TLSv1.3 support in FreeBSD 11.X

Dewayne Geraghty dewayne.geraghty at heuristicsystems.com.au
Sun Jul 29 00:16:59 UTC 2018


On 26/07/2018 9:45 PM, PRAKASH RAI (prakrai) via freebsd-security wrote:
> Hi All,
>
> I was going through https://wiki.freebsd.org/OpenSSL and found that openssl 1.1.1 support is planned for FreeBSD 12.
> As TLSv1.3 is based on openssl 1.1.1, does it mean that FreeBSD 11.X would not have support for TLSv1.3?
>
> Basically I would like to understand if I can build openssl 1.1.1 (which has support for TLSv1.3) with FreeBSD 11.2 without any issue and enable TLSv1.3 support?
>
> Regards,
> Prakash
>
Prakash,
You're very ambitious ;)  TLSv1.3 is very different from 1.2 and
others.  Additional ciphers are "nice", but the session controls are
quite different and will take a while for applications to settle into. 
Quite a few applications are not yet at openssl 1.1.0, so surprise
yourself and try something like:
  for interests in security www; do
    find /usr/ports/$interests/ -name Makefile | xargs grep openssl-devel | grep BROKEN
  done

And you should also note that the ports are only built on lowest
supported FreeBSD (#1), and on the 11 stream, that seems to be FreeBSD
11.1Release; so we should really work in unison to migrate to openssl
1.1.1 :)  Draw your own conclusions about what ports have been tested
on 11.2Release.

FYI perhaps consider libressl which has some additional/useful ciphers,
might be worth a look if the ciphers are your driver. 

Ref:
#1 Poke around here:  http://beefy9.nyi.freebsd.org/data/latest-per-pkg/
Cheers.
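
The scan suggested in the reply above, as an added example that is not part of the original post: it applies the same match as the one-liner (a single Makefile line containing both openssl-devel and BROKEN) but reports port origins (category/port) and a count. The function names and the /usr/ports default are assumptions of this example, and it only reads port-level Makefiles (category/port/Makefile).

```shell
#!/bin/sh
# Added example: list ports whose Makefile has a line mentioning both
# openssl-devel and BROKEN, printed as port origins (category/port).
# Function names and the PORTSDIR default are assumptions of this example.

# broken_with_openssl_devel PORTSDIR CATEGORY...
broken_with_openssl_devel() {
    portsdir=$1; shift
    for category in "$@"; do
        # Skip categories that are not present in this tree.
        [ -d "$portsdir/$category" ] || continue
        # Port Makefiles sit two levels down: category/port/Makefile.
        for mk in "$portsdir/$category"/*/Makefile; do
            [ -f "$mk" ] || continue
            # Same match as the one-liner: one line carrying both strings.
            if grep 'openssl-devel' "$mk" | grep -q 'BROKEN'; then
                port=${mk%/Makefile}
                echo "$category/${port##*/}"
            fi
        done
    done
}

# count_broken PORTSDIR CATEGORY... prints the number of flagged ports.
count_broken() {
    broken_with_openssl_devel "$@" | wc -l | tr -d ' '
}

# Scan the real tree only when categories are given on the command line,
# e.g.: sh scan.sh security www
if [ "$#" -gt 0 ]; then
    broken_with_openssl_devel "${PORTSDIR:-/usr/ports}" "$@"
fi
```

A port is reported once however many matching lines its Makefile has, so the count is a number of ports, not of grep hits.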

