On Mon, Jul 11, 2016 at 02:28:45PM -0400, Jung-uk Kim wrote:> On 07/10/16 10:10 AM, Andrey Chernov wrote: > > On 10.07.2016 16:30, Slawa Olhovchenkov wrote: > >> I am surprised lack of support GOST in openssl-base. > >> Can be this enabled before 11.0 released? > > > > AFAIK openssl maintainers says something like they can't support this > > code and it will become rotten shortly with new changes, so they drop it. > > [OpenSSL-maintainer-for-the-base hat on] > > GOST is supported on FreeBSD 10.x and 11.x. We will not drop it on > these branches unless secteam explicitly ask us to do so. However, we > *may* drop it from 12.0 *iff* we import OpenSSL 1.1.0 branch. > > [OpenSSL-maintainer-for-the-base hat off] > > Jung-uk Kim >Thanks! May be need file PR for dns/bind910? # grep -3 BROK /poudriere/ports/default/dns/bind910/Makefile .include <bsd.port.pre.mk> .if ( ${PORT_OPTIONS:MGOST} || ${PORT_OPTIONS:MGOST_ASN1} ) && ${SSL_DEFAULT} == base BROKEN= OpenSSL from the base system does not support GOST, add \ DEFAULT_VERSIONS+=ssl=openssl to your /etc/make.conf and rebuild everything \ that needs SSL. .endif
On 07/11/16 02:41 PM, Slawa Olhovchenkov wrote:> On Mon, Jul 11, 2016 at 02:28:45PM -0400, Jung-uk Kim wrote: > >> On 07/10/16 10:10 AM, Andrey Chernov wrote: >>> On 10.07.2016 16:30, Slawa Olhovchenkov wrote: >>>> I am surprised lack of support GOST in openssl-base. >>>> Can be this enabled before 11.0 released? >>> >>> AFAIK openssl maintainers says something like they can't support this >>> code and it will become rotten shortly with new changes, so they drop it. >> >> [OpenSSL-maintainer-for-the-base hat on] >> >> GOST is supported on FreeBSD 10.x and 11.x. We will not drop it on >> these branches unless secteam explicitly ask us to do so. However, we >> *may* drop it from 12.0 *iff* we import OpenSSL 1.1.0 branch. >> >> [OpenSSL-maintainer-for-the-base hat off] >> >> Jung-uk Kim >> > > Thanks! > > May be need file PR for dns/bind910? > > # grep -3 BROK /poudriere/ports/default/dns/bind910/Makefile > .include <bsd.port.pre.mk> > > .if ( ${PORT_OPTIONS:MGOST} || ${PORT_OPTIONS:MGOST_ASN1} ) && ${SSL_DEFAULT} == base > BROKEN= OpenSSL from the base system does not support GOST, add \ > DEFAULT_VERSIONS+=ssl=openssl to your /etc/make.conf and rebuild everything \ > that needs SSL. > .endifFreeBSD 9.3 is still supported but GOST is not available there. It seems the ports maintainer didn't want to break it on 9.3 (CC added). Version check may be needed there. Jung-uk Kim -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 473 bytes Desc: OpenPGP digital signature URL: <http://lists.freebsd.org/pipermail/freebsd-security/attachments/20160711/c6d776cd/attachment.sig>
On 11.07.2016 21:41, Slawa Olhovchenkov wrote:> On Mon, Jul 11, 2016 at 02:28:45PM -0400, Jung-uk Kim wrote: > >> On 07/10/16 10:10 AM, Andrey Chernov wrote: >>> On 10.07.2016 16:30, Slawa Olhovchenkov wrote: >>>> I am surprised lack of support GOST in openssl-base. >>>> Can be this enabled before 11.0 released? >>> >>> AFAIK openssl maintainers says something like they can't support this >>> code and it will become rotten shortly with new changes, so they drop it. >> >> [OpenSSL-maintainer-for-the-base hat on] >> >> GOST is supported on FreeBSD 10.x and 11.x. We will not drop it on >> these branches unless secteam explicitly ask us to do so. However, we >> *may* drop it from 12.0 *iff* we import OpenSSL 1.1.0 branch. >> >> [OpenSSL-maintainer-for-the-base hat off] >> >> Jung-uk Kim >> > > Thanks! > > May be need file PR for dns/bind910? > > # grep -3 BROK /poudriere/ports/default/dns/bind910/Makefile > .include <bsd.port.pre.mk> > > .if ( ${PORT_OPTIONS:MGOST} || ${PORT_OPTIONS:MGOST_ASN1} ) && ${SSL_DEFAULT} == base > BROKEN= OpenSSL from the base system does not support GOST, add \ > DEFAULT_VERSIONS+=ssl=openssl to your /etc/make.conf and rebuild everything \ > that needs SSL. > .endif >I dislike idea to use GOST in the bind, it is unneeded there, DNSSEC don't use GOST, so I vote for removing GOST option from there.