Date: Wed, 24 Aug 2016 20:36:03 +0100
From: Matt Smith <fbsd@xtaz.co.uk>
To: Bernard Spil <brnrd@FreeBSD.org>
Cc: Mathieu Arnold <mat@freebsd.org>, ports@freebsd.org
Subject: Re: Upcoming OpenSSL 1.1.0 release
Message-ID: <20160824193603.GA16568@xtaz.uk>
In-Reply-To: <ba968d48738a1b5f05546993e70abf7d@imap.brnrd.eu>
References: <6d35459045985929d061f3c6cca85efe@imap.brnrd.eu> <0E328A9485C47045F93C19AB@atuin.in.mat.cc> <20160823124201.GB48814@xtaz.uk> <ba968d48738a1b5f05546993e70abf7d@imap.brnrd.eu>
On Aug 24 21:18, Bernard Spil wrote:
> Today new vulnerabilities with (3)DES and BlowFish were made public and
> I believe we'll see release of another paper which is OpenSSL 1.1
> related with the release of OpenSSL 1.1.0. I have no knowledge if the
> paper/report contained vulnerabilities that have postponed the release
> of 1.1.0 but I think that is likely. That would mean that these
> vulnerabilities have been solved pre-release.
>
> As far as I know x25519 is still a Draft RFC so unlikely to appear in
> browsers for a while. I can see LibreSSL adding this as well, whether
> in the draft version or in the final. This they did with
> ChaCha20/Poly1305 as well (draft in 2.3, release in 2.4). The LibreSSL
> devs would have closed the request if they didn't intend to support it
> https://github.com/libressl-portable/portable/issues/114
>
> I don't think that FreeBSD will be making LibreSSL the
> libssl/libcrypto provider any time soon. The support timelines for
> LibreSSL (<1.5 years) are just too short for the FreeBSD release
> support (>3 years). OpenSSL is speeding up the release cycle as well
> but at least we can rely on RedHat to backport changes to older
> versions.
>
> LibreSSL in base is a bit more than playing, it is becoming the
> default in HardenedBSD very soon and very likely in TrueOS (AKA
> PC-BSD) as of 11.0 RELEASE. Both HardenedBSD and TrueOS have a
> different attitude towards updating things in the base system as they
> do not serve as upstream to other projects/products that require
> longer support timelines. Come see my talk at EuroBSDCon, it will
> contain LibreSSL in base things.
>
> Cheers,
>
> Bernard.

Thanks for that reply. That answers things quite nicely.

I believe x25519 is currently in Chrome: https://www.ssllabs.com/ssltest/viewClient.html?name=Chrome&version=51&platform=Win%207&key=126

It has x25519 listed as an elliptic curve near the bottom. So for that reason I am interested in enabling it, as I like to do things bleeding edge!
I will probably stick with security/libressl-devel for the foreseeable future, though, I think, and at least wait and see what people make of OpenSSL 1.1 after a few months, if only for the fact that it's a bit of a pain to switch back again by recompiling everything.

-- 
Matt