From mboxrd@z Thu Jan 1 00:00:00 1970 From: Peter =?utf-8?q?M=C3=BCller?= To: development@lists.ipfire.org Subject: Re: [PATCH] OpenSSL_update: Update to version 1.1.1a Date: Fri, 18 Jan 2019 18:06:07 +0100 Message-ID: In-Reply-To: <8e6eaf262ee614eef511525dc6b6f5c8b9f05474.camel@ipfire.org> MIME-Version: 1.0 Content-Type: multipart/mixed; boundary="===============8982116962207598672==" List-Id: --===============8982116962207598672== Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: quoted-printable Hello, just for the records some explanations on this patch: (a) Chacha/Poly is faster on devices without built-in AES acceleration. Since it provides the same strength as AES, I usually prefer it except for _very_ high bandwidth requirements. (b) At the moment, there seems to be little support of AESCCM, so I disabled it for now in order to keep our ciphersuite zoo smaller. :-) If there is any need to enable it, I will update the patch accordingly. I am happy this made its way into IPFire. :-) Updated add-on versions for Postfix and Tor will come soon, at the moment, I am somewhat busy with libloc, Suricata and the ORANGE default firewall behaviour. Thanks, and best regards, Peter M=C3=BCller=20 >=20 > Even i use the old patch i am a happy tester with 64 bit since one > month + :-). >=20 > The difference between old and new patch (from Peter) are not that vast > and they looks like this: >=20 > --- OpenSSL-1.1.1a_old_patch 2019-01-13 18:15:33.316651666 +0100 > +++ OpenSSL-1.1.1a-new_patch 2019-01-13 18:16:22.008650232 +0100 > @@ -1,31 +1,23 @@ > -TLS_AES_256_GCM_SHA384 TLSv1.3 Kx=3Dany Au=3Dany Enc=3DAESGCM(256) = Mac=3DAEAD > TLS_CHACHA20_POLY1305_SHA256 TLSv1.3 Kx=3Dany Au=3Dany Enc=3DCHACHA2= 0/POLY1305(256) Mac=3DAEAD > +TLS_AES_256_GCM_SHA384 TLSv1.3 Kx=3Dany Au=3Dany Enc=3DAESGCM(256) = Mac=3DAEAD > TLS_AES_128_GCM_SHA256 TLSv1.3 Kx=3Dany Au=3Dany Enc=3DAESGCM(128) = Mac=3DAEAD > -ECDHE-ECDSA-AES256-GCM-SHA384 TLSv1.2 Kx=3DECDH Au=3DECDSA Enc=3DAESGC= M(256) Mac=3DAEAD > ECDHE-ECDSA-CHACHA20-POLY1305 TLSv1.2 Kx=3DECDH Au=3DECDSA Enc=3DCHACH= A20/POLY1305(256) Mac=3DAEAD > -ECDHE-ECDSA-AES256-CCM8 TLSv1.2 Kx=3DECDH Au=3DECDSA Enc=3DAESCCM8(256= ) Mac=3DAEAD > -ECDHE-ECDSA-AES256-CCM TLSv1.2 Kx=3DECDH Au=3DECDSA Enc=3DAESCCM(256)= Mac=3DAEAD > +ECDHE-ECDSA-AES256-GCM-SHA384 TLSv1.2 Kx=3DECDH Au=3DECDSA Enc=3DAESGC= M(256) Mac=3DAEAD > ECDHE-ECDSA-AES128-GCM-SHA256 TLSv1.2 Kx=3DECDH Au=3DECDSA Enc=3DAESGC= M(128) Mac=3DAEAD > -ECDHE-ECDSA-AES128-CCM8 TLSv1.2 Kx=3DECDH Au=3DECDSA Enc=3DAESCCM8(128= ) Mac=3DAEAD > -ECDHE-ECDSA-AES128-CCM TLSv1.2 Kx=3DECDH Au=3DECDSA Enc=3DAESCCM(128)= Mac=3DAEAD > ECDHE-ECDSA-AES256-SHA384 TLSv1.2 Kx=3DECDH Au=3DECDSA Enc=3DAES(256) = Mac=3DSHA384 > ECDHE-ECDSA-CAMELLIA256-SHA384 TLSv1.2 Kx=3DECDH Au=3DECDSA Enc=3DCame= llia(256) Mac=3DSHA384 > ECDHE-ECDSA-AES128-SHA256 TLSv1.2 Kx=3DECDH Au=3DECDSA Enc=3DAES(128) = Mac=3DSHA256 > ECDHE-ECDSA-CAMELLIA128-SHA256 TLSv1.2 Kx=3DECDH Au=3DECDSA Enc=3DCame= llia(128) Mac=3DSHA256 > -ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=3DECDH Au=3DRSA Enc=3DAESGCM(2= 56) Mac=3DAEAD > ECDHE-RSA-CHACHA20-POLY1305 TLSv1.2 Kx=3DECDH Au=3DRSA Enc=3DCHACHA20= /POLY1305(256) Mac=3DAEAD > +ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=3DECDH Au=3DRSA Enc=3DAESGCM(2= 56) Mac=3DAEAD > ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=3DECDH Au=3DRSA Enc=3DAESGCM(1= 28) Mac=3DAEAD > ECDHE-RSA-AES256-SHA384 TLSv1.2 Kx=3DECDH Au=3DRSA Enc=3DAES(256) Ma= c=3DSHA384 > ECDHE-RSA-CAMELLIA256-SHA384 TLSv1.2 Kx=3DECDH Au=3DRSA Enc=3DCamelli= a(256) Mac=3DSHA384 > ECDHE-RSA-AES128-SHA256 TLSv1.2 Kx=3DECDH Au=3DRSA Enc=3DAES(128) Ma= c=3DSHA256 > ECDHE-RSA-CAMELLIA128-SHA256 TLSv1.2 Kx=3DECDH Au=3DRSA Enc=3DCamelli= a(128) Mac=3DSHA256 > -DHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=3DDH Au=3DRSA Enc=3DAESGCM(256= ) Mac=3DAEAD > DHE-RSA-CHACHA20-POLY1305 TLSv1.2 Kx=3DDH Au=3DRSA Enc=3DCHACHA20/P= OLY1305(256) Mac=3DAEAD > -DHE-RSA-AES256-CCM8 TLSv1.2 Kx=3DDH Au=3DRSA Enc=3DAESCCM8(256)= Mac=3DAEAD > -DHE-RSA-AES256-CCM TLSv1.2 Kx=3DDH Au=3DRSA Enc=3DAESCCM(256) = Mac=3DAEAD > +DHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=3DDH Au=3DRSA Enc=3DAESGCM(256= ) Mac=3DAEAD > DHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=3DDH Au=3DRSA Enc=3DAESGCM(128= ) Mac=3DAEAD > -DHE-RSA-AES128-CCM8 TLSv1.2 Kx=3DDH Au=3DRSA Enc=3DAESCCM8(128)= Mac=3DAEAD > -DHE-RSA-AES128-CCM TLSv1.2 Kx=3DDH Au=3DRSA Enc=3DAESCCM(128) = Mac=3DAEAD > DHE-RSA-AES256-SHA256 TLSv1.2 Kx=3DDH Au=3DRSA Enc=3DAES(256) Ma= c=3DSHA256 > DHE-RSA-CAMELLIA256-SHA256 TLSv1.2 Kx=3DDH Au=3DRSA Enc=3DCamellia(= 256) Mac=3DSHA256 > DHE-RSA-AES128-SHA256 TLSv1.2 Kx=3DDH Au=3DRSA Enc=3DAES(128) Ma= c=3DSHA256 > @@ -37,14 +29,9 @@ > DHE-RSA-AES256-SHA SSLv3 Kx=3DDH Au=3DRSA Enc=3DAES(256) Mac= =3DSHA1 > DHE-RSA-CAMELLIA256-SHA SSLv3 Kx=3DDH Au=3DRSA Enc=3DCamellia(256) = Mac=3DSHA1 > DHE-RSA-AES128-SHA SSLv3 Kx=3DDH Au=3DRSA Enc=3DAES(128) Mac= =3DSHA1 > -DHE-RSA-SEED-SHA SSLv3 Kx=3DDH Au=3DRSA Enc=3DSEED(128) Mac= =3DSHA1 > DHE-RSA-CAMELLIA128-SHA SSLv3 Kx=3DDH Au=3DRSA Enc=3DCamellia(128) = Mac=3DSHA1 > AES256-GCM-SHA384 TLSv1.2 Kx=3DRSA Au=3DRSA Enc=3DAESGCM(256) = Mac=3DAEAD > -AES256-CCM8 TLSv1.2 Kx=3DRSA Au=3DRSA Enc=3DAESCCM8(256)= Mac=3DAEAD > -AES256-CCM TLSv1.2 Kx=3DRSA Au=3DRSA Enc=3DAESCCM(256) = Mac=3DAEAD > AES128-GCM-SHA256 TLSv1.2 Kx=3DRSA Au=3DRSA Enc=3DAESGCM(128) = Mac=3DAEAD > -AES128-CCM8 TLSv1.2 Kx=3DRSA Au=3DRSA Enc=3DAESCCM8(128)= Mac=3DAEAD > -AES128-CCM TLSv1.2 Kx=3DRSA Au=3DRSA Enc=3DAESCCM(128) = Mac=3DAEAD > AES256-SHA256 TLSv1.2 Kx=3DRSA Au=3DRSA Enc=3DAES(256) Ma= c=3DSHA256 > CAMELLIA256-SHA256 TLSv1.2 Kx=3DRSA Au=3DRSA Enc=3DCamellia(256= ) Mac=3DSHA256 > AES128-SHA256 TLSv1.2 Kx=3DRSA Au=3DRSA Enc=3DAES(128) Ma= c=3DSHA256=20 >=20 > So mostly changes are causing by the disabled AES-CCM. >=20 > Best, >=20 > Erik --=20 Microsoft DNS service terminates abnormally when it recieves a response to a DNS query that was never made. Fix Information: Run your DNS service on a different platform. -- bugtraq --===============8982116962207598672==--