From: ummeegge
To: development@lists.ipfire.org
Subject: Re: Upgrading to OpenSSL 1.1.0
Date: Fri, 12 Jan 2018 12:02:15 +0100
In-Reply-To: <1515604119.2392.12.camel@ipfire.org>

Hi Michael,

> Erik: I am not sure why those packages won't build for you. I patched a
> number of them in my branch:
>
> https://git.ipfire.org/?p=people/ms/ipfire-2.x.git;a=shortlog;h=refs/heads/openssl-11

I have loaded the current Core 118 and fetched your changes via:

git remote add openssl-11 ssh://ummeegge(a)git.ipfire.org/pub/git/people/ms/ipfire-2.x.git
git fetch openssl-11
git checkout openssl-11

and have built it with the same issues as mentioned before.

> I will rebase this branch now on where next currently is and build it
> again.

Haven't found it, can you point out how to get it?

> I only expect asterisk to crash then which we need to update. It
> seems that Dirk has retired as maintainer for asterisk. I can try
> switching Asterisk to gnutls instead, but generally I would like to
> keep as much as we can on OpenSSL since that is our primary library.

I think an update of Asterisk and its components should also work with the new OpenSSL.
At least in my environment Asterisk has built with OpenSSL-1.1.0g, but one more dependency (jansson) was needed. The changes can be found here --> https://git.ipfire.org/?p=people/ummeegge/ipfire-2.x.git;a=commit;h=2d940ba2187a53cf52d2191a36c3897636b9600c .

> So, again for me: What is the status of OpenVPN 2.4 now? I guess that
> should build with OpenSSL 1.1 out of the box.

OpenVPN-2.4.4 has built with OpenSSL-1.1.0g. I have also included the LZ4 compression lib, but otherwise it builds out of the box. OpenVPN won't start, however, without some changes in ovpnmain.cgi. Here --> https://github.com/ummeegge/OpenVPN_30.08.2017/commit/7460cead169ea919f66ad7068e764fef37bf8f8b#diff-2011d5d928fd214cacb83844729c65cc a little more than needed has been done, but it describes the needed changes very closely. The most important are:

1) The script-security flag 'system' can not be used anymore; the server won't start if this isn't fixed.
2) OpenVPN has added an automatic cipher negotiation with 2.4.x, which should be manageable in my opinion. If someone needs other ciphers than the strongest defaults, e.g. for the usage of a HWRNG, this option should be switchable with an OFF/ON checkbox.
This option is also pushable, so it can be used individually per client: it can be managed via the global section but also over the CCD section for each client.

> Would you be able to submit patches so that it builds already? Any
> changes to the CGI files to add new ciphers can and should be a second
> patch.

I can do this, but it might be great if I can make some tests with the new OpenSSL lib before. Would it be OK for you if I push the first part as in the GitHub example? I have already changed the language file description and left Camellia out of the --ncp-ciphers list (which is equal to the OpenVPN manpage).

> I am not sure if we should expect any problems with changed
> configuration parameter where we need to migrate configuration files.
> We are already using the new parameters where possible. So is there any
> other work left to do?

The main work is described above. OpenVPN-2.4.x checks the version of the clients: if they are <= 2.4, OpenVPN uses the already present --cipher ALG; if the clients are >= 2.4, it will negotiate the best cipher, which is normally AES-256-GCM. This is also a completely new algorithm for OpenVPN (no cipher block chaining).

>> also causing the "Sweet32 Birthday attacks" --> https://sweet32.info/ a lot of ciphers which are used in IPFire's OpenVPN are marked as deprecated and should, in my opinion, be marked in the WUI as such. A potential new digest "BLAKE2b" has also been introduced, which I am not sure if it works properly and, if it works, if it should be integrated into the menu of IPFire's OpenVPN WUI.

> Not sure if we should support something experimental. Might become a
> headache later…

Yes, I think so too. Nevertheless I think we should introduce at least the new Galois/Counter Mode (available with 128, 196 and 256 bit), which is somehow the default of the new OpenVPN, if possible. I would do this with a second patch, where it might also be an idea to list all the deprecated ciphers as such (via optgroup label)?

>> My main problem currently is that I can not test all that, because the installation process interrupts with "Unable to install the language cache". The message comes from here --> https://github.com/ipfire/ipfire-2.x/blob/cf361ef4b55134254150b5070069f9d25b201bd1/src/installer/po/de.po#L272 I think.
>> Some help in there might be great to proceed further with the OpenVPN update.

> Are you still stuck at this?

Yes, as mentioned above I have loaded Core 118 and fetched your branch, but I am stuck with the exact same problems as described here --> https://lists.ipfire.org/pipermail/development/2017-December/003831.html . If I get something wrong here, it might be great if you can point me in the right direction.

By the way, I wish you all a happy new year and all the best for 2018 :-) .

Greetings,

Erik
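To make the two migration points from the mail concrete (the removed 'system' method of --script-security and the move from 64-bit block ciphers to an --ncp-ciphers list), here is an added Python lint over a constructed 2.3-style server config. It is example code for this page, not IPFire's ovpnmain.cgi; the sample config and the finding texts are assumptions.

```python
"""Lint a pre-2.4 OpenVPN server config for the 2.4 migration points:
the removed 'system' method of --script-security, the Sweet32-affected
64-bit block ciphers, and a missing --ncp-ciphers negotiation list.
Added example for this page; not code from IPFire's ovpnmain.cgi."""

# 64-bit block ciphers affected by Sweet32 (https://sweet32.info/).
SWEET32_CIPHERS = {"BF-CBC", "DES-CBC", "DES-EDE-CBC", "DES-EDE3-CBC",
                   "CAST5-CBC", "RC2-CBC", "IDEA-CBC"}
# AEAD list that 2.4 clients negotiate; older clients keep using --cipher.
NCP_DEFAULT = "AES-256-GCM:AES-128-GCM"

def lint_openvpn_conf(text):
    """Return (findings, migrated_lines) for a 2.3-style server.conf."""
    findings, out, has_ncp = [], [], False
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            out.append(raw)
            continue
        opt, *args = line.split()
        if opt == "script-security" and "system" in args:
            # 2.4 dropped the method argument; with 'system' the daemon refuses to start.
            findings.append("script-security: 'system' method removed in 2.4")
            out.append("script-security " + args[0])
            continue
        if opt == "cipher" and args and args[0].upper() in SWEET32_CIPHERS:
            findings.append("cipher %s: 64-bit block cipher (Sweet32)" % args[0])
        if opt == "ncp-ciphers" and args:
            has_ncp = True
            weak = [c for c in args[0].split(":") if c.upper() in SWEET32_CIPHERS]
            if weak:
                findings.append("ncp-ciphers: 64-bit block cipher(s) " + ",".join(weak))
        out.append(raw)
    if not has_ncp:
        findings.append("no ncp-ciphers line: adding " + NCP_DEFAULT)
        out.append("ncp-ciphers " + NCP_DEFAULT)
    return findings, out

# Constructed sample of a pre-2.4 server config (not a real IPFire file).
SAMPLE_CONF = """port 1194
proto udp
script-security 3 system
cipher BF-CBC
auth SHA1
"""

if __name__ == "__main__":
    found, migrated = lint_openvpn_conf(SAMPLE_CONF)
    print("\n".join(found))
    print("--- migrated ---")
    print("\n".join(migrated))
```

The original `cipher` line is kept in the migrated output because clients older than 2.4 still use it, as the mail describes; the finding only flags it.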