From mboxrd@z Thu Jan  1 00:00:00 1970
From: Michael Tremer <michael.tremer@ipfire.org>
To: development@lists.ipfire.org
Subject: Re: Upgrading to OpenSSL 1.1.0
Date: Wed, 10 Jan 2018 17:08:39 +0000
Message-ID: <1515604119.2392.12.camel@ipfire.org>
In-Reply-To: <47B62510-51B5-4D21-A07F-F2483CFBABE9@ipfire.org>
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="===============5969156953060644786=="
List-Id: <development.lists.ipfire.org>

--===============5969156953060644786==
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable

Hi,

since we have recently had some bigger changes in next, we are now able
to pick this up again:

So various addons that are incompatible and not maintained upstream any
more have been dropped.

Some other packages that are therefore not needed any more have also
been dropped. We are slowly getting a smaller and cleaner distribution.

Erik: I am not sure why those packages won't build for you. I patched a
number of them in my branch:

  https://git.ipfire.org/?p=3Dpeople/ms/ipfire-2.x.git;a=3Dshortlog;h=3Drefs/
heads/openssl-11

I will rebase this branch now on where next currently is and build it
again. I only expect asterisk to crash then which we need to update. It
seems that Dirk has retired as maintainer for asterisk. I can try
switching Asterisk to gnutls instead, but generally I would like to
keep as much as we can on OpenSSL since that is our primary library.

So, again for me: What is the status of OpenVPN 2.4 now? I guess that
should build with OpenSSL 1.1 out of the box.

Would you be able to submit patches so that it builds already? Any
changes to the CGI files to add new ciphers can and should be a second
patch.

I am not sure if we should expect any problems with changed
configuration parameter where we need to migrate configuration files.
We are already using the new parameters where possible. So is there any
other work left to do?

On Thu, 2017-12-07 at 12:21 +0100, ummeegge wrote:
> Hi all,
> regarding a potential help for building PHP and Asterisk (linked wget to gn=
utls since it won=C2=B4t build here with the new OpenSSL) but also to go here=
 a step further to build IPFire with the new OpenSSL-1.1.0g i made a couple o=
f changes --> https://git.ipfire.org/?p=3Dpeople/ummeegge/ipfire-2.x.git;a=3D=
commit;h=3D2d940ba2187a53cf52d2191a36c3897636b9600c to facilitate this update=
, hope this is useful for someone.
>=20
> Have seen that PHP is about to be dropped --> https://wiki.ipfire.org/devel=
/telco/2017-12-04 in that case please forget the pushed ideas.
>=20
> I stuck currently to build
>=20
> - openvmtools
> - lcr
> - tor
> <-- in my humble opinion the problem with those packages seems to be someho=
w related to another (last log messages before the compilation stops are poin=
ting to a ENGINE problem ?).
> - crda
> <-- there seems to be some patches out there --> https://patchwork.openembe=
dded.org/patch/136794/  , https://github.com/graugans/meta-udoo/issues/10 whe=
re the same problem seems to be addressed.
>=20
>=20
> Regarding the OpenVPN update i was able to build OpenVPN-2.4.4 with OpenSSL=
-1.1.0g
>=20
> ipfire build chroot (x86_64) root:/$ openvpn --version
> OpenVPN 2.4.4 i586-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKT=
INFO] [AEAD] built on Dec  4 2017
> library versions: OpenSSL 1.1.0g  2 Nov 2017, LZO 2.09
> Originally developed by James Yonan
> Copyright (C) 2002-2017 OpenVPN Technologies, Inc. <sales(a)openvpn.net>
> Compile time defines: enable_async_push=3Dno enable_comp_stub=3Dno enable_c=
rypto=3Dyes enable_crypto_ofb_cfb=3Dyes enable_debug=3Dyes enable_def_auth=3D=
yes enable_dlopen=3Dunknown enable_dlopen_self=3Dunknown enable_dlopen_self_s=
tatic=3Dunknown enable_fast_install=3Dyes enable_fragment=3Dyes enable_iprout=
e2=3Dyes enable_libtool_lock=3Dyes enable_lz4=3Dyes enable_lzo=3Dyes enable_m=
anagement=3Dyes enable_multihome=3Dyes enable_pam_dlopen=3Dno enable_pedantic=
=3Dno enable_pf=3Dyes enable_pkcs11=3Dno enable_plugin_auth_pam=3Dyes enable_=
plugin_down_root=3Dyes enable_plugins=3Dyes enable_port_share=3Dyes enable_se=
linux=3Dno enable_server=3Dyes enable_shared=3Dyes enable_shared_with_static_=
runtimes=3Dno enable_small=3Dno enable_static=3Dyes enable_strict=3Dno enable=
_strict_options=3Dno enable_systemd=3Dno enable_werror=3Dno enable_win32_dll=
=3Dyes enable_x509_alt_username=3Dno with_crypto_library=3Dopenssl with_gnu_l=
d=3Dyes with_mem_check=3Dno with_sysroot=3Dno
>=20
> whereby a lot of things has been changed for OpenVPNs digests, tls and ciph=
ers:
>=20
> ipfire build chroot (x86_64) root:/$ openvpn --show-digests && openvpn --sh=
ow-tls && openvpn --show-ciphers
> The following message digests are available for use with
> OpenVPN.  A message digest is used in conjunction with
> the HMAC function, to authenticate received packets.
> You can specify a message digest as parameter to
> the --auth option.
>=20
> MD5 128 bit digest size
> RSA-MD5 128 bit digest size
> SHA1 160 bit digest size
> RSA-SHA1 160 bit digest size
> MD5-SHA1 288 bit digest size
> RSA-SHA1-2 160 bit digest size
> RIPEMD160 160 bit digest size
> RSA-RIPEMD160 160 bit digest size
> MD4 128 bit digest size
> RSA-MD4 128 bit digest size
> RSA-SHA256 256 bit digest size
> RSA-SHA384 384 bit digest size
> RSA-SHA512 512 bit digest size
> RSA-SHA224 224 bit digest size
> SHA256 256 bit digest size
> SHA384 384 bit digest size
> SHA512 512 bit digest size
> SHA224 224 bit digest size
> whirlpool 512 bit digest size
> BLAKE2b512 512 bit digest size
> BLAKE2s256 256 bit digest size
>=20
> Available TLS Ciphers,
> listed in order of preference:
>=20
> TLS-ECDHE-ECDSA-WITH-AES-256-GCM-SHA384
> TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384
> TLS-DHE-RSA-WITH-AES-256-GCM-SHA384
> TLS-ECDHE-ECDSA-WITH-CHACHA20-POLY1305-SHA256
> TLS-ECDHE-RSA-WITH-CHACHA20-POLY1305-SHA256
> TLS-DHE-RSA-WITH-CHACHA20-POLY1305-SHA256
> TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256
> TLS-ECDHE-RSA-WITH-AES-128-GCM-SHA256
> TLS-DHE-RSA-WITH-AES-128-GCM-SHA256
> TLS-ECDHE-ECDSA-WITH-AES-256-CBC-SHA384
> TLS-ECDHE-RSA-WITH-AES-256-CBC-SHA384
> TLS-DHE-RSA-WITH-AES-256-CBC-SHA256
> TLS-ECDHE-ECDSA-WITH-AES-128-CBC-SHA256
> TLS-ECDHE-RSA-WITH-AES-128-CBC-SHA256
> TLS-DHE-RSA-WITH-AES-128-CBC-SHA256
> TLS-ECDHE-ECDSA-WITH-AES-256-CBC-SHA
> TLS-ECDHE-RSA-WITH-AES-256-CBC-SHA
> TLS-DHE-RSA-WITH-AES-256-CBC-SHA
> TLS-ECDHE-ECDSA-WITH-AES-128-CBC-SHA
> TLS-ECDHE-RSA-WITH-AES-128-CBC-SHA
> TLS-DHE-RSA-WITH-AES-128-CBC-SHA
>=20
> Be aware that that whether a cipher suite in this list can actually work
> depends on the specific setup of both peers. See the man page entries of
> --tls-cipher and --show-tls for more details.
>=20
> The following ciphers and cipher modes are available for use
> with OpenVPN.  Each cipher shown below may be use as a
> parameter to the --cipher option.  The default key size is
> shown as well as whether or not it can be changed with the
> --keysize directive.  Using a CBC or GCM mode is recommended.
> In static key mode only CBC mode is allowed.
>=20
> AES-128-CBC  (128 bit key, 128 bit block)
> AES-128-CFB  (128 bit key, 128 bit block, TLS client/server mode only)
> AES-128-CFB1  (128 bit key, 128 bit block, TLS client/server mode only)
> AES-128-CFB8  (128 bit key, 128 bit block, TLS client/server mode only)
> AES-128-GCM  (128 bit key, 128 bit block, TLS client/server mode only)
> AES-128-OFB  (128 bit key, 128 bit block, TLS client/server mode only)
> AES-192-CBC  (192 bit key, 128 bit block)
> AES-192-CFB  (192 bit key, 128 bit block, TLS client/server mode only)
> AES-192-CFB1  (192 bit key, 128 bit block, TLS client/server mode only)
> AES-192-CFB8  (192 bit key, 128 bit block, TLS client/server mode only)
> AES-192-GCM  (192 bit key, 128 bit block, TLS client/server mode only)
> AES-192-OFB  (192 bit key, 128 bit block, TLS client/server mode only)
> AES-256-CBC  (256 bit key, 128 bit block)
> AES-256-CFB  (256 bit key, 128 bit block, TLS client/server mode only)
> AES-256-CFB1  (256 bit key, 128 bit block, TLS client/server mode only)
> AES-256-CFB8  (256 bit key, 128 bit block, TLS client/server mode only)
> AES-256-GCM  (256 bit key, 128 bit block, TLS client/server mode only)
> AES-256-OFB  (256 bit key, 128 bit block, TLS client/server mode only)
> CAMELLIA-128-CBC  (128 bit key, 128 bit block)
> CAMELLIA-128-CFB  (128 bit key, 128 bit block, TLS client/server mode only)
> CAMELLIA-128-CFB1  (128 bit key, 128 bit block, TLS client/server mode only)
> CAMELLIA-128-CFB8  (128 bit key, 128 bit block, TLS client/server mode only)
> CAMELLIA-128-OFB  (128 bit key, 128 bit block, TLS client/server mode only)
> CAMELLIA-192-CBC  (192 bit key, 128 bit block)
> CAMELLIA-192-CFB  (192 bit key, 128 bit block, TLS client/server mode only)
> CAMELLIA-192-CFB1  (192 bit key, 128 bit block, TLS client/server mode only)
> CAMELLIA-192-CFB8  (192 bit key, 128 bit block, TLS client/server mode only)
> CAMELLIA-192-OFB  (192 bit key, 128 bit block, TLS client/server mode only)
> CAMELLIA-256-CBC  (256 bit key, 128 bit block)
> CAMELLIA-256-CFB  (256 bit key, 128 bit block, TLS client/server mode only)
> CAMELLIA-256-CFB1  (256 bit key, 128 bit block, TLS client/server mode only)
> CAMELLIA-256-CFB8  (256 bit key, 128 bit block, TLS client/server mode only)
> CAMELLIA-256-OFB  (256 bit key, 128 bit block, TLS client/server mode only)
> SEED-CBC  (128 bit key, 128 bit block)
> SEED-CFB  (128 bit key, 128 bit block, TLS client/server mode only)
> SEED-OFB  (128 bit key, 128 bit block, TLS client/server mode only)
>=20
> The following ciphers have a block size of less than 128 bits,=20
> and are therefore deprecated.  Do not use unless you have to.
>=20
> BF-CBC  (128 bit key by default, 64 bit block)
> BF-CFB  (128 bit key by default, 64 bit block, TLS client/server mode only)
> BF-OFB  (128 bit key by default, 64 bit block, TLS client/server mode only)
> CAST5-CBC  (128 bit key by default, 64 bit block)
> CAST5-CFB  (128 bit key by default, 64 bit block, TLS client/server mode on=
ly)
> CAST5-OFB  (128 bit key by default, 64 bit block, TLS client/server mode on=
ly)
> DES-CBC  (64 bit key, 64 bit block)
> DES-CFB  (64 bit key, 64 bit block, TLS client/server mode only)
> DES-CFB1  (64 bit key, 64 bit block, TLS client/server mode only)
> DES-CFB8  (64 bit key, 64 bit block, TLS client/server mode only)
> DES-EDE-CBC  (128 bit key, 64 bit block)
> DES-EDE-CFB  (128 bit key, 64 bit block, TLS client/server mode only)
> DES-EDE-OFB  (128 bit key, 64 bit block, TLS client/server mode only)
> DES-EDE3-CBC  (192 bit key, 64 bit block)
> DES-EDE3-CFB  (192 bit key, 64 bit block, TLS client/server mode only)
> DES-EDE3-CFB1  (192 bit key, 64 bit block, TLS client/server mode only)
> DES-EDE3-CFB8  (192 bit key, 64 bit block, TLS client/server mode only)
> DES-EDE3-OFB  (192 bit key, 64 bit block, TLS client/server mode only)
> DES-OFB  (64 bit key, 64 bit block, TLS client/server mode only)
> DESX-CBC  (192 bit key, 64 bit block)
> RC2-40-CBC  (40 bit key by default, 64 bit block)
> RC2-64-CBC  (64 bit key by default, 64 bit block)
> RC2-CBC  (128 bit key by default, 64 bit block)
> RC2-CFB  (128 bit key by default, 64 bit block, TLS client/server mode only)
> RC2-OFB  (128 bit key by default, 64 bit block, TLS client/server mode only)
>=20
>=20
> also causing the "Sweet32 Birthday attacks" --> https://sweet32.info/ a lot=
 of ciphers which are used in IPFires OpenVPN are marked as deprecated and sh=
ould. in my opinion, marked in the WUI as such. A potential new digest "BLAKE=
2b" has also been introduced which i=C2=B4am not sure if it works properly an=
d if it works, if it should be integrated into the menu of IPFires OpenVPN WU=
I.

Not sure if we should support something experimental. Might become a
headache later...

> My main problem currently is that i can not test all that cause the install=
ation process interrupts "Unable to install the language cache" , message com=
es from here --> https://github.com/ipfire/ipfire-2.x/blob/cf361ef4b551342541=
50b5070069f9d25b201bd1/src/installer/po/de.po#L272 i think.
> Some help in there might be great to proceed further with the OpenVPN updat=
e.

Are you still stuck at this?

Best,
-Michael

>=20
> Best,
>=20
> Erik
>=20
>=20
>=20

--===============5969156953060644786==
Content-Type: application/pgp-signature
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="signature.asc"
MIME-Version: 1.0

LS0tLS1CRUdJTiBQR1AgU0lHTkFUVVJFLS0tLS0KCmlRSXpCQUFCQ2dBZEZpRUU1L3JXNWwzR0dl
Mnlwa3R4Z0hudy8yK1FDUWNGQWxwV1NKY0FDZ2tRZ0hudy8yK1EKQ1FjRHNSQUFncVZNRkVDaVVC
ZTZzMTlRQ0FKNkhiT0FPMGZ5bVRmNjRLaHpQRUNXbnZ1RFdEK2dyOHVrSEo3SwpCVlJDTzZIcTg5
Z2RDekdKVDBZdHk4V0Fmb2MwSEpaRnNsSFl3MDY5eExHQmVhZHNLUWpQR1pmclQrWEp3WnFwCnBE
RnlTcWlPeFM4eVBlQ1NLc2FRekViRVRueElKc3JpdlU4T3Y3YzZab3YxTy85VUg0aU81ZkFDTmFD
RjVjdE0KZ1RoUXNsTk05QUxQMDloNUQyc25pUHVqN0ZQZ09RRGNJS3lhSzhXUElobko4VHNkQkd3
Z0VOYm5CNWdrMWdDQQplQ3Z2cUZpWUFGWkNRZ3pDUFpxTWpjUlIrbVFqcDdiSGpsVWFIQWNNWXhM
TDdvdlFjbEI3Ym1JUTRvSmxmYlJGClVqT2NqTVBOWDdGTTRySzFWRjFoU0E1cDYwVGlWNkJpMlJ2
dDZvQ3JNRU0xUit1MStpRmpqUzlpWGdyQmRsRG4KVUhhN0lLWDA0dk42ak1ZRytiWitSM0dMdzQ0
Vm9JWlFvNERVMHJ6SjlwMmFjTjJCTXZFWFFZNk9Pd1gyajkzVQp0bGdoWEZRck5KUldhZzdhRHB0
c1diNjNIa3JUSlNVVHM5L0IxSHNNMmVETzNhYVRJM1lCMkdTbzkxUFhIWHdUCjgwVE51TVc2bVNz
Sm1NcC9RVE1aSi9mbUJaT0l2cnJZeDJOd3BFTzBrUXVoMXlWd0prTVpEMUJRaEVJWXRtT20KTUNy
RnhYazVlVHpkRGl2eVhUZzJ2T0NmNk9OVFVCNkM1Y3FwTHdhdUROT2F3dUc2WklxS2JHZy9lODNx
OGZuaQpKNUVCMWFHalRhRmVydEVTRmVJeG5ta1pEWWJDYjdhYTVCU0NGRUFTOGpVOUtwSzE3d009
Cj1QeWwrCi0tLS0tRU5EIFBHUCBTSUdOQVRVUkUtLS0tLQo=

--===============5969156953060644786==--