Hi,

+--On 11 July 2016 22:56:00 +0300 Slawa Olhovchenkov <slw at zxy.spb.ru> wrote:
| On Mon, Jul 11, 2016 at 03:00:39PM -0400, Jung-uk Kim wrote:
|> > .if ( ${PORT_OPTIONS:MGOST} || ${PORT_OPTIONS:MGOST_ASN1} ) && ${SSL_DEFAULT} == base
|> > BROKEN= OpenSSL from the base system does not support GOST, add \
|> > DEFAULT_VERSIONS+=ssl=openssl to your /etc/make.conf and rebuild everything \
|> > that needs SSL.
|> > .endif
|>
|> FreeBSD 9.3 is still supported but GOST is not available there. It
|
| Thanks for the clarifications.
|
|> seems the ports maintainer didn't want to break it on 9.3 (CC added).
|> Version check may be needed there.
|
| Thanks!

The idea is that you can't have mixed openssl usage. If you link half your
ports with openssl from base, and half with openssl from ports, you are
going to have dragon attacks, and core dumps. Also, if you are using
openssl from ports, you cannot use GSSAPI from base, for the same reasons.

-- 
Mathieu Arnold
On 07/18/16 08:12 AM, Mathieu Arnold wrote:
> Hi,
>
> +--On 11 July 2016 22:56:00 +0300 Slawa Olhovchenkov <slw at zxy.spb.ru>
> wrote:
> | On Mon, Jul 11, 2016 at 03:00:39PM -0400, Jung-uk Kim wrote:
> |> > .if ( ${PORT_OPTIONS:MGOST} || ${PORT_OPTIONS:MGOST_ASN1} ) && ${SSL_DEFAULT} == base
> |> > BROKEN= OpenSSL from the base system does not support GOST, add \
> |> > DEFAULT_VERSIONS+=ssl=openssl to your /etc/make.conf and rebuild everything \
> |> > that needs SSL.
> |> > .endif
> |>
> |> FreeBSD 9.3 is still supported but GOST is not available there. It
> |
> | Thanks for the clarifications.
> |
> |> seems the ports maintainer didn't want to break it on 9.3 (CC added).
> |> Version check may be needed there.
> |
> | Thanks!
>
>
> The idea is that you can't have mixed openssl usage. If you link half your
> ports with openssl from base, and half with openssl from ports, you are
> going to have dragon attacks, and core dumps. Also, if you are using
> openssl from ports, you cannot use GSSAPI from base, for the same reasons.

Exactly. That's why we should *allow* using base OpenSSL for 10.x and
later because many packages are already linked against base OpenSSL by
default.

Jung-uk Kim
On Mon, Jul 18, 2016 at 12:39:46PM -0400, Jung-uk Kim wrote:
> On 07/18/16 08:12 AM, Mathieu Arnold wrote:
> > Hi,
> >
> > +--On 11 July 2016 22:56:00 +0300 Slawa Olhovchenkov <slw at zxy.spb.ru>
> > wrote:
> > | On Mon, Jul 11, 2016 at 03:00:39PM -0400, Jung-uk Kim wrote:
> > |> > .if ( ${PORT_OPTIONS:MGOST} || ${PORT_OPTIONS:MGOST_ASN1} ) && ${SSL_DEFAULT} == base
> > |> > BROKEN= OpenSSL from the base system does not support GOST, add \
> > |> > DEFAULT_VERSIONS+=ssl=openssl to your /etc/make.conf and rebuild everything \
> > |> > that needs SSL.
> > |> > .endif
> > |>
> > |> FreeBSD 9.3 is still supported but GOST is not available there. It
> > |
> > | Thanks for the clarifications.
> > |
> > |> seems the ports maintainer didn't want to break it on 9.3 (CC added).
> > |> Version check may be needed there.
> > |
> > | Thanks!
> >
> >
> > The idea is that you can't have mixed openssl usage. If you link half your
> > ports with openssl from base, and half with openssl from ports, you are
> > going to have dragon attacks, and core dumps. Also, if you are using
> > openssl from ports, you cannot use GSSAPI from base, for the same reasons.
>
> Exactly. That's why we should *allow* using base OpenSSL for 10.x and
> later because many packages are already linked against base OpenSSL by
> default.

Ports still refuse to GOST from base openssl.
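As an added illustration of the version check suggested in the thread (example code, not from the thread or from any actual port's Makefile), a ports Makefile fragment that only marks the port BROKEN when base OpenSSL is selected on a release older than 10.0, so that 10.x and later can keep using base OpenSSL and avoid the mixed-library crashes described above. The option names, the descriptions and the OSVERSION threshold of 1000000 (start of the 10.x line) are assumptions.

```make
# Added example, not from the thread: gate the GOST check on the OS version so
# that base OpenSSL stays usable on 10.x and later. Assumes an options-framework
# port defining GOST/GOST_ASN1 and that 10.0 (OSVERSION 1000000) is the cutoff.
OPTIONS_DEFINE=		GOST GOST_ASN1
GOST_DESC=		Enable the GOST engine (assumed description)
GOST_ASN1_DESC=		Enable GOST ASN.1 support (assumed description)

# PORT_OPTIONS, OPSYS, OSVERSION and SSL_DEFAULT are usable after this include.
.include <bsd.port.options.mk>

# Only refuse the build where base OpenSSL is known to lack GOST (9.x). On 10.x
# and later many packages are already linked against base OpenSSL, so forcing
# ports OpenSSL there would reintroduce the dual-library core dumps the thread
# warns about; the port is left to build against whichever SSL_DEFAULT selects.
.if ( ${PORT_OPTIONS:MGOST} || ${PORT_OPTIONS:MGOST_ASN1} ) && ${SSL_DEFAULT} == base
.  if ${OPSYS} == FreeBSD && ${OSVERSION} < 1000000
BROKEN=	OpenSSL from the base system on FreeBSD 9.x does not support GOST, add \
	DEFAULT_VERSIONS+=ssl=openssl to your /etc/make.conf and rebuild everything \
	that needs SSL.
.  endif
.endif

.include <bsd.port.mk>
```

Running `make -V BROKEN` in the port directory on a 9.x and on a 10.x host with the GOST option enabled shows the message only on the former.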