From: Michael Tremer
To: development@lists.ipfire.org
Subject: Re: Upgrading to OpenSSL 1.1.0
Date: Sat, 13 Jan 2018 12:17:57 +0000
Message-ID: <1515845877.3647.61.camel@ipfire.org>

Good morning,

On Fri, 2018-01-12 at 12:02 +0100, ummeegge wrote:
> Hi Michael,
> 
> > Erik: I am not sure why those packages won't build for you. I patched a
> > number of them in my branch:
> > 
> > https://git.ipfire.org/?p=people/ms/ipfire-2.x.git;a=shortlog;h=refs/heads/openssl-11
> 
> Have loaded the current Core 118
> 
> I fetched your changes via:
> 
> git remote add openssl-11 ssh://ummeegge@git.ipfire.org/pub/git/people/ms/ipfire-2.x.git
> git fetch openssl-11
> git checkout openssl-11
> 
> and have built it with the same issues as mentioned before.

Hmm, okay. I have no idea how I forgot about all these things. Please pull the branch again and everything except openvpn will build now.

> > I will rebase this branch now on where next currently is and build it
> > again.
> 
> Haven't found it, can you point out how to get it?

Same branch...

> > I only expect asterisk to crash then which we need to update. It
> > seems that Dirk has retired as maintainer for asterisk. I can try
> > switching Asterisk to gnutls instead, but generally I would like to
> > keep as much as we can on OpenSSL since that is our primary library.
> 
> I think an update of Asterisk and its components should work also with the new
> OpenSSL.
> At least in my environment Asterisk has built with OpenSSL-1.1.0g, but there
> was one more dependency (jansson) needed.
> Changes can be found in here -->
> https://git.ipfire.org/?p=people/ummeegge/ipfire-2.x.git;a=commit;h=2d940ba2187a53cf52d2191a36c3897636b9600c

I actually updated that myself before you sent your email, but please review my changes.

> > So, again for me: What is the status of OpenVPN 2.4 now? I guess that
> > should build with OpenSSL 1.1 out of the box.
> 
> OpenVPN-2.4.4 has built with OpenSSL-1.1.0g. Have included also the LZ4
> compression lib, but otherwise it builds out of the box. But OpenVPN won't start
> without some changes in ovpnmain.cgi. In here -->
> https://github.com/ummeegge/OpenVPN_30.08.2017/commit/7460cead169ea919f66ad7068e764fef37bf8f8b#diff-2011d5d928fd214cacb83844729c65cc
> a little more than needed has been done, but it describes very closely the needed changes.

Hmm, I am not sure if we will have a lot of client support. But it should be a small library so that it wouldn't hurt too much to include it as well.

> The most important are:
> 1) The script-security flag 'system' cannot be used anymore; the server won't
> start if this isn't fixed.

Where do we use that?

> 2) OpenVPN has added an automatic cipher negotiation with 2.4.x which should
> be manageable in my opinion. If someone needs to have other ciphers than the
> strongest defaults, e.g. for the usage of HWRNG, this option should be
> switchable with an OFF/ON checkbox.

Who would want to switch off a HWRNG? OpenVPN should only use entropy from the kernel and nothing else. Never directly read from any HWRNGs.

And about the negotiation, that would be nice, but does that work with older clients?

> This option is also pushable so it can be used individually per client, so it
> can be managed via the global section but also over the CCD section for each
> client.
> 
> > Would you be able to submit patches so that it builds already? Any
> > changes to the CGI files to add new ciphers can and should be a second
> > patch.
> 
> I can do this, but it might be great if I can make some tests with the
> new OpenSSL lib before. Would it be OK for you if I push the first part as in the
> GitHub example? Have already changed the language file description and left
> Camellia out of the --ncp-ciphers list (which is equal to the OpenVPN manpage).

Please send any proposed changes as patches to the list.

> > I am not sure if we should expect any problems with changed
> > configuration parameter where we need to migrate configuration files.
> > We are already using the new parameters where possible. So is there any
> > other work left to do?
> 
> The main work is described above. OpenVPN-2.4.x checks the version of the
> clients: if they are <= 2.4 OpenVPN uses the already present --cipher ALG; if
> the clients are >= 2.4 it will negotiate the best cipher, which is normally AES-
> 256-GCM, which is also a completely new algorithm for OpenVPN (no cipher block
> chaining).

Cool.

> > > also causing the "Sweet32 Birthday attacks" --> https://sweet32.info/ a
> > > lot of ciphers which are used in IPFire's OpenVPN are marked as deprecated
> > > and should, in my opinion, be marked in the WUI as such. A potential new
> > > digest "BLAKE2b" has also been introduced which I'm not sure if it works
> > > properly and, if it works, if it should be integrated into the menu of
> > > IPFire's OpenVPN WUI.
> > 
> > Not sure if we should support something experimental. Might become a
> > headache later…
> 
> Yes, I think so too. Nevertheless I think we should introduce at least the new
> Galois/Counter Mode (available with 128, 196 and 256 bit) which is somehow the
> default of the new OpenVPN if possible. Would do this with a second patch,
> where it might also be an idea to list all the deprecated ciphers as such
> (via optgroup label)?

Certainly GCM and all the other ones that include MAC.

Peter has proposed a patch recently with improved crypto, please work together with him.

> > > My main problem currently is that I cannot test all that because the
> > > installation process interrupts with "Unable to install the language cache";
> > > the message comes from here -->
> > > https://github.com/ipfire/ipfire-2.x/blob/cf361ef4b55134254150b5070069f9d25b201bd1/src/installer/po/de.po#L272
> > > I think.
> > > Some help in there might be great to proceed further with the OpenVPN
> > > update.
> > 
> > Are you still stuck at this?
> 
> Yes, as mentioned above, have loaded Core 118 and fetched your branch but am stuck
> with the exact same problems as described in here -->
> https://lists.ipfire.org/pipermail/development/2017-December/003831.html
> If I get something wrong here, it might be great if you can point me in the right direction.
> 
> 
> By the way, I wish you all a happy new year and all the best for 2018 :-) .

Happy new year to you, too!

-Michael

> 
> Greetings,
> 
> Erik
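The two migration points the thread raises for OpenVPN 2.4 (the obsolete 'system' method argument of script-security, and keeping --cipher as the fallback for clients older than 2.4 while --ncp-ciphers covers newer ones, with the Sweet32-affected 64-bit block ciphers marked as deprecated) can be applied mechanically to a server.conf. The following POSIX shell script is an added example written for this page; it is not IPFire's or OpenVPN's own code. It assumes a plain one-option-per-line config, that OpenVPN 2.4's default negotiation list is AES-256-GCM:AES-128-GCM, and a Sweet32 list (an assumption) built from the 64-bit block ciphers OpenSSL exposes under their usual OpenVPN names. The sample config in the usage comment and test is constructed.

```shell
#!/bin/sh
# Added example, not IPFire's or OpenVPN's own code.
# Reads an OpenVPN 2.3-era server.conf on stdin and writes a 2.4-compatible
# config to stdout:
#   - 'script-security <level> system' keeps the level, drops the method
#     argument (the thread reports 2.4 refuses to start with it);
#   - 'cipher ALG' is kept as the fallback for clients older than 2.4, and
#     'ncp-ciphers' is appended if absent so 2.4 clients negotiate an AEAD
#     cipher (AES-256-GCM:AES-128-GCM assumed as the 2.4 default);
#   - ciphers with a 64-bit block (Sweet32 set, an assumed list) get a
#     DEPRECATED comment so they stand out when reviewing the result.

# Assumed Sweet32 set: 64-bit block ciphers under their OpenSSL/OpenVPN names.
SWEET32_CIPHERS="BF-CBC DES-CBC DES-EDE-CBC DES-EDE3-CBC CAST5-CBC IDEA-CBC RC2-CBC"

# Return 0 when $1 names a 64-bit block cipher, 1 otherwise.
is_sweet32_cipher() {
    for c in $SWEET32_CIPHERS; do
        [ "$1" = "$c" ] && return 0
    done
    return 1
}

# Migrate the config read from stdin; migrated config goes to stdout.
migrate_ovpn_conf() {
    ncp_present=0
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in
            script-security*)
                # Word-split the line: $1 is the option, $2 the level.
                set -- $line
                printf '%s %s\n' "$1" "$2"
                ;;
            ncp-ciphers*)
                ncp_present=1
                printf '%s\n' "$line"
                ;;
            cipher*)
                set -- $line
                if is_sweet32_cipher "$2"; then
                    printf '# DEPRECATED: %s has a 64-bit block (Sweet32); kept only for clients < 2.4\n' "$2"
                fi
                printf '%s\n' "$line"
                ;;
            *)
                printf '%s\n' "$line"
                ;;
        esac
    done
    if [ "$ncp_present" -eq 0 ]; then
        printf 'ncp-ciphers AES-256-GCM:AES-128-GCM\n'
    fi
}

# Usage (paths are illustrative):
#   migrate_ovpn_conf < /var/ipfire/ovpn/server.conf > server.conf.new
```

The fallback 'cipher' line is deliberately left in place rather than replaced: a 2.4 server still needs it for pre-2.4 clients, and removing it would break those clients instead of just warning about a weak cipher. Reviewing the DEPRECATED comments is the point where the WUI would decide which ciphers to still offer.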