From owner-freebsd-security@freebsd.org Sun Jul 29 00:16:59 2018
From: Dewayne Geraghty
To: "PRAKASH RAI (prakrai)"
Cc: freebsd-security@freebsd.org
Date: Sun, 29 Jul 2018 09:59:29 +1000
Subject: Re: TLSv1.3 support in freeBSD 11.X
Message-ID: <81dc7784-62d2-37e8-95f0-1f49215d4a58@heuristicsystems.com.au>
In-Reply-To: <2ECA83EC-B156-43DF-AFDD-407BDFF74DAA@contoso.com>

On 26/07/2018 9:45 PM, PRAKASH RAI (prakrai) via freebsd-security wrote:
> Hi All,
>
> I was going through the https://wiki.freebsd.org/OpenSSL and found that openssl 1.1.1 support is planned for FreeBSD 12.
> As TLSv1.3 is based on openssl 1.1.1, does it mean that FreeBSD 11.X would not be having support for TLSv1.3?
>
> Basically I would like to understand if I can build openssl 1.1.1 (which is having support for TLSv1.3) with FreeBSD 11.2 without any issue and enable TLSv1.3 support?
>
> Regards,
> Prakash

Prakash,

You're very ambitious ;)  TLSv1.3 is very different from 1.2 and others.  Additional ciphers are "nice", but the session controls are quite different and will take a while for applications to settle into.  Quite a few applications are not yet at openssl 1.1.0, so surprise yourself and try something like:

  for interests in security www; do find /usr/ports/$interests/ -name Makefile | xargs grep openssl-devel | grep BROKEN; done

And you should also note that the ports are only built on the lowest supported FreeBSD (#1), and on the 11 stream, that seems to be FreeBSD 11.1Release; so we should really work in unison to migrate to openssl 1.1.1 :)  Draw your own conclusions about what ports have been tested on 11.2Release.

FYI perhaps consider libressl, which has some additional/useful ciphers; might be worth a look if the ciphers are your driver.

Ref: #1 Poke around here: http://beefy9.nyi.freebsd.org/data/latest-per-pkg/

Cheers.
From owner-freebsd-security@freebsd.org Sun Jul 29 16:14:41 2018
From: Benjamin Kaduk
To: Dewayne Geraghty
Cc: "PRAKASH RAI (prakrai)", freebsd-security@freebsd.org
Date: Sun, 29 Jul 2018 10:59:11 -0500
Subject: Re: TLSv1.3 support in freeBSD 11.X
Message-ID: <20180729155908.GA79679@kduck.kaduk.org>
In-Reply-To: <81dc7784-62d2-37e8-95f0-1f49215d4a58@heuristicsystems.com.au>

Hi Dewayne,

(Full disclosure: I am currently the IETF Area Director responsible for the TLS working group, and as such the TLS 1.3 spec itself; I am also an OpenSSL committer.)

On Sun, Jul 29, 2018 at 09:59:29AM +1000, Dewayne Geraghty wrote:
> On 26/07/2018 9:45 PM, PRAKASH RAI (prakrai) via freebsd-security wrote:
> > Hi All,
> >
> > I was going through the https://wiki.freebsd.org/OpenSSL and found that openssl 1.1.1 support is planned for FreeBSD 12.
> > As TLSv1.3 is based on openssl 1.1.1, does it mean that FreeBSD 11.X would not be having support for TLSv1.3?
> >
> > Basically I would like to understand if I can build openssl 1.1.1 (which is having support for TLSv1.3) with FreeBSD 11.2 without any issue and enable TLSv1.3 support?
> >
> > Regards,
> > Prakash
> >
> Prakash,
> You're very ambitious ;)  TLSv1.3 is very different from 1.2 and
> others.  Additional ciphers are "nice", but the session controls are
> quite different and will take a while for applications to settle into.

While I don't dispute that this is an ambitious goal, I do dispute that the changes in TLS 1.3 are merely "nice"; there are real improvements to performance, privacy, and security that can be compelling points to drive work for adoption, in some cases.  We should let Prakash make their own decision based on the facts.

> Quite a few applications are not yet at openssl 1.1.0, so surprise
> yourself and try something like:
> for interests in security www; do find /usr/ports/$interests/ -name
> Makefile|xargs grep openssl-devel|grep BROKEN; done
>
> And you should also note that the ports are only built on lowest
> supported FreeBSD (#1), and on the 11 stream, that seems to be FreeBSD

The officially published *packages* are built on the oldest supported release from a branch; anyone can build the ports on the version they are running (and, of course, build software outside the Ports Collection entirely).

> 11.1Release; so we should really work in unison to migrate to openssl
> 1.1.1 :)  Draw your own conclusions about what ports have been tested
> on 11.2Release
>
> FYI perhaps consider libressl which has some additional/useful ciphers,
> might be worth a look if the ciphers are your driver.

I'm not sure that I'd echo that advice -- openssl has made some pretty substantial architectural improvements in the 1.1.x series, with a well-designed state machine, unified extension handling, and the (W)PACKET_ APIs for handling network data (and of course the prospect of TLS 1.3 support).
While I'm happy to see that libressl has adopted the CBB/CBS APIs from boringssl (to be frank, not using an API of that sort for network data would be pretty hard to justify, in this day and age), it seems to still be organically evolving the openssl 1.0.1 state machine it inherited, and I am unaware of motion for TLS 1.3 support therein.

I also don't think that ciphers would be a motivation for OpenSSL 1.1.1 over 1.1.0 -- the only non-TLS 1.3 ciphers that are new across that version jump appear to be the ARIA ciphers, which are not exactly widely used.

-Ben
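Ben's remark about the (W)PACKET_ APIs and the CBB/CBS APIs is the one point in this thread a reader can try out in code. What follows is an added example, not code from OpenSSL, BoringSSL, LibreSSL or any participant in the thread: a minimal bounds-checked read cursor in the spirit of those APIs, used to parse a TLS record carrying a ClientHello. The pkt_* functions, client_hello_t and the sample bytes are this example's own. The ClientHello is constructed by hand (filler random and session_id, two TLS 1.3 suites, no extensions), and the second sample is the same record with its session_id length byte forged to 255, to show the cursor failing closed instead of reading past the buffer.

```c
/* Added example, not OpenSSL/BoringSSL/LibreSSL code: a bounds-checked read
 * cursor in the spirit of OpenSSL's PACKET and BoringSSL's CBS, parsing a
 * TLS record that carries a ClientHello. Every name here is this example's. */
#include <stddef.h>
#include <stdint.h>
#include <string.h>
typedef struct { const uint8_t *cur; size_t remaining; } pkt_t;

/* Every read checks the remaining length before touching memory and returns
 * 0 on a short read; callers abort the whole parse on 0. */
static int pkt_get_bytes(pkt_t *p, const uint8_t **out, size_t n)
{
    if (p->remaining < n) return 0;
    *out = p->cur; p->cur += n; p->remaining -= n;
    return 1;
}

/* Big-endian unsigned integer of 1..3 bytes, the widths TLS uses. */
static int pkt_get_uint(pkt_t *p, size_t nbytes, uint32_t *v)
{
    const uint8_t *b;
    if (!pkt_get_bytes(p, &b, nbytes)) return 0;
    for (*v = 0; nbytes--; b++) *v = (*v << 8) | *b;
    return 1;
}

/* Length-prefixed vector as a sub-cursor bounded by its prefix: a forged
 * length larger than the enclosing buffer fails here, not in a later read. */
static int pkt_get_vec(pkt_t *p, size_t prefix_bytes, pkt_t *sub)
{
    uint32_t n; const uint8_t *b;
    if (!pkt_get_uint(p, prefix_bytes, &n) || !pkt_get_bytes(p, &b, n)) return 0;
    *sub = (pkt_t){ b, n };
    return 1;
}

typedef struct {
    uint32_t legacy_version, first_cipher_suite;
    size_t session_id_len, cipher_suite_count;
} client_hello_t;

/* Returns 0 and fills *out for one record holding one complete ClientHello;
 * -1 on truncation or any inconsistent length. */
int parse_client_hello(const uint8_t *buf, size_t len, client_hello_t *out)
{
    pkt_t rec = { buf, len }, body, sub;
    uint32_t type, ver, hs_len;
    const uint8_t *rnd;

    /* record header: content type 22 (handshake), version, 2-byte length */
    if (!pkt_get_uint(&rec, 1, &type) || type != 22) return -1;
    if (!pkt_get_uint(&rec, 2, &ver) || !pkt_get_vec(&rec, 2, &body) || rec.remaining) return -1;
    /* handshake header: type 1 (ClientHello), 3-byte length that must match */
    if (!pkt_get_uint(&body, 1, &type) || type != 1) return -1;
    if (!pkt_get_uint(&body, 3, &hs_len) || hs_len != body.remaining) return -1;
    /* ClientHello fields in RFC 8446 section 4.1.2 order */
    if (!pkt_get_uint(&body, 2, &out->legacy_version)) return -1;
    if (!pkt_get_bytes(&body, &rnd, 32)) return -1;
    if (!pkt_get_vec(&body, 1, &sub) || sub.remaining > 32) return -1;      /* legacy_session_id<0..32> */
    out->session_id_len = sub.remaining;
    if (!pkt_get_vec(&body, 2, &sub) || sub.remaining < 2 || sub.remaining % 2) return -1;
    out->cipher_suite_count = sub.remaining / 2;                           /* cipher_suites<2..2^16-2> */
    if (!pkt_get_uint(&sub, 2, &out->first_cipher_suite)) return -1;
    if (!pkt_get_vec(&body, 1, &sub) || sub.remaining == 0) return -1;     /* legacy_compression_methods */
    if (body.remaining && (!pkt_get_vec(&body, 2, &sub) || body.remaining)) return -1; /* extensions */
    return 0;
}

/* Constructed sample, not a capture: one record with a ClientHello offering two
 * TLS 1.3 suites and no extensions. Random and session_id are filler bytes. */
#define FILL16(x) x, x, x, x, x, x, x, x, x, x, x, x, x, x, x, x
static const uint8_t SAMPLE_GOOD[] = {
    0x16, 0x03, 0x03, 0x00, 0x4f,               /* record header: handshake, 79 bytes follow */
    0x01, 0x00, 0x00, 0x4b,                     /* handshake header: ClientHello, 75 bytes follow */
    0x03, 0x03,                                 /* legacy_version */
    FILL16(0xaa), FILL16(0xaa),                 /* random[32] */
    0x20, FILL16(0xbb), FILL16(0xbb),           /* session_id, length 32 */
    0x00, 0x04, 0x13, 0x01, 0x13, 0x02,         /* TLS_AES_128_GCM_SHA256, TLS_AES_256_GCM_SHA384 */
    0x01, 0x00                                  /* compression methods: null only */
};
static client_hello_t g_good;                   /* filled in by parse_good_sample() */
int parse_good_sample(void)
{
    return parse_client_hello(SAMPLE_GOOD, sizeof SAMPLE_GOOD, &g_good);
}

/* Same bytes with the session_id length forged to 255. A parser that bumps a
 * pointer by the claimed length would read over 200 bytes past the end of the
 * 84-byte buffer; the bounded cursor returns -1 without touching them. */
int parse_bad_sample(void)
{
    uint8_t bad[sizeof SAMPLE_GOOD];
    client_hello_t scratch;
    memcpy(bad, SAMPLE_GOOD, sizeof bad);
    bad[5 + 4 + 2 + 32] = 0xff;
    return parse_client_hello(bad, sizeof bad, &scratch);
}
```

parse_good_sample() returns 0 and leaves g_good holding legacy_version 0x0303, a 32-byte session_id, two suites with 0x1301 first; parse_bad_sample() returns -1, as does parsing SAMPLE_GOOD with one byte cut off the end. The design point is the one Ben makes: every access goes through a cursor that knows how many bytes remain, and each length-prefixed vector becomes a sub-cursor bounded by its own prefix, so a hostile length is rejected at the single place it is read rather than trusted by every field parsed after it.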
From owner-freebsd-security@freebsd.org Wed Aug 1 10:45:57 2018
From: Eric McCorkle
To: freebsd-hackers@freebsd.org, freebsd-security@freebsd.org, freebsd-arch@freebsd.org, freebsd-current
Date: Wed, 1 Aug 2018 06:45:46 -0400
Subject: Status of OpenSSL 1.1.1

Hi folks,

I'm wondering what's the status of OpenSSL 1.1.1 integration into base?  More specifically, is there a repo or a branch that's started the integration?  I'm aware of the wiki page and the list of port build issues, but that seems to be based on replacing the base OpenSSL with a port build (similar to the way one replaces it with LibreSSL).

I have some work I'd like to do that's gating on sorting out the kernel/loader crypto situation, and I'd very much like to see OpenSSL 1.1.1 get merged, so I can start to look into doing that.
Incidentally, if there's something I can do to help out with integrating 1.1.1 into base, I'd potentially be interested.

From owner-freebsd-security@freebsd.org Wed Aug 1 14:05:34 2018
From: Eric McCorkle
To: Warner Losh
Cc: FreeBSD Hackers, freebsd-security, freebsd-arch@freebsd.org, freebsd-current
Date: Wed, 1 Aug 2018 10:05:28 -0400
Subject: Re: Status of OpenSSL 1.1.1
On 08/01/2018 09:02, Warner Losh wrote:
>
> On Wed, Aug 1, 2018, 12:31 PM Eric McCorkle wrote:
>
>     Hi folks,
>
>     I'm wondering what's the status of OpenSSL 1.1.1 integration into base?
>     More specifically, is there a repo or a branch that's started the
>     integration?  I'm aware of the wiki page and the list of port build
>     issues, but that seems to be based on replacing the base OpenSSL with a
>     port build (similar to the way one replaces it with LibreSSL).
>
>     I have some work I'd like to do that's gating on sorting out the
>     kernel/loader crypto situation, and I'd very much like to see OpenSSL
>     1.1.1 get merged, so I can start to look into doing that.
>
> There are patches to use BearSSL for the loader. OpenSSL is simply too
> large to use due to limits the loader operates under.

I was going to look into the feasibility of doing something like what LibreSSL does with portable, where they extract a subset of the full library designed to be embedded in the kernel, loader, etc.

I think it ought to be possible to do something like that, but it really ought to be done in a tree with 1.1.1 integrated.

From owner-freebsd-security@freebsd.org Wed Aug 1 13:02:58 2018
From: Warner Losh
To: Eric McCorkle
Cc: FreeBSD Hackers, freebsd-security, freebsd-arch@freebsd.org, freebsd-current
Date: Wed, 1 Aug 2018 14:02:46 +0100
Subject: Re: Status of OpenSSL 1.1.1

On Wed, Aug 1, 2018, 12:31 PM Eric McCorkle wrote:
> Hi folks,
>
> I'm wondering what's the status of OpenSSL 1.1.1 integration into base?
> More specifically, is there a repo or a branch that's started the
> integration?  I'm aware of the wiki page and the list of port build
> issues, but that seems to be based on replacing the base OpenSSL with a
> port build (similar to the way one replaces it with LibreSSL).
>
> I have some work I'd like to do that's gating on sorting out the
> kernel/loader crypto situation, and I'd very much like to see OpenSSL
> 1.1.1 get merged, so I can start to look into doing that.

There are patches to use BearSSL for the loader. OpenSSL is simply too large to use due to limits the loader operates under.

Warner

> Incidentally, if there's something I can do to help out with integrating
> 1.1.1 into base, I'd potentially be interested.
From owner-freebsd-security@freebsd.org Thu Aug 2 20:21:46 2018
From: grarpamp
To: freebsd-ports@freebsd.org
Cc: freebsd-pkg@freebsd.org
Date: Thu, 2 Aug 2018 16:21:04 -0400
Subject: Re: Archives of last quarterly package builds?
In-Reply-To: <34cb48da-1f15-1610-966d-1e30314f7665@freebsd.org>

> I've asked for this but the answer is
> "no we don't do that.. and have no plans to".

What is the rationale?
Or is another model of pkg build, distribution, and archiving coming?

It seems no more would be needed than
- an update to release / handbook / mirror info noting their status as "final, to be removed [to archives] on date + timeframe", say 1 year.
- simple sysadmin on pkg / web side as part of each quarter activity.
- some storage space.
- obviously they are the final builds of the branch, thus frozen.

Anything else / prereqs missing to doing that?

In addition to the earlier reasons...

'packages /latest' trails 'repo HEAD' so it's a fairly linear turnover.
Yet /quarterly gets a massive bump when the branches swap out from underneath it.
So one could also see where enterprise and other pkg users might be expecting a similar progression in /quarterly, and to manually cutforward, not automatic large whack at once.  Those production bumps can hurt.
So they might choose to track repo_conf /yyyyQn and trial the new quarter before moving to it.

It just seems that the final builds on those quarterly branches should be left online for a while, instead of just ...poof...GONE.

ie: with pkg, this should work for a year or so...

  /.../repo_conf:
    url: "pkg+https://pkg.FreeBSD.org/${ABI}/2018Q2"

Some labels could also be added for use in pkg's repo_conf...

  /last_quarter - simpler than dealing with the date, alternately: /prev_quarter
  /this_quarter - same as today's /quarterly
  /head         - unlikely due to build / mirror times and other factors
  /yyyyQn       - expose these for manual tracking and cutforward, and the validation purposes below

[bcc for thread ref]

On Sun, Jul 22, 2018 at 4:44 AM, Julian Elischer wrote:
> On 22/7/18 5:59 am, grarpamp wrote:
>>
>> Packages are delivered via a single quarterly label here
>>
>> https://pkg.freebsd.org/FreeBSD:11:amd64/quarterly/
>>
>> which corresponds to the latest quarterly branch label here
>>
>> https://svnweb.freebsd.org/ports/branches/?sortby=date#dirlist
>>
>> However, similar to how the tags here
>>
>> https://svnweb.freebsd.org/ports/tags/?sortby=date#dirlist
>>
>> are archived here
>>
>> https://pkg.freebsd.org/FreeBSD:11:amd64/
>> as these
>> https://pkg.freebsd.org/FreeBSD:11:amd64/release_[n]
>>
>> The last "ie: final" builds of each quarterly branch before they
>> roll over should also be moved off into their own archived
>> quarterly directories as
>
> I've asked for this but the answer is "no we don't do that.. and have no
> plans to".
> Which is a pity as it means you need to make your own snapshots if you want
> to have any reproducibility.
> It no longer matters to me as we now roll all our own packages from source
> (we have private OS changes that make this a requirement), but it was a
> sore point for many years.
>
>> https://pkg.freebsd.org/FreeBSD:11:amd64/yyyyQ[n]
>>
>> For example /quarterly/ should be repointed from 2018Q2
>> to 2018Q3, leaving 2018Q2 as a live "pkg" accessible archive.
>>
>> Eventually all such archives could be moved to historical
>> archive server under typical release support expiry periods.
>>
>> This would also serve critical purpose as an independent
>> original remote repository for validating local package / file
>> signatures against compromise, corruption, loss.
>>
>> For example, does the last 2018Q2 (or older ones) still exist
>> anywhere for users to reference and use?
>
> no.

From owner-freebsd-security@freebsd.org Thu Aug 2 23:45:41 2018
Date: Thu, 2 Aug 2018 18:45:19 -0500
From: Benjamin Kaduk
To: Eric McCorkle
Cc: Warner Losh, FreeBSD Hackers, freebsd-arch@freebsd.org, freebsd-current, freebsd-security
Subject: Re: Status of OpenSSL 1.1.1
Message-ID: <20180802234519.GD68224@kduck.kaduk.org>

On Wed, Aug 01, 2018 at 10:05:28AM -0400, Eric McCorkle wrote:
> On 08/01/2018 09:02, Warner Losh wrote:
> > On Wed, Aug 1, 2018, 12:31 PM Eric McCorkle wrote:
> >
> >     Hi folks,
> >
> >     I'm wondering what's the status of OpenSSL 1.1.1 integration into base?
> >     More specifically, is there a repo or a branch that's started the
> >     integration?  I'm aware of the wiki page and the list of port build
> >     issues, but that seems to be based on replacing the base OpenSSL with a
> >     port build (similar to the way one replaces it with LibreSSL).
> >
> >     I have some work I'd like to do that's gating on sorting out the
> >     kernel/loader crypto situation, and I'd very much like to see OpenSSL
> >     1.1.1 get merged, so I can start to look into doing that.
> >
> > There are patches to use BearSSL for the loader. OpenSSL is simply too
> > large to use due to limits the loader operates under.
>
> I was going to look into the feasibility of doing something like what
> LibreSSL does with portable, where they extract a subset of the full
> library designed to be embedded in the kernel, loader, etc.
>
> I think it ought to be possible to do something like that, but it really
> ought to be done in a tree with 1.1.1 integrated.

It wouldn't be terribly easy or effective, IMO.  OpenSSL wasn't designed
with such modularity in mind.
-Ben

From owner-freebsd-security@freebsd.org Fri Aug 3 08:44:11 2018
Date: Fri, 3 Aug 2018 02:44:09 -0600
From: Warner Losh
To: Benjamin Kaduk
Cc: Eric McCorkle, FreeBSD Hackers, freebsd-arch@freebsd.org, freebsd-current, freebsd-security
Subject: Re: Status of OpenSSL 1.1.1
In-Reply-To: <20180802234519.GD68224@kduck.kaduk.org>
References: <20180802234519.GD68224@kduck.kaduk.org>

On Thu, Aug 2, 2018 at 5:45 PM, Benjamin Kaduk wrote:
> On Wed, Aug 01, 2018 at 10:05:28AM -0400, Eric McCorkle wrote:
> > On 08/01/2018 09:02, Warner Losh wrote:
> > > On Wed, Aug 1, 2018, 12:31 PM Eric McCorkle wrote:
> > >
> > >     Hi folks,
> > >
> > >     I'm wondering what's the status of OpenSSL 1.1.1 integration into base?
> > >     More specifically, is there a repo or a branch that's started the
> > >     integration?  I'm aware of the wiki page and the list of port build
> > >     issues, but that seems to be based on replacing the base OpenSSL with a
> > >     port build (similar to the way one replaces it with LibreSSL).
> > >
> > >     I have some work I'd like to do that's gating on sorting out the
> > >     kernel/loader crypto situation, and I'd very much like to see OpenSSL
> > >     1.1.1 get merged, so I can start to look into doing that.
> > >
> > > There are patches to use BearSSL for the loader. OpenSSL is simply too
> > > large to use due to limits the loader operates under.
> >
> > I was going to look into the feasibility of doing something like what
> > LibreSSL does with portable, where they extract a subset of the full
> > library designed to be embedded in the kernel, loader, etc.
> >
> > I think it ought to be possible to do something like that, but it really
> > ought to be done in a tree with 1.1.1 integrated.
>
> It wouldn't be terribly easy or effective, IMO.  OpenSSL wasn't designed
> with such modularity in mind.

Others that have tried have found OpenSSL to be way too large for the
boot loader and completely impossible to subset enough to get things
small enough due to the intertwingled nature of things.
Warner

From owner-freebsd-security@freebsd.org Fri Aug 3 11:02:24 2018
Date: Fri, 3 Aug 2018 07:02:18 -0400
From: Eric McCorkle
To: Warner Losh, Benjamin Kaduk
Cc: FreeBSD Hackers, freebsd-arch@freebsd.org, freebsd-current, freebsd-security
Subject: Re: Status of OpenSSL 1.1.1
References: <20180802234519.GD68224@kduck.kaduk.org>

This is an OpenPGP/MIME signed message (RFC 4880 and 3156)

On 08/03/2018 04:44, Warner Losh wrote:
> On Thu, Aug 2, 2018 at 5:45 PM, Benjamin Kaduk wrote:
>
>     On Wed, Aug 01, 2018 at 10:05:28AM -0400, Eric McCorkle wrote:
>     > On 08/01/2018 09:02, Warner Losh wrote:
>     > > On Wed, Aug 1, 2018, 12:31 PM Eric McCorkle wrote:
>     > >
>     > >     Hi folks,
>     > >
>     > >     I'm wondering what's the status of OpenSSL 1.1.1 integration
>     into base?
>     > >     More specifically, is there a repo or a branch that's
>     started the
>     > >     integration?  I'm aware of the wiki page and the list of
>     port build
>     > >     issues, but that seems to be based on replacing the base
>     OpenSSL with a
>     > >     port build (similar to the way one replaces it with LibreSSL).
>     > >
>     > >     I have some work I'd like to do that's gating on sorting out the
>     > >     kernel/loader crypto situation, and I'd very much like to
>     see OpenSSL
>     > >     1.1.1 get merged, so I can start to look into doing that.
>     > >
>     > > There are patches to use BearSSL for the loader. OpenSSL is
>     simply too
>     > > large to use due to limits the loader operates under.
>     >
>     > I was going to look into the feasibility of doing something like what
>     > LibreSSL does with portable, where they extract a subset of the full
>     > library designed to be embedded in the kernel, loader, etc.
>     >
>     > I think it ought to be possible to do something like that, but it
>     really
>     > ought to be done in a tree with 1.1.1 integrated.
>
>     It wouldn't be terribly easy or effective, IMO.  OpenSSL wasn't designed
>     with such modularity in mind.
>
> Others that have tried have found OpenSSL to be way too large for the
> boot loader and completely impossible to subset enough to get things
> small enough due to the intertwingled nature of things.

To what extent, if any, does this change in 1.1.1, though?
From owner-freebsd-security@freebsd.org Sat Aug 4 22:09:03 2018
Date: Sat, 4 Aug 2018 17:03:49 -0500
From: Benjamin Kaduk
To: Eric McCorkle
Cc: Warner Losh, FreeBSD Hackers, freebsd-arch@freebsd.org, freebsd-current, freebsd-security
Subject: Re: Status of OpenSSL 1.1.1
Message-ID: <20180804220349.GJ68224@kduck.kaduk.org>
References: <20180802234519.GD68224@kduck.kaduk.org>

On Fri, Aug 03, 2018 at 07:02:18AM -0400, Eric McCorkle wrote:
> On 08/03/2018 04:44, Warner Losh wrote:
> > On Thu, Aug 2, 2018 at 5:45 PM, Benjamin Kaduk wrote:
> >
> >     On Wed, Aug 01, 2018 at 10:05:28AM -0400, Eric McCorkle wrote:
> >     > On 08/01/2018 09:02, Warner Losh wrote:
> >     > > On Wed, Aug 1, 2018, 12:31 PM Eric McCorkle wrote:
> >     > >
> >     > >     Hi folks,
> >     > >
> >     > >     I'm wondering what's the status of OpenSSL 1.1.1 integration
> >     into base?
> >     > >     More specifically, is there a repo or a branch that's
> >     started the
> >     > >     integration?  I'm aware of the wiki page and the list of
> >     port build
> >     > >     issues, but that seems to be based on replacing the base
> >     OpenSSL with a
> >     > >     port build (similar to the way one replaces it with LibreSSL).
> >     > >
> >     > >     I have some work I'd like to do that's gating on sorting out the
> >     > >     kernel/loader crypto situation, and I'd very much like to
> >     see OpenSSL
> >     > >     1.1.1 get merged, so I can start to look into doing that.
> >     > >
> >     > > There are patches to use BearSSL for the loader. OpenSSL is
> >     simply too
> >     > > large to use due to limits the loader operates under.
> >     >
> >     > I was going to look into the feasibility of doing something like what
> >     > LibreSSL does with portable, where they extract a subset of the full
> >     > library designed to be embedded in the kernel, loader, etc.
> >     >
> >     > I think it ought to be possible to do something like that, but it
> >     really
> >     > ought to be done in a tree with 1.1.1 integrated.
> >
> >     It wouldn't be terribly easy or effective, IMO.  OpenSSL wasn't designed
> >     with such modularity in mind.
> >
> > Others that have tried have found OpenSSL to be way too large for the
> > boot loader and completely impossible to subset enough to get things
> > small enough due to the intertwingled nature of things.
>
> To what extent, if any, does this change in 1.1.1, though?

Probably not enough -- while libssl got a bit reorganized, libcrypto
hasn't changed much.

-Ben