id=eb2d1d5c67c738c8804c06b6c42318f77ff133e9 commit eb2d1d5c67c738c8804c06b6c42318f77ff133e9 Author: Pierre Pronchery AuthorDate: 2023-07-15 14:56:04 +0000 Commit: Lorenzo Salvadore CommitDate: 2023-07-15 14:56:04 +0000 Status/2023Q2/openssl3.adoc: Add report Reviewed by: carlavilla Approved by: carlavilla (mentor) Differential Revision: https://reviews.freebsd.org/D40974 --- .../en/status/report-2023-04-2023-06/openssl3.adoc | 38 ++++++++++++++++++++++ 1 file changed, 38 insertions(+) diff --git a/website/content/en/status/report-2023-04-2023-06/openssl3.adoc b/website/content/en/status/report-2023-04-2023-06/openssl3.adoc new file mode 100644 index 0000000000..119ee459c4 --- /dev/null +++ b/website/content/en/status/report-2023-04-2023-06/openssl3.adoc 
@@ -0,0 +1,38 @@ +=== OpenSSL 3 in base + +Links: + +link:https://www.openssl.org/source/[OpenSSL Downloads] URL: link:https://www.openssl.org/source/[] + +link:https://www.openssl.org/blog/blog/2021/09/07/OpenSSL3.Final/[OpenSSL 3.0 Has Been Released!] URL: link:https://www.openssl.org/blog/blog/2021/09/07/OpenSSL3.Final/[] + +link:https://www.openssl.org/docs/man3.0/man1/openssl-fipsinstall.html[openssl-fipsinstall] URL: link:https://www.openssl.org/docs/man3.0/man1/openssl-fipsinstall.html[] + +Contact: Pierre Pronchery + +Pierre has been tasked with importing OpenSSL 3 into the base system. + +OpenSSL is a library for general-purpose cryptography and secure communication. +It provides an Open Source implementation of the SSL and TLS network protocols, which are widely used in applications such as e-mail, instant messaging, Voice over IP (VoIP), or more prominently the global Web (aka HTTPS). +Assuming that the Apache and nginx web servers use OpenSSL, their combined market share for web traffic exceeds 50%, cementing the leadership and critical importance of OpenSSL as part of Internet's infrastructure. + +Since its initial release in August 2016, the 1.1 branch of OpenSSL has been adopted by most Linux and BSD systems, while remaining supported by the upstream maintainers through a Long Term Support policy. +However, official support is planned to end in the middle of September this year, and it became urgent and necessary to consider adopting its successor for Long Term Support, the 3.0 branch. + +OpenSSL has largely outgrown its ancestor SSLeay, now shipping over half a million single lines of code (SLOC) split in over 2.000 files. +Perhaps as a consequence, its build system is relatively complex and normally requires Perl, which has been removed from FreeBSD's base system since 5.0-RELEASE. 
+Thankfully however, it was possible to import and setup OpenSSL's 3.0.9 release the FreeBSD way, and it is now part of the base system as planned for FreeBSD's 14.0 release. + +It is an understatement to mention that OpenSSL 3 is a new major release. +First, its problematic licensing model has finally been solved, with a complete switch to the Apache License 2.0. +Then, OpenSSL 3 introduces the concept of provider modules. +While obsolete cryptographical algorithms have been isolated away into a "legacy" module, it is also possible to restrict the implementation to standards part of link:https://en.wikipedia.org/wiki/Federal_Information_Processing_Standards[FIPS] with the "fips" module. +The latter can then benefit from a dedicated certification process, and be validated officially (like the 3.0.8 release when writing these lines). + +Moreover, the updated library comes with a version bump, as applications using OpenSSL 1.1 need to be recompiled to use 3.0. +Many API functions have been deprecated and replaced with newer, more generic alternatives, however it is still possible to explicitly request older APIs and have OpenSSL 3 expose them accordingly. +This possibility has been leveraged in FreeBSD to help with the transition, where a number of libraries and applications have simply been configured to request the OpenSSL 1.1 API. +These components will be updated progressively over time in order to consume OpenSSL 3's native API instead. + +While there is a known performance impact associated with the update when consuming small input block sizes, it was found to be marginal when working with blocks of 1 KB and above. +Another challenge lies with the FIPS provider module, which currently requires some manual steps in order to have it working. +We are currently looking for a solution to ship FreeBSD with a functional FIPS provider by default. + +Sponsor: The FreeBSD Foundation
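Review bot: the FIPS paragraph says the provider "currently requires some manual steps in order to have it working" but never names them, even though the links section at the top of the file already points at openssl-fipsinstall; stating that the manual step is (presumably) running openssl-fipsinstall to generate the module configuration would tell readers what is missing from the default install and why the "fips" module is not usable out of the box despite the 3.0.8 validation mentioned earlier. A few copy nits in the same hunk: "it was possible to import and setup OpenSSL's 3.0.9 release the FreeBSD way" should read "set up" (verb), "split in over 2.000 files" should use the English thousands separator "2,000" since "2.000" reads as two point zero in English, and "obsolete cryptographical algorithms" is normally "cryptographic".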