> On 11. Dec 2020, at 12:38 PM, Martin Simmons <martin at lispworks.com> wrote:
>
>>>>>> On Thu, 10 Dec 2020 22:46:28 -0800, John-Mark Gurney said:
>>
>> What are people's thoughts on how to address the support mismatch between
>> FreeBSD and OpenSSL? And how to address it?
>
> Maybe it would help a little if the packages on pkg.FreeBSD.org all used the
> pkg version of OpenSSL? Currently, it looks like you have to build your own
> ports if you want that.

This pretty much breaks LibreSSL ports usage for binary package consumers.

Cheers,
Franco

>>>>> On Fri, 11 Dec 2020 12:44:17 +0100, Franco Fichtner said:
>
> > On 11. Dec 2020, at 12:38 PM, Martin Simmons <martin at lispworks.com> wrote:
> >
> >>>>>> On Thu, 10 Dec 2020 22:46:28 -0800, John-Mark Gurney said:
> >>
> >> What are people's thoughts on how to address the support mismatch between
> >> FreeBSD and OpenSSL? And how to address it?
> >
> > Maybe it would help a little if the packages on pkg.FreeBSD.org all used the
> > pkg version of OpenSSL? Currently, it looks like you have to build your own
> > ports if you want that.
>
> This pretty much breaks LibreSSL ports usage for binary package consumers.

I'm talking about the binary packages from pkg.FreeBSD.org. Don't they always
use the base OpenSSL at the moment?

__Martin

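The question above (which OpenSSL a binary package was built against) can be answered per binary rather than by assumption. The script below is an added example for this thread, not code posted by any participant: it classifies a FreeBSD binary's TLS provider from `ldd` output, distinguishing the base OpenSSL in /usr/lib from a ports openssl or libressl in /usr/local/lib, and flags the "mixed" case where libssl and libcrypto come from different providers. The library paths and .so versions are assumptions about a 12.x/13.x layout, and the sample `ldd` output is constructed, not captured from a real host.

```sh
#!/bin/sh
# Added example, not part of the mailing-list thread.
# Assumptions (FreeBSD 12.x/13.x layout): base OpenSSL lives in /usr/lib
# (libssl.so.111 / libcrypto.so.111); the ports openssl and libressl
# packages install their libraries under /usr/local/lib.

# classify_ssl: takes `ldd`-style output as $1 and prints one of
#   base  | ports | mixed | none
# "mixed" is the case to worry about: libssl from one provider and
# libcrypto from another in the same process image.
classify_ssl() {
    printf '%s\n' "$1" | awk '
        /lib(ssl|crypto)\.so/ {
            # ldd lines look like: "libssl.so.111 => /usr/lib/libssl.so.111 (0x...)"
            if ($3 ~ /^\/usr\/lib\//)              base = 1
            else if ($3 ~ /^\/usr\/local\/lib\//)  ports = 1
        }
        END {
            if (base && ports) print "mixed"
            else if (base)     print "base"
            else if (ports)    print "ports"
            else               print "none"
        }'
}

# On a FreeBSD host, inspect an installed binary directly:
#   classify_ssl "$(ldd /usr/local/bin/some-binary 2>/dev/null)"

# Constructed sample output in FreeBSD `ldd` format (addresses are made up).
LDD_BASE='/usr/local/bin/example-base:
	libssl.so.111 => /usr/lib/libssl.so.111 (0x800300000)
	libcrypto.so.111 => /usr/lib/libcrypto.so.111 (0x800500000)
	libc.so.7 => /lib/libc.so.7 (0x800800000)'

LDD_PORTS='/usr/local/bin/example-ports:
	libssl.so.11 => /usr/local/lib/libssl.so.11 (0x800300000)
	libcrypto.so.11 => /usr/local/lib/libcrypto.so.11 (0x800500000)
	libc.so.7 => /lib/libc.so.7 (0x800800000)'

LDD_MIXED='/usr/local/bin/example-mixed:
	libssl.so.11 => /usr/local/lib/libssl.so.11 (0x800300000)
	libcrypto.so.111 => /usr/lib/libcrypto.so.111 (0x800500000)
	libc.so.7 => /lib/libc.so.7 (0x800800000)'

echo "example-base:  $(classify_ssl "$LDD_BASE")"
echo "example-ports: $(classify_ssl "$LDD_PORTS")"
echo "example-mixed: $(classify_ssl "$LDD_MIXED")"
```

To build ports against a provider other than the base OpenSSL, the ports tree's knob is `DEFAULT_VERSIONS+= ssl=openssl` (or `ssl=libressl`) in /etc/make.conf; the default is `ssl=base`, which is what the thread's binary-package consumers get. Running the check over every ELF in /usr/local/bin after mixing self-built ports with official packages is the quickest way to find a "mixed" process before it fails at runtime.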
On Fri, Dec 11, 2020 at 12:44 PM Franco Fichtner wrote:
> > On 11. Dec 2020, at 12:38 PM, Martin Simmons <martin at lispworks.com> wrote:
> >>>>>> On Thu, 10 Dec 2020 22:46:28 -0800, John-Mark Gurney said:
> >> What are people's thoughts on how to address the support mismatch between
> >> FreeBSD and OpenSSL? And how to address it?
> > Maybe it would help a little if the packages on pkg.FreeBSD.org all used the
> > pkg version of OpenSSL? Currently, it looks like you have to build your own
> > ports if you want that.
>
> This pretty much breaks LibreSSL ports usage for binary package consumers.

Why not switch to LibreSSL as default? :-)

-- 
CeDeROM, SQ7MHZ, http://www.tomek.cedro.info

> On 11. Dec 2020, at 1:36 PM, Tomasz CEDRO <tomek at cedro.info> wrote:
>
> On Fri, Dec 11, 2020 at 12:44 PM Franco Fichtner wrote:
>>> On 11. Dec 2020, at 12:38 PM, Martin Simmons <martin at lispworks.com> wrote:
>>>>>>>> On Thu, 10 Dec 2020 22:46:28 -0800, John-Mark Gurney said:
>>>> What are people's thoughts on how to address the support mismatch between
>>>> FreeBSD and OpenSSL? And how to address it?
>>> Maybe it would help a little if the packages on pkg.FreeBSD.org all used the
>>> pkg version of OpenSSL? Currently, it looks like you have to build your own
>>> ports if you want that.
>>
>> This pretty much breaks LibreSSL ports usage for binary package consumers.
>
> Why not switch to LibreSSL as default? :-)

Good question. LibreSSL lacks engine and PSK support. TLS 1.3 was trailing
behind. Missing CMS also was a large issue for those who needed it. Someone
with more in-depth knowledge can probably name more.

The other issue with LibreSSL in general is that third-party support is mostly
ok, but some high-profile cases have had issues with it for years: HAProxy,
OpenVPN, StrongSwan, just to name a few. Having ports contributors and
committers chase these thankless quests is probably not worth the overall
effort.

It works pretty well as a ports crypto replacement, but for the reasons listed
above it is probably not going to happen on a default scale.

Also, LibreSSL in base was a failed experiment in HardenedBSD. Its release
cycle and support policy is tailored neatly around OpenBSD releases, and the
attempt to break ABI compatibility in packages while you retrofit a new version
into a minor release can fail pretty spectacularly.

I'm not being skeptical. I helped improve overall LibreSSL support in the ports
tree since 2015. The LibreSSL team is doing a great job, all things considered.
This is simply the current reality of keeping LibreSSL in ports a steady
alternative.

Cheers,
Franco