GOST in OPENSSL_BASE

Tue Jul 12 09:16:06 UTC 2016

On 12.07.2016 8:48, Kevin Oberman wrote:
>     >> May be need file PR for dns/bind910?
>     >>
>     >> # grep -3 BROK /poudriere/ports/default/dns/bind910/Makefile
>     >> .include <bsd.port.pre.mk <http://bsd.port.pre.mk>>
>     >>
>     >> .if ( ${PORT_OPTIONS:MGOST} || ${PORT_OPTIONS:MGOST_ASN1} ) &&
>     ${SSL_DEFAULT} == base
>     >> BROKEN= OpenSSL from the base system does not support GOST, add \
>     >>         DEFAULT_VERSIONS+=ssl=openssl to your /etc/make.conf and
>     rebuild everything \
>     >>         that needs SSL.
>     >> .endif
>     >>
>     >
>     > I dislike idea to use GOST in the bind, it is unneeded there, DNSSEC
>     > don't use GOST, so I vote for removing GOST option from there.
>     >
> 
>     I need to note that RFC exists, proposing GOST (old version) for DNSSEC:
>     https://tools.ietf.org/html/rfc5933
>     but nobody really use it.
> 
> In case people are not aware of it, Russian law now requires ALL
> encrypted traffic must either be accessible by the FSB or that the
> private keys must be available to the FSB. 

It is not quite so. All traffic must be available for 6 months and they
express intention to ask big companies for their private keys, but later
is not required by the law (not yet...)

> I have always assumed that
> GOST has a hidden vulnerability/backdoor that the FSB is already using,

I already answer this question elsewhere in this thread with the reference.

> but this makes it mandatory. Putin gave the FSB 2 weeks to implement the
> law, which is clearly impossible, but I suspect that there will be a
> huge effort to pick all low-hanging fruit. As a result, I suspect no one
> outside of Russia will touch GOST. (Not that they do now, either.) I'd
> hate to see its support required for any protocol except in Russia as
> someone will be silly enough to use it.

I already explain required GOST usage pattern in this thread.