From: Ed Maste
Date: Wed, 19 Apr 2023 12:50:59 -0400
Subject: OpenSSL in the FreeBSD base system / FreeBSD 14
To: freebsd-arch
List-Id: Discussion related to FreeBSD architecture
List-Archive: https://lists.freebsd.org/archives/freebsd-arch

There have been a few discussions on this topic in different venues, but we should consolidate the discussion on a public mailing list. This email represents a summary of the issues and the current state; we'll discuss next steps in follow-up mail.
FreeBSD 14 is coming soon, and one outstanding task is dealing with OpenSSL in the base system. The base system currently has OpenSSL 1.1.1, and it will be EOL as of 2023-09-11. There are two related issues:

- The base system needs to migrate from OpenSSL 1.1.1.
- The ports collection currently makes use of OpenSSL provided by the base system by default, with some exceptions.

Changing the base system OpenSSL into a privatelib would decouple these two, so that the base system and ports can migrate to OpenSSL 3 (or even to other implementations) on their own schedules. We have a number of privatelibs today, like libevent, that are used by the base system but not by ports. All OpenSSL-using ports will need security/openssl (or another openssl port). A related issue is that base system libraries that depend on OpenSSL would also need to be made private. This includes gssapi, heimdal, and libfetch.

This leaves the actual task of updating OpenSSL in the base system, which is complicated because we use bespoke build infrastructure in crypto/openssl/ rather than the upstream build bits. For better or worse this is the typical case for all of our contrib software, but OpenSSL is particularly tricky as it makes use of a large number of generated files, and those files are generated using Perl and perhaps other tools that are not available in the FreeBSD base system. Porting this to the base system is not insurmountable, but requires a fairly large amount of tedious work.

This should serve as a snapshot of where we are today and a starting point for discussion; we'll formulate a list of specific tasks in a follow-up.