Oct 2 2020
Sep 25 2020
Sep 18 2020
Sep 16 2020
Sep 15 2020
Sep 14 2020
Sep 13 2020
Sep 12 2020
Sep 11 2020
Sep 6 2020
Sep 3 2020
LGTM
Sep 2 2020
Aug 7 2020
Aug 5 2020
Jul 9 2020
Jul 8 2020
Jun 30 2020
I think this looks good to me. @kib, can you weigh in on the symbol versioning being used here? Should we also update the Symbol.map file as well? What does the protocol around that look like?
Jun 29 2020
In D25493#563650, @cem wrote: Do you intend to MFC OPENSSL_NO_SSL3?
In D25493#563618, @cem wrote: If you know of an example of some software that explicitly invokes every version it knows about (and tries SSLv3 before a TLS version), I'd love to see an example.
I'd take returning NULL over the status quo, where we ship SSLv3 in 2020.
This feels heavy handed (abort and KILL). Would we be better to mirror the actual API and return NULL to indicate this doesn't work?
Jun 25 2020
Jun 23 2020
Jun 14 2020
Jun 9 2020
Per discussion with Kyle offline, we are going to defer this change until after the 11.4 release. We are just in a tough spot to inject a change of this size this late into the release process.
May 29 2020
May 28 2020
Adding releng. They would deal with in-progress releases, not secteam. We get to deal with them *after* release. :-)
May 22 2020
In D24965#549710, @brnrd wrote: Fix pkg-plist
- Add options for ktls and legacy
- Modules in an options group
In D24965#549680, @brnrd wrote: Thanks! The Modules are one of the big changes in 3.0, should've picked that up.
It is now enabled by default, good to make it an option!
Guess we're missing a change to pkg-plist here?=================================================================== --- pkg-plist (revision 535366) +++ pkg-plist (working copy) @@ -136,7 +136,7 @@ lib/libssl.a %%SHARED%%lib/libssl.so %%SHARED%%lib/libssl.so.%%SHLIBVER%% -%%SHARED%%lib/ossl-modules/fips.so +%%FIPS%%%%SHARED%%lib/ossl-modules/fips.so %%SHARED%%lib/ossl-modules/legacy.so libdata/pkgconfig/libcrypto.pc libdata/pkgconfig/libssl.pc
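Review bot: The unchanged context line `%%SHARED%%lib/ossl-modules/legacy.so`, directly after the changed `fips.so` entry, is still listed unconditionally. If the legacy module is also made a port option, its plist entry needs an option prefix in the same way `fips.so` gets `%%FIPS%%` here; otherwise the plist will list a file that is not built when that option is off. It is worth building and packaging with each module option turned off to confirm the plist matches what is staged.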
With OpenSSL 3.0, it includes a FIPS provider and appropriate switches for the build. Thought it would be good to hook this up.
May 21 2020
In D24945#549309, @jkim wrote: It's okay but we need to disable SSLv3 from fetch(3) first. Please see D24947.
In D24945#549197, @cem wrote: We should also disable SSL2, if we do not already. And perhaps TLS 1.0?
Secteam and jkim to review. Per a comment from jmg, we should turn off SSLv3 in the OpenSSL build. I did a quick build test with this and confirmed the symbols related to SSLv3 are not in the resulting libssl library.
May 15 2020
May 13 2020
May 12 2020
Ports secteam, can you please review and approve? Thanks!
May 11 2020
May 9 2020
Looks good to me. I haven't tested it, but seeing as it is the same patch as OpenBSD's it should do what is expected.
May 8 2020
Have we checked to see how often this is used in tree?