info
Google Groups no longer supports new Usenet posts or subscriptions. Historical content remains viewable.
Dismiss
GOST in OPENSSL_BASE
1 view
Skip to first unread message
Slawa Olhovchenkov
Jul 10, 2016, 11:34:15 AM7/10/16
to
I am surprised lack of support GOST in openssl-base.
Can be this enabled before 11.0 released?
Subject: svn commit: r412619 - in head/dns: bind9-devel bind910 bind99
Author: mat
Date: Wed Apr 6 13:53:09 2016
New Revision: 412619
URL: https://svnweb.freebsd.org/changeset/ports/412619
Log:
Stop bringing in OpenSSL from ports, it builds fine with the base one on
9, and WITH_OPENSSL_PORT does not belong in a port's Makefile anyway.
Not bumping PORTREVISION because:
- if you are building with poudriere, it will detect that a dependency
has changed and rebuild it.
- if you are building from ports, you will have OpenSSL from ports
installed, and it will choose to use it.
Sponsored by: Absolight
+.include <bsd.port.pre.mk>
+
+.if ( ${PORT_OPTIONS:MGOST} || ${PORT_OPTIONS:MGOST_ASN1} ) && defined(WITH_OPENSSL_BASE)
+BROKEN= OpenSSL from the base system does not support GOST, add \
+ WITH_OPENSSL_PORT=yes to your /etc/make.conf and rebuild everything \
+ that needs SSL.
+.endif
+
_______________________________________________
freebsd-...@freebsd.org mailing list
https://lists.freebsd.org/mailman/listinfo/freebsd-security
To unsubscribe, send any mail to "freebsd-securi...@freebsd.org"
Can be this enabled before 11.0 released?
Subject: svn commit: r412619 - in head/dns: bind9-devel bind910 bind99
Author: mat
Date: Wed Apr 6 13:53:09 2016
New Revision: 412619
URL: https://svnweb.freebsd.org/changeset/ports/412619
Log:
Stop bringing in OpenSSL from ports, it builds fine with the base one on
9, and WITH_OPENSSL_PORT does not belong in a port's Makefile anyway.
Not bumping PORTREVISION because:
- if you are building with poudriere, it will detect that a dependency
has changed and rebuild it.
- if you are building from ports, you will have OpenSSL from ports
installed, and it will choose to use it.
Sponsored by: Absolight
+.include <bsd.port.pre.mk>
+
+.if ( ${PORT_OPTIONS:MGOST} || ${PORT_OPTIONS:MGOST_ASN1} ) && defined(WITH_OPENSSL_BASE)
+BROKEN= OpenSSL from the base system does not support GOST, add \
+ WITH_OPENSSL_PORT=yes to your /etc/make.conf and rebuild everything \
+ that needs SSL.
+.endif
+
_______________________________________________
freebsd-...@freebsd.org mailing list
https://lists.freebsd.org/mailman/listinfo/freebsd-security
To unsubscribe, send any mail to "freebsd-securi...@freebsd.org"
Andrey Chernov
Jul 10, 2016, 11:34:16 AM7/10/16
to
On 10.07.2016 16:30, Slawa Olhovchenkov wrote:
> I am surprised lack of support GOST in openssl-base.
> Can be this enabled before 11.0 released?
AFAIK openssl maintainers says something like they can't support this
> I am surprised lack of support GOST in openssl-base.
> Can be this enabled before 11.0 released?
code and it will become rotten shortly with new changes, so they drop it.
Slawa Olhovchenkov
Jul 10, 2016, 11:34:19 AM7/10/16
to
On Sun, Jul 10, 2016 at 05:10:04PM +0300, Andrey Chernov wrote:
> On 10.07.2016 16:30, Slawa Olhovchenkov wrote:
> > I am surprised lack of support GOST in openssl-base.
> > Can be this enabled before 11.0 released?
>
> AFAIK openssl maintainers says something like they can't support this
> code and it will become rotten shortly with new changes, so they drop it.
>
Upstream or FreeBSD maintainers?
> On 10.07.2016 16:30, Slawa Olhovchenkov wrote:
> > I am surprised lack of support GOST in openssl-base.
> > Can be this enabled before 11.0 released?
>
> AFAIK openssl maintainers says something like they can't support this
> code and it will become rotten shortly with new changes, so they drop it.
>
Andrey Chernov
Jul 10, 2016, 11:34:19 AM7/10/16
to
On 10.07.2016 18:12, Andrey Chernov wrote:
>
I.e. upstream.
> On 10.07.2016 18:01, Slawa Olhovchenkov wrote:
>> On Sun, Jul 10, 2016 at 05:10:04PM +0300, Andrey Chernov wrote:
>>
>>> On 10.07.2016 16:30, Slawa Olhovchenkov wrote:
>>>> I am surprised lack of support GOST in openssl-base.
>>>> Can be this enabled before 11.0 released?
>>>
>>> AFAIK openssl maintainers says something like they can't support this
>>> code and it will become rotten shortly with new changes, so they drop it.
>>>
>>
>> Upstream or FreeBSD maintainers?
>>
>
> Openssl maintainers.
>> On Sun, Jul 10, 2016 at 05:10:04PM +0300, Andrey Chernov wrote:
>>
>>> On 10.07.2016 16:30, Slawa Olhovchenkov wrote:
>>>> I am surprised lack of support GOST in openssl-base.
>>>> Can be this enabled before 11.0 released?
>>>
>>> AFAIK openssl maintainers says something like they can't support this
>>> code and it will become rotten shortly with new changes, so they drop it.
>>>
>>
>> Upstream or FreeBSD maintainers?
>>
>
>
I.e. upstream.
Andrey Chernov
Jul 10, 2016, 11:34:19 AM7/10/16
to
On 10.07.2016 18:13, Andrey Chernov wrote:
> On 10.07.2016 18:12, Andrey Chernov wrote:
>> On 10.07.2016 18:01, Slawa Olhovchenkov wrote:
>>> On Sun, Jul 10, 2016 at 05:10:04PM +0300, Andrey Chernov wrote:
>>>
>>>> On 10.07.2016 16:30, Slawa Olhovchenkov wrote:
>>>>> I am surprised lack of support GOST in openssl-base.
>>>>> Can be this enabled before 11.0 released?
>>>>
>>>> AFAIK openssl maintainers says something like they can't support this
>>>> code and it will become rotten shortly with new changes, so they drop it.
>>>>
>>>
>>> Upstream or FreeBSD maintainers?
>>>
>>
>> Openssl maintainers.
>>
> I.e. upstream.
>
They mean built-in one, dropped from openssl 1.1.0 and above. It is
> On 10.07.2016 18:12, Andrey Chernov wrote:
>> On 10.07.2016 18:01, Slawa Olhovchenkov wrote:
>>> On Sun, Jul 10, 2016 at 05:10:04PM +0300, Andrey Chernov wrote:
>>>
>>>> On 10.07.2016 16:30, Slawa Olhovchenkov wrote:
>>>>> I am surprised lack of support GOST in openssl-base.
>>>>> Can be this enabled before 11.0 released?
>>>>
>>>> AFAIK openssl maintainers says something like they can't support this
>>>> code and it will become rotten shortly with new changes, so they drop it.
>>>>
>>>
>>> Upstream or FreeBSD maintainers?
>>>
>>
>> Openssl maintainers.
>>
> I.e. upstream.
>
still available as 3rd party at:
https://github.com/gost-engine/engine
Andrey Chernov
Jul 10, 2016, 11:34:19 AM7/10/16
to
On 10.07.2016 18:01, Slawa Olhovchenkov wrote:
> On Sun, Jul 10, 2016 at 05:10:04PM +0300, Andrey Chernov wrote:
>
>> On 10.07.2016 16:30, Slawa Olhovchenkov wrote:
>>> I am surprised lack of support GOST in openssl-base.
>>> Can be this enabled before 11.0 released?
>>
>> AFAIK openssl maintainers says something like they can't support this
>> code and it will become rotten shortly with new changes, so they drop it.
>>
>
> Upstream or FreeBSD maintainers?
>
Openssl maintainers.
> On Sun, Jul 10, 2016 at 05:10:04PM +0300, Andrey Chernov wrote:
>
>> On 10.07.2016 16:30, Slawa Olhovchenkov wrote:
>>> I am surprised lack of support GOST in openssl-base.
>>> Can be this enabled before 11.0 released?
>>
>> AFAIK openssl maintainers says something like they can't support this
>> code and it will become rotten shortly with new changes, so they drop it.
>>
>
> Upstream or FreeBSD maintainers?
>
Openssl maintainers.
Andrey Chernov
Jul 10, 2016, 11:37:30 AM7/10/16
to
On 10.07.2016 18:28, Andrey Chernov wrote:
> On 10.07.2016 18:13, Andrey Chernov wrote:
*) The GOST engine was out of date and therefore it has been removed. An
up to date GOST engine is now being maintained in an external
repository. See: https://wiki.openssl.org/index.php/Binaries. Libssl
still retains support for GOST ciphersuites (these are only activated if
a GOST engine is present).
[Matt Caswell]
> On 10.07.2016 18:13, Andrey Chernov wrote:
>> On 10.07.2016 18:12, Andrey Chernov wrote:
>>> On 10.07.2016 18:01, Slawa Olhovchenkov wrote:
>>>> On Sun, Jul 10, 2016 at 05:10:04PM +0300, Andrey Chernov wrote:
>>>>
>>>>> On 10.07.2016 16:30, Slawa Olhovchenkov wrote:
>>>>>> I am surprised lack of support GOST in openssl-base.
>>>>>> Can be this enabled before 11.0 released?
>>>>>
>>>>> AFAIK openssl maintainers says something like they can't support this
>>>>> code and it will become rotten shortly with new changes, so they drop it.
>>>>>
>>>>
>>>> Upstream or FreeBSD maintainers?
>>>>
>>>
>>> Openssl maintainers.
>>>
>>> On 10.07.2016 18:01, Slawa Olhovchenkov wrote:
>>>> On Sun, Jul 10, 2016 at 05:10:04PM +0300, Andrey Chernov wrote:
>>>>
>>>>> On 10.07.2016 16:30, Slawa Olhovchenkov wrote:
>>>>>> I am surprised lack of support GOST in openssl-base.
>>>>>> Can be this enabled before 11.0 released?
>>>>>
>>>>> AFAIK openssl maintainers says something like they can't support this
>>>>> code and it will become rotten shortly with new changes, so they drop it.
>>>>>
>>>>
>>>> Upstream or FreeBSD maintainers?
>>>>
>>>
>>> Openssl maintainers.
>>>
>> I.e. upstream.
>>
> They mean built-in one, dropped from openssl 1.1.0 and above. It is
> still available as 3rd party at:
> https://github.com/gost-engine/engine
>
From their Changelog:
>>
> They mean built-in one, dropped from openssl 1.1.0 and above. It is
> still available as 3rd party at:
> https://github.com/gost-engine/engine
>
*) The GOST engine was out of date and therefore it has been removed. An
up to date GOST engine is now being maintained in an external
repository. See: https://wiki.openssl.org/index.php/Binaries. Libssl
still retains support for GOST ciphersuites (these are only activated if
a GOST engine is present).
[Matt Caswell]
Slawa Olhovchenkov
Jul 11, 2016, 6:29:20 AM7/11/16
to
On Sun, Jul 10, 2016 at 06:28:04PM +0300, Andrey Chernov wrote:
> On 10.07.2016 18:13, Andrey Chernov wrote:
> > On 10.07.2016 18:12, Andrey Chernov wrote:
> >> On 10.07.2016 18:01, Slawa Olhovchenkov wrote:
> >>> On Sun, Jul 10, 2016 at 05:10:04PM +0300, Andrey Chernov wrote:
> >>>
> >>>> On 10.07.2016 16:30, Slawa Olhovchenkov wrote:
> >>>>> I am surprised lack of support GOST in openssl-base.
> >>>>> Can be this enabled before 11.0 released?
> >>>>
> >>>> AFAIK openssl maintainers says something like they can't support this
> >>>> code and it will become rotten shortly with new changes, so they drop it.
> >>>>
> >>>
> >>> Upstream or FreeBSD maintainers?
> >>>
> >>
> >> Openssl maintainers.
> >>
> > I.e. upstream.
> >
> They mean built-in one, dropped from openssl 1.1.0 and above. It is
> still available as 3rd party at:
> https://github.com/gost-engine/engine
I.e. GOST will be available in openssl.
> On 10.07.2016 18:13, Andrey Chernov wrote:
> > On 10.07.2016 18:12, Andrey Chernov wrote:
> >> On 10.07.2016 18:01, Slawa Olhovchenkov wrote:
> >>> On Sun, Jul 10, 2016 at 05:10:04PM +0300, Andrey Chernov wrote:
> >>>
> >>>> On 10.07.2016 16:30, Slawa Olhovchenkov wrote:
> >>>>> I am surprised lack of support GOST in openssl-base.
> >>>>> Can be this enabled before 11.0 released?
> >>>>
> >>>> AFAIK openssl maintainers says something like they can't support this
> >>>> code and it will become rotten shortly with new changes, so they drop it.
> >>>>
> >>>
> >>> Upstream or FreeBSD maintainers?
> >>>
> >>
> >> Openssl maintainers.
> >>
> > I.e. upstream.
> >
> They mean built-in one, dropped from openssl 1.1.0 and above. It is
> still available as 3rd party at:
> https://github.com/gost-engine/engine
Under BSD-like license.
Can be this engine import in base system and enabled at time 1.1.0?
And can be GOST enabled now?
Slawa Olhovchenkov
Jul 11, 2016, 12:29:32 PM7/11/16
to
On Mon, Jul 11, 2016 at 11:04:33AM -0500, Mark Felder wrote:
>
>
> On Mon, Jul 11, 2016, at 05:29, Slawa Olhovchenkov wrote:
> >
> > I.e. GOST will be available in openssl.
> > Under BSD-like license.
> > Can be this engine import in base system and enabled at time 1.1.0?
> > And can be GOST enabled now?
> >
>
> I think the wrong question is being asked here. Instead we need to focus
> on decoupling openssl from base so this can all be handled by ports.
This is wrong direction with current policy.
ports: unsupported by FreeBSD core and securite team, no guaranted to comaptible
between options and applications.
base: supported by FreeBSD core and securite team, covered by CI,
checked for forward and backward API and ABI compatibility.
>
>
> On Mon, Jul 11, 2016, at 05:29, Slawa Olhovchenkov wrote:
> >
> > I.e. GOST will be available in openssl.
> > Under BSD-like license.
> > Can be this engine import in base system and enabled at time 1.1.0?
> > And can be GOST enabled now?
> >
>
> on decoupling openssl from base so this can all be handled by ports.
This is wrong direction with current policy.
ports: unsupported by FreeBSD core and securite team, no guaranted to comaptible
between options and applications.
base: supported by FreeBSD core and securite team, covered by CI,
checked for forward and backward API and ABI compatibility.
Mark Felder
Jul 11, 2016, 12:36:23 PM7/11/16
to
On Mon, Jul 11, 2016, at 05:29, Slawa Olhovchenkov wrote:
>
> I.e. GOST will be available in openssl.
> Under BSD-like license.
> Can be this engine import in base system and enabled at time 1.1.0?
> And can be GOST enabled now?
>
I think the wrong question is being asked here. Instead we need to focus
on decoupling openssl from base so this can all be handled by ports.
Mark Felder
fe...@feld.me
Kurt Jaeger
Jul 11, 2016, 12:46:19 PM7/11/16
to
Hi!
> > I.e. GOST will be available in openssl.
> > Under BSD-like license.
> > Can be this engine import in base system and enabled at time 1.1.0?
> > And can be GOST enabled now?
> I think the wrong question is being asked here. Instead we need to focus
> on decoupling openssl from base so this can all be handled by ports.
As far as I know, GOST is a standardized crypto algo in .ru, it's
suggested (required?) by the government in .ru. So, if FreeBSD does
not want to alienate the .ru userbase, GOST probably should be in base.
I'm not sure how difficult that would be.
--
p...@opsec.eu +49 171 3101372 4 years to go !
> > I.e. GOST will be available in openssl.
> > Under BSD-like license.
> > Can be this engine import in base system and enabled at time 1.1.0?
> > And can be GOST enabled now?
> I think the wrong question is being asked here. Instead we need to focus
> on decoupling openssl from base so this can all be handled by ports.
suggested (required?) by the government in .ru. So, if FreeBSD does
not want to alienate the .ru userbase, GOST probably should be in base.
I'm not sure how difficult that would be.
--
p...@opsec.eu +49 171 3101372 4 years to go !
Andrey Chernov
Jul 11, 2016, 12:49:19 PM7/11/16
to
On 11.07.2016 19:29, Slawa Olhovchenkov wrote:
> On Mon, Jul 11, 2016 at 11:04:33AM -0500, Mark Felder wrote:
>
>>
>>
> On Mon, Jul 11, 2016 at 11:04:33AM -0500, Mark Felder wrote:
>
>>
>>
>> On Mon, Jul 11, 2016, at 05:29, Slawa Olhovchenkov wrote:
>>>
>>>
>>> I.e. GOST will be available in openssl.
>>> Under BSD-like license.
>>> Can be this engine import in base system and enabled at time 1.1.0?
>>> And can be GOST enabled now?
>>>
>>
>> I think the wrong question is being asked here. Instead we need to focus
>> on decoupling openssl from base so this can all be handled by ports.
>
>>> Under BSD-like license.
>>> Can be this engine import in base system and enabled at time 1.1.0?
>>> And can be GOST enabled now?
>>>
>>
>> I think the wrong question is being asked here. Instead we need to focus
>> on decoupling openssl from base so this can all be handled by ports.
>
> This is wrong direction with current policy.
> ports: unsupported by FreeBSD core and securite team, no guaranted to comaptible
> between options and applications.
>
> base: supported by FreeBSD core and securite team, covered by CI,
> checked for forward and backward API and ABI compatibility.
>
Ports are supported by secteam, and recently I notice "headsup" mail
> ports: unsupported by FreeBSD core and securite team, no guaranted to comaptible
> between options and applications.
>
> base: supported by FreeBSD core and securite team, covered by CI,
> checked for forward and backward API and ABI compatibility.
>
with intention to make base openssl private and switch all ports to
security/openssl port.
Adding of GOST as 3rd party plugin is technically possible in both
(base, ports) cases, the rest of decision is up to FreeBSD openssl
maintainers and possible contributors efforts.
I need to specially point to "patches" section of the 3rd party GOST
plugin, from just viewing I don't understand, are those additional
openssl patches should be applied to openssl for GOST, or they are just
reflect existent changes in the openssl.
Andrei
Jul 11, 2016, 1:03:29 PM7/11/16
to
On Mon, 11 Jul 2016 18:39:34 +0200
Kurt Jaeger <li...@opsec.eu> wrote:
> As far as I know, GOST is a standardized crypto algo in .ru, it's
> suggested (required?) by the government in .ru. So, if FreeBSD does
> not want to alienate the .ru userbase, GOST probably should be in
> base.
>
> I'm not sure how difficult that would be.
Care about russian terrorists government? About Putin? No, thanks!
Kurt Jaeger <li...@opsec.eu> wrote:
> As far as I know, GOST is a standardized crypto algo in .ru, it's
> suggested (required?) by the government in .ru. So, if FreeBSD does
> not want to alienate the .ru userbase, GOST probably should be in
> base.
>
> I'm not sure how difficult that would be.
Andrey Chernov
Jul 11, 2016, 1:10:09 PM7/11/16
to
On 11.07.2016 19:54, Andrei wrote:
> On Mon, 11 Jul 2016 18:39:34 +0200
> Kurt Jaeger <li...@opsec.eu> wrote:
>
>> As far as I know, GOST is a standardized crypto algo in .ru, it's
>> suggested (required?) by the government in .ru. So, if FreeBSD does
>> not want to alienate the .ru userbase, GOST probably should be in
>> base.
>>
>> I'm not sure how difficult that would be.
> Care about russian terrorists government? About Putin? No, thanks!
Unfortunately, it affects normal people and organizations here,
> On Mon, 11 Jul 2016 18:39:34 +0200
> Kurt Jaeger <li...@opsec.eu> wrote:
>
>> As far as I know, GOST is a standardized crypto algo in .ru, it's
>> suggested (required?) by the government in .ru. So, if FreeBSD does
>> not want to alienate the .ru userbase, GOST probably should be in
>> base.
>>
>> I'm not sure how difficult that would be.
> Care about russian terrorists government? About Putin? No, thanks!
including internet providers f.e. and not affects Putin or government in
any way. Documents workflow require digital signatures by GOST.
Sergej Schmidt
Jul 11, 2016, 1:35:11 PM7/11/16
to
On 07/11/2016 07:09 PM, Andrey Chernov wrote:
> On 11.07.2016 19:54, Andrei wrote:
>> On Mon, 11 Jul 2016 18:39:34 +0200
>> Kurt Jaeger <li...@opsec.eu> wrote:
>>
>>> As far as I know, GOST is a standardized crypto algo in .ru, it's
>>> suggested (required?) by the government in .ru. So, if FreeBSD does
>>> not want to alienate the .ru userbase, GOST probably should be in
>>> base.
>>>
>>> I'm not sure how difficult that would be.
>> Care about russian terrorists government? About Putin? No, thanks!
Wtf is this? This is an international community and this list is read
> On 11.07.2016 19:54, Andrei wrote:
>> On Mon, 11 Jul 2016 18:39:34 +0200
>> Kurt Jaeger <li...@opsec.eu> wrote:
>>
>>> As far as I know, GOST is a standardized crypto algo in .ru, it's
>>> suggested (required?) by the government in .ru. So, if FreeBSD does
>>> not want to alienate the .ru userbase, GOST probably should be in
>>> base.
>>>
>>> I'm not sure how difficult that would be.
>> Care about russian terrorists government? About Putin? No, thanks!
across the world. There's no place for your political beliefs.
Especially when expressed in such manner. Please keep it to yourself.
Andrei
Jul 11, 2016, 2:08:51 PM7/11/16
to
On Mon, 11 Jul 2016 20:09:35 +0300
Andrey Chernov <ac...@freebsd.org> wrote:
Andrey Chernov <ac...@freebsd.org> wrote:
> >> As far as I know, GOST is a standardized crypto algo in .ru, it's
> >> suggested (required?) by the government in .ru. So, if FreeBSD does
> >> not want to alienate the .ru userbase, GOST probably should be in
> >> base.
> >>
> >> I'm not sure how difficult that would be.
> > Care about russian terrorists government? About Putin? No, thanks!
>
> Unfortunately, it affects normal people and organizations here,
> including internet providers f.e. and not affects Putin or government
> in any way. Documents workflow require digital signatures by GOST.
From 20 Jule of this year "organizers of information distribution on the Internet"
in Russia must have ability to decrypt all traffic by "Yarovaya law".
"There's another important amendment aimed at “organizers of information
distribution on the Internet”: if an online service—a messenger app, a social
network, an email client, or even just a website—encrypts its data, its
owners will be required to help the Federal Security Service decipher any
message sent by its users. The fine for refusing to cooperate can be as high
as a million rubles (more than $15,000)."
https://meduza.io/en/feature/2016/06/24/russia-s-state-duma-just-approved-some-of-the-most-repressive-laws-in-post-soviet-history
http://www.ibtimes.com/russian-anti-terrorism-law-signed-amid-business-human-rights-outcry-how-big-brother-2389849
Maybe russian GOST made with options to decrypt.. Nice backdoor from FSB? ;)
> Wtf is this? This is an international community and this list is read
> across the world. There's no place for your political beliefs.
> Especially when expressed in such manner. Please keep it to yourself.
I will write what I want. I'm live in democratic country, not in Russia.
Jung-uk Kim
Jul 11, 2016, 2:29:20 PM7/11/16
to
On 07/10/16 10:10 AM, Andrey Chernov wrote:
> On 10.07.2016 16:30, Slawa Olhovchenkov wrote:
>> I am surprised lack of support GOST in openssl-base.
>> Can be this enabled before 11.0 released?
>
> AFAIK openssl maintainers says something like they can't support this
> code and it will become rotten shortly with new changes, so they drop it.
[OpenSSL-maintainer-for-the-base hat on]
> On 10.07.2016 16:30, Slawa Olhovchenkov wrote:
>> I am surprised lack of support GOST in openssl-base.
>> Can be this enabled before 11.0 released?
>
> AFAIK openssl maintainers says something like they can't support this
> code and it will become rotten shortly with new changes, so they drop it.
GOST is supported on FreeBSD 10.x and 11.x. We will not drop it on
these branches unless secteam explicitly ask us to do so. However, we
*may* drop it from 12.0 *iff* we import OpenSSL 1.1.0 branch.
[OpenSSL-maintainer-for-the-base hat off]
Jung-uk Kim
Slawa Olhovchenkov
Jul 11, 2016, 2:41:40 PM7/11/16
to
May be need file PR for dns/bind910?
# grep -3 BROK /poudriere/ports/default/dns/bind910/Makefile
.include <bsd.port.pre.mk>
.if ( ${PORT_OPTIONS:MGOST} || ${PORT_OPTIONS:MGOST_ASN1} ) && ${SSL_DEFAULT} == base
BROKEN= OpenSSL from the base system does not support GOST, add \
DEFAULT_VERSIONS+=ssl=openssl to your /etc/make.conf and rebuild everything \
that needs SSL.
.endif
Jung-uk Kim
Jul 11, 2016, 3:01:13 PM7/11/16
to
On 07/11/16 02:41 PM, Slawa Olhovchenkov wrote:
> On Mon, Jul 11, 2016 at 02:28:45PM -0400, Jung-uk Kim wrote:
>
>> On 07/10/16 10:10 AM, Andrey Chernov wrote:
>>> On 10.07.2016 16:30, Slawa Olhovchenkov wrote:
>>>> I am surprised lack of support GOST in openssl-base.
>>>> Can be this enabled before 11.0 released?
>>>
>>> AFAIK openssl maintainers says something like they can't support this
>>> code and it will become rotten shortly with new changes, so they drop it.
>>
>> [OpenSSL-maintainer-for-the-base hat on]
>>
>> GOST is supported on FreeBSD 10.x and 11.x. We will not drop it on
>> these branches unless secteam explicitly ask us to do so. However, we
>> *may* drop it from 12.0 *iff* we import OpenSSL 1.1.0 branch.
>>
>> [OpenSSL-maintainer-for-the-base hat off]
>>
>> Jung-uk Kim
>>
>
> Thanks!
>
> May be need file PR for dns/bind910?
>
> # grep -3 BROK /poudriere/ports/default/dns/bind910/Makefile
> .include <bsd.port.pre.mk>
>
> .if ( ${PORT_OPTIONS:MGOST} || ${PORT_OPTIONS:MGOST_ASN1} ) && ${SSL_DEFAULT} == base
> BROKEN= OpenSSL from the base system does not support GOST, add \
> DEFAULT_VERSIONS+=ssl=openssl to your /etc/make.conf and rebuild everything \
> that needs SSL.
> .endif
FreeBSD 9.3 is still supported but GOST is not available there. It
> On Mon, Jul 11, 2016 at 02:28:45PM -0400, Jung-uk Kim wrote:
>
>> On 07/10/16 10:10 AM, Andrey Chernov wrote:
>>> On 10.07.2016 16:30, Slawa Olhovchenkov wrote:
>>>> I am surprised lack of support GOST in openssl-base.
>>>> Can be this enabled before 11.0 released?
>>>
>>> AFAIK openssl maintainers says something like they can't support this
>>> code and it will become rotten shortly with new changes, so they drop it.
>>
>> [OpenSSL-maintainer-for-the-base hat on]
>>
>> GOST is supported on FreeBSD 10.x and 11.x. We will not drop it on
>> these branches unless secteam explicitly ask us to do so. However, we
>> *may* drop it from 12.0 *iff* we import OpenSSL 1.1.0 branch.
>>
>> [OpenSSL-maintainer-for-the-base hat off]
>>
>> Jung-uk Kim
>>
>
> Thanks!
>
> May be need file PR for dns/bind910?
>
> # grep -3 BROK /poudriere/ports/default/dns/bind910/Makefile
> .include <bsd.port.pre.mk>
>
> .if ( ${PORT_OPTIONS:MGOST} || ${PORT_OPTIONS:MGOST_ASN1} ) && ${SSL_DEFAULT} == base
> BROKEN= OpenSSL from the base system does not support GOST, add \
> DEFAULT_VERSIONS+=ssl=openssl to your /etc/make.conf and rebuild everything \
> that needs SSL.
> .endif
seems the ports maintainer didn't want to break it on 9.3 (CC added).
Version check may be needed there.
Jung-uk Kim
Slawa Olhovchenkov
Jul 11, 2016, 3:56:14 PM7/11/16
to
> seems the ports maintainer didn't want to break it on 9.3 (CC added).
> Version check may be needed there.
> Jung-uk Kim
Slawa Olhovchenkov
Jul 11, 2016, 4:14:22 PM7/11/16
to
On Mon, Jul 11, 2016 at 07:48:44PM +0300, Andrey Chernov wrote:
> On 11.07.2016 19:29, Slawa Olhovchenkov wrote:
> > On Mon, Jul 11, 2016 at 11:04:33AM -0500, Mark Felder wrote:
> >
> >>
> >>
> >> On Mon, Jul 11, 2016, at 05:29, Slawa Olhovchenkov wrote:
> >>>
> >>> I.e. GOST will be available in openssl.
> >>> Under BSD-like license.
> >>> Can be this engine import in base system and enabled at time 1.1.0?
> >>> And can be GOST enabled now?
> >>>
> >>
> >> I think the wrong question is being asked here. Instead we need to focus
> >> on decoupling openssl from base so this can all be handled by ports.
> >
> > This is wrong direction with current policy.
> > ports: unsupported by FreeBSD core and securite team, no guaranted to comaptible
> > between options and applications.
> >
> > base: supported by FreeBSD core and securite team, covered by CI,
> > checked for forward and backward API and ABI compatibility.
> >
>
> Ports are supported by secteam, and recently I notice "headsup" mail
> with intention to make base openssl private and switch all ports to
> security/openssl port.
I mean `support` is commit reviewing, auditing and etc.
> On 11.07.2016 19:29, Slawa Olhovchenkov wrote:
> > On Mon, Jul 11, 2016 at 11:04:33AM -0500, Mark Felder wrote:
> >
> >>
> >>
> >> On Mon, Jul 11, 2016, at 05:29, Slawa Olhovchenkov wrote:
> >>>
> >>> I.e. GOST will be available in openssl.
> >>> Under BSD-like license.
> >>> Can be this engine import in base system and enabled at time 1.1.0?
> >>> And can be GOST enabled now?
> >>>
> >>
> >> I think the wrong question is being asked here. Instead we need to focus
> >> on decoupling openssl from base so this can all be handled by ports.
> >
> > This is wrong direction with current policy.
> > ports: unsupported by FreeBSD core and securite team, no guaranted to comaptible
> > between options and applications.
> >
> > base: supported by FreeBSD core and securite team, covered by CI,
> > checked for forward and backward API and ABI compatibility.
> >
>
> Ports are supported by secteam, and recently I notice "headsup" mail
> with intention to make base openssl private and switch all ports to
> security/openssl port.
Secteam do it for ports?
> Adding of GOST as 3rd party plugin is technically possible in both
> (base, ports) cases, the rest of decision is up to FreeBSD openssl
> maintainers and possible contributors efforts.
>
> I need to specially point to "patches" section of the 3rd party GOST
> plugin, from just viewing I don't understand, are those additional
> openssl patches should be applied to openssl for GOST, or they are just
> reflect existent changes in the openssl.
>
Andrey Chernov
Jul 11, 2016, 6:01:55 PM7/11/16
to
On 11.07.2016 23:13, Slawa Olhovchenkov wrote:
> On Mon, Jul 11, 2016 at 07:48:44PM +0300, Andrey Chernov wrote:
>
>> On 11.07.2016 19:29, Slawa Olhovchenkov wrote:
>>> On Mon, Jul 11, 2016 at 11:04:33AM -0500, Mark Felder wrote:
>>>
>>>>
>>>>
>>>> On Mon, Jul 11, 2016, at 05:29, Slawa Olhovchenkov wrote:
>>>>>
>>>>> I.e. GOST will be available in openssl.
>>>>> Under BSD-like license.
>>>>> Can be this engine import in base system and enabled at time 1.1.0?
>>>>> And can be GOST enabled now?
>>>>>
>>>>
>>>> I think the wrong question is being asked here. Instead we need to focus
>>>> on decoupling openssl from base so this can all be handled by ports.
>>>
>>> This is wrong direction with current policy.
>>> ports: unsupported by FreeBSD core and securite team, no guaranted to comaptible
>>> between options and applications.
>>>
>>> base: supported by FreeBSD core and securite team, covered by CI,
>>> checked for forward and backward API and ABI compatibility.
>>>
>>
>> Ports are supported by secteam, and recently I notice "headsup" mail
>> with intention to make base openssl private and switch all ports to
>> security/openssl port.
>
> I mean `support` is commit reviewing, auditing and etc.
> Secteam do it for ports?
At least CVEs are tracked. You better ask about whole list of ports
> On Mon, Jul 11, 2016 at 07:48:44PM +0300, Andrey Chernov wrote:
>
>> On 11.07.2016 19:29, Slawa Olhovchenkov wrote:
>>> On Mon, Jul 11, 2016 at 11:04:33AM -0500, Mark Felder wrote:
>>>
>>>>
>>>>
>>>> On Mon, Jul 11, 2016, at 05:29, Slawa Olhovchenkov wrote:
>>>>>
>>>>> I.e. GOST will be available in openssl.
>>>>> Under BSD-like license.
>>>>> Can be this engine import in base system and enabled at time 1.1.0?
>>>>> And can be GOST enabled now?
>>>>>
>>>>
>>>> I think the wrong question is being asked here. Instead we need to focus
>>>> on decoupling openssl from base so this can all be handled by ports.
>>>
>>> This is wrong direction with current policy.
>>> ports: unsupported by FreeBSD core and securite team, no guaranted to comaptible
>>> between options and applications.
>>>
>>> base: supported by FreeBSD core and securite team, covered by CI,
>>> checked for forward and backward API and ABI compatibility.
>>>
>>
>> Ports are supported by secteam, and recently I notice "headsup" mail
>> with intention to make base openssl private and switch all ports to
>> security/openssl port.
>
> I mean `support` is commit reviewing, auditing and etc.
> Secteam do it for ports?
secteam duties secteam themselves.
Andrey Chernov
Jul 11, 2016, 6:36:09 PM7/11/16
to
On 11.07.2016 21:07, Andrei wrote:
> On Mon, 11 Jul 2016 20:09:35 +0300
> Andrey Chernov <ac...@freebsd.org> wrote:
>> Unfortunately, it affects normal people and organizations here,
>> including internet providers f.e. and not affects Putin or government
>> in any way. Documents workflow require digital signatures by GOST.
> On Mon, 11 Jul 2016 20:09:35 +0300
> Andrey Chernov <ac...@freebsd.org> wrote:
>> Unfortunately, it affects normal people and organizations here,
>> including internet providers f.e. and not affects Putin or government
>> in any way. Documents workflow require digital signatures by GOST.
> Maybe russian GOST made with options to decrypt.. Nice backdoor from FSB? ;)
Official documents workflow use GOST signatures for authenticity and
consistency verification, so there is no harm to have FSB backdoor in
the algo, unless some hacker will find it. Just don't use GOST for
something else to stay on safe side.
BTW, latest GOST based on elliptic curves, so from math point of view
probability of having backdoor here is minimal.
See
https://ru.wikipedia.org/wiki/%D0%93%D0%9E%D0%A1%D0%A2_%D0%A0_34.10-2012
You can consider GOST goals are the same as FIPS ones with the reason to
have things "domestically produced".
Andrey Chernov
Jul 11, 2016, 6:45:30 PM7/11/16
to
On 11.07.2016 21:41, Slawa Olhovchenkov wrote:
> On Mon, Jul 11, 2016 at 02:28:45PM -0400, Jung-uk Kim wrote:
>
>> On 07/10/16 10:10 AM, Andrey Chernov wrote:
>>> On 10.07.2016 16:30, Slawa Olhovchenkov wrote:
>>>> I am surprised lack of support GOST in openssl-base.
>>>> Can be this enabled before 11.0 released?
>>>
>>> AFAIK openssl maintainers says something like they can't support this
>>> code and it will become rotten shortly with new changes, so they drop it.
>>
>> [OpenSSL-maintainer-for-the-base hat on]
>>
>> GOST is supported on FreeBSD 10.x and 11.x. We will not drop it on
>> these branches unless secteam explicitly ask us to do so. However, we
>> *may* drop it from 12.0 *iff* we import OpenSSL 1.1.0 branch.
>>
>> [OpenSSL-maintainer-for-the-base hat off]
>>
>> Jung-uk Kim
>>
>
> Thanks!
>
> May be need file PR for dns/bind910?
>
> # grep -3 BROK /poudriere/ports/default/dns/bind910/Makefile
> .include <bsd.port.pre.mk>
>
> .if ( ${PORT_OPTIONS:MGOST} || ${PORT_OPTIONS:MGOST_ASN1} ) && ${SSL_DEFAULT} == base
> BROKEN= OpenSSL from the base system does not support GOST, add \
> DEFAULT_VERSIONS+=ssl=openssl to your /etc/make.conf and rebuild everything \
> that needs SSL.
> .endif
>
I dislike idea to use GOST in the bind, it is unneeded there, DNSSEC
> On Mon, Jul 11, 2016 at 02:28:45PM -0400, Jung-uk Kim wrote:
>
>> On 07/10/16 10:10 AM, Andrey Chernov wrote:
>>> On 10.07.2016 16:30, Slawa Olhovchenkov wrote:
>>>> I am surprised lack of support GOST in openssl-base.
>>>> Can be this enabled before 11.0 released?
>>>
>>> AFAIK openssl maintainers says something like they can't support this
>>> code and it will become rotten shortly with new changes, so they drop it.
>>
>> [OpenSSL-maintainer-for-the-base hat on]
>>
>> GOST is supported on FreeBSD 10.x and 11.x. We will not drop it on
>> these branches unless secteam explicitly ask us to do so. However, we
>> *may* drop it from 12.0 *iff* we import OpenSSL 1.1.0 branch.
>>
>> [OpenSSL-maintainer-for-the-base hat off]
>>
>> Jung-uk Kim
>>
>
> Thanks!
>
> May be need file PR for dns/bind910?
>
> # grep -3 BROK /poudriere/ports/default/dns/bind910/Makefile
> .include <bsd.port.pre.mk>
>
> .if ( ${PORT_OPTIONS:MGOST} || ${PORT_OPTIONS:MGOST_ASN1} ) && ${SSL_DEFAULT} == base
> BROKEN= OpenSSL from the base system does not support GOST, add \
> DEFAULT_VERSIONS+=ssl=openssl to your /etc/make.conf and rebuild everything \
> that needs SSL.
> .endif
>
don't use GOST, so I vote for removing GOST option from there.
Andrey Chernov
Jul 11, 2016, 6:52:31 PM7/11/16
to
https://tools.ietf.org/html/rfc5933
but nobody really use it.
Sergej Schmidt
Jul 12, 2016, 4:19:22 AM7/12/16
to
On 07/11/2016 08:07 PM, Andrei wrote:
> On Mon, 11 Jul 2016 20:09:35 +0300
> Andrey Chernov <ac...@freebsd.org> wrote:
>
> On Mon, 11 Jul 2016 20:09:35 +0300
> Andrey Chernov <ac...@freebsd.org> wrote:
>
>>>> As far as I know, GOST is a standardized crypto algo in .ru, it's
>>>> suggested (required?) by the government in .ru. So, if FreeBSD does
>>>> not want to alienate the .ru userbase, GOST probably should be in
>>>> base.
>>>>
>>>> I'm not sure how difficult that would be.
>>> Care about russian terrorists government? About Putin? No, thanks!
>>>> suggested (required?) by the government in .ru. So, if FreeBSD does
>>>> not want to alienate the .ru userbase, GOST probably should be in
>>>> base.
>>>>
>>>> I'm not sure how difficult that would be.
>>> Care about russian terrorists government? About Putin? No, thanks!
>> Unfortunately, it affects normal people and organizations here,
>> including internet providers f.e. and not affects Putin or government
>> in any way. Documents workflow require digital signatures by GOST.
>> including internet providers f.e. and not affects Putin or government
>> in any way. Documents workflow require digital signatures by GOST.
> From 20 Jule of this year "organizers of information distribution on the Internet"
> in Russia must have ability to decrypt all traffic by "Yarovaya law".
>
> "There's another important amendment aimed at “organizers of information
> distribution on the Internet”: if an online service—a messenger app, a social
> network, an email client, or even just a website—encrypts its data, its
> owners will be required to help the Federal Security Service decipher any
> message sent by its users. The fine for refusing to cooperate can be as high
> as a million rubles (more than $15,000)."
> https://meduza.io/en/feature/2016/06/24/russia-s-state-duma-just-approved-some-of-the-most-repressive-laws-in-post-soviet-history
> http://www.ibtimes.com/russian-anti-terrorism-law-signed-amid-business-human-rights-outcry-how-big-brother-2389849
>
> in Russia must have ability to decrypt all traffic by "Yarovaya law".
>
> "There's another important amendment aimed at “organizers of information
> distribution on the Internet”: if an online service—a messenger app, a social
> network, an email client, or even just a website—encrypts its data, its
> owners will be required to help the Federal Security Service decipher any
> message sent by its users. The fine for refusing to cooperate can be as high
> as a million rubles (more than $15,000)."
> https://meduza.io/en/feature/2016/06/24/russia-s-state-duma-just-approved-some-of-the-most-repressive-laws-in-post-soviet-history
> http://www.ibtimes.com/russian-anti-terrorism-law-signed-amid-business-human-rights-outcry-how-big-brother-2389849
>
> Maybe russian GOST made with options to decrypt.. Nice backdoor from FSB? ;)
Many of constrains in that text excerpt apply also not only to Russia
but US, the country I live in and many other European countries too. If
you only look for stuff you want to find you wont see the rest. You
maybe should look up which cooperation your country's
citizens/businesses have to do when forced by law enforcement.
Btw, I am at least roughly aware of Russia's advances in law enforcement.
>
>
>> Wtf is this? This is an international community and this list is read
>> across the world. There's no place for your political beliefs.
>> Especially when expressed in such manner. Please keep it to yourself.
> I will write what I want. I'm live in democratic country, not in Russia.
This is not about freedom of speech in a democracy. Screaming your weird
>
>> Wtf is this? This is an international community and this list is read
>> across the world. There's no place for your political beliefs.
>> Especially when expressed in such manner. Please keep it to yourself.
> I will write what I want. I'm live in democratic country, not in Russia.
opinion in an insulting way is not a unique characteristic to a
democracy, it's one for a Trump rally. This is simply the wrong place
for it, especially considering the tone. It's the
"Freebsd-Security"-list. That was my whole point. However I am happy to
see I am the only one taking this serious and others having a productive
conversation. I see you are a person not to reason with so I will do
others here a favor and stop discussing this.
Andrey Chernov
Jul 12, 2016, 5:16:36 AM7/12/16
to
On 12.07.2016 8:48, Kevin Oberman wrote:
> >> May be need file PR for dns/bind910?
> >>
> >> # grep -3 BROK /poudriere/ports/default/dns/bind910/Makefile
> >> .include <bsd.port.pre.mk <http://bsd.port.pre.mk>>
> >> May be need file PR for dns/bind910?
> >>
> >> # grep -3 BROK /poudriere/ports/default/dns/bind910/Makefile
> >>
> >> .if ( ${PORT_OPTIONS:MGOST} || ${PORT_OPTIONS:MGOST_ASN1} ) &&
> ${SSL_DEFAULT} == base
> >> BROKEN= OpenSSL from the base system does not support GOST, add \
> >> DEFAULT_VERSIONS+=ssl=openssl to your /etc/make.conf and
> rebuild everything \
> >> that needs SSL.
> >> .endif
> >>
> >
> > I dislike idea to use GOST in the bind, it is unneeded there, DNSSEC
> > don't use GOST, so I vote for removing GOST option from there.
> >
>
> I need to note that RFC exists, proposing GOST (old version) for DNSSEC:
> https://tools.ietf.org/html/rfc5933
> but nobody really use it.
>
> In case people are not aware of it, Russian law now requires ALL
> >> .if ( ${PORT_OPTIONS:MGOST} || ${PORT_OPTIONS:MGOST_ASN1} ) &&
> ${SSL_DEFAULT} == base
> >> BROKEN= OpenSSL from the base system does not support GOST, add \
> >> DEFAULT_VERSIONS+=ssl=openssl to your /etc/make.conf and
> rebuild everything \
> >> that needs SSL.
> >> .endif
> >>
> >
> > I dislike idea to use GOST in the bind, it is unneeded there, DNSSEC
> > don't use GOST, so I vote for removing GOST option from there.
> >
>
> I need to note that RFC exists, proposing GOST (old version) for DNSSEC:
> https://tools.ietf.org/html/rfc5933
> but nobody really use it.
>
> encrypted traffic must either be accessible by the FSB or that the
> private keys must be available to the FSB.
It is not quite so. All traffic must be available for 6 months and they
express intention to ask big companies for their private keys, but later
is not required by the law (not yet...)
> I have always assumed that
> GOST has a hidden vulnerability/backdoor that the FSB is already using,
I already answer this question elsewhere in this thread with the reference.
> but this makes it mandatory. Putin gave the FSB 2 weeks to implement the
> law, which is clearly impossible, but I suspect that there will be a
> huge effort to pick all low-hanging fruit. As a result, I suspect no one
> outside of Russia will touch GOST. (Not that they do now, either.) I'd
> hate to see its support required for any protocol except in Russia as
> someone will be silly enough to use it.
I already explain required GOST usage pattern in this thread.
Andrey Chernov
Jul 12, 2016, 5:43:50 AM7/12/16
to
what I wrote:
Official documents workflow here require using GOST signatures for
authenticity and consistency verification, they are needed or, in some
cases, required for both people and companies. Since it is official in
any case, there is no harm to have FSB backdoor in the algo, unless some
hacker will find it. Just don't use GOST for something else to stay on
safe side.
BTW, latest GOST based on elliptic curves, so from math point of view
probability of having backdoor here is minimal. I don't examine its
safe side.
BTW, latest GOST based on elliptic curves, so from math point of view
implementation.
See
https://ru.wikipedia.org/wiki/%D0%93%D0%9E%D0%A1%D0%A2_%D0%A0_34.10-2012
You can consider GOST goals are the same as FIPS ones with the reason to
have things "domestically produced".
https://ru.wikipedia.org/wiki/%D0%93%D0%9E%D0%A1%D0%A2_%D0%A0_34.10-2012
You can consider GOST goals are the same as FIPS ones with the reason to
have things "domestically produced".
Kevin Oberman
Jul 12, 2016, 7:45:26 AM7/12/16
to
On Mon, Jul 11, 2016 at 3:51 PM, Andrey Chernov <ac...@freebsd.org> wrote:
> On 12.07.2016 1:44, Andrey Chernov wrote:
> > On 11.07.2016 21:41, Slawa Olhovchenkov wrote:
> >> On Mon, Jul 11, 2016 at 02:28:45PM -0400, Jung-uk Kim wrote:
> >>
> >>> On 07/10/16 10:10 AM, Andrey Chernov wrote:
> >>>> On 10.07.2016 16:30, Slawa Olhovchenkov wrote:
> >>>>> I am surprised lack of support GOST in openssl-base.
> >>>>> Can be this enabled before 11.0 released?
> >>>>
> >>>> AFAIK openssl maintainers says something like they can't support this
> >>>> code and it will become rotten shortly with new changes, so they drop
> it.
> >>>
> >>> [OpenSSL-maintainer-for-the-base hat on]
> >>>
> >>> GOST is supported on FreeBSD 10.x and 11.x. We will not drop it on
> >>> these branches unless secteam explicitly ask us to do so. However, we
> >>> *may* drop it from 12.0 *iff* we import OpenSSL 1.1.0 branch.
> >>>
> >>> [OpenSSL-maintainer-for-the-base hat off]
> >>>
> >>> Jung-uk Kim
> >>>
> >>
> >> Thanks!
> >>
> On 12.07.2016 1:44, Andrey Chernov wrote:
> > On 11.07.2016 21:41, Slawa Olhovchenkov wrote:
> >> On Mon, Jul 11, 2016 at 02:28:45PM -0400, Jung-uk Kim wrote:
> >>
> >>> On 07/10/16 10:10 AM, Andrey Chernov wrote:
> >>>> On 10.07.2016 16:30, Slawa Olhovchenkov wrote:
> >>>>> I am surprised lack of support GOST in openssl-base.
> >>>>> Can be this enabled before 11.0 released?
> >>>>
> >>>> AFAIK openssl maintainers says something like they can't support this
> >>>> code and it will become rotten shortly with new changes, so they drop
> it.
> >>>
> >>> [OpenSSL-maintainer-for-the-base hat on]
> >>>
> >>> GOST is supported on FreeBSD 10.x and 11.x. We will not drop it on
> >>> these branches unless secteam explicitly ask us to do so. However, we
> >>> *may* drop it from 12.0 *iff* we import OpenSSL 1.1.0 branch.
> >>>
> >>> [OpenSSL-maintainer-for-the-base hat off]
> >>>
> >>> Jung-uk Kim
> >>>
> >>
> >> Thanks!
> >>
> >> May be need file PR for dns/bind910?
> >>
> >> # grep -3 BROK /poudriere/ports/default/dns/bind910/Makefile
> >> .include <bsd.port.pre.mk>
> >>
> >>
> >> # grep -3 BROK /poudriere/ports/default/dns/bind910/Makefile
> >> .include <bsd.port.pre.mk>
> >>
> >> .if ( ${PORT_OPTIONS:MGOST} || ${PORT_OPTIONS:MGOST_ASN1} ) &&
> ${SSL_DEFAULT} == base
> >> BROKEN= OpenSSL from the base system does not support GOST, add \
> >> DEFAULT_VERSIONS+=ssl=openssl to your /etc/make.conf and
> rebuild everything \
> >> that needs SSL.
> >> .endif
> >>
> >
> > I dislike idea to use GOST in the bind, it is unneeded there, DNSSEC
> > don't use GOST, so I vote for removing GOST option from there.
> >
>
> I need to note that RFC exists, proposing GOST (old version) for DNSSEC:
> https://tools.ietf.org/html/rfc5933
> but nobody really use it.
In case people are not aware of it, Russian law now requires ALL encrypted
traffic must either be accessible by the FSB or that the private keys must
be available to the FSB. I have always assumed that GOST has a hidden
> ${SSL_DEFAULT} == base
> >> BROKEN= OpenSSL from the base system does not support GOST, add \
> >> DEFAULT_VERSIONS+=ssl=openssl to your /etc/make.conf and
> rebuild everything \
> >> that needs SSL.
> >> .endif
> >>
> >
> > I dislike idea to use GOST in the bind, it is unneeded there, DNSSEC
> > don't use GOST, so I vote for removing GOST option from there.
> >
>
> I need to note that RFC exists, proposing GOST (old version) for DNSSEC:
> https://tools.ietf.org/html/rfc5933
> but nobody really use it.
In case people are not aware of it, Russian law now requires ALL encrypted
traffic must either be accessible by the FSB or that the private keys must
vulnerability/backdoor that the FSB is already using, but this makes it
mandatory. Putin gave the FSB 2 weeks to implement the law, which is
clearly impossible, but I suspect that there will be a huge effort to pick
all low-hanging fruit. As a result, I suspect no one outside of Russia will
touch GOST. (Not that they do now, either.) I'd hate to see its support
required for any protocol except in Russia as someone will be silly enough
to use it.
(It's not possible because it requires the 6 month storage of all Internet
clearly impossible, but I suspect that there will be a huge effort to pick
all low-hanging fruit. As a result, I suspect no one outside of Russia will
touch GOST. (Not that they do now, either.) I'd hate to see its support
required for any protocol except in Russia as someone will be silly enough
to use it.
data and voice communications which will require the immediate installation
of massive amounts of storage, not to mention the floor space, cooling, and
power to support those disks.)
--
Kevin Oberman, Part time kid herder and retired Network Engineer
E-mail: rkob...@gmail.com
PGP Fingerprint: D03FB98AFA78E3B78C1694B318AB39EF1B055683
Andrei
Jul 12, 2016, 9:26:10 AM7/12/16
to
for supporting russian GOST because "degradable" european "nazi/fags/arabs/jews"
geeks don't want to have backdoor from Russia?
Oh man.. keep away your FSB talk tricks away from FreeBSD and from the
internet. We clearly understand that guys like you can work for FSB and
live in USA or Europe. German police know about russian propagandist
"Sergej Schmidt"?
Everybody must be aware that is very suspicious that the russian GOST
encryption is very aggressively trying to push anywhere on the background
of traffic decrypt law in Russia.
Marc van Houtum
Jul 12, 2016, 10:35:42 AM7/12/16
to
On 12-7-2016 15:25, Andrei wrote:
>> This is not about freedom of speech in a democracy. Screaming your
>> weird opinion in an insulting way is not a unique characteristic to a
>> democracy, it's one for a Trump rally. This is simply the wrong place
>> for it, especially considering the tone. It's the
>> "Freebsd-Security"-list. That was my whole point. However I am happy
>> to see I am the only one taking this serious and others having a
>> productive conversation. I see you are a person not to reason with so
>> I will do others here a favor and stop discussing this.
> If not, then what? You will ask Putler to move russian army to my country
> for supporting russian GOST because "degradable" european "nazi/fags/arabs/jews"
> geeks don't want to have backdoor from Russia?
>
> Oh man.. keep away your FSB talk tricks away from FreeBSD and from the
> internet. We clearly understand that guys like you can work for FSB and
> live in USA or Europe. German police know about russian propagandist
> "Sergej Schmidt"?
>
> Everybody must be aware that is very suspicious that the russian GOST
> encryption is very aggressively trying to push anywhere on the background
> of traffic decrypt law in Russia.
> _______________________________________________
Please refrain from going off-topic too much. There are many places on
>> This is not about freedom of speech in a democracy. Screaming your
>> weird opinion in an insulting way is not a unique characteristic to a
>> democracy, it's one for a Trump rally. This is simply the wrong place
>> for it, especially considering the tone. It's the
>> "Freebsd-Security"-list. That was my whole point. However I am happy
>> to see I am the only one taking this serious and others having a
>> productive conversation. I see you are a person not to reason with so
>> I will do others here a favor and stop discussing this.
> If not, then what? You will ask Putler to move russian army to my country
> for supporting russian GOST because "degradable" european "nazi/fags/arabs/jews"
> geeks don't want to have backdoor from Russia?
>
> Oh man.. keep away your FSB talk tricks away from FreeBSD and from the
> internet. We clearly understand that guys like you can work for FSB and
> live in USA or Europe. German police know about russian propagandist
> "Sergej Schmidt"?
>
> Everybody must be aware that is very suspicious that the russian GOST
> encryption is very aggressively trying to push anywhere on the background
> of traffic decrypt law in Russia.
> _______________________________________________
the internet where you can have discussions about politics, but the
freebsd-security mailinglist is not one of them.
- M
Mathieu Arnold
Jul 18, 2016, 8:12:45 AM7/18/16
to
Hi,
+--On 11 juillet 2016 22:56:00 +0300 Slawa Olhovchenkov <s...@zxy.spb.ru>
wrote:
ports with openssl from base, and half with openssl from ports, you are
going to have dragons attacks, and core dumps. Also, if you are using
openssl from ports, you cannot use GSSAPI from base, for the same reasons.
--
Mathieu Arnold
+--On 11 juillet 2016 22:56:00 +0300 Slawa Olhovchenkov <s...@zxy.spb.ru>
wrote:
| On Mon, Jul 11, 2016 at 03:00:39PM -0400, Jung-uk Kim wrote:
|> > .if ( ${PORT_OPTIONS:MGOST} || ${PORT_OPTIONS:MGOST_ASN1} ) &&
|> > ${SSL_DEFAULT} == base BROKEN= OpenSSL from the base system does not
|> > support GOST, add \ DEFAULT_VERSIONS+=ssl=openssl to your
|> > /etc/make.conf and rebuild everything \ that needs SSL.
|> > .endif
|>
|> > ${SSL_DEFAULT} == base BROKEN= OpenSSL from the base system does not
|> > support GOST, add \ DEFAULT_VERSIONS+=ssl=openssl to your
|> > /etc/make.conf and rebuild everything \ that needs SSL.
|> > .endif
|>
|> FreeBSD 9.3 is still supported but GOST is not available there. It
|
| Thanks for clarifications.
|
|> seems the ports maintainer didn't want to break it on 9.3 (CC added).
|> Version check may be needed there.
|
| Thanks!
The idea is that you can't have mixed openssl usage. If you link half your
|
| Thanks for clarifications.
|
|> seems the ports maintainer didn't want to break it on 9.3 (CC added).
|> Version check may be needed there.
|
| Thanks!
ports with openssl from base, and half with openssl from ports, you are
going to have dragons attacks, and core dumps. Also, if you are using
openssl from ports, you cannot use GSSAPI from base, for the same reasons.
--
Mathieu Arnold
0 new messages