Re: GOST in OPENSSL_BASE

From: Kevin Oberman <rkoberman_at_gmail.com>
Date: Mon, 11 Jul 2016 22:48:00 -0700
On Mon, Jul 11, 2016 at 3:51 PM, Andrey Chernov <ache_at_freebsd.org> wrote:

> On 12.07.2016 1:44, Andrey Chernov wrote:
> > On 11.07.2016 21:41, Slawa Olhovchenkov wrote:
> >> On Mon, Jul 11, 2016 at 02:28:45PM -0400, Jung-uk Kim wrote:
> >>
> >>> On 07/10/16 10:10 AM, Andrey Chernov wrote:
> >>>> On 10.07.2016 16:30, Slawa Olhovchenkov wrote:
> >>>>> I am surprised by the lack of GOST support in openssl-base.
> >>>>> Can this be enabled before 11.0 is released?
> >>>>
> >>>> AFAIK the OpenSSL maintainers say something like they can't support this
> >>>> code and it will rot shortly with new changes, so they dropped it.
> >>>
> >>> [OpenSSL-maintainer-for-the-base hat on]
> >>>
> >>> GOST is supported on FreeBSD 10.x and 11.x.  We will not drop it on
> >>> these branches unless secteam explicitly ask us to do so.  However, we
> >>> *may* drop it from 12.0 *iff* we import OpenSSL 1.1.0 branch.
> >>>
> >>> [OpenSSL-maintainer-for-the-base hat off]
> >>>
> >>> Jung-uk Kim
> >>>
> >>
> >> Thanks!
> >>
> >> Maybe a PR needs to be filed for dns/bind910?
> >>
> >> # grep -3 BROK /poudriere/ports/default/dns/bind910/Makefile
> >> .include <bsd.port.pre.mk>
> >>
> >> .if ( ${PORT_OPTIONS:MGOST} || ${PORT_OPTIONS:MGOST_ASN1} ) && ${SSL_DEFAULT} == base
> >> BROKEN= OpenSSL from the base system does not support GOST, add \
> >>         DEFAULT_VERSIONS+=ssl=openssl to your /etc/make.conf and rebuild everything \
> >>         that needs SSL.
> >> .endif
> >>
> >
> > I dislike the idea of using GOST in bind; it is unneeded there, DNSSEC
> > doesn't use GOST, so I vote for removing the GOST option from there.
> >
>
> I need to note that an RFC exists proposing GOST (old version) for DNSSEC:
> https://tools.ietf.org/html/rfc5933
> but nobody really uses it.


In case people are not aware of it, Russian law now requires that ALL encrypted
traffic either be accessible to the FSB or that the private keys be available
to the FSB. I have always assumed that GOST has a hidden vulnerability/backdoor
that the FSB is already using, but this makes it mandatory. Putin gave the FSB
2 weeks to implement the law, which is clearly impossible, but I suspect that
there will be a huge effort to pick all low-hanging fruit. As a result, I
suspect no one outside of Russia will touch GOST. (Not that they do now,
either.) I'd hate to see its support required for any protocol except in
Russia, as someone will be silly enough to use it.

(It's not possible because it requires 6-month storage of all Internet data
and voice communications, which will require the immediate installation of
massive amounts of storage, not to mention the floor space, cooling, and power
to support those disks.)
--
Kevin Oberman, Part time kid herder and retired Network Engineer
E-mail: rkoberman_at_gmail.com
PGP Fingerprint: D03FB98AFA78E3B78C1694B318AB39EF1B055683
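The dns/bind910 Makefile fragment quoted above makes its BROKEN decision from two facts: which SSL implementation the ports tree will link against (DEFAULT_VERSIONS+=ssl=... in /etc/make.conf, defaulting to the base system's OpenSSL) and whether that OpenSSL exposes GOST. The script below is an added example for checking both outside the ports framework; it is not code from the thread or from the FreeBSD ports tree. The function names, the sample make.conf text and the sample `openssl engine` listing are constructed for this example (the listing is modelled on a 1.0.x build that ships the gost engine, not copied from any real host).

```sh
#!/bin/sh
# Added example: reproduce the two inputs of the dns/bind910 BROKEN check.
# Everything below (function names, sample data) is an assumption made for
# this example and is not taken from the ports tree or the mailing list.

# ssl_default_from_make_conf MAKE_CONF_TEXT
# Prints the value ports would use for SSL_DEFAULT: the last "ssl=" entry
# found on any DEFAULT_VERSIONS line, or "base" if none is set.
ssl_default_from_make_conf() {
    printf '%s\n' "$1" | awk '
        /^[[:space:]]*DEFAULT_VERSIONS[[:space:]]*\+?=/ {
            sub(/^[^=]*=/, "")          # drop the "DEFAULT_VERSIONS+=" prefix
            sub(/#.*/, "")              # drop a trailing comment
            for (i = 1; i <= NF; i++)   # fields are "name=version" pairs
                if ($i ~ /^ssl=/) val = substr($i, 5)
        }
        END { print (val == "" ? "base" : val) }'
}

# gost_in_engine_list ENGINE_OUTPUT
# Succeeds when a line of "openssl engine" output names the gost engine,
# which is how OpenSSL 1.0.x exposes GOST (as an engine, not a core algorithm).
gost_in_engine_list() {
    printf '%s\n' "$1" | grep -q '^[[:space:]]*(gost)'
}

# probe_gost [OPENSSL_BINARY]
# Runs the given openssl binary (default: the one in PATH) and prints
# "yes" or "no". A missing binary or an OpenSSL without engine support
# simply yields "no".
probe_gost() {
    bin=${1:-openssl}
    out=$("$bin" engine 2>/dev/null) || out=""
    if gost_in_engine_list "$out"; then echo yes; else echo no; fi
}

# bind910_gost_broken SSL_DEFAULT GOST_ON GOST_ASN1_ON
# Mirrors the port's condition: true (exit 0) when either GOST option is
# "yes" and the base system's OpenSSL is the selected implementation.
bind910_gost_broken() {
    [ "$1" = base ] && { [ "$2" = yes ] || [ "$3" = yes ]; }
}

# Constructed sample of an /etc/make.conf (not a real file from the thread).
SAMPLE_MAKE_CONF='
# local settings
WITH_PKGNG=yes
DEFAULT_VERSIONS+= perl5=5.24 ssl=openssl   # switch ports to security/openssl
'

# Constructed sample of "openssl engine" output from a build that has the
# gost engine; the exact descriptive strings are an assumption.
SAMPLE_ENGINE_OUT='(rdrand) Intel RDRAND engine
(dynamic) Dynamic engine loading support
(gost) Reference implementation of GOST engine'

ssl=$(ssl_default_from_make_conf "$SAMPLE_MAKE_CONF")
echo "SSL_DEFAULT from sample make.conf: $ssl"
echo "gost engine in sample listing:     $(gost_in_engine_list "$SAMPLE_ENGINE_OUT" && echo yes || echo no)"
echo "gost engine in this host's openssl: $(probe_gost)"
if bind910_gost_broken "$ssl" yes no; then
    echo "dns/bind910 with GOST enabled would be marked BROKEN"
else
    echo "dns/bind910 with GOST enabled would not be marked BROKEN"
fi
```

The engine probe is what the port cannot do at configure time (it only knows SSL_DEFAULT), so running `probe_gost /usr/bin/openssl` against the base binary is the quickest way to confirm what Jung-uk Kim states above for a given release before deciding whether the BROKEN mark is still accurate.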
Received on Tue Jul 12 2016 - 06:47:48 UTC

This archive was generated by hypermail 2.4.0 : Wed May 19 2021 - 11:41:06 UTC