On Thu, May 14, 2015, at 06:31, Dan Lukes wrote:
> Patrick Proniewski wrote:
> >> "Data Transfer Interrupted
> >> The connection to forums.freebsd.org has terminated unexpectedly. Some
> >> data may have been transferred."
> >
> > looks like your browser/OS does not support TLS 1.2.
>
> I'm confused by FreeBSD policy, a lot.
>
> Base OpenSSL in still-supported releases is too old a version and doesn't
> support TLS 1.2 either.
>
> Either TLS 1.0 is so insecure that it should not be used, or it is secure
> enough for FreeBSD.
>
When the FreeBSD 8.0 (2009) and 9.0 (2012) releases were cut we didn't
have these vulnerabilities or problems. In fact, TLS 1.2 existed as a
protocol (2008) but OpenSSL didn't even implement it yet (not until
2010)! Thankfully FreeBSD 8 is EoL on June 30, 2015, but we still have
to live with FreeBSD 9.3 until Dec 31, 2016. That's going to be painful,
but we shouldn't kill it off sooner than we have to as a courtesy to our
users.

FreeBSD needs to change, too. That is not being ignored.

In the future FreeBSD's base libraries like OpenSSL hopefully will be
private: only the base system knows they exist; no other software will
see them. This will mean that every port/package you install requiring
OpenSSL will *always* use OpenSSL from ports/packages; no conflict is
possible. This also solves the problem of stale software in the base
system and allows FreeBSD to do major upgrades of this software in point
releases to keep the base system fresh.

Last I knew this approach was still being discussed, but it will be a
fantastic improvement to the FreeBSD OS model when it happens.