GOST in OPENSSL_BASE
Jung-uk Kim
jkim at FreeBSD.org
Mon Jul 18 16:39:47 UTC 2016
On 07/18/16 08:12 AM, Mathieu Arnold wrote:
> Hi,
>
> +--On 11 juillet 2016 22:56:00 +0300 Slawa Olhovchenkov <slw at zxy.spb.ru>
> wrote:
> | On Mon, Jul 11, 2016 at 03:00:39PM -0400, Jung-uk Kim wrote:
> |> > .if ( ${PORT_OPTIONS:MGOST} || ${PORT_OPTIONS:MGOST_ASN1} ) &&
> |> > ${SSL_DEFAULT} == base BROKEN= OpenSSL from the base system does not
> |> > support GOST, add \ DEFAULT_VERSIONS+=ssl=openssl to your
> |> > /etc/make.conf and rebuild everything \ that needs SSL.
> |> > .endif
> |>
> |> FreeBSD 9.3 is still supported but GOST is not available there. It
> |
> | Thanks for clarifications.
> |
> |> seems the ports maintainer didn't want to break it on 9.3 (CC added).
> |> Version check may be needed there.
> |
> | Thanks!
>
>
> The idea is that you can't have mixed openssl usage. If you link half your
> ports with openssl from base, and half with openssl from ports, you are
> going to have dragons attacks, and core dumps. Also, if you are using
> openssl from ports, you cannot use GSSAPI from base, for the same reasons.
Exactly. That's why we should *allow* using base OpenSSL for 10.x and
later because many packages are already linked against base OpenSSL by
default.
Jung-uk Kim
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 473 bytes
Desc: OpenPGP digital signature
URL: <http://lists.freebsd.org/pipermail/freebsd-security/attachments/20160718/c75a7176/attachment.sig>
More information about the freebsd-security
mailing list