On 12.07.2016 8:48, Kevin Oberman wrote: > >> May be need file PR for dns/bind910? > >> > >> # grep -3 BROK /poudriere/ports/default/dns/bind910/Makefile > >> .include <bsd.port.pre.mk <http://bsd.port.pre.mk>> > >> > >> .if ( ${PORT_OPTIONS:MGOST} || ${PORT_OPTIONS:MGOST_ASN1} ) && > ${SSL_DEFAULT} == base > >> BROKEN= OpenSSL from the base system does not support GOST, add \ > >> DEFAULT_VERSIONS+=ssl=openssl to your /etc/make.conf and > rebuild everything \ > >> that needs SSL. > >> .endif > >> > > > > I dislike idea to use GOST in the bind, it is unneeded there, DNSSEC > > don't use GOST, so I vote for removing GOST option from there. > > > > I need to note that RFC exists, proposing GOST (old version) for DNSSEC: > https://tools.ietf.org/html/rfc5933 > but nobody really use it. > > In case people are not aware of it, Russian law now requires ALL > encrypted traffic must either be accessible by the FSB or that the > private keys must be available to the FSB.
It is not quite so. All traffic must be available for 6 months and they express intention to ask big companies for their private keys, but later is not required by the law (not yet...) > I have always assumed that > GOST has a hidden vulnerability/backdoor that the FSB is already using, I already answer this question elsewhere in this thread with the reference. > but this makes it mandatory. Putin gave the FSB 2 weeks to implement the > law, which is clearly impossible, but I suspect that there will be a > huge effort to pick all low-hanging fruit. As a result, I suspect no one > outside of Russia will touch GOST. (Not that they do now, either.) I'd > hate to see its support required for any protocol except in Russia as > someone will be silly enough to use it. I already explain required GOST usage pattern in this thread. _______________________________________________ freebsd-security@freebsd.org mailing list https://lists.freebsd.org/mailman/listinfo/freebsd-security To unsubscribe, send any mail to "freebsd-security-unsubscr...@freebsd.org"
