From mboxrd@z Thu Jan 1 00:00:00 1970
From: ummeegge
To: development@lists.ipfire.org
Subject: Re: Upgrading to OpenSSL 1.1.0
Date: Thu, 07 Dec 2017 12:21:22 +0100
Message-ID: <47B62510-51B5-4D21-A07F-F2483CFBABE9@ipfire.org>
In-Reply-To: <029666F0-07E0-4CF3-BAAF-4D94E1F29A1A@ipfire.org>
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="===============4810077238802344754=="
List-Id:

--===============4810077238802344754==
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable

Hi all,

regarding a potential help for building PHP and Asterisk (linked wget to gnutls since it won't build here with the new OpenSSL) but also to go here a step further to build IPFire with the new OpenSSL-1.1.0g I made a couple of changes --> https://git.ipfire.org/?p=people/ummeegge/ipfire-2.x.git;a=commit;h=2d940ba2187a53cf52d2191a36c3897636b9600c to facilitate this update, hope this is useful for someone.

Have seen that PHP is about to be dropped --> https://wiki.ipfire.org/devel/telco/2017-12-04 in that case please forget the pushed ideas.

I am currently stuck building

- openvmtools
- lcr
- tor
<-- in my humble opinion the problem with those packages seems to be somehow related to one another (last log messages before the compilation stops are pointing to an ENGINE problem ?).
- crda
<-- there seem to be some patches out there --> https://patchwork.openembedded.org/patch/136794/ , https://github.com/graugans/meta-udoo/issues/10 where the same problem seems to be addressed.

Regarding the OpenVPN update I was able to build OpenVPN-2.4.4 with OpenSSL-1.1.0g

ipfire build chroot (x86_64) root:/$ openvpn --version
OpenVPN 2.4.4 i586-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD] built on Dec 4 2017
library versions: OpenSSL 1.1.0g 2 Nov 2017, LZO 2.09
Originally developed by James Yonan
Copyright (C) 2002-2017 OpenVPN Technologies, Inc.
Compile time defines: enable_async_push=no enable_comp_stub=no enable_crypto=yes enable_crypto_ofb_cfb=yes enable_debug=yes enable_def_auth=yes enable_dlopen=unknown enable_dlopen_self=unknown enable_dlopen_self_static=unknown enable_fast_install=yes enable_fragment=yes enable_iproute2=yes enable_libtool_lock=yes enable_lz4=yes enable_lzo=yes enable_management=yes enable_multihome=yes enable_pam_dlopen=no enable_pedantic=no enable_pf=yes enable_pkcs11=no enable_plugin_auth_pam=yes enable_plugin_down_root=yes enable_plugins=yes enable_port_share=yes enable_selinux=no enable_server=yes enable_shared=yes enable_shared_with_static_runtimes=no enable_small=no enable_static=yes enable_strict=no enable_strict_options=no enable_systemd=no enable_werror=no enable_win32_dll=yes enable_x509_alt_username=no with_crypto_library=openssl with_gnu_ld=yes with_mem_check=no with_sysroot=no

whereby a lot of things have been changed for OpenVPN's digests, tls and ciphers:

ipfire build chroot (x86_64) root:/$ openvpn --show-digests && openvpn --show-tls && openvpn --show-ciphers
The following message digests are available for use with OpenVPN.
A message digest is used in conjunction with the HMAC function,
to authenticate received packets.
You can specify a message digest as parameter to the --auth option.

MD5 128 bit digest size
RSA-MD5 128 bit digest size
SHA1 160 bit digest size
RSA-SHA1 160 bit digest size
MD5-SHA1 288 bit digest size
RSA-SHA1-2 160 bit digest size
RIPEMD160 160 bit digest size
RSA-RIPEMD160 160 bit digest size
MD4 128 bit digest size
RSA-MD4 128 bit digest size
RSA-SHA256 256 bit digest size
RSA-SHA384 384 bit digest size
RSA-SHA512 512 bit digest size
RSA-SHA224 224 bit digest size
SHA256 256 bit digest size
SHA384 384 bit digest size
SHA512 512 bit digest size
SHA224 224 bit digest size
whirlpool 512 bit digest size
BLAKE2b512 512 bit digest size
BLAKE2s256 256 bit digest size

Available TLS Ciphers,
listed in order of preference:

TLS-ECDHE-ECDSA-WITH-AES-256-GCM-SHA384
TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384
TLS-DHE-RSA-WITH-AES-256-GCM-SHA384
TLS-ECDHE-ECDSA-WITH-CHACHA20-POLY1305-SHA256
TLS-ECDHE-RSA-WITH-CHACHA20-POLY1305-SHA256
TLS-DHE-RSA-WITH-CHACHA20-POLY1305-SHA256
TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256
TLS-ECDHE-RSA-WITH-AES-128-GCM-SHA256
TLS-DHE-RSA-WITH-AES-128-GCM-SHA256
TLS-ECDHE-ECDSA-WITH-AES-256-CBC-SHA384
TLS-ECDHE-RSA-WITH-AES-256-CBC-SHA384
TLS-DHE-RSA-WITH-AES-256-CBC-SHA256
TLS-ECDHE-ECDSA-WITH-AES-128-CBC-SHA256
TLS-ECDHE-RSA-WITH-AES-128-CBC-SHA256
TLS-DHE-RSA-WITH-AES-128-CBC-SHA256
TLS-ECDHE-ECDSA-WITH-AES-256-CBC-SHA
TLS-ECDHE-RSA-WITH-AES-256-CBC-SHA
TLS-DHE-RSA-WITH-AES-256-CBC-SHA
TLS-ECDHE-ECDSA-WITH-AES-128-CBC-SHA
TLS-ECDHE-RSA-WITH-AES-128-CBC-SHA
TLS-DHE-RSA-WITH-AES-128-CBC-SHA

Be aware that that whether a cipher suite in this list can actually work
depends on the specific setup of both peers. See the man page entries of
--tls-cipher and --show-tls for more details.

The following ciphers and cipher modes are available for use
with OpenVPN. Each cipher shown below may be use as a
parameter to the --cipher option. The default key size is
shown as well as whether or not it can be changed with the
--keysize directive. Using a CBC or GCM mode is recommended.
In static key mode only CBC mode is allowed.

AES-128-CBC (128 bit key, 128 bit block)
AES-128-CFB (128 bit key, 128 bit block, TLS client/server mode only)
AES-128-CFB1 (128 bit key, 128 bit block, TLS client/server mode only)
AES-128-CFB8 (128 bit key, 128 bit block, TLS client/server mode only)
AES-128-GCM (128 bit key, 128 bit block, TLS client/server mode only)
AES-128-OFB (128 bit key, 128 bit block, TLS client/server mode only)
AES-192-CBC (192 bit key, 128 bit block)
AES-192-CFB (192 bit key, 128 bit block, TLS client/server mode only)
AES-192-CFB1 (192 bit key, 128 bit block, TLS client/server mode only)
AES-192-CFB8 (192 bit key, 128 bit block, TLS client/server mode only)
AES-192-GCM (192 bit key, 128 bit block, TLS client/server mode only)
AES-192-OFB (192 bit key, 128 bit block, TLS client/server mode only)
AES-256-CBC (256 bit key, 128 bit block)
AES-256-CFB (256 bit key, 128 bit block, TLS client/server mode only)
AES-256-CFB1 (256 bit key, 128 bit block, TLS client/server mode only)
AES-256-CFB8 (256 bit key, 128 bit block, TLS client/server mode only)
AES-256-GCM (256 bit key, 128 bit block, TLS client/server mode only)
AES-256-OFB (256 bit key, 128 bit block, TLS client/server mode only)
CAMELLIA-128-CBC (128 bit key, 128 bit block)
CAMELLIA-128-CFB (128 bit key, 128 bit block, TLS client/server mode only)
CAMELLIA-128-CFB1 (128 bit key, 128 bit block, TLS client/server mode only)
CAMELLIA-128-CFB8 (128 bit key, 128 bit block, TLS client/server mode only)
CAMELLIA-128-OFB (128 bit key, 128 bit block, TLS client/server mode only)
CAMELLIA-192-CBC (192 bit key, 128 bit block)
CAMELLIA-192-CFB (192 bit key, 128 bit block, TLS client/server mode only)
CAMELLIA-192-CFB1 (192 bit key, 128 bit block, TLS client/server mode only)
CAMELLIA-192-CFB8 (192 bit key, 128 bit block, TLS client/server mode only)
CAMELLIA-192-OFB (192 bit key, 128 bit block, TLS client/server mode only)
CAMELLIA-256-CBC (256 bit key, 128 bit block)
CAMELLIA-256-CFB (256 bit key, 128 bit block, TLS client/server mode only)
CAMELLIA-256-CFB1 (256 bit key, 128 bit block, TLS client/server mode only)
CAMELLIA-256-CFB8 (256 bit key, 128 bit block, TLS client/server mode only)
CAMELLIA-256-OFB (256 bit key, 128 bit block, TLS client/server mode only)
SEED-CBC (128 bit key, 128 bit block)
SEED-CFB (128 bit key, 128 bit block, TLS client/server mode only)
SEED-OFB (128 bit key, 128 bit block, TLS client/server mode only)

The following ciphers have a block size of less than 128 bits,
and are therefore deprecated. Do not use unless you have to.

BF-CBC (128 bit key by default, 64 bit block)
BF-CFB (128 bit key by default, 64 bit block, TLS client/server mode only)
BF-OFB (128 bit key by default, 64 bit block, TLS client/server mode only)
CAST5-CBC (128 bit key by default, 64 bit block)
CAST5-CFB (128 bit key by default, 64 bit block, TLS client/server mode only)
CAST5-OFB (128 bit key by default, 64 bit block, TLS client/server mode only)
DES-CBC (64 bit key, 64 bit block)
DES-CFB (64 bit key, 64 bit block, TLS client/server mode only)
DES-CFB1 (64 bit key, 64 bit block, TLS client/server mode only)
DES-CFB8 (64 bit key, 64 bit block, TLS client/server mode only)
DES-EDE-CBC (128 bit key, 64 bit block)
DES-EDE-CFB (128 bit key, 64 bit block, TLS client/server mode only)
DES-EDE-OFB (128 bit key, 64 bit block, TLS client/server mode only)
DES-EDE3-CBC (192 bit key, 64 bit block)
DES-EDE3-CFB (192 bit key, 64 bit block, TLS client/server mode only)
DES-EDE3-CFB1 (192 bit key, 64 bit block, TLS client/server mode only)
DES-EDE3-CFB8 (192 bit key, 64 bit block, TLS client/server mode only)
DES-EDE3-OFB (192 bit key, 64 bit block, TLS client/server mode only)
DES-OFB (64 bit key, 64 bit block, TLS client/server mode only)
DESX-CBC (192 bit key, 64 bit block)
RC2-40-CBC (40 bit key by default, 64 bit block)
RC2-64-CBC (64 bit key by default, 64 bit block)
RC2-CBC (128 bit key by default, 64 bit block)
RC2-CFB (128 bit key by default, 64 bit block, TLS client/server mode only)
RC2-OFB (128 bit key by default, 64 bit block, TLS client/server mode only)

Also because of the "Sweet32 Birthday attacks" --> https://sweet32.info/ a lot of ciphers which are used in IPFire's OpenVPN are marked as deprecated and should, in my opinion, be marked in the WUI as such. A potential new digest "BLAKE2b" has also been introduced which I am not sure if it works properly and if it works, if it should be integrated into the menu of IPFire's OpenVPN WUI.

My main problem currently is that I cannot test all that because the installation process interrupts with "Unable to install the language cache", the message comes from here --> https://github.com/ipfire/ipfire-2.x/blob/cf361ef4b55134254150b5070069f9d25b201bd1/src/installer/po/de.po#L272 I think.

Some help in there might be great to proceed further with the OpenVPN update.

Best,

Erik

--===============4810077238802344754==--
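
Added example, not part of the original mail and not IPFire's code: a parser for the "openvpn --show-ciphers" output quoted above that marks every cipher with a block smaller than 128 bits as deprecated, which is what the mail proposes for the WUI. The function names, the label format and the sample (a few lines copied from the output above) are assumptions made for illustration.

```python
import re

# Constructed sample: a few lines copied from the --show-ciphers output in the
# mail, including the deprecation banner, which the parser has to skip.
SAMPLE = """\
AES-256-CBC (256 bit key, 128 bit block)
AES-256-GCM (256 bit key, 128 bit block, TLS client/server mode only)
CAMELLIA-256-CBC (256 bit key, 128 bit block)
SEED-CBC (128 bit key, 128 bit block)
The following ciphers have a block size of less than 128 bits,
and are therefore deprecated. Do not use unless you have to.
BF-CBC (128 bit key by default, 64 bit block)
CAST5-CFB (128 bit key by default, 64 bit block, TLS client/server mode only)
DES-EDE3-CBC (192 bit key, 64 bit block)
RC2-40-CBC (40 bit key by default, 64 bit block)
"""

CIPHER_LINE = re.compile(
    r"^(?P<name>[A-Za-z0-9-]+)\s+\((?P<key>\d+) bit key(?P<var> by default)?, "
    r"(?P<block>\d+) bit block(?P<tls>, TLS client/server mode only)?\)$"
)

def parse_show_ciphers(text):
    """Parse --show-ciphers text into a list of cipher records."""
    ciphers = []
    for line in text.splitlines():
        m = CIPHER_LINE.match(line.strip())
        if m is None:
            continue  # banner, warning or blank line
        ciphers.append({
            "name": m["name"], "key_bits": int(m["key"]), "block_bits": int(m["block"]),
            "variable_key": m["var"] is not None, "tls_only": m["tls"] is not None,
        })
    return ciphers

def menu_entries(ciphers, min_block_bits=128):
    """Return (value, label) pairs for a hypothetical WUI drop-down."""
    entries = []
    for c in ciphers:
        small = c["block_bits"] < min_block_bits  # the Sweet32 case
        label = f'{c["name"]} ({c["key_bits"]} bit key, {c["block_bits"]} bit block)'
        entries.append((small, c["name"], label + (" [deprecated]" if small else "")))
    entries.sort(key=lambda e: e[0])  # stable sort: deprecated ciphers go last
    return [(name, label) for _, name, label in entries]

if __name__ == "__main__":
    for value, label in menu_entries(parse_show_ciphers(SAMPLE)):
        print(f"{value:18} {label}")
```

Deciding on the reported block size rather than a hard-coded name list means the marking follows whatever the installed OpenSSL build exposes.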