public inbox for development@lists.ipfire.org
From: Michael Tremer <michael.tremer@ipfire.org>
To: development@lists.ipfire.org
Subject: Re: Upgrading to OpenSSL 1.1.0
Date: Wed, 10 Jan 2018 17:08:39 +0000
Message-ID: <1515604119.2392.12.camel@ipfire.org>
In-Reply-To: <47B62510-51B5-4D21-A07F-F2483CFBABE9@ipfire.org>

Hi,

since we have recently had some bigger changes in next, we are now able
to pick this up again:

So various addons that are incompatible and not maintained upstream any
more have been dropped.

Some other packages that are therefore not needed any more have also
been dropped. We are slowly getting a smaller and cleaner distribution.

Erik: I am not sure why those packages won't build for you. I patched a
number of them in my branch:

  https://git.ipfire.org/?p=people/ms/ipfire-2.x.git;a=shortlog;h=refs/heads/openssl-11

I will rebase this branch now on where next currently is and build it
again. I only expect asterisk to crash then which we need to update. It
seems that Dirk has retired as maintainer for asterisk. I can try
switching Asterisk to gnutls instead, but generally I would like to
keep as much as we can on OpenSSL since that is our primary library.

So, again for me: What is the status of OpenVPN 2.4 now? I guess that
should build with OpenSSL 1.1 out of the box.

Would you be able to submit patches so that it builds already? Any
changes to the CGI files to add new ciphers can and should be a second
patch.

I am not sure if we should expect any problems with changed
configuration parameters where we need to migrate configuration files.
We are already using the new parameters where possible. So is there any
other work left to do?

On Thu, 2017-12-07 at 12:21 +0100, ummeegge wrote:
> Hi all,
> regarding potential help for building PHP and Asterisk (linked wget to gnutls since it won't build here with the new OpenSSL) but also to go a step further here to build IPFire with the new OpenSSL-1.1.0g, I made a couple of changes --> https://git.ipfire.org/?p=people/ummeegge/ipfire-2.x.git;a=commit;h=2d940ba2187a53cf52d2191a36c3897636b9600c to facilitate this update, hope this is useful for someone.
> 
> Have seen that PHP is about to be dropped --> https://wiki.ipfire.org/devel/telco/2017-12-04 in that case please forget the pushed ideas.
> 
> I am currently stuck building
> 
> - openvmtools
> - lcr
> - tor
> <-- in my humble opinion the problem with those packages seems to be somehow related to one another (the last log messages before the compilation stops are pointing to an ENGINE problem?).
> - crda
> <-- there seem to be some patches out there --> https://patchwork.openembedded.org/patch/136794/ , https://github.com/graugans/meta-udoo/issues/10 where the same problem seems to be addressed.
> 
> 
> Regarding the OpenVPN update, I was able to build OpenVPN-2.4.4 with OpenSSL-1.1.0g
> 
> ipfire build chroot (x86_64) root:/$ openvpn --version
> OpenVPN 2.4.4 i586-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD] built on Dec  4 2017
> library versions: OpenSSL 1.1.0g  2 Nov 2017, LZO 2.09
> Originally developed by James Yonan
> Copyright (C) 2002-2017 OpenVPN Technologies, Inc. <sales(a)openvpn.net>
> Compile time defines: enable_async_push=no enable_comp_stub=no enable_crypto=yes enable_crypto_ofb_cfb=yes enable_debug=yes enable_def_auth=yes enable_dlopen=unknown enable_dlopen_self=unknown enable_dlopen_self_static=unknown enable_fast_install=yes enable_fragment=yes enable_iproute2=yes enable_libtool_lock=yes enable_lz4=yes enable_lzo=yes enable_management=yes enable_multihome=yes enable_pam_dlopen=no enable_pedantic=no enable_pf=yes enable_pkcs11=no enable_plugin_auth_pam=yes enable_plugin_down_root=yes enable_plugins=yes enable_port_share=yes enable_selinux=no enable_server=yes enable_shared=yes enable_shared_with_static_runtimes=no enable_small=no enable_static=yes enable_strict=no enable_strict_options=no enable_systemd=no enable_werror=no enable_win32_dll=yes enable_x509_alt_username=no with_crypto_library=openssl with_gnu_ld=yes with_mem_check=no with_sysroot=no
> 
> whereby a lot of things have been changed for OpenVPN's digests, TLS and ciphers:
> 
> ipfire build chroot (x86_64) root:/$ openvpn --show-digests && openvpn --show-tls && openvpn --show-ciphers
> The following message digests are available for use with
> OpenVPN.  A message digest is used in conjunction with
> the HMAC function, to authenticate received packets.
> You can specify a message digest as parameter to
> the --auth option.
> 
> MD5 128 bit digest size
> RSA-MD5 128 bit digest size
> SHA1 160 bit digest size
> RSA-SHA1 160 bit digest size
> MD5-SHA1 288 bit digest size
> RSA-SHA1-2 160 bit digest size
> RIPEMD160 160 bit digest size
> RSA-RIPEMD160 160 bit digest size
> MD4 128 bit digest size
> RSA-MD4 128 bit digest size
> RSA-SHA256 256 bit digest size
> RSA-SHA384 384 bit digest size
> RSA-SHA512 512 bit digest size
> RSA-SHA224 224 bit digest size
> SHA256 256 bit digest size
> SHA384 384 bit digest size
> SHA512 512 bit digest size
> SHA224 224 bit digest size
> whirlpool 512 bit digest size
> BLAKE2b512 512 bit digest size
> BLAKE2s256 256 bit digest size
> 
> Available TLS Ciphers,
> listed in order of preference:
> 
> TLS-ECDHE-ECDSA-WITH-AES-256-GCM-SHA384
> TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384
> TLS-DHE-RSA-WITH-AES-256-GCM-SHA384
> TLS-ECDHE-ECDSA-WITH-CHACHA20-POLY1305-SHA256
> TLS-ECDHE-RSA-WITH-CHACHA20-POLY1305-SHA256
> TLS-DHE-RSA-WITH-CHACHA20-POLY1305-SHA256
> TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256
> TLS-ECDHE-RSA-WITH-AES-128-GCM-SHA256
> TLS-DHE-RSA-WITH-AES-128-GCM-SHA256
> TLS-ECDHE-ECDSA-WITH-AES-256-CBC-SHA384
> TLS-ECDHE-RSA-WITH-AES-256-CBC-SHA384
> TLS-DHE-RSA-WITH-AES-256-CBC-SHA256
> TLS-ECDHE-ECDSA-WITH-AES-128-CBC-SHA256
> TLS-ECDHE-RSA-WITH-AES-128-CBC-SHA256
> TLS-DHE-RSA-WITH-AES-128-CBC-SHA256
> TLS-ECDHE-ECDSA-WITH-AES-256-CBC-SHA
> TLS-ECDHE-RSA-WITH-AES-256-CBC-SHA
> TLS-DHE-RSA-WITH-AES-256-CBC-SHA
> TLS-ECDHE-ECDSA-WITH-AES-128-CBC-SHA
> TLS-ECDHE-RSA-WITH-AES-128-CBC-SHA
> TLS-DHE-RSA-WITH-AES-128-CBC-SHA
> 
> Be aware that that whether a cipher suite in this list can actually work
> depends on the specific setup of both peers. See the man page entries of
> --tls-cipher and --show-tls for more details.
> 
> The following ciphers and cipher modes are available for use
> with OpenVPN.  Each cipher shown below may be use as a
> parameter to the --cipher option.  The default key size is
> shown as well as whether or not it can be changed with the
> --keysize directive.  Using a CBC or GCM mode is recommended.
> In static key mode only CBC mode is allowed.
> 
> AES-128-CBC  (128 bit key, 128 bit block)
> AES-128-CFB  (128 bit key, 128 bit block, TLS client/server mode only)
> AES-128-CFB1  (128 bit key, 128 bit block, TLS client/server mode only)
> AES-128-CFB8  (128 bit key, 128 bit block, TLS client/server mode only)
> AES-128-GCM  (128 bit key, 128 bit block, TLS client/server mode only)
> AES-128-OFB  (128 bit key, 128 bit block, TLS client/server mode only)
> AES-192-CBC  (192 bit key, 128 bit block)
> AES-192-CFB  (192 bit key, 128 bit block, TLS client/server mode only)
> AES-192-CFB1  (192 bit key, 128 bit block, TLS client/server mode only)
> AES-192-CFB8  (192 bit key, 128 bit block, TLS client/server mode only)
> AES-192-GCM  (192 bit key, 128 bit block, TLS client/server mode only)
> AES-192-OFB  (192 bit key, 128 bit block, TLS client/server mode only)
> AES-256-CBC  (256 bit key, 128 bit block)
> AES-256-CFB  (256 bit key, 128 bit block, TLS client/server mode only)
> AES-256-CFB1  (256 bit key, 128 bit block, TLS client/server mode only)
> AES-256-CFB8  (256 bit key, 128 bit block, TLS client/server mode only)
> AES-256-GCM  (256 bit key, 128 bit block, TLS client/server mode only)
> AES-256-OFB  (256 bit key, 128 bit block, TLS client/server mode only)
> CAMELLIA-128-CBC  (128 bit key, 128 bit block)
> CAMELLIA-128-CFB  (128 bit key, 128 bit block, TLS client/server mode only)
> CAMELLIA-128-CFB1  (128 bit key, 128 bit block, TLS client/server mode only)
> CAMELLIA-128-CFB8  (128 bit key, 128 bit block, TLS client/server mode only)
> CAMELLIA-128-OFB  (128 bit key, 128 bit block, TLS client/server mode only)
> CAMELLIA-192-CBC  (192 bit key, 128 bit block)
> CAMELLIA-192-CFB  (192 bit key, 128 bit block, TLS client/server mode only)
> CAMELLIA-192-CFB1  (192 bit key, 128 bit block, TLS client/server mode only)
> CAMELLIA-192-CFB8  (192 bit key, 128 bit block, TLS client/server mode only)
> CAMELLIA-192-OFB  (192 bit key, 128 bit block, TLS client/server mode only)
> CAMELLIA-256-CBC  (256 bit key, 128 bit block)
> CAMELLIA-256-CFB  (256 bit key, 128 bit block, TLS client/server mode only)
> CAMELLIA-256-CFB1  (256 bit key, 128 bit block, TLS client/server mode only)
> CAMELLIA-256-CFB8  (256 bit key, 128 bit block, TLS client/server mode only)
> CAMELLIA-256-OFB  (256 bit key, 128 bit block, TLS client/server mode only)
> SEED-CBC  (128 bit key, 128 bit block)
> SEED-CFB  (128 bit key, 128 bit block, TLS client/server mode only)
> SEED-OFB  (128 bit key, 128 bit block, TLS client/server mode only)
> 
> The following ciphers have a block size of less than 128 bits, 
> and are therefore deprecated.  Do not use unless you have to.
> 
> BF-CBC  (128 bit key by default, 64 bit block)
> BF-CFB  (128 bit key by default, 64 bit block, TLS client/server mode only)
> BF-OFB  (128 bit key by default, 64 bit block, TLS client/server mode only)
> CAST5-CBC  (128 bit key by default, 64 bit block)
> CAST5-CFB  (128 bit key by default, 64 bit block, TLS client/server mode only)
> CAST5-OFB  (128 bit key by default, 64 bit block, TLS client/server mode only)
> DES-CBC  (64 bit key, 64 bit block)
> DES-CFB  (64 bit key, 64 bit block, TLS client/server mode only)
> DES-CFB1  (64 bit key, 64 bit block, TLS client/server mode only)
> DES-CFB8  (64 bit key, 64 bit block, TLS client/server mode only)
> DES-EDE-CBC  (128 bit key, 64 bit block)
> DES-EDE-CFB  (128 bit key, 64 bit block, TLS client/server mode only)
> DES-EDE-OFB  (128 bit key, 64 bit block, TLS client/server mode only)
> DES-EDE3-CBC  (192 bit key, 64 bit block)
> DES-EDE3-CFB  (192 bit key, 64 bit block, TLS client/server mode only)
> DES-EDE3-CFB1  (192 bit key, 64 bit block, TLS client/server mode only)
> DES-EDE3-CFB8  (192 bit key, 64 bit block, TLS client/server mode only)
> DES-EDE3-OFB  (192 bit key, 64 bit block, TLS client/server mode only)
> DES-OFB  (64 bit key, 64 bit block, TLS client/server mode only)
> DESX-CBC  (192 bit key, 64 bit block)
> RC2-40-CBC  (40 bit key by default, 64 bit block)
> RC2-64-CBC  (64 bit key by default, 64 bit block)
> RC2-CBC  (128 bit key by default, 64 bit block)
> RC2-CFB  (128 bit key by default, 64 bit block, TLS client/server mode only)
> RC2-OFB  (128 bit key by default, 64 bit block, TLS client/server mode only)
> 
> 
> Also, due to the "Sweet32 Birthday attacks" --> https://sweet32.info/ a lot of ciphers which are used in IPFire's OpenVPN are marked as deprecated and should, in my opinion, be marked in the WUI as such. A potential new digest "BLAKE2b" has also been introduced, which I am not sure works properly and, if it works, whether it should be integrated into the menu of IPFire's OpenVPN WUI.

Not sure if we should support something experimental. Might become a
headache later...

> My main problem currently is that I cannot test all that because the installation process is interrupted with "Unable to install the language cache"; the message comes from here --> https://github.com/ipfire/ipfire-2.x/blob/cf361ef4b55134254150b5070069f9d25b201bd1/src/installer/po/de.po#L272 I think.
> Some help in there might be great to proceed further with the OpenVPN update.

Are you still stuck at this?

Best,
-Michael

> 
> Best,
> 
> Erik
> 
> 
> 
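
An added example, not part of this thread or of IPFire's code: the quoted `openvpn --show-ciphers` output can be parsed to flag the ciphers with a block size below 128 bits (the Sweet32-affected group) so that a UI can label them as deprecated. The function names and the label text are hypothetical; the sample lines are an excerpt of the output quoted above.

```python
import re

# One cipher line of `openvpn --show-ciphers` in the format quoted in this thread.
CIPHER_RE = re.compile(
    r"^(?P<name>[A-Za-z0-9-]+)\s+\((?P<key>\d+) bit key(?P<var> by default)?, "
    r"(?P<block>\d+) bit block(?P<tls>, TLS client/server mode only)?\)$"
)

# Excerpt copied from the output quoted above (not a complete list).
SAMPLE = """\
> AES-256-CBC  (256 bit key, 128 bit block)
> AES-256-GCM  (256 bit key, 128 bit block, TLS client/server mode only)
> SEED-CBC  (128 bit key, 128 bit block)
>
> The following ciphers have a block size of less than 128 bits,
> and are therefore deprecated.  Do not use unless you have to.
>
> BF-CBC  (128 bit key by default, 64 bit block)
> DES-EDE3-CBC  (192 bit key, 64 bit block)
> RC2-40-CBC  (40 bit key by default, 64 bit block)
"""

def parse_ciphers(text):
    """Return one dict per cipher line; prose and blank lines are skipped."""
    ciphers = []
    for raw in text.splitlines():
        line = raw.lstrip("> ").strip()  # tolerate mail quoting
        m = CIPHER_RE.match(line)
        if not m:
            continue
        block = int(m["block"])
        ciphers.append({
            "name": m["name"],
            "key_bits": int(m["key"]),
            "key_variable": m["var"] is not None,
            "block_bits": block,
            "tls_only": m["tls"] is not None,
            "small_block": block < 128,  # same threshold OpenVPN prints
        })
    return ciphers

def menu_label(cipher):
    """Hypothetical drop-down label; small-block ciphers are marked deprecated."""
    label = f"{cipher['name']} ({cipher['key_bits']} bit)"
    if cipher["small_block"]:
        label += f" - deprecated, {cipher['block_bits']} bit block"
    return label

if __name__ == "__main__":
    for c in parse_ciphers(SAMPLE):
        print(menu_label(c))
```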
