Re: GOST in OPENSSL_BASE

2016-11-01 Thread Slawa Olhovchenkov
On Mon, Jul 18, 2016 at 12:39:46PM -0400, Jung-uk Kim wrote:

> On 07/18/16 08:12 AM, Mathieu Arnold wrote:
> > Hi,
> > 
> > +--On 11 July 2016 22:56:00 +0300 Slawa Olhovchenkov
> > wrote:
> > | On Mon, Jul 11, 2016 at 03:00:39PM -0400, Jung-uk Kim wrote:
> > |> > .if ( ${PORT_OPTIONS:MGOST} || ${PORT_OPTIONS:MGOST_ASN1} ) &&
> > |> > ${SSL_DEFAULT} == base BROKEN= OpenSSL from the base system does not
> > |> > support GOST, add \ DEFAULT_VERSIONS+=ssl=openssl to your
> > |> > /etc/make.conf and rebuild everything \ that needs SSL.
> > |> > .endif
> > |> 
> > |> FreeBSD 9.3 is still supported but GOST is not available there.  It
> > | 
> > | Thanks for clarifications.
> > | 
> > |> seems the ports maintainer didn't want to break it on 9.3 (CC added).
> > |> Version check may be needed there.
> > | 
> > | Thanks!
> > 
> > 
> > The idea is that you can't have mixed openssl usage.  If you link half your
> > ports with openssl from base, and half with openssl from ports, you are
> > going to have dragons attacks, and core dumps.  Also, if you are using
> > openssl from ports, you cannot use GSSAPI from base, for the same reasons.
> 
> Exactly.  That's why we should *allow* using base OpenSSL for 10.x and
> later because many packages are already linked against base OpenSSL by
> default.

Ports still refuse to use GOST from base openssl.
___
freebsd-current@freebsd.org mailing list
https://lists.freebsd.org/mailman/listinfo/freebsd-current
To unsubscribe, send any mail to "freebsd-current-unsubscr...@freebsd.org"


Re: GOST in OPENSSL_BASE

2016-07-18 Thread Jung-uk Kim
On 07/18/16 08:12 AM, Mathieu Arnold wrote:
> Hi,
> 
> +--On 11 July 2016 22:56:00 +0300 Slawa Olhovchenkov
> wrote:
> | On Mon, Jul 11, 2016 at 03:00:39PM -0400, Jung-uk Kim wrote:
> |> > .if ( ${PORT_OPTIONS:MGOST} || ${PORT_OPTIONS:MGOST_ASN1} ) &&
> |> > ${SSL_DEFAULT} == base BROKEN= OpenSSL from the base system does not
> |> > support GOST, add \ DEFAULT_VERSIONS+=ssl=openssl to your
> |> > /etc/make.conf and rebuild everything \ that needs SSL.
> |> > .endif
> |> 
> |> FreeBSD 9.3 is still supported but GOST is not available there.  It
> | 
> | Thanks for clarifications.
> | 
> |> seems the ports maintainer didn't want to break it on 9.3 (CC added).
> |> Version check may be needed there.
> | 
> | Thanks!
> 
> 
> The idea is that you can't have mixed openssl usage.  If you link half your
> ports with openssl from base, and half with openssl from ports, you are
> going to have dragons attacks, and core dumps.  Also, if you are using
> openssl from ports, you cannot use GSSAPI from base, for the same reasons.

Exactly.  That's why we should *allow* using base OpenSSL for 10.x and
later because many packages are already linked against base OpenSSL by
default.

Jung-uk Kim





Re: GOST in OPENSSL_BASE

2016-07-18 Thread Mathieu Arnold
Hi,

+--On 11 July 2016 22:56:00 +0300 Slawa Olhovchenkov
wrote:
| On Mon, Jul 11, 2016 at 03:00:39PM -0400, Jung-uk Kim wrote:
|> > .if ( ${PORT_OPTIONS:MGOST} || ${PORT_OPTIONS:MGOST_ASN1} ) &&
|> > ${SSL_DEFAULT} == base BROKEN= OpenSSL from the base system does not
|> > support GOST, add \ DEFAULT_VERSIONS+=ssl=openssl to your
|> > /etc/make.conf and rebuild everything \ that needs SSL.
|> > .endif
|> 
|> FreeBSD 9.3 is still supported but GOST is not available there.  It
| 
| Thanks for clarifications.
| 
|> seems the ports maintainer didn't want to break it on 9.3 (CC added).
|> Version check may be needed there.
| 
| Thanks!


The idea is that you can't have mixed openssl usage.  If you link half your
ports with openssl from base, and half with openssl from ports, you are
going to have dragons attacks, and core dumps.  Also, if you are using
openssl from ports, you cannot use GSSAPI from base, for the same reasons.

-- 
Mathieu Arnold



Re: GOST in OPENSSL_BASE

2016-07-12 Thread Kevin Oberman
On Tue, Jul 12, 2016 at 5:33 AM, Daniel Kalchev  wrote:

>
> > On 12.07.2016 г., at 13:26, Franco Fichtner 
> wrote:
> >
> >
> >> On 12 Jul 2016, at 11:59 AM, Daniel Kalchev  wrote:
> >>
> >> It is trivial to play MITM with this protocol and in fact, there are
> commercially available “solutions” for “securing one’s corporate network”
> that do exactly that. Some believe this is with the knowledge and approval
> of the corporation, but who is to say what the black box actually does and
> whose interests it serves?
> >
> > It's also trivial to ignore that pinning certificates and using client
> > certificates can actually help a great deal to prevent all of what you
> > just said.  ;)
>
> I don’t know many users who even know that they can do this —  much less
> actually using it. Pinning the browser vendor’s certificates does not
> protect you from being spied while visiting someone else’s site. This is
> also non-trivial to support.
> In the early days of DANE, Google even had a version of Chrome that
> supported DANE, just to kill it a bit later:
> https://www.ietf.org/mail-archive/web/dane/current/msg06980.html
>
> >
> > The bottom line is not having GOST support readily available could
> alienate
> > a whole lot of businesses.  Not wanting those downstream use cases will
> make
> > those shift elsewhere and the decision will be seen as an overly
> political
> > move that in no possible way reflects the motivation of community growth.
>
>
> Exactly — especially as long as there is no demonstrable proof that GOST
> is actually broken.


I may have been misunderstood, possibly because I was unclear.

I do not object to GOST being readily available as it is legally required
in some places. I do object to its being enabled by default and I do object
to standards endorsing its use, though I do not object to standards for
GOST, itself.

Making the method for enabling GOST simple and clearly documented is a
reasonable thing and, as long as its use is mandated it is really essential.

And, thanks, Andrey, for clarifying the Russian law.  I don't know the
language and have depended on others for the details. In areas of fine
points of law, this is often inadequate. (As it is when you read the
language fluently. I read and speak American English quite well, but that
does not mean that legalese is covered.)

Reality is that the law is what those charged with formal interpretation of
it say it is. In the US, that is the Supreme Court. (Not sure who it is in
Russia, but it's not me!)
--
Kevin Oberman, Part time kid herder and retired Network Engineer
E-mail: rkober...@gmail.com
PGP Fingerprint: D03FB98AFA78E3B78C1694B318AB39EF1B055683

Re: GOST in OPENSSL_BASE

2016-07-12 Thread Daniel Kalchev

> On 12.07.2016 г., at 13:26, Franco Fichtner  wrote:
> 
> 
>> On 12 Jul 2016, at 11:59 AM, Daniel Kalchev  wrote:
>> 
>> It is trivial to play MITM with this protocol and in fact, there are 
>> commercially available “solutions” for “securing one’s corporate network” 
>> that do exactly that. Some believe this is with the knowledge and approval 
>> of the corporation, but who is to say what the black box actually does and 
>> whose interests it serves?
> 
> It's also trivial to ignore that pinning certificates and using client
> certificates can actually help a great deal to prevent all of what you
> just said.  ;)

I don’t know many users who even know that they can do this —  much less 
actually using it. Pinning the browser vendor’s certificates does not protect 
you from being spied while visiting someone else’s site. This is also 
non-trivial to support.
In the early days of DANE, Google even had a version of Chrome that supported 
DANE, just to kill it a bit later: 
https://www.ietf.org/mail-archive/web/dane/current/msg06980.html

> 
> The bottom line is not having GOST support readily available could alienate
> a whole lot of businesses.  Not wanting those downstream use cases will make
> those shift elsewhere and the decision will be seen as an overly political
> move that in no possible way reflects the motivation of community growth.


Exactly — especially as long as there is no demonstrable proof that GOST is 
actually broken.

Daniel

Re: GOST in OPENSSL_BASE

2016-07-12 Thread Andrey Chernov
On 12.07.2016 12:59, Daniel Kalchev wrote:
> The standard HTTPS implementation is already sufficiently broken, with the 
> door wide open by the concept of “multiple CAs”. The protocol design is 
> flawed, as any CA can issue certificate for any site. Applications are 
> required to trust that certificates, as long as they trust the CA that issued 
> them.
> 
> It is trivial to play MITM with this protocol and in fact, there are 
> commercially available “solutions” for “securing one’s corporate network” 
> that do exactly that. Some believe this is with the knowledge and approval 
> of the corporation, but who is to say what the black box actually does and 
> whose interests it serves?
> 
> There is of course an update to the protocol, DANE, that just shuts this door 
> off. But… it faces heavy resistance, as its acceptance would mean the end of 
> the lucrative CA business and the ability to intercept “secure” HTTPS 
> communication. Those relying on the HTTPS flaws will never let it become wide 
> spread.
> 
> In summary — anyone can sniff HTTPS traffic. No need for any cipher backdoors 
> here. Nor any need for GOST to be involved.

You forget to mention that the CA must already be in the trusted root list
to allow this to happen.







Re: GOST in OPENSSL_BASE

2016-07-12 Thread Franco Fichtner

> On 12 Jul 2016, at 11:59 AM, Daniel Kalchev  wrote:
> 
> It is trivial to play MITM with this protocol and in fact, there are 
> commercially available “solutions” for “securing one’s corporate network” 
> that do exactly that. Some believe this is with the knowledge and approval 
> of the corporation, but who is to say what the black box actually does and 
> whose interests it serves?

It's also trivial to ignore that pinning certificates and using client
certificates can actually help a great deal to prevent all of what you
just said.  ;)

The bottom line is not having GOST support readily available could alienate
a whole lot of businesses.  Not wanting those downstream use cases will make
those shift elsewhere and the decision will be seen as an overly political
move that in no possible way reflects the motivation of community growth.


Cheers,
Franco


Re: GOST in OPENSSL_BASE

2016-07-12 Thread Daniel Kalchev

> On 12.07.2016 г., at 12:12, Matthew Seaman  wrote:
> 
> I'm also curious as to how far these regulations are supposed to extend.
> Presumably traffic which is merely transiting Russian territory isn't
> covered, at least in a practical sense.  How about people from Russia
> accessing foreign websites?  I can't see any of the big Internet players
> implementing GOST in any locations outside Russia any time soon.
> Neither would I as a non-Russian have GOST capabilities client-side, so
> what happens if I go and look at say a YandX website over HTTPS?  Putin
> and his advisors aren't stupid, and they'd already have considered all
> this; plus, as you say, the timetable is clearly impossible; so there
> must be something else going on here.

The standard HTTPS implementation is already sufficiently broken, with the door 
wide open by the concept of “multiple CAs”. The protocol design is flawed, as 
any CA can issue certificate for any site. Applications are required to trust 
that certificates, as long as they trust the CA that issued them.

It is trivial to play MITM with this protocol and in fact, there are 
commercially available “solutions” for “securing one’s corporate network” that 
do exactly that. Some believe this is with the knowledge and approval of the 
corporation, but who is to say what the black box actually does and whose 
interests it serves?

There is of course an update to the protocol, DANE, that just shuts this door 
off. But… it faces heavy resistance, as its acceptance would mean the end of 
the lucrative CA business and the ability to intercept “secure” HTTPS 
communication. Those relying on the HTTPS flaws will never let it become wide 
spread.

In summary — anyone can sniff HTTPS traffic. No need for any cipher backdoors 
here. Nor any need for GOST to be involved.

> 
> Of course, now there's fairly good evidence that there's some sort of
> backdoor in the GOST ciphers, all bets are off on how long it will be
> until they get broken in a very public manner.
> 

One can say the same for any other crypto. Plus, for some ciphers there is 
already evidence.. yet they are still in use.
But, a good show is always worth it. Let’s watch for those heroes. :)

Daniel




Re: GOST in OPENSSL_BASE

2016-07-12 Thread Andrey Chernov
On 12.07.2016 12:16, Andrey Chernov wrote:
> On 12.07.2016 8:48, Kevin Oberman wrote:
>> >> May be need file PR for dns/bind910?
>> >>
>> >> # grep -3 BROK /poudriere/ports/default/dns/bind910/Makefile
>> >> .include <bsd.port.pre.mk>
>> >>
>> >> .if ( ${PORT_OPTIONS:MGOST} || ${PORT_OPTIONS:MGOST_ASN1} ) &&
>> ${SSL_DEFAULT} == base
>> >> BROKEN= OpenSSL from the base system does not support GOST, add \
>> >> DEFAULT_VERSIONS+=ssl=openssl to your /etc/make.conf and
>> rebuild everything \
>> >> that needs SSL.
>> >> .endif
>> >>
>> >
>> > I dislike idea to use GOST in the bind, it is unneeded there, DNSSEC
>> > don't use GOST, so I vote for removing GOST option from there.
>> >
>>
>> I need to note that RFC exists, proposing GOST (old version) for DNSSEC:
>> https://tools.ietf.org/html/rfc5933
>> but nobody really use it.
>>
>> In case people are not aware of it, Russian law now requires ALL
>> encrypted traffic must either be accessible by the FSB or that the
>> private keys must be available to the FSB. 
> 
> It is not quite so. All traffic must be available for 6 months and they
> express intention to ask big companies for their private keys, but later
> is not required by the law (not yet...)
> 
>> I have always assumed that
>> GOST has a hidden vulnerability/backdoor that the FSB is already using,
> 
> I already answer this question elsewhere in this thread with the reference.
> 
>> but this makes it mandatory. Putin gave the FSB 2 weeks to implement the
>> law, which is clearly impossible, but I suspect that there will be a
>> huge effort to pick all low-hanging fruit. As a result, I suspect no one
>> outside of Russia will touch GOST. (Not that they do now, either.) I'd
>> hate to see its support required for any protocol except in Russia as
>> someone will be silly enough to use it.
> 
> I already explain required GOST usage pattern in this thread.
> 

Ah, I see, freebsd-current list was excluded by someone, so I repeat
what I wrote:

Official documents workflow here require using GOST signatures for
authenticity and consistency verification, they are needed or, in some
cases, required for both people and companies. Since it is official in
any case, there is no harm to have FSB backdoor in the algo, unless some
hacker will find it. Just don't use GOST for something else to stay on
safe side.

BTW, latest GOST based on elliptic curves, so from math point of view
probability of having backdoor here is minimal. I don't examine its
implementation.
See
https://ru.wikipedia.org/wiki/%D0%93%D0%9E%D0%A1%D0%A2_%D0%A0_34.10-2012
You can consider GOST goals are the same as FIPS ones with the reason to
have things "domestically produced".



Re: GOST in OPENSSL_BASE

2016-07-12 Thread Andrey Chernov
On 12.07.2016 8:48, Kevin Oberman wrote:
> >> May be need file PR for dns/bind910?
> >>
> >> # grep -3 BROK /poudriere/ports/default/dns/bind910/Makefile
> >> .include <bsd.port.pre.mk>
> >>
> >> .if ( ${PORT_OPTIONS:MGOST} || ${PORT_OPTIONS:MGOST_ASN1} ) &&
> ${SSL_DEFAULT} == base
> >> BROKEN= OpenSSL from the base system does not support GOST, add \
> >> DEFAULT_VERSIONS+=ssl=openssl to your /etc/make.conf and
> rebuild everything \
> >> that needs SSL.
> >> .endif
> >>
> >
> > I dislike idea to use GOST in the bind, it is unneeded there, DNSSEC
> > don't use GOST, so I vote for removing GOST option from there.
> >
> 
> I need to note that RFC exists, proposing GOST (old version) for DNSSEC:
> https://tools.ietf.org/html/rfc5933
> but nobody really use it.
> 
> In case people are not aware of it, Russian law now requires ALL
> encrypted traffic must either be accessible by the FSB or that the
> private keys must be available to the FSB. 

It is not quite so. All traffic must be available for 6 months and they
express intention to ask big companies for their private keys, but later
is not required by the law (not yet...)

> I have always assumed that
> GOST has a hidden vulnerability/backdoor that the FSB is already using,

I already answer this question elsewhere in this thread with the reference.

> but this makes it mandatory. Putin gave the FSB 2 weeks to implement the
> law, which is clearly impossible, but I suspect that there will be a
> huge effort to pick all low-hanging fruit. As a result, I suspect no one
> outside of Russia will touch GOST. (Not that they do now, either.) I'd
> hate to see its support required for any protocol except in Russia as
> someone will be silly enough to use it.

I already explain required GOST usage pattern in this thread.



Re: GOST in OPENSSL_BASE

2016-07-12 Thread Matthew Seaman
On 07/12/16 06:48, Kevin Oberman wrote:
> In case people are not aware of it, Russian law now requires ALL encrypted
> traffic must either be accessible by the FSB or that the private keys must
> be available to the FSB. I have always assumed that GOST has a hidden
> vulnerability/backdoor that the FSB is already using, but this makes it
> mandatory. Putin gave the FSB 2 weeks to implement the law, which is
> clearly impossible, but I suspect that there will be a huge effort to pick
> all low-hanging fruit. As a result, I suspect no one outside of Russia will
> touch GOST. (Not that they do now, either.) I'd hate to see its support
> required for any protocol except in Russia as someone will be silly enough
> to use it.

Agreed that it should be possible to use GOST crypto readily on FreeBSD,
but I dislike the idea of shipping with 'known vulnerable' ciphers
enabled by default.  It should take a positive act to enable them, given
the circumstances.  Whether that should entail installing something from
ports, or recompiling the system with specific settings in src.conf or
it could just be down to tweaking a config file somewhere I wouldn't
care to venture an opinion though.

I'm also curious as to how far these regulations are supposed to extend.
 Presumably traffic which is merely transiting Russian territory isn't
covered, at least in a practical sense.  How about people from Russia
accessing foreign websites?  I can't see any of the big Internet players
implementing GOST in any locations outside Russia any time soon.
Neither would I as a non-Russian have GOST capabilities client-side, so
what happens if I go and look at say a YandX website over HTTPS?  Putin
and his advisors aren't stupid, and they'd already have considered all
this; plus, as you say, the timetable is clearly impossible; so there
must be something else going on here.

Of course, now there's fairly good evidence that there's some sort of
backdoor in the GOST ciphers, all bets are off on how long it will be
until they get broken in a very public manner.

Cheers,

Matthew







Re: GOST in OPENSSL_BASE

2016-07-12 Thread Kevin Oberman
On Mon, Jul 11, 2016 at 3:51 PM, Andrey Chernov  wrote:

> On 12.07.2016 1:44, Andrey Chernov wrote:
> > On 11.07.2016 21:41, Slawa Olhovchenkov wrote:
> >> On Mon, Jul 11, 2016 at 02:28:45PM -0400, Jung-uk Kim wrote:
> >>
> >>> On 07/10/16 10:10 AM, Andrey Chernov wrote:
>  On 10.07.2016 16:30, Slawa Olhovchenkov wrote:
> > I am surprised lack of support GOST in openssl-base.
> > Can be this enabled before 11.0 released?
> 
>  AFAIK openssl maintainers says something like they can't support this
>  code and it will become rotten shortly with new changes, so they drop
> it.
> >>>
> >>> [OpenSSL-maintainer-for-the-base hat on]
> >>>
> >>> GOST is supported on FreeBSD 10.x and 11.x.  We will not drop it on
> >>> these branches unless secteam explicitly ask us to do so.  However, we
> >>> *may* drop it from 12.0 *iff* we import OpenSSL 1.1.0 branch.
> >>>
> >>> [OpenSSL-maintainer-for-the-base hat off]
> >>>
> >>> Jung-uk Kim
> >>>
> >>
> >> Thanks!
> >>
> >> May be need file PR for dns/bind910?
> >>
> >> # grep -3 BROK /poudriere/ports/default/dns/bind910/Makefile
> >> .include <bsd.port.pre.mk>
> >>
> >> .if ( ${PORT_OPTIONS:MGOST} || ${PORT_OPTIONS:MGOST_ASN1} ) &&
> ${SSL_DEFAULT} == base
> >> BROKEN= OpenSSL from the base system does not support GOST, add \
> >> DEFAULT_VERSIONS+=ssl=openssl to your /etc/make.conf and
> rebuild everything \
> >> that needs SSL.
> >> .endif
> >>
> >
> > I dislike idea to use GOST in the bind, it is unneeded there, DNSSEC
> > don't use GOST, so I vote for removing GOST option from there.
> >
>
> I need to note that RFC exists, proposing GOST (old version) for DNSSEC:
> https://tools.ietf.org/html/rfc5933
> but nobody really use it.


In case people are not aware of it, Russian law now requires ALL encrypted
traffic must either be accessible by the FSB or that the private keys must
be available to the FSB. I have always assumed that GOST has a hidden
vulnerability/backdoor that the FSB is already using, but this makes it
mandatory. Putin gave the FSB 2 weeks to implement the law, which is
clearly impossible, but I suspect that there will be a huge effort to pick
all low-hanging fruit. As a result, I suspect no one outside of Russia will
touch GOST. (Not that they do now, either.) I'd hate to see its support
required for any protocol except in Russia as someone will be silly enough
to use it.

(It's not possible because it requires the 6 month storage of all Internet
data and voice communications which will require the immediate installation
of massive amounts of storage, not to mention the floor space, cooling, and
power to support those disks.)
--
Kevin Oberman, Part time kid herder and retired Network Engineer
E-mail: rkober...@gmail.com
PGP Fingerprint: D03FB98AFA78E3B78C1694B318AB39EF1B055683


Re: GOST in OPENSSL_BASE

2016-07-11 Thread Andrey Chernov
On 12.07.2016 1:44, Andrey Chernov wrote:
> On 11.07.2016 21:41, Slawa Olhovchenkov wrote:
>> On Mon, Jul 11, 2016 at 02:28:45PM -0400, Jung-uk Kim wrote:
>>
>>> On 07/10/16 10:10 AM, Andrey Chernov wrote:
 On 10.07.2016 16:30, Slawa Olhovchenkov wrote:
> I am surprised lack of support GOST in openssl-base.
> Can be this enabled before 11.0 released?

 AFAIK openssl maintainers says something like they can't support this
 code and it will become rotten shortly with new changes, so they drop it.
>>>
>>> [OpenSSL-maintainer-for-the-base hat on]
>>>
>>> GOST is supported on FreeBSD 10.x and 11.x.  We will not drop it on
>>> these branches unless secteam explicitly ask us to do so.  However, we
>>> *may* drop it from 12.0 *iff* we import OpenSSL 1.1.0 branch.
>>>
>>> [OpenSSL-maintainer-for-the-base hat off]
>>>
>>> Jung-uk Kim
>>>
>>
>> Thanks!
>>
>> May be need file PR for dns/bind910?
>>
>> # grep -3 BROK /poudriere/ports/default/dns/bind910/Makefile
>> .include <bsd.port.pre.mk>
>>
>> .if ( ${PORT_OPTIONS:MGOST} || ${PORT_OPTIONS:MGOST_ASN1} ) && 
>> ${SSL_DEFAULT} == base
>> BROKEN= OpenSSL from the base system does not support GOST, add \
>> DEFAULT_VERSIONS+=ssl=openssl to your /etc/make.conf and rebuild 
>> everything \
>> that needs SSL.
>> .endif
>>
> 
> I dislike idea to use GOST in the bind, it is unneeded there, DNSSEC
> don't use GOST, so I vote for removing GOST option from there.
> 

I need to note that RFC exists, proposing GOST (old version) for DNSSEC:
https://tools.ietf.org/html/rfc5933
but nobody really use it.



Re: GOST in OPENSSL_BASE

2016-07-11 Thread Andrey Chernov
On 11.07.2016 21:41, Slawa Olhovchenkov wrote:
> On Mon, Jul 11, 2016 at 02:28:45PM -0400, Jung-uk Kim wrote:
> 
>> On 07/10/16 10:10 AM, Andrey Chernov wrote:
>>> On 10.07.2016 16:30, Slawa Olhovchenkov wrote:
 I am surprised lack of support GOST in openssl-base.
 Can be this enabled before 11.0 released?
>>>
>>> AFAIK openssl maintainers says something like they can't support this
>>> code and it will become rotten shortly with new changes, so they drop it.
>>
>> [OpenSSL-maintainer-for-the-base hat on]
>>
>> GOST is supported on FreeBSD 10.x and 11.x.  We will not drop it on
>> these branches unless secteam explicitly ask us to do so.  However, we
>> *may* drop it from 12.0 *iff* we import OpenSSL 1.1.0 branch.
>>
>> [OpenSSL-maintainer-for-the-base hat off]
>>
>> Jung-uk Kim
>>
> 
> Thanks!
> 
> May be need file PR for dns/bind910?
> 
> # grep -3 BROK /poudriere/ports/default/dns/bind910/Makefile
> .include <bsd.port.pre.mk>
> 
> .if ( ${PORT_OPTIONS:MGOST} || ${PORT_OPTIONS:MGOST_ASN1} ) && ${SSL_DEFAULT} 
> == base
> BROKEN= OpenSSL from the base system does not support GOST, add \
> DEFAULT_VERSIONS+=ssl=openssl to your /etc/make.conf and rebuild 
> everything \
> that needs SSL.
> .endif
> 

I dislike idea to use GOST in the bind, it is unneeded there, DNSSEC
don't use GOST, so I vote for removing GOST option from there.



Re: GOST in OPENSSL_BASE

2016-07-11 Thread Andrey Chernov
On 11.07.2016 23:13, Slawa Olhovchenkov wrote:
> On Mon, Jul 11, 2016 at 07:48:44PM +0300, Andrey Chernov wrote:
> 
>> On 11.07.2016 19:29, Slawa Olhovchenkov wrote:
>>> On Mon, Jul 11, 2016 at 11:04:33AM -0500, Mark Felder wrote:
>>>


 On Mon, Jul 11, 2016, at 05:29, Slawa Olhovchenkov wrote:
>
> I.e. GOST will be available in openssl.
> Under BSD-like license.
> Can be this engine import in base system and enabled at time 1.1.0?
> And can be GOST enabled now?
>

 I think the wrong question is being asked here. Instead we need to focus
 on decoupling openssl from base so this can all be handled by ports.
>>>
>>> This is wrong direction with current policy.
>>> ports: unsupported by FreeBSD core and security team, no guarantee of
>>> compatibility
>>> between options and applications.
>>>
>>> base: supported by FreeBSD core and security team, covered by CI,
>>> checked for forward and backward API and ABI compatibility.
>>>
>>
>> Ports are supported by secteam, and recently I notice "headsup" mail
>> with intention to make base openssl private and switch all ports to
>> security/openssl port.
> 
> I mean `support` is commit reviewing, auditing and etc.
> Secteam do it for ports?

At least CVEs are tracked. You better ask about whole list of ports
secteam duties secteam themselves.

> 
>> Adding of GOST as 3rd party plugin is technically possible in both
>> (base, ports) cases, the rest of decision is up to FreeBSD openssl
>> maintainers and possible contributors efforts.
>>
>> I need to specially point to "patches" section of the 3rd party GOST
>> plugin, from just viewing I don't understand, are those additional
>> openssl patches should be applied to openssl for GOST, or they are just
>> reflect existent changes in the openssl.
>>
>> ___
>> freebsd-secur...@freebsd.org mailing list
>> https://lists.freebsd.org/mailman/listinfo/freebsd-security
>> To unsubscribe, send any mail to "freebsd-security-unsubscr...@freebsd.org"
> 



Re: GOST in OPENSSL_BASE

2016-07-11 Thread Slawa Olhovchenkov
On Mon, Jul 11, 2016 at 07:48:44PM +0300, Andrey Chernov wrote:

> On 11.07.2016 19:29, Slawa Olhovchenkov wrote:
> > On Mon, Jul 11, 2016 at 11:04:33AM -0500, Mark Felder wrote:
> > 
> >>
> >>
> >> On Mon, Jul 11, 2016, at 05:29, Slawa Olhovchenkov wrote:
> >>>
> >>> I.e. GOST will be available in openssl.
> >>> Under BSD-like license.
> >>> Can be this engine import in base system and enabled at time 1.1.0?
> >>> And can be GOST enabled now?
> >>>
> >>
> >> I think the wrong question is being asked here. Instead we need to focus
> >> on decoupling openssl from base so this can all be handled by ports.
> > 
> > This is wrong direction with current policy.
> > ports: unsupported by FreeBSD core and security team, no guarantee of
> > compatibility
> > between options and applications.
> > 
> > base: supported by FreeBSD core and security team, covered by CI,
> > checked for forward and backward API and ABI compatibility.
> > 
> 
> Ports are supported by secteam, and recently I notice "headsup" mail
> with intention to make base openssl private and switch all ports to
> security/openssl port.

I mean `support` is commit reviewing, auditing and etc.
Secteam do it for ports?

> Adding of GOST as 3rd party plugin is technically possible in both
> (base, ports) cases, the rest of decision is up to FreeBSD openssl
> maintainers and possible contributors efforts.
> 
> I need to specially point to "patches" section of the 3rd party GOST
> plugin, from just viewing I don't understand, are those additional
> openssl patches should be applied to openssl for GOST, or they are just
> reflect existent changes in the openssl.
> 


Re: GOST in OPENSSL_BASE

2016-07-11 Thread Slawa Olhovchenkov
On Mon, Jul 11, 2016 at 03:00:39PM -0400, Jung-uk Kim wrote:

> On 07/11/16 02:41 PM, Slawa Olhovchenkov wrote:
> > On Mon, Jul 11, 2016 at 02:28:45PM -0400, Jung-uk Kim wrote:
> > 
> >> On 07/10/16 10:10 AM, Andrey Chernov wrote:
> >>> On 10.07.2016 16:30, Slawa Olhovchenkov wrote:
> >>>> I am surprised by the lack of GOST support in openssl-base.
> >>>> Can this be enabled before 11.0 is released?
> >>>
> >>> AFAIK openssl maintainers say something like they can't support this
> >>> code and it will become rotten shortly with new changes, so they dropped it.
> >>
> >> [OpenSSL-maintainer-for-the-base hat on]
> >>
> >> GOST is supported on FreeBSD 10.x and 11.x.  We will not drop it on
> >> these branches unless secteam explicitly asks us to do so.  However, we
> >> *may* drop it from 12.0 *iff* we import the OpenSSL 1.1.0 branch.
> >>
> >> [OpenSSL-maintainer-for-the-base hat off]
> >>
> >> Jung-uk Kim
> >>
> > 
> > Thanks!
> > 
> > Maybe a PR needs to be filed for dns/bind910?
> > 
> > # grep -3 BROK /poudriere/ports/default/dns/bind910/Makefile
> > .include 
> > 
> > .if ( ${PORT_OPTIONS:MGOST} || ${PORT_OPTIONS:MGOST_ASN1} ) && 
> > ${SSL_DEFAULT} == base
> > BROKEN= OpenSSL from the base system does not support GOST, add \
> > DEFAULT_VERSIONS+=ssl=openssl to your /etc/make.conf and rebuild 
> > everything \
> > that needs SSL.
> > .endif
> 
> FreeBSD 9.3 is still supported but GOST is not available there.  It

Thanks for the clarifications.

> seems the ports maintainer didn't want to break it on 9.3 (CC added).
> A version check may be needed there.

Thanks!

> Jung-uk Kim
> 


Re: GOST in OPENSSL_BASE

2016-07-11 Thread Jung-uk Kim
On 07/11/16 02:41 PM, Slawa Olhovchenkov wrote:
> On Mon, Jul 11, 2016 at 02:28:45PM -0400, Jung-uk Kim wrote:
> 
>> On 07/10/16 10:10 AM, Andrey Chernov wrote:
>>> On 10.07.2016 16:30, Slawa Olhovchenkov wrote:
>>>> I am surprised by the lack of GOST support in openssl-base.
>>>> Can this be enabled before 11.0 is released?
>>>
>>> AFAIK openssl maintainers say something like they can't support this
>>> code and it will become rotten shortly with new changes, so they dropped it.
>>
>> [OpenSSL-maintainer-for-the-base hat on]
>>
>> GOST is supported on FreeBSD 10.x and 11.x.  We will not drop it on
>> these branches unless secteam explicitly asks us to do so.  However, we
>> *may* drop it from 12.0 *iff* we import the OpenSSL 1.1.0 branch.
>>
>> [OpenSSL-maintainer-for-the-base hat off]
>>
>> Jung-uk Kim
>>
> 
> Thanks!
> 
> Maybe a PR needs to be filed for dns/bind910?
> 
> # grep -3 BROK /poudriere/ports/default/dns/bind910/Makefile
> .include 
> 
> .if ( ${PORT_OPTIONS:MGOST} || ${PORT_OPTIONS:MGOST_ASN1} ) && ${SSL_DEFAULT} 
> == base
> BROKEN= OpenSSL from the base system does not support GOST, add \
> DEFAULT_VERSIONS+=ssl=openssl to your /etc/make.conf and rebuild 
> everything \
> that needs SSL.
> .endif

FreeBSD 9.3 is still supported but GOST is not available there.  It
seems the ports maintainer didn't want to break it on 9.3 (CC added).
A version check may be needed there.

Jung-uk Kim





Re: GOST in OPENSSL_BASE

2016-07-11 Thread Slawa Olhovchenkov
On Mon, Jul 11, 2016 at 02:28:45PM -0400, Jung-uk Kim wrote:

> On 07/10/16 10:10 AM, Andrey Chernov wrote:
> > On 10.07.2016 16:30, Slawa Olhovchenkov wrote:
> >> I am surprised by the lack of GOST support in openssl-base.
> >> Can this be enabled before 11.0 is released?
> > 
> > AFAIK openssl maintainers say something like they can't support this
> > code and it will become rotten shortly with new changes, so they dropped it.
> 
> [OpenSSL-maintainer-for-the-base hat on]
> 
> GOST is supported on FreeBSD 10.x and 11.x.  We will not drop it on
> these branches unless secteam explicitly asks us to do so.  However, we
> *may* drop it from 12.0 *iff* we import the OpenSSL 1.1.0 branch.
> 
> [OpenSSL-maintainer-for-the-base hat off]
> 
> Jung-uk Kim
> 

Thanks!

Maybe a PR needs to be filed for dns/bind910?

# grep -3 BROK /poudriere/ports/default/dns/bind910/Makefile
.include 

.if ( ${PORT_OPTIONS:MGOST} || ${PORT_OPTIONS:MGOST_ASN1} ) && ${SSL_DEFAULT} 
== base
BROKEN= OpenSSL from the base system does not support GOST, add \
DEFAULT_VERSIONS+=ssl=openssl to your /etc/make.conf and rebuild 
everything \
that needs SSL.
.endif


Re: GOST in OPENSSL_BASE

2016-07-11 Thread Jung-uk Kim
On 07/10/16 10:10 AM, Andrey Chernov wrote:
> On 10.07.2016 16:30, Slawa Olhovchenkov wrote:
>> I am surprised by the lack of GOST support in openssl-base.
>> Can this be enabled before 11.0 is released?
> 
> AFAIK openssl maintainers say something like they can't support this
> code and it will become rotten shortly with new changes, so they dropped it.

[OpenSSL-maintainer-for-the-base hat on]

GOST is supported on FreeBSD 10.x and 11.x.  We will not drop it on
these branches unless secteam explicitly asks us to do so.  However, we
*may* drop it from 12.0 *iff* we import the OpenSSL 1.1.0 branch.

[OpenSSL-maintainer-for-the-base hat off]

Jung-uk Kim





Re: GOST in OPENSSL_BASE

2016-07-11 Thread Jung-uk Kim
On 07/10/16 09:30 AM, Slawa Olhovchenkov wrote:
> I am surprised by the lack of GOST support in openssl-base.
> Can this be enabled before 11.0 is released?

It works for me, I think.  The following change was all I needed to enable
the engine:

--- /etc/ssl/openssl.cnf.orig
+++ /etc/ssl/openssl.cnf
@@ -13,6 +13,21 @@
 #oid_file  = $ENV::HOME/.oid
 oid_section= new_oids

+# GOST
+openssl_conf   = openssl_def
+
+[openssl_def]
+engines= engine_section
+
+[engine_section]
+gost   = gost_section
+
+[gost_section]
+engine_id  = gost
+dynamic_path   = /usr/lib/engines/libgost.so
+default_algorithms = ALL
+CRYPT_PARAMS   = id-Gost28147-89-CryptoPro-A-ParamSet
+
 # To use this configuration file with the "-extfile" option of the
 # "openssl x509" utility, name here the section containing the
 # X.509v3 extensions to use:
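Review bot: `default_algorithms = ALL` in `[gost_section]` makes the GOST engine the default implementation for every algorithm it registers, and since `openssl_conf = openssl_def` is placed in the unnamed top section of /etc/ssl/openssl.cnf, every program that initialises OpenSSL with the default config will load /usr/lib/engines/libgost.so at startup, not only the ones that need GOST; spell that host-wide scope out in the `# GOST` comment, or narrow `default_algorithms` to the GOST algorithms actually wanted, so the next reader sees that the change affects every OpenSSL consumer on the machine rather than one application.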

Please see the README file for more info:

https://svnweb.freebsd.org/base/head/crypto/openssl/engines/ccgost/README.gost?revision=238405&view=co

Jung-uk Kim
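As an added example, not code from the thread or from the FreeBSD tree: a small POSIX shell audit that follows the openssl_conf to engines to per-engine section chain the diff above creates and reports which shared object each engine loads and which algorithms it takes over, which is what a defender checks once such a change lands in a host-wide config. The sample openssl.cnf it parses is constructed inline from the hunk's section and key names; the helper names (ini_keys, ini_get, engine_loads) are my own.

```shell
#!/bin/sh
# Added example, not code from the thread or from FreeBSD: follow the chain the
# openssl.cnf hunk above wires up (openssl_conf -> [openssl_def] engines ->
# [engine_section] -> per-engine section) and report what each engine loads.
# ini_keys FILE SECTION: print "key value" for each assignment in [SECTION];
# an empty SECTION means the unnamed default section at the top of the file.
ini_keys() {
    awk -v want="$2" '
        /^[ \t]*[#;]/ { next }                   # comment line
        /^[ \t]*\[/ {                            # [section] header, spaces tolerated
            s = $0; sub(/^[ \t]*\[/, "", s); sec = substr(s, 1, index(s, "]") - 1)
            gsub(/^[ \t]+|[ \t]+$/, "", sec); next
        }
        /=/ && sec == want {
            key = $0; sub(/[ \t]*=.*$/, "", key); sub(/^[ \t]*/, "", key)
            val = $0; sub(/^[^=]*=[ \t]*/, "", val); sub(/[ \t]*$/, "", val)
            print key, val
        }' "$1"
}
# ini_get FILE SECTION KEY: value of KEY in [SECTION] (values here carry no spaces).
ini_get() {
    ini_keys "$1" "$2" | awk -v k="$3" '$1 == k { print $2; exit }'
}
# engine_loads FILE: per engine reachable from openssl_conf, one line of the form
# "<engine_id> <dynamic_path or builtin> <default_algorithms or none>".
engine_loads() {
    cfg=$1
    app=$(ini_get "$cfg" "" openssl_conf)
    [ -n "$app" ] || return 0                    # no openssl_conf: nothing auto-loaded
    eng=$(ini_get "$cfg" "$app" engines)
    [ -n "$eng" ] || return 0
    ini_keys "$cfg" "$eng" | while read -r name sec; do
        id=$(ini_get "$cfg" "$sec" engine_id)
        path=$(ini_get "$cfg" "$sec" dynamic_path)
        algs=$(ini_get "$cfg" "$sec" default_algorithms)
        printf '%s %s %s\n' "${id:-$name}" "${path:-builtin}" "${algs:-none}"
    done
}
# Constructed sample mirroring the hunk's sections; not a real /etc/ssl/openssl.cnf.
SAMPLE_CNF=$(mktemp)
trap 'rm -f "$SAMPLE_CNF"' EXIT
cat > "$SAMPLE_CNF" <<'EOF'
openssl_conf = openssl_def
[openssl_def]
engines = engine_section
[engine_section]
gost = gost_section
[gost_section]
engine_id = gost
dynamic_path = /usr/lib/engines/libgost.so
default_algorithms = ALL
CRYPT_PARAMS = id-Gost28147-89-CryptoPro-A-ParamSet
[ new_oids ]
EOF
# Report: a missing engine object, or an engine that becomes the default for ALL
# algorithms in every OpenSSL-linked program, is what an auditor wants flagged.
engine_loads "$SAMPLE_CNF" | while read -r id path algs; do
    [ "$path" = builtin ] || [ -e "$path" ] && st=ok || st=MISSING
    echo "engine $id: $path ($st), default for: $algs"
done
```

On a real host, point engine_loads at /etc/ssl/openssl.cnf instead of the constructed sample.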





Re: GOST in OPENSSL_BASE

2016-07-11 Thread Andrey Chernov
On 11.07.2016 19:29, Slawa Olhovchenkov wrote:
> On Mon, Jul 11, 2016 at 11:04:33AM -0500, Mark Felder wrote:
> 
>>
>>
>> On Mon, Jul 11, 2016, at 05:29, Slawa Olhovchenkov wrote:
>>>
>>> I.e. GOST will be available in openssl.
>>> Under a BSD-like license.
>>> Can this engine be imported into the base system and enabled at the time of 1.1.0?
>>> And can GOST be enabled now?
>>>
>>
>> I think the wrong question is being asked here. Instead we need to focus
>> on decoupling openssl from base so this can all be handled by ports.
> 
> This is the wrong direction with the current policy.
> ports: unsupported by FreeBSD core and security team, no guarantee of
> compatibility between options and applications.
> 
> base: supported by FreeBSD core and security team, covered by CI,
> checked for forward and backward API and ABI compatibility.
> 
> 

Ports are supported by secteam, and recently I noticed a "headsup" mail
with the intention to make base openssl private and switch all ports to
the security/openssl port.

Adding GOST as a 3rd party plugin is technically possible in both
(base, ports) cases; the rest of the decision is up to the FreeBSD openssl
maintainers and possible contributors' efforts.

I need to specifically point to the "patches" section of the 3rd party GOST
plugin; from just viewing it I don't understand whether those additional
openssl patches should be applied to openssl for GOST, or whether they just
reflect existing changes in openssl.



Re: GOST in OPENSSL_BASE

2016-07-11 Thread Kurt Jaeger
Hi!

> > I.e. GOST will be available in openssl.
> > Under a BSD-like license.
> > Can this engine be imported into the base system and enabled at the time of 1.1.0?
> > And can GOST be enabled now?

> I think the wrong question is being asked here. Instead we need to focus
> on decoupling openssl from base so this can all be handled by ports.

As far as I know, GOST is a standardized crypto algo in .ru, it's
suggested (required?) by the government in .ru. So, if FreeBSD does
not want to alienate the .ru userbase, GOST probably should be in base.

I'm not sure how difficult that would be.

-- 
p...@opsec.eu+49 171 3101372 4 years to go !


Re: GOST in OPENSSL_BASE

2016-07-11 Thread Mark Felder


On Mon, Jul 11, 2016, at 05:29, Slawa Olhovchenkov wrote:
> 
> I.e. GOST will be available in openssl.
> Under a BSD-like license.
> Can this engine be imported into the base system and enabled at the time of 1.1.0?
> And can GOST be enabled now?
> 

I think the wrong question is being asked here. Instead we need to focus
on decoupling openssl from base so this can all be handled by ports.

-- 
  Mark Felder
  f...@feld.me


Re: GOST in OPENSSL_BASE

2016-07-11 Thread Slawa Olhovchenkov
On Mon, Jul 11, 2016 at 11:04:33AM -0500, Mark Felder wrote:

> 
> 
> On Mon, Jul 11, 2016, at 05:29, Slawa Olhovchenkov wrote:
> > 
> > I.e. GOST will be available in openssl.
> > Under a BSD-like license.
> > Can this engine be imported into the base system and enabled at the time of 1.1.0?
> > And can GOST be enabled now?
> > 
> 
> I think the wrong question is being asked here. Instead we need to focus
> on decoupling openssl from base so this can all be handled by ports.

This is the wrong direction with the current policy.
ports: unsupported by FreeBSD core and security team, no guarantee of
compatibility between options and applications.

base: supported by FreeBSD core and security team, covered by CI,
checked for forward and backward API and ABI compatibility.


Re: GOST in OPENSSL_BASE

2016-07-11 Thread Slawa Olhovchenkov
On Sun, Jul 10, 2016 at 06:28:04PM +0300, Andrey Chernov wrote:

> On 10.07.2016 18:13, Andrey Chernov wrote:
> > On 10.07.2016 18:12, Andrey Chernov wrote:
> >> On 10.07.2016 18:01, Slawa Olhovchenkov wrote:
> >>> On Sun, Jul 10, 2016 at 05:10:04PM +0300, Andrey Chernov wrote:
> >>>
> >>>> On 10.07.2016 16:30, Slawa Olhovchenkov wrote:
> >>>>> I am surprised by the lack of GOST support in openssl-base.
> >>>>> Can this be enabled before 11.0 is released?
> >>>>
> >>>> AFAIK openssl maintainers say something like they can't support this
> >>>> code and it will become rotten shortly with new changes, so they dropped it.
> 
> >>>
> >>> Upstream or FreeBSD maintainers?
> >>>
> >>
> >> Openssl maintainers.
> >>
> > I.e. upstream.
> > 
> They mean the built-in one, dropped from openssl 1.1.0 and above. It is
> still available as a 3rd party engine at:
> https://github.com/gost-engine/engine

I.e. GOST will be available in openssl.
Under a BSD-like license.
Can this engine be imported into the base system and enabled at the time of 1.1.0?
And can GOST be enabled now?



Re: GOST in OPENSSL_BASE

2016-07-10 Thread Andrey Chernov
On 10.07.2016 18:28, Andrey Chernov wrote:
> On 10.07.2016 18:13, Andrey Chernov wrote:
>> On 10.07.2016 18:12, Andrey Chernov wrote:
>>> On 10.07.2016 18:01, Slawa Olhovchenkov wrote:
>>>> On Sun, Jul 10, 2016 at 05:10:04PM +0300, Andrey Chernov wrote:
>>>>
>>>>> On 10.07.2016 16:30, Slawa Olhovchenkov wrote:
>>>>>> I am surprised by the lack of GOST support in openssl-base.
>>>>>> Can this be enabled before 11.0 is released?
>>>>>
>>>>> AFAIK openssl maintainers say something like they can't support this
>>>>> code and it will become rotten shortly with new changes, so they dropped it.
>>>>>
>>>>
>>>> Upstream or FreeBSD maintainers?
>>>>
>>>
>>> Openssl maintainers.
>>>
>> I.e. upstream.
>>
> They mean the built-in one, dropped from openssl 1.1.0 and above. It is
> still available as a 3rd party engine at:
> https://github.com/gost-engine/engine
> 

From their Changelog:
*) The GOST engine was out of date and therefore it has been removed. An
up to date GOST engine is now being maintained in an external
repository. See: https://wiki.openssl.org/index.php/Binaries. Libssl
still retains support for GOST ciphersuites (these are only activated if
a GOST engine is present).
[Matt Caswell]




Re: GOST in OPENSSL_BASE

2016-07-10 Thread Andrey Chernov
On 10.07.2016 18:13, Andrey Chernov wrote:
> On 10.07.2016 18:12, Andrey Chernov wrote:
>> On 10.07.2016 18:01, Slawa Olhovchenkov wrote:
>>> On Sun, Jul 10, 2016 at 05:10:04PM +0300, Andrey Chernov wrote:
>>>
>>>> On 10.07.2016 16:30, Slawa Olhovchenkov wrote:
>>>>> I am surprised by the lack of GOST support in openssl-base.
>>>>> Can this be enabled before 11.0 is released?
>>>>
>>>> AFAIK openssl maintainers say something like they can't support this
>>>> code and it will become rotten shortly with new changes, so they dropped it.
>>>>
>>>
>>> Upstream or FreeBSD maintainers?
>>>
>>
>> Openssl maintainers.
>>
> I.e. upstream.
> 
They mean the built-in one, dropped from openssl 1.1.0 and above. It is
still available as a 3rd party engine at:
https://github.com/gost-engine/engine





Re: GOST in OPENSSL_BASE

2016-07-10 Thread Andrey Chernov
On 10.07.2016 18:12, Andrey Chernov wrote:
> On 10.07.2016 18:01, Slawa Olhovchenkov wrote:
>> On Sun, Jul 10, 2016 at 05:10:04PM +0300, Andrey Chernov wrote:
>>
>>> On 10.07.2016 16:30, Slawa Olhovchenkov wrote:
>>>> I am surprised by the lack of GOST support in openssl-base.
>>>> Can this be enabled before 11.0 is released?
>>>
>>> AFAIK openssl maintainers say something like they can't support this
>>> code and it will become rotten shortly with new changes, so they dropped it.
>>>
>>
>> Upstream or FreeBSD maintainers?
>>
> 
> Openssl maintainers.
> 
I.e. upstream.


Re: GOST in OPENSSL_BASE

2016-07-10 Thread Andrey Chernov
On 10.07.2016 18:01, Slawa Olhovchenkov wrote:
> On Sun, Jul 10, 2016 at 05:10:04PM +0300, Andrey Chernov wrote:
> 
>> On 10.07.2016 16:30, Slawa Olhovchenkov wrote:
>>> I am surprised by the lack of GOST support in openssl-base.
>>> Can this be enabled before 11.0 is released?
>>
>> AFAIK openssl maintainers say something like they can't support this
>> code and it will become rotten shortly with new changes, so they dropped it.
>>
> 
> Upstream or FreeBSD maintainers?
> 

Openssl maintainers.


Re: GOST in OPENSSL_BASE

2016-07-10 Thread Slawa Olhovchenkov
On Sun, Jul 10, 2016 at 05:10:04PM +0300, Andrey Chernov wrote:

> On 10.07.2016 16:30, Slawa Olhovchenkov wrote:
> > I am surprised by the lack of GOST support in openssl-base.
> > Can this be enabled before 11.0 is released?
> 
> AFAIK openssl maintainers say something like they can't support this
> code and it will become rotten shortly with new changes, so they dropped it.
> 

Upstream or FreeBSD maintainers?


Re: GOST in OPENSSL_BASE

2016-07-10 Thread Andrey Chernov
On 10.07.2016 16:30, Slawa Olhovchenkov wrote:
> I am surprised by the lack of GOST support in openssl-base.
> Can this be enabled before 11.0 is released?

AFAIK openssl maintainers say something like they can't support this
code and it will become rotten shortly with new changes, so they dropped it.



GOST in OPENSSL_BASE

2016-07-10 Thread Slawa Olhovchenkov
I am surprised by the lack of GOST support in openssl-base.
Can this be enabled before 11.0 is released?

Subject: svn commit: r412619 - in head/dns: bind9-devel bind910 bind99

Author: mat
Date: Wed Apr  6 13:53:09 2016
New Revision: 412619
URL: https://svnweb.freebsd.org/changeset/ports/412619

Log:
  Stop bringing in OpenSSL from ports, it builds fine with the base one on
  9, and WITH_OPENSSL_PORT does not belong in a port's Makefile anyway.
  
  Not bumping PORTREVISION because:
  - if you are building with poudriere, it will detect that a dependency
has changed and rebuild it.
  - if you are building from ports, you will have OpenSSL from ports
installed, and it will choose to use it.
  
  Sponsored by: Absolight

+.include 
+
+.if ( ${PORT_OPTIONS:MGOST} || ${PORT_OPTIONS:MGOST_ASN1} ) && 
defined(WITH_OPENSSL_BASE)
+BROKEN=OpenSSL from the base system does not support GOST, add \
+   WITH_OPENSSL_PORT=yes to your /etc/make.conf and rebuild everything \
+   that needs SSL.
+.endif
+
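Review bot: the BROKEN guard fires on `defined(WITH_OPENSSL_BASE)` alone, with no OS version test, so it also refuses GOST builds on releases whose base OpenSSL does carry the engine (the base OpenSSL maintainer states earlier in this thread that 10.x and 11.x support GOST, and that only 9.3 lacks it); gate the check on the OS version as well as the GOST options, so that only the releases without GOST in base are marked BROKEN. Separately, the condition is shown split across two lines before `defined(WITH_OPENSSL_BASE)` with no trailing `\`; confirm the committed Makefile keeps the whole `.if` expression on one line or joins it with a continuation, since make will otherwise read the second half as a stray directive.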