On 12.07.2016 1:44, Andrey Chernov wrote:
> On 11.07.2016 21:41, Slawa Olhovchenkov wrote:
>> On Mon, Jul 11, 2016 at 02:28:45PM -0400, Jung-uk Kim wrote:
>>
>>> On 07/10/16 10:10 AM, Andrey Chernov wrote:
>>>> On 10.07.2016 16:30, Slawa Olhovchenkov wrote:
>>>>> I am surprised by the lack of GOST support in openssl-base.
>>>>> Can this be enabled before 11.0 is released?
>>>>
>>>> AFAIK the openssl maintainers say something like they can't support this
>>>> code and it will become rotten shortly with new changes, so they dropped it.
>>>
>>> [OpenSSL-maintainer-for-the-base hat on]
>>>
>>> GOST is supported on FreeBSD 10.x and 11.x. We will not drop it on
>>> these branches unless secteam explicitly asks us to do so. However, we
>>> *may* drop it from 12.0 *iff* we import the OpenSSL 1.1.0 branch.
>>>
>>> [OpenSSL-maintainer-for-the-base hat off]
>>>
>>> Jung-uk Kim
>>>
>>
>> Thanks!
>>
>> Maybe we need to file a PR for dns/bind910?
>>
>> # grep -3 BROK /poudriere/ports/default/dns/bind910/Makefile
>> .include <bsd.port.pre.mk>
>>
>> .if ( ${PORT_OPTIONS:MGOST} || ${PORT_OPTIONS:MGOST_ASN1} ) && ${SSL_DEFAULT} == base
>> BROKEN=	OpenSSL from the base system does not support GOST, add \
>> 		DEFAULT_VERSIONS+=ssl=openssl to your /etc/make.conf and rebuild everything \
>> 		that needs SSL.
>> .endif
>>
>
> I dislike the idea of using GOST in bind; it is unneeded there, DNSSEC
> doesn't use GOST, so I vote for removing the GOST option from there.
>

I need to note that an RFC exists proposing GOST (old version) for DNSSEC:
https://tools.ietf.org/html/rfc5933
but nobody really uses it.
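As an added example (not from the thread or from the bind port), a small Python check an operator could run over zone data before rebuilding bind without the GOST option: it flags DNSKEY, DS and RRSIG records that use the RFC 5933 GOST code points (DNSKEY/RRSIG algorithm 12, DS digest type 3). The sample zone lines are constructed; each line is assumed to carry an explicit owner name.

```python
# Code points assigned by RFC 5933 for GOST in DNSSEC.
GOST_DNSKEY_ALGORITHM = 12   # ECC-GOST (GOST R 34.10-2001), DNSKEY/RRSIG/DS algorithm field
GOST_DS_DIGEST_TYPE = 3      # GOST R 34.11-94, DS digest type field

# Constructed sample zone data in presentation format (not a real zone).
SAMPLE_ZONE = """\
example.        3600 IN DNSKEY 257 3 12 AAAA... ; KSK signed with GOST
example.        3600 IN DNSKEY 256 3 8 BBBB...  ; ZSK, RSA/SHA-256
sub.example.    3600 IN DS 12345 12 3 0123456789abcdef
sub.example.    3600 IN DS 12345 8 2 fedcba9876543210
legacy.example. 3600 IN DS 11111 8 3 00aa11bb22cc33dd
www.example.         IN RRSIG A 12 3 3600 20160801000000 20160701000000 12345 example. CCCC...
"""

def find_gost_records(zone_text):
    """Return (owner, rrtype, reason) for every DNSKEY, DS or RRSIG that depends on GOST."""
    hits = []
    for raw in zone_text.splitlines():
        line = raw.split(";", 1)[0].strip()   # drop trailing comments
        if not line:
            continue
        fields = line.split()
        owner, rest = fields[0], fields[1:]
        # Skip the optional TTL and class so that rest[0] is the RR type.
        while rest and (rest[0].isdigit() or rest[0].upper() in ("IN", "CH", "HS")):
            rest.pop(0)
        if not rest:
            continue
        rrtype, rdata = rest[0].upper(), rest[1:]
        try:
            # DNSKEY rdata: flags protocol algorithm key
            if rrtype == "DNSKEY" and int(rdata[2]) == GOST_DNSKEY_ALGORITHM:
                hits.append((owner, rrtype, "algorithm 12 (ECC-GOST)"))
            # RRSIG rdata: type-covered algorithm labels ttl expiration inception keytag signer sig
            elif rrtype == "RRSIG" and int(rdata[1]) == GOST_DNSKEY_ALGORITHM:
                hits.append((owner, rrtype, "algorithm 12 (ECC-GOST)"))
            # DS rdata: keytag algorithm digest-type digest
            elif rrtype == "DS":
                if int(rdata[1]) == GOST_DNSKEY_ALGORITHM:
                    hits.append((owner, rrtype, "algorithm 12 (ECC-GOST)"))
                elif int(rdata[2]) == GOST_DS_DIGEST_TYPE:
                    hits.append((owner, rrtype, "digest type 3 (GOST R 34.11-94)"))
        except (IndexError, ValueError):
            continue   # malformed or truncated record: skip rather than guess
    return hits

if __name__ == "__main__":
    for owner, rrtype, reason in find_gost_records(SAMPLE_ZONE):
        print(f"{owner} {rrtype}: {reason}")
```

Any hit means a zone you serve or a delegation you validate would stop working with a GOST-less bind, so it is the check to run before dropping the option.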
On Mon, Jul 11, 2016 at 3:51 PM, Andrey Chernov <ache at freebsd.org> wrote:
> On 12.07.2016 1:44, Andrey Chernov wrote:
> > On 11.07.2016 21:41, Slawa Olhovchenkov wrote:
> >> On Mon, Jul 11, 2016 at 02:28:45PM -0400, Jung-uk Kim wrote:
> >>
> >>> On 07/10/16 10:10 AM, Andrey Chernov wrote:
> >>>> On 10.07.2016 16:30, Slawa Olhovchenkov wrote:
> >>>>> I am surprised by the lack of GOST support in openssl-base.
> >>>>> Can this be enabled before 11.0 is released?
> >>>>
> >>>> AFAIK the openssl maintainers say something like they can't support this
> >>>> code and it will become rotten shortly with new changes, so they dropped it.
> >>>
> >>> [OpenSSL-maintainer-for-the-base hat on]
> >>>
> >>> GOST is supported on FreeBSD 10.x and 11.x. We will not drop it on
> >>> these branches unless secteam explicitly asks us to do so. However, we
> >>> *may* drop it from 12.0 *iff* we import the OpenSSL 1.1.0 branch.
> >>>
> >>> [OpenSSL-maintainer-for-the-base hat off]
> >>>
> >>> Jung-uk Kim
> >>>
> >>
> >> Thanks!
> >>
> >> Maybe we need to file a PR for dns/bind910?
> >>
> >> # grep -3 BROK /poudriere/ports/default/dns/bind910/Makefile
> >> .include <bsd.port.pre.mk>
> >>
> >> .if ( ${PORT_OPTIONS:MGOST} || ${PORT_OPTIONS:MGOST_ASN1} ) && ${SSL_DEFAULT} == base
> >> BROKEN=	OpenSSL from the base system does not support GOST, add \
> >> 		DEFAULT_VERSIONS+=ssl=openssl to your /etc/make.conf and rebuild everything \
> >> 		that needs SSL.
> >> .endif
> >>
> >
> > I dislike the idea of using GOST in bind; it is unneeded there, DNSSEC
> > doesn't use GOST, so I vote for removing the GOST option from there.
> >
>
> I need to note that an RFC exists proposing GOST (old version) for DNSSEC:
> https://tools.ietf.org/html/rfc5933
> but nobody really uses it.

In case people are not aware of it, Russian law now requires that ALL
encrypted traffic either be accessible by the FSB or that the private keys
be available to the FSB.

I have always assumed that GOST has a hidden vulnerability/backdoor that
the FSB is already using, but this makes it mandatory. Putin gave the FSB
2 weeks to implement the law, which is clearly impossible, but I suspect
that there will be a huge effort to pick all low-hanging fruit. As a
result, I suspect no one outside of Russia will touch GOST. (Not that they
do now, either.) I'd hate to see its support required for any protocol
except in Russia, as someone will be silly enough to use it.

(It's not possible because it requires the 6 month storage of all Internet
data and voice communications, which will require the immediate
installation of massive amounts of storage, not to mention the floor
space, cooling, and power to support those disks.)

--
Kevin Oberman, Part time kid herder and retired Network Engineer
E-mail: rkoberman at gmail.com
PGP Fingerprint: D03FB98AFA78E3B78C1694B318AB39EF1B055683
On 12.07.2016 8:48, Kevin Oberman wrote:
> >> Maybe we need to file a PR for dns/bind910?
> >>
> >> # grep -3 BROK /poudriere/ports/default/dns/bind910/Makefile
> >> .include <bsd.port.pre.mk>
> >>
> >> .if ( ${PORT_OPTIONS:MGOST} || ${PORT_OPTIONS:MGOST_ASN1} ) && ${SSL_DEFAULT} == base
> >> BROKEN=	OpenSSL from the base system does not support GOST, add \
> >> 		DEFAULT_VERSIONS+=ssl=openssl to your /etc/make.conf and rebuild everything \
> >> 		that needs SSL.
> >> .endif
> >>
> >
> > I dislike the idea of using GOST in bind; it is unneeded there, DNSSEC
> > doesn't use GOST, so I vote for removing the GOST option from there.
> >
> > I need to note that an RFC exists proposing GOST (old version) for DNSSEC:
> > https://tools.ietf.org/html/rfc5933
> > but nobody really uses it.
>
> In case people are not aware of it, Russian law now requires that ALL
> encrypted traffic either be accessible by the FSB or that the private keys
> be available to the FSB.

It is not quite so. All traffic must be available for 6 months and they
express an intention to ask big companies for their private keys, but the
latter is not required by the law (not yet...)

> I have always assumed that GOST has a hidden vulnerability/backdoor that
> the FSB is already using,

I already answered this question elsewhere in this thread with the reference.

> but this makes it mandatory. Putin gave the FSB 2 weeks to implement the
> law, which is clearly impossible, but I suspect that there will be a
> huge effort to pick all low-hanging fruit. As a result, I suspect no one
> outside of Russia will touch GOST. (Not that they do now, either.) I'd
> hate to see its support required for any protocol except in Russia, as
> someone will be silly enough to use it.

I already explained the required GOST usage pattern in this thread.