tech-pkg archive


Minimum version of OpenSSL required by "pkgsrc"



        Hello,

the minimum OpenSSL API version that we currently accept in "pkgsrc"
is 0.9.6m. I would like to bump this to 1.0.1c (same as the API dependency)
for security reasons:

- OpenSSL 0.9.* doesn't support TLS 1.1 which is required to mitigate the
  BEAST attack (No, using RC4 is *not* an option, not even if Google
  think so).
- OpenSSL 0.9.* doesn't support TLS 1.2 and is therefore limited to
  using SHA1 as a hash function which is no longer considered secure.
- OpenSSL 0.9.* doesn't support Elliptic curve cryptography. In particular
  ECDHE_RSA is important to achieve Forward Secrecy as a lot of web servers
  don't support DHE. And DHE is slow to start with.

Requiring OpenSSL 1.0.1* would also allow us to get rid of a lot of
OpenSSL 0.9.* hacks. Please have a look at e.g. "lang/python27/Makefile"
or "mail/fetchmail/options.mk".

As a consequence NetBSD 5.0*, 5.1* and Mac OS X up to at least
Mountain Lion and possibly other platforms would all be forced to
use OpenSSL from "pkgsrc".

Opinions?

        Kind regards

-- 
Matthias Scheler                                 https://zhadum.org.uk/
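Added example (editor's own code, not part of Matthias Scheler's message and not pkgsrc's own version check): a small Python script that applies the version gate discussed above. It parses `openssl version`-style banners into a comparable tuple, treats OpenSSL's pre-1.1.0 letter fix-release suffix correctly (1.0.1 is older than 1.0.1c), compares against the current minimum 0.9.6m or the proposed 1.0.1c, and probes the OpenSSL the running interpreter is linked against for TLS 1.2 and ECDH support. The banner strings, function names and the `report` dictionary keys are constructed for this example.

```python
"""Gate a system OpenSSL on a pkgsrc-style minimum version.

Editor's example, not code from the tech-pkg message or from pkgsrc.
Models the check the message discusses: a minimum OpenSSL API version
(0.9.6m today, 1.0.1c proposed) that a base-system OpenSSL must reach
before it is used instead of the OpenSSL package from pkgsrc.
"""
import re
import ssl

# Matches the leading part of an `openssl version` banner, e.g.
# "OpenSSL 1.0.1e 11 Feb 2013". The optional trailing letters are the
# pre-1.1.0 fix-release marker: 1.0.1 < 1.0.1a < 1.0.1b < ... < 1.0.1c.
VERSION_RE = re.compile(r"OpenSSL\s+(\d+)\.(\d+)\.(\d+)([a-z]*)")


def parse_openssl_version(banner):
    """Turn 'OpenSSL 0.9.8y 5 Feb 2013' into (0, 9, 8, 'y').

    Returns None for anything that is not an OpenSSL banner (a LibreSSL
    banner, garbage), so "unknown" can be told apart from "too old".
    """
    m = VERSION_RE.search(banner)
    if not m:
        return None
    major, minor, fix, letter = m.groups()
    return (int(major), int(minor), int(fix), letter)


def meets_minimum(banner, minimum="1.0.1c"):
    """True if the OpenSSL in `banner` is at least version `minimum`.

    Tuple comparison does the work: numeric fields first, then the letter
    suffix, where an absent letter ('') sorts before 'a'. That matches
    OpenSSL's own ordering, so 1.0.1 fails a 1.0.1c minimum and
    0.9.8zh (two letters) still sorts after 0.9.8y.
    """
    have = parse_openssl_version(banner)
    want = parse_openssl_version("OpenSSL " + minimum)
    if have is None or want is None:
        return False
    return have >= want


def gate_report(banner, minimum="1.0.1c"):
    """Explain why a given banner passes or fails the gate.

    TLS 1.1 and TLS 1.2 first appeared in OpenSSL 1.0.1, which is why the
    message wants 1.0.1c rather than any 1.0.0 release.
    """
    v = parse_openssl_version(banner)
    if v is None:
        return {"parsed": False, "acceptable": False, "tls11_tls12": False}
    return {
        "parsed": True,
        "version": v,
        "tls11_tls12": v[:3] >= (1, 0, 1),
        "acceptable": meets_minimum(banner, minimum),
    }


def running_openssl_report(minimum="1.0.1c"):
    """Probe the OpenSSL this Python interpreter is linked against."""
    return {
        "banner": ssl.OPENSSL_VERSION,
        "acceptable": meets_minimum(ssl.OPENSSL_VERSION, minimum),
        # HAS_TLSv1_2 exists on Python 3.7+; fall back to the protocol constant.
        "tls12": bool(getattr(ssl, "HAS_TLSv1_2",
                              hasattr(ssl, "PROTOCOL_TLSv1_2"))),
        "ecdh": bool(ssl.HAS_ECDH),
    }


if __name__ == "__main__":
    # Constructed banners, one per platform class named in the message.
    for banner in ("OpenSSL 0.9.6m", "OpenSSL 0.9.8y 5 Feb 2013",
                   "OpenSSL 1.0.0k", "OpenSSL 1.0.1", "OpenSSL 1.0.1c",
                   "OpenSSL 1.0.1e 11 Feb 2013", "LibreSSL 2.8.3"):
        old = meets_minimum(banner, "0.9.6m")
        new = meets_minimum(banner, "1.0.1c")
        print(f"{banner:30} old gate: {old!s:5} proposed gate: {new!s:5}")
    print(running_openssl_report())
```

Run as a script it prints which constructed banners pass the current 0.9.6m gate but fail the proposed 1.0.1c one (0.9.8y, the Mac OS X base version of that era, and 1.0.0k are the interesting rows), then the verdict for the interpreter's own OpenSSL. A base-system OpenSSL that fails the gate is exactly the case where pkgsrc would fall back to its own security/openssl package.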

