Upcoming OpenSSL 1.1.0 release

Bernard Spil brnrd at FreeBSD.org
Wed Aug 24 19:27:42 UTC 2016


On 2016-08-23 14:42, Matt Smith wrote:
> On Aug 22 20:39, Mathieu Arnold wrote:
>> ports-committers is a *NEVER POST DIRECTLY TO* list, so, moving it to
>> ports@ where this belongs a lot more.
>> 
>> +--On 22 August 2016 20:30:15 +0200 Bernard Spil <brnrd at FreeBSD.org>
>> wrote:
>> | Curious to know how we should proceed with the upgrade of the OpenSSL
>> | port to 1.1.0!
>> 
>> All ports need to work with it, I'm sure software like BIND9 does not
>> build with it.
>> 
>> -- Mathieu Arnold
> 
> Going slightly off-topic, I'm curious what the opinion is around this
> and LibreSSL. My understanding is that LibreSSL was forked from OpenSSL
> 1.0.1 and they have not backported newer stuff from OpenSSL. I also
> believe OpenSSL now has several full time paid developers working on it
> and that the 1.1 release has some significant changes under the hood?
> 
> I've been using LibreSSL for a while so that I can get chacha20 support
> but OpenSSL 1.1 will not only have chacha20, but will also have x25519
> support as well. This along with what I said above is making me think it
> might be better to go back to OpenSSL.
> 
> I just wondered what people in the know think about the current
> situation with these two things. Plus are there any roadmaps for the
> future of FreeBSD regarding the defaults. Is the project ever going to
> look at making LibreSSL the default port, or will that be kept as
> OpenSSL for many years to come? I know Bernard has been looking into
> that and playing around with LibreSSL in base etc. Just curious what the
> official policy is going to be on that.

Hi Matt,

Today new vulnerabilities with (3)DES and BlowFish were made public, and 
I believe we'll see the release of another paper which is OpenSSL 1.1 
related with the release of OpenSSL 1.1.0. I have no knowledge of whether 
the paper/report contained vulnerabilities that have postponed the 
release of 1.1.0, but I think that is likely. That would mean that these 
vulnerabilities have been solved pre-release.

As far as I know, x25519 is still a draft RFC, so it is unlikely to appear 
in browsers for a while. I can see LibreSSL adding this as well, whether 
in the draft version or in the final. They did this with ChaCha20/Poly1305 
as well (draft in 2.3, release in 2.4). The LibreSSL devs would have 
closed the request if they didn't intend to support it: 
https://github.com/libressl-portable/portable/issues/114

I don't think that FreeBSD will be making LibreSSL the libssl/libcrypto 
provider any time soon. The support timelines for LibreSSL (<1.5 years) 
are just too short for the FreeBSD release support (>3 years). OpenSSL 
is speeding up the release cycle as well but at least we can rely on 
RedHat to backport changes to older versions.

LibreSSL in base is a bit more than playing, it is becoming the default 
in HardenedBSD very soon and very likely in TrueOS (AKA PC-BSD) as of 
11.0 RELEASE. Both HardenedBSD and TrueOS have a different attitude 
towards updating things in the base system as they do not serve as 
upstream to other projects/products that require longer support 
timelines. Come see my talk at EuroBSDCon; it will contain LibreSSL-in-base 
things.

Cheers,

Bernard.
