Re: GOST was removed

2014-04-16 Thread Артур Истомин
On Tue, Apr 15, 2014 at 03:34:36PM -0600, Theo de Raadt wrote:
 Log message:
 Remove the GOST engine: It is not compiled or used and depends on the
 dynamic engine feature that is not enabled in our build.  People who
 need it can still pull it out of the Attic; if it is to have a Russian
 engine just because it's a Russian engine.
 --
 
 This hash function is a formal requirement in all public institutions in
 Russia. Removing it, the work of people using OpenBSD in these
 institutions is greatly complicated by its return.
 
 First off, this library's primary function is to supply two major
 components for use by people:
 
   SSL protocol
   raw symmetric & asymmetric crypto functions
 
 Meeting the requirements of public institutions is pretty low on the
 list right about now.  Quite frankly, I do not want my own government
 using OpenSSL for anything.  As it is now, it is not suitable.
 
 Is this a political decision, or is it indeed necessary for the cleaning
 of OpenSSL? Do not throw out the child along with the bath.
 
 Dynamic loading of crypto libraries into a framework is not
 acceptable.  Furthermore, if you dig just a bit deeper, you will
 quickly realize that this code has not worked in our tree before.  It
 was not enabled.  It did not work.
 
 In the interests of full disclosure, do you work for the government or
 sell to the government?

I'm not sure what it means to work for the government in terms of the
English language. I am now in the process of transferring to the
IT department of the city hall of a small town in the geographical center of
Russia. The network infrastructure of the city hall will be in the area of my
responsibility. Is this work for the government?

I assumed that, to establish GOST, it is enough to recompile
OpenSSL in the source tree and install it. The situation is worse in that it is
the only implementation of GOST, so there are no alternatives for
Unix and Unix-like systems.

Yet your words, like the words of Bob and Reyk, given your competence in
this area, sound convincing. If it makes the system more secure, it is
a sensible move. I am glad that there is no politics.



Re: GOST was removed

2014-04-16 Thread Артур Истомин
On Wed, Apr 16, 2014 at 08:15:02AM +, Артур Истомин wrote:
 I assumed that, to establish GOST, it is enough to recompile
 OpenSSL in the source tree and install it. The situation is worse in that it is
 the only implementation of GOST, so there are no alternatives for
 Unix and Unix-like systems.

I am a liar. Libgcrypt, noteworthy changes between version 1.5.0 and 1.6.0
(Dec 16 18:49:01 CET 2013):

* Added limited support for the GOST 28147-89 cipher algorithm.
* Added support for the GOST R 34.11-94 and R 34.11-2012 (Stribog) hash 
algorithms.



Re: GOST was removed

2014-04-16 Thread Tomas Bodzar
On Wed, Apr 16, 2014 at 10:15 AM, Артур Истомин art.is...@yandex.ru wrote:

 On Tue, Apr 15, 2014 at 03:34:36PM -0600, Theo de Raadt wrote:
  Log message:
  Remove the GOST engine: It is not compiled or used and depends on the
  dynamic engine feature that is not enabled in our build.  People who
  need it can still pull it out of the Attic; if it is to have a Russian
  engine just because it's a Russian engine.
  --
  
  This hash function is a formal requirement in all public institutions in
  Russia. Removing it, the work of people using OpenBSD in these
  institutions is greatly complicated by its return.
 
  First off, this library's primary function is to supply two major
  components for use by people:
 
SSL protocol
raw symmetric & asymmetric crypto functions
 
  Meeting the requirements of public institutions is pretty low on the
  list right about now.  Quite frankly, I do not want my own government
  using OpenSSL for anything.  As it is now, it is not suitable.
 
  Is this a political decision, or is it indeed necessary for the cleaning
  of OpenSSL? Do not throw out the child along with the bath.
 
  Dynamic loading of crypto libraries into a framework is not
  acceptable.  Furthermore, if you dig just a bit deeper, you will
  quickly realize that this code has not worked in our tree before.  It
  was not enabled.  It did not work.
 
  In the interests of full disclosure, do you work for the government or
  sell to the government?

 I'm not sure what it means to work for the government in terms of the
 English language. I am now in the process of transferring to the
 IT department of the city hall of a small town in the geographical center of
 Russia. The network infrastructure of the city hall will be in the area of my
 responsibility. Is this work for the government?

 I assumed that, to establish GOST, it is enough to recompile
 OpenSSL in the source tree and install it. The situation is worse in that it is
 the only implementation of GOST, so there are no alternatives for
 Unix and Unix-like systems.

 Yet your words, like the words of Bob and Reyk, given your competence in
 this area, sound convincing. If it makes the system more secure, it is
 a sensible move. I am glad that there is no politics.



Well, mostly no politics here in the sense you thought initially (and not
everyone beyond your borders thinks that * we can see in our media is
true). OpenBSD is just trying to fix crap created by an outside company
http://undeadly.org/cgi?action=article&sid=20140415093252&mode=expanded&count=8 and
well on the way things are removed which don't make any sense or were
used in the past or are supposed to not be used. From this point of view
it's maybe better to try to convince the local authority where you will be
doing some work in the IT area to use something really newer and better. I know
it can be nearly impossible, but it is worth a try. Of course I don't
know how much GOST is used in Russia and why (historical reasons, whatever).


GOST was removed

2014-04-15 Thread Артур Истомин
Log message:
Remove the GOST engine: It is not compiled or used and depends on the
dynamic engine feature that is not enabled in our build.  People who
need it can still pull it out of the Attic; if it is to have a Russian
engine just because it's a Russian engine.
--

This hash function is a formal requirement in all public institutions in
Russia. Removing it, the work of people using OpenBSD in these
institutions is greatly complicated by its return.

Is this a political decision, or is it indeed necessary for the cleaning
of OpenSSL? Do not throw out the child along with the bath.



Re: GOST was removed

2014-04-15 Thread Theo de Raadt
Log message:
Remove the GOST engine: It is not compiled or used and depends on the
dynamic engine feature that is not enabled in our build.  People who
need it can still pull it out of the Attic; if it is to have a Russian
engine just because it's a Russian engine.
--

This hash function is a formal requirement in all public institutions in
Russia. Removing it, the work of people using OpenBSD in these
institutions is greatly complicated by its return.

First off, this library's primary function is to supply two major
components for use by people:

SSL protocol
raw symmetric & asymmetric crypto functions

Meeting the requirements of public institutions is pretty low on the
list right about now.  Quite frankly, I do not want my own government
using OpenSSL for anything.  As it is now, it is not suitable.

Is this a political decision, or is it indeed necessary for the cleaning
of OpenSSL? Do not throw out the child along with the bath.

Dynamic loading of crypto libraries into a framework is not
acceptable.  Furthermore, if you dig just a bit deeper, you will
quickly realize that this code has not worked in our tree before.  It
was not enabled.  It did not work.

In the interests of full disclosure, do you work for the government or
sell to the government?



Re: GOST was removed

2014-04-15 Thread Bob Beck
 In the interests of full disclosure, do you work for the government or
 sell to the government?

And in the interests of full disclosure, please note, it's absolutely
not political. We just deleted all the FIPS junk too.

the right way to add GOST if you need it is not as an engine, but as a
working cipher suite supported like all the others.

what was there has never worked in our tree.



Re: GOST was removed

2014-04-15 Thread Reyk Floeter
Hi,

On Tue, Apr 15, 2014 at 09:24:48PM +, Артур Истомин wrote:
 Log message:
 Remove the GOST engine: It is not compiled or used and depends on the
 dynamic engine feature that is not enabled in our build.  People who
 need it can still pull it out of the Attic; if it is to have a Russian
 engine just because it's a Russian engine.
 --
 
 This hash function is a formal requirement in all public institutions in
 Russia. Removing it, the work of people using OpenBSD in these
 institutions is greatly complicated by its return.
 
 Is this a political decision, or is it indeed necessary for the cleaning
 of OpenSSL? Do not throw out the child along with the bath.
 

No, I have no objections against GOST and it is not a political
decision.  But the GOST engine was not even compiled on OpenBSD and we
have OPENSSL_NO_DYNAMIC_ENGINE defined by default.  It was just
sitting in our source tree.

If there is really a demand for GOST, the better way would be to
include it as normal built-in ciphers and algorithms instead of using
GOST with an engine.

So we basically have concerns about these dynamic engines and code
that is not enabled by default.

Reyk