tech-pkg archive
Minimum version of OpenSSL required by "pkgsrc"
Hello,
the minimum OpenSSL API version that we currently accept in "pkgsrc"
is 0.9.6m. I would like to bump this to 1.0.1c (same as the API dependency)
for security reasons:
- OpenSSL 0.9.* doesn't support TLS 1.1 which is required to mitigate the
BEAST attack (No, using RC4 is *not* an option, not even if Google
think so).
- OpenSSL 0.9.* doesn't support TLS 1.2 and is therefore limited to
using SHA1 as a hash function, which is no longer considered secure.
- OpenSSL 0.9.* doesn't support elliptic curve cryptography. In particular
ECDHE_RSA is important to achieve Forward Secrecy as a lot of web servers
don't support DHE. And DHE is slow to start with.
Requiring OpenSSL 1.0.1* would also allow us to get rid of a lot of
OpenSSL 0.9.* hacks. Please have a look at e.g. "lang/python27/Makefile"
or "mail/fetchmail/options.mk".
As a consequence NetBSD 5.0*, 5.1* and Mac OS X up to at least
Mountain Lion and possibly other platforms would all be forced to
use OpenSSL from "pkgsrc".
Opinions?
Kind regards
--
Matthias Scheler https://zhadum.org.uk/
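As an added illustration (not pkgsrc code and not part of the mail): how the current minimum (0.9.6m) and the proposed one (1.0.1c) compare under OpenSSL's own OPENSSL_VERSION_NUMBER encoding, which is the form a build-time `#if OPENSSL_VERSION_NUMBER >= ...` check or a package version test would use. It assumes OpenSSL's documented pre-3.0 encoding 0xMNNFFPPS (patch letter a=1, b=2, ...; status 0 = dev, 1..14 = beta N, 15 = release).

```python
"""Encode OpenSSL version strings as OPENSSL_VERSION_NUMBER and compare.

Added example for this thread, not pkgsrc code.  Encoding (pre-3.0
OpenSSL): 0xMNNFFPPS = major, minor, fix, patch letter(s), status.
"""
import re

OLD_MINIMUM = "0.9.6m"   # minimum currently accepted by pkgsrc
NEW_MINIMUM = "1.0.1c"   # minimum proposed in the mail

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)([a-z]*)(?:-(dev|beta(\d+)))?$")


def version_number(version: str) -> int:
    """Return the OPENSSL_VERSION_NUMBER value for a string like '1.0.1c'."""
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised OpenSSL version: {version!r}")
    major, minor, fix = (int(m.group(i)) for i in (1, 2, 3))
    # Patch letters count a=1 .. z=26; "za", "zb", ... continue past 26.
    patch = sum(ord(ch) - ord("a") + 1 for ch in m.group(4))
    if m.group(5) is None:
        status = 0xF                      # released version
    elif m.group(5) == "dev":
        status = 0x0                      # development snapshot
    else:
        status = int(m.group(6))          # beta N -> nibble N
        if not 1 <= status <= 14:
            raise ValueError(f"beta number out of range: {version!r}")
    for name, value, limit in (("major", major, 0xF), ("minor", minor, 0xFF),
                               ("fix", fix, 0xFF), ("patch", patch, 0xFF)):
        if value > limit:
            raise ValueError(f"{name} field {value} does not fit: {version!r}")
    return (major << 28) | (minor << 20) | (fix << 12) | (patch << 4) | status


def meets_minimum(version: str, minimum: str = NEW_MINIMUM) -> bool:
    """True if `version` satisfies `minimum` under OpenSSL's own ordering."""
    return version_number(version) >= version_number(minimum)


if __name__ == "__main__":
    for v in (OLD_MINIMUM, "0.9.8y", "1.0.1", NEW_MINIMUM, "1.0.1e"):
        print(f"{v:8s} 0x{version_number(v):08x} "
              f"meets {NEW_MINIMUM}: {meets_minimum(v)}")
```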