From owner-freebsd-security@FreeBSD.ORG Thu Apr 10 20:40:35 2014 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [8.8.178.115]) (using TLSv1 with cipher ADH-AES256-SHA (256/256 bits)) (No client certificate requested) by hub.freebsd.org (Postfix) with ESMTPS id 46EA594B for ; Thu, 10 Apr 2014 20:40:35 +0000 (UTC) Received: from hoffman.proper.com (IPv6.Hoffman.Proper.COM [IPv6:2605:8e00:100:41::81]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (Client did not present a certificate) by mx1.freebsd.org (Postfix) with ESMTPS id 01A28125E for ; Thu, 10 Apr 2014 20:40:34 +0000 (UTC) Received: from [10.20.30.90] (50-1-98-175.dsl.dynamic.sonic.net [50.1.98.175]) (authenticated bits=0) by hoffman.proper.com (8.14.8/8.14.7) with ESMTP id s3AKeVjR019765 (version=TLSv1/SSLv3 cipher=AES128-SHA bits=128 verify=NO); Thu, 10 Apr 2014 13:40:32 -0700 (MST) (envelope-from paul.hoffman@vpnc.org) X-Authentication-Warning: hoffman.proper.com: Host 50-1-98-175.dsl.dynamic.sonic.net [50.1.98.175] claimed to be [10.20.30.90] Content-Type: text/plain; charset=us-ascii Mime-Version: 1.0 (Mac OS X Mail 7.2 \(1874\)) Subject: Re: A different proposal From: Paul Hoffman In-Reply-To: Date: Thu, 10 Apr 2014 13:40:29 -0700 Content-Transfer-Encoding: quoted-printable Message-Id: <86C6A2FD-DA42-425C-9E49-4A959311955F@vpnc.org> References: <9eeba1ab-2ab0-4188-82aa-686c5573a5db@me.com> <8D81F198-36A7-47F4-B486-DA059910A6B4@spam.lifeforms.nl> <867g6y1kfe.fsf@nine.des.no> To: Nathan Dorfman X-Mailer: Apple Mail (2.1874) X-Mailman-Approved-At: Thu, 10 Apr 2014 20:43:51 +0000 Cc: freebsd-security@freebsd.org, Pawel Biernacki X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.17 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 10 Apr 2014 20:40:35 -0000 On Apr 10, 2014, at 12:34 PM, Nathan Dorfman wrote: > On Thu, Apr 10, 2014 at 10:56 AM, Paul Hoffman = wrote: >> If your reliance on OpenSSL bugs being fixed requires a fix at a rate = faster than what the FreeBSD community provides, then you should not = rely on the FreeBSD community. Install OpenSSL on your mission-critical = systems from OpenSSL source, not from FreeBSD ports or packages. >=20 > I really don't think one needs to go this far. The workaround provided > in the original OpenSSL advisory, recompiling with > -DOPENSSL_NO_HEARTBEATS, was directly applicable to FreeBSD. For > anyone unsure exactly where to effect that option, it was discussed on > this very list. Also posted on this list was a working patch > containing the actual fix, on Monday afternoon. That fixed *this* bug; earlier ones took actual patches. > So yes, if you want a fully tested, reviewed and supported fix, you > had to wait, but anyone in desperate need of an immediate fix had > options that didn't involve ditching FreeBSD's OpenSSL. I was not proposing ditching FreeBSD's OpenSSL when the next bug was = found: I was proposing that you switch at your own speed before the next = emergency. And I'm not proposing that's the best thing to do: I'm = certainly not going to, I'm quite happy with the FreeBSD response. This is a different proposal than "someone should get paid to reduce my = security timing issues". It is "I should take responsibility for my = security timing issues". --Paul Hoffman=