On Thu, May 14, 2015, at 06:31, Dan Lukes wrote:
> Patrick Proniewski wrote:
> >> "Data Transfer Interrupted
> >> The connection to forums.freebsd.org has terminated unexpectedly. Some
> >> data may have been transferred."
> >
> > Looks like your browser/OS does not support TLS 1.2.
>
> I'm confused by FreeBSD policy, a lot.
>
> Base OpenSSL in still-supported releases is too old a version and doesn't
> support TLS 1.2 either.
>
> Either TLS 1.0 is so insecure that it should not be used, or it is secure
> enough for FreeBSD.

When the FreeBSD 8.0 (2009) and 9.0 (2012) releases were cut we didn't have these vulnerabilities or problems. In fact, TLS 1.2 existed as a protocol (2008) but OpenSSL didn't even implement it yet (not until 2010)! Thankfully FreeBSD 8 is EoL on June 30, 2015, but we still have to live with FreeBSD 9.3 until Dec 31, 2016. That's going to be painful, but we shouldn't kill it off sooner than we have to, as a courtesy to our users.

FreeBSD needs to change, too. That is not being ignored. In the future FreeBSD's base libraries like OpenSSL hopefully will be private: only the base system knows they exist; no other software will see them. This will mean that every port/package you install requiring OpenSSL will *always* use OpenSSL from ports/packages; no conflict is possible. This also solves the problem of stale software in the base system and allows FreeBSD to do major upgrades of this software in point releases to keep the base system fresh. Last I knew this approach was still being discussed, but it will be a fantastic improvement to the FreeBSD OS model when it happens.
Mark Felder wrote:
> In the future FreeBSD's base libraries like OpenSSL hopefully will be
> private: only the base system knows they exist; no other software will
> see them. This will mean that every port/package you install requiring
> OpenSSL will *always* use OpenSSL from ports/packages; no conflict is
> possible.

That's one way of approaching it, but there are drawbacks to this method. Maintaining two sets of binaries and libraries that must be kept separate (using what kind of ACLs?) adds complexity. Complexity is the enemy of security.

Another option is a second openssl port, one that overwrites base and guarantees compatibility with RELEASE. Then we could at least have all versions of openssl in vuln.xml (not that that's been a reliable indicator of security of late).

Roger Marquis
Mark Felder wrote:
>> Base OpenSSL in still-supported releases is too old a version and doesn't
>> support TLS 1.2 either.
>>
>> Either TLS 1.0 is so insecure that it should not be used, or it is secure
>> enough for FreeBSD.
>
> When the FreeBSD 8.0 (2009) and 9.0 (2012) releases were cut we didn't
> have these vulnerabilities or problems.

All security patches are released because of something discovered after release. So it is nothing new nor special. But that's not the matter of my comment.

As far as I know, there has been no discussion on FreeBSD Security related to the fact that FreeBSD 9 will not receive security patches for a particular known security issue. Nor even an announcement, if it has been considered no topic for discussion here. So I'm confused (as claimed in my previous comment).

Either the issue is not so severe, and then I don't understand why TLS 1.0 needs to be disabled on the forums. Or it is so severe that I don't understand why there is still no Security Advisory dedicated to it. Well, there may be no solution known - but even in such a case the issue should be announced.

Dan