Skip site navigation (1)Skip section navigation (2) 
Date:      Tue, 12 Jul 2016 01:51:54 +0300
From:      Andrey Chernov <ache@freebsd.org>
To:        Slawa Olhovchenkov <slw@zxy.spb.ru>, Jung-uk Kim <jkim@FreeBSD.org>
Cc:        freebsd-security@freebsd.org, freebsd-current@freebsd.org
Subject:   Re: GOST in OPENSSL_BASE
Message-ID:  <c0bb5ae3-fee6-d40c-86bd-988c843d757b@freebsd.org>
In-Reply-To: <98f27660-47ff-d212-8c50-9e6e1cd52e0b@freebsd.org>
References:  <20160710133019.GD20831@zxy.spb.ru> <f35c1806-c06d-0d46-1c8a-58a56adef9a7@freebsd.org> <a4f0585d-cc99-e44a-7f59-0dd23e3c969f@FreeBSD.org> <20160711184122.GP46309@zxy.spb.ru> <98f27660-47ff-d212-8c50-9e6e1cd52e0b@freebsd.org>
next in thread | previous in thread | raw e-mail | index | archive | help 
On 12.07.2016 1:44, Andrey Chernov wrote:
> On 11.07.2016 21:41, Slawa Olhovchenkov wrote:
>> On Mon, Jul 11, 2016 at 02:28:45PM -0400, Jung-uk Kim wrote:
>>
>>> On 07/10/16 10:10 AM, Andrey Chernov wrote:
>>>> On 10.07.2016 16:30, Slawa Olhovchenkov wrote:
>>>>> I am surprised lack of support GOST in openssl-base.
>>>>> Can be this enabled before 11.0 released?
>>>>
>>>> AFAIK openssl maintainers says something like they can't support this
>>>> code and it will become rotten shortly with new changes, so they drop it.
>>>
>>> [OpenSSL-maintainer-for-the-base hat on]
>>>
>>> GOST is supported on FreeBSD 10.x and 11.x.  We will not drop it on
>>> these branches unless secteam explicitly ask us to do so.  However, we
>>> *may* drop it from 12.0 *iff* we import OpenSSL 1.1.0 branch.
>>>
>>> [OpenSSL-maintainer-for-the-base hat off]
>>>
>>> Jung-uk Kim
>>>
>>
>> Thanks!
>>
>> May be need file PR for dns/bind910?
>>
>> # grep -3 BROK /poudriere/ports/default/dns/bind910/Makefile
>> .include <bsd.port.pre.mk>
>>
>> .if ( ${PORT_OPTIONS:MGOST} || ${PORT_OPTIONS:MGOST_ASN1} ) && ${SSL_DEFAULT} == base
>> BROKEN= OpenSSL from the base system does not support GOST, add \
>>         DEFAULT_VERSIONS+=ssl=openssl to your /etc/make.conf and rebuild everything \
>>         that needs SSL.
>> .endif
>>
> 
> I dislike idea to use GOST in the bind, it is unneeded there, DNSSEC
> don't use GOST, so I vote for removing GOST option from there.
> 

I need to note that RFC exists, proposing GOST (old version) for DNSSEC:
https://tools.ietf.org/html/rfc5933
but nobody really use it.

Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?c0bb5ae3-fee6-d40c-86bd-988c843d757b>