Re: [PATCH] OpenSSL_update: Update to version 1.1.1a

public inbox for development@lists.ipfire.org
 help / color / mirror / Atom feed

From: Michael Tremer <michael.tremer@ipfire.org>
To: development@lists.ipfire.org
Subject: Re: [PATCH] OpenSSL_update: Update to version 1.1.1a
Date: Tue, 22 Jan 2019 14:19:51 +0000	[thread overview]
Message-ID: <CD376861-CD2B-48C8-8BBC-353749E85E2D@ipfire.org> (raw)
In-Reply-To: <cb66f01dba3a345b0f4e14621e9a793b8bc51447.camel@ipfire.org>

[-- Attachment #1: Type: text/plain, Size: 7189 bytes --]

Hello,

> On 18 Jan 2019, at 17:35, ummeegge <ummeegge(a)ipfire.org> wrote:
> 
> Hi all,
> 
> Am Freitag, den 18.01.2019, 18:06 +0100 schrieb Peter Müller:
>> Hello,
>> 
>> just for the records some explanations on this patch:
>> (a) Chacha/Poly is faster on devices without built-in AES
>> acceleration.
>> Since it provides the same strength as AES, I usually prefer it
>> except
>> for _very_ high bandwidth requirements.
>> (b) At the moment, there seems to be little support of AESCCM, so I
>> disabled it for now in order to keep our ciphersuite zoo smaller. :-)
>> If there is any need to enable it, I will update the patch
>> accordingly.
> the new OpenSSL has implemented support for five new TLSv1.3
> ciphersuites. We have already three activated (which is the default)
> and the other two are CCM mode ciphers --> 
> https://wiki.openssl.org/index.php/TLS1.3#Ciphersuites 
> . Am currently not sure about a concrete use case for this but it
> appears that e.g. 'TLS_AES_128_CCM_8_SHA256' have a shorter
> authentication tag and in combination with a short plaintext the
> ciphertext are less than 16 bytes.
> --> https://datatracker.ietf.org/meeting/102/agenda/tls-drafts.pdf
> which can be in rare use cases (?) nice.
> 
> 
>> 
>> I am happy this made its way into IPFire. :-)
> Me too :-) .
> 
>> 
>> Updated add-on versions for Postfix and Tor will come soon, at the
>> moment, I am somewhat busy with libloc, Suricata and the ORANGE
>> default
>> firewall behaviour.
> There are some more OpenSSL patches for 
> 
> elinks-0.12pre6-openssl11.patch
> net-snmp-5.7.3-openssl.patch
> openssh-7.8p1-openssl-1.1.0-1.patch
> openssl-1.0.0-beta5-enginesdir.patch
> openssl-1.0.2a-rpmbuild.patch
> openssl-1.0.2a_disable_ssse3_for_amd.patch
> openssl-1.0.2g-disable-sslv2v3.patch
> ppp-2.4.7-openssl.patch
> 
> as far as i can see openssl-compat has been dropped ?

Please send a patch that cleans them up.

I suppose we need to keep the patches in delinks, net-snap and ppp so that those packages compile against the new versions of OpenSSL.

-Michael

> 
> 
> Best,
> 
> Erik
> 
>> 
>> Thanks, and best regards,
>> Peter Müller 
>> 
>>> 
>>> Even i use the old patch i am a happy tester with 64 bit since one
>>> month + :-).
>>> 
>>> The difference between old and new patch (from Peter) are not that
>>> vast
>>> and they looks like this:
>>> 
>>> --- OpenSSL-1.1.1a_old_patch	2019-01-13 18:15:33.316651666
>>> +0100
>>> +++ OpenSSL-1.1.1a-new_patch	2019-01-13 18:16:22.008650232
>>> +0100
>>> @@ -1,31 +1,23 @@
>>> -TLS_AES_256_GCM_SHA384  TLSv1.3
>>> Kx=any      Au=any  Enc=AESGCM(256) Mac=AEAD
>>> TLS_CHACHA20_POLY1305_SHA256 TLSv1.3
>>> Kx=any      Au=any  Enc=CHACHA20/POLY1305(256) Mac=AEAD
>>> +TLS_AES_256_GCM_SHA384  TLSv1.3
>>> Kx=any      Au=any  Enc=AESGCM(256) Mac=AEAD
>>> TLS_AES_128_GCM_SHA256  TLSv1.3
>>> Kx=any      Au=any  Enc=AESGCM(128) Mac=AEAD
>>> -ECDHE-ECDSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH     Au=ECDSA
>>> Enc=AESGCM(256) Mac=AEAD
>>> ECDHE-ECDSA-CHACHA20-POLY1305 TLSv1.2 Kx=ECDH     Au=ECDSA
>>> Enc=CHACHA20/POLY1305(256) Mac=AEAD
>>> -ECDHE-ECDSA-AES256-CCM8 TLSv1.2 Kx=ECDH     Au=ECDSA
>>> Enc=AESCCM8(256) Mac=AEAD
>>> -ECDHE-ECDSA-AES256-CCM  TLSv1.2 Kx=ECDH     Au=ECDSA
>>> Enc=AESCCM(256) Mac=AEAD
>>> +ECDHE-ECDSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH     Au=ECDSA
>>> Enc=AESGCM(256) Mac=AEAD
>>> ECDHE-ECDSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH     Au=ECDSA
>>> Enc=AESGCM(128) Mac=AEAD
>>> -ECDHE-ECDSA-AES128-CCM8 TLSv1.2 Kx=ECDH     Au=ECDSA
>>> Enc=AESCCM8(128) Mac=AEAD
>>> -ECDHE-ECDSA-AES128-CCM  TLSv1.2 Kx=ECDH     Au=ECDSA
>>> Enc=AESCCM(128) Mac=AEAD
>>> ECDHE-ECDSA-AES256-SHA384 TLSv1.2 Kx=ECDH     Au=ECDSA
>>> Enc=AES(256)  Mac=SHA384
>>> ECDHE-ECDSA-CAMELLIA256-SHA384 TLSv1.2 Kx=ECDH     Au=ECDSA
>>> Enc=Camellia(256) Mac=SHA384
>>> ECDHE-ECDSA-AES128-SHA256 TLSv1.2 Kx=ECDH     Au=ECDSA
>>> Enc=AES(128)  Mac=SHA256
>>> ECDHE-ECDSA-CAMELLIA128-SHA256 TLSv1.2 Kx=ECDH     Au=ECDSA
>>> Enc=Camellia(128) Mac=SHA256
>>> -ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2
>>> Kx=ECDH     Au=RSA  Enc=AESGCM(256) Mac=AEAD
>>> ECDHE-RSA-CHACHA20-POLY1305 TLSv1.2
>>> Kx=ECDH     Au=RSA  Enc=CHACHA20/POLY1305(256) Mac=AEAD
>>> +ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2
>>> Kx=ECDH     Au=RSA  Enc=AESGCM(256) Mac=AEAD
>>> ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2
>>> Kx=ECDH     Au=RSA  Enc=AESGCM(128) Mac=AEAD
>>> ECDHE-RSA-AES256-SHA384 TLSv1.2
>>> Kx=ECDH     Au=RSA  Enc=AES(256)  Mac=SHA384
>>> ECDHE-RSA-CAMELLIA256-SHA384 TLSv1.2
>>> Kx=ECDH     Au=RSA  Enc=Camellia(256) Mac=SHA384
>>> ECDHE-RSA-AES128-SHA256 TLSv1.2
>>> Kx=ECDH     Au=RSA  Enc=AES(128)  Mac=SHA256
>>> ECDHE-RSA-CAMELLIA128-SHA256 TLSv1.2
>>> Kx=ECDH     Au=RSA  Enc=Camellia(128) Mac=SHA256
>>> -DHE-RSA-AES256-GCM-SHA384 TLSv1.2
>>> Kx=DH       Au=RSA  Enc=AESGCM(256) Mac=AEAD
>>> DHE-RSA-CHACHA20-POLY1305 TLSv1.2
>>> Kx=DH       Au=RSA  Enc=CHACHA20/POLY1305(256) Mac=AEAD
>>> -DHE-RSA-AES256-CCM8     TLSv1.2
>>> Kx=DH       Au=RSA  Enc=AESCCM8(256) Mac=AEAD
>>> -DHE-RSA-AES256-CCM      TLSv1.2
>>> Kx=DH       Au=RSA  Enc=AESCCM(256) Mac=AEAD
>>> +DHE-RSA-AES256-GCM-SHA384 TLSv1.2
>>> Kx=DH       Au=RSA  Enc=AESGCM(256) Mac=AEAD
>>> DHE-RSA-AES128-GCM-SHA256 TLSv1.2
>>> Kx=DH       Au=RSA  Enc=AESGCM(128) Mac=AEAD
>>> -DHE-RSA-AES128-CCM8     TLSv1.2
>>> Kx=DH       Au=RSA  Enc=AESCCM8(128) Mac=AEAD
>>> -DHE-RSA-AES128-CCM      TLSv1.2
>>> Kx=DH       Au=RSA  Enc=AESCCM(128) Mac=AEAD
>>> DHE-RSA-AES256-SHA256   TLSv1.2
>>> Kx=DH       Au=RSA  Enc=AES(256)  Mac=SHA256
>>> DHE-RSA-CAMELLIA256-SHA256 TLSv1.2
>>> Kx=DH       Au=RSA  Enc=Camellia(256) Mac=SHA256
>>> DHE-RSA-AES128-SHA256   TLSv1.2
>>> Kx=DH       Au=RSA  Enc=AES(128)  Mac=SHA256
>>> @@ -37,14 +29,9 @@
>>> DHE-RSA-AES256-SHA      SSLv3
>>> Kx=DH       Au=RSA  Enc=AES(256)  Mac=SHA1
>>> DHE-RSA-CAMELLIA256-SHA SSLv3
>>> Kx=DH       Au=RSA  Enc=Camellia(256) Mac=SHA1
>>> DHE-RSA-AES128-SHA      SSLv3
>>> Kx=DH       Au=RSA  Enc=AES(128)  Mac=SHA1
>>> -DHE-RSA-SEED-SHA        SSLv3 Kx=DH       Au=RSA  Enc=SEED(128)
>>> Mac=SHA1
>>> DHE-RSA-CAMELLIA128-SHA SSLv3
>>> Kx=DH       Au=RSA  Enc=Camellia(128) Mac=SHA1
>>> AES256-GCM-SHA384       TLSv1.2
>>> Kx=RSA      Au=RSA  Enc=AESGCM(256) Mac=AEAD
>>> -AES256-CCM8             TLSv1.2
>>> Kx=RSA      Au=RSA  Enc=AESCCM8(256) Mac=AEAD
>>> -AES256-CCM              TLSv1.2
>>> Kx=RSA      Au=RSA  Enc=AESCCM(256) Mac=AEAD
>>> AES128-GCM-SHA256       TLSv1.2
>>> Kx=RSA      Au=RSA  Enc=AESGCM(128) Mac=AEAD
>>> -AES128-CCM8             TLSv1.2
>>> Kx=RSA      Au=RSA  Enc=AESCCM8(128) Mac=AEAD
>>> -AES128-CCM              TLSv1.2
>>> Kx=RSA      Au=RSA  Enc=AESCCM(128) Mac=AEAD
>>> AES256-SHA256           TLSv1.2
>>> Kx=RSA      Au=RSA  Enc=AES(256)  Mac=SHA256
>>> CAMELLIA256-SHA256      TLSv1.2
>>> Kx=RSA      Au=RSA  Enc=Camellia(256) Mac=SHA256
>>> AES128-SHA256           TLSv1.2
>>> Kx=RSA      Au=RSA  Enc=AES(128)  Mac=SHA256 
>>> 
>>> So mostly changes are causing by the disabled AES-CCM.
>>> 
>>> Best,
>>> 
>>> Erik
>> 
>> 
>

next prev parent reply	other threads:[~2019-01-22 14:19 UTC|newest]

Thread overview: 16+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2019-01-09 14:21 Erik Kapfer
2019-01-09 16:39 ` Michael Tremer
2019-01-09 16:59   ` ummeegge
2019-01-09 17:18     ` Michael Tremer
2019-01-09 18:33       ` ummeegge
2019-01-14 18:03         ` Peter Müller
2019-01-15 14:48           ` ummeegge
2019-01-18 15:09             ` Michael Tremer
2019-01-18 16:45               ` ummeegge
2019-01-18 17:06                 ` Peter Müller
2019-01-18 17:35                   ` ummeegge
2019-01-22 14:19                     ` Michael Tremer [this message]
2019-02-11  8:52                   ` ummeegge
2019-02-13 11:35                     ` Michael Tremer
2019-01-13 17:44 ` [PATCH v2] OpenSSL: " Erik Kapfer
2019-01-15 14:43   ` [PATCH v3] openssl: " Erik Kapfer

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=CD376861-CD2B-48C8-8BBC-353749E85E2D@ipfire.org \
    --to=michael.tremer@ipfire.org \
    --cc=development@lists.ipfire.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox