From: ummeegge <ummeegge@ipfire.org>
To: development@lists.ipfire.org
Subject: Re: [PATCH] OpenSSL_update: Update to version 1.1.1a
Date: Fri, 18 Jan 2019 18:35:33 +0100 [thread overview]
Message-ID: <cb66f01dba3a345b0f4e14621e9a793b8bc51447.camel@ipfire.org> (raw)
In-Reply-To: <a3044a33-1dff-be6a-621d-ebdbe4527900@link38.eu>
[-- Attachment #1: Type: text/plain, Size: 6660 bytes --]
Hi all,
Am Freitag, den 18.01.2019, 18:06 +0100 schrieb Peter Müller:
> Hello,
>
> just for the records some explanations on this patch:
> (a) Chacha/Poly is faster on devices without built-in AES
> acceleration.
> Since it provides the same strength as AES, I usually prefer it
> except
> for _very_ high bandwidth requirements.
> (b) At the moment, there seems to be little support of AESCCM, so I
> disabled it for now in order to keep our ciphersuite zoo smaller. :-)
> If there is any need to enable it, I will update the patch
> accordingly.
the new OpenSSL has implemented support for five new TLSv1.3
ciphersuites. We have already three activated (which is the default)
and the other two are CCM mode ciphers -->
https://wiki.openssl.org/index.php/TLS1.3#Ciphersuites
. Am currently not sure about a concrete use case for this but it
appears that e.g. 'TLS_AES_128_CCM_8_SHA256' have a shorter
authentication tag and in combination with a short plaintext the
ciphertext are less than 16 bytes.
--> https://datatracker.ietf.org/meeting/102/agenda/tls-drafts.pdf
which can be in rare use cases (?) nice.
>
> I am happy this made its way into IPFire. :-)
Me too :-) .
>
> Updated add-on versions for Postfix and Tor will come soon, at the
> moment, I am somewhat busy with libloc, Suricata and the ORANGE
> default
> firewall behaviour.
There are some more OpenSSL patches for
elinks-0.12pre6-openssl11.patch
net-snmp-5.7.3-openssl.patch
openssh-7.8p1-openssl-1.1.0-1.patch
openssl-1.0.0-beta5-enginesdir.patch
openssl-1.0.2a-rpmbuild.patch
openssl-1.0.2a_disable_ssse3_for_amd.patch
openssl-1.0.2g-disable-sslv2v3.patch
ppp-2.4.7-openssl.patch
as far as i can see openssl-compat has been dropped ?
Best,
Erik
>
> Thanks, and best regards,
> Peter Müller
>
> >
> > Even i use the old patch i am a happy tester with 64 bit since one
> > month + :-).
> >
> > The difference between old and new patch (from Peter) are not that
> > vast
> > and they looks like this:
> >
> > --- OpenSSL-1.1.1a_old_patch 2019-01-13 18:15:33.316651666
> > +0100
> > +++ OpenSSL-1.1.1a-new_patch 2019-01-13 18:16:22.008650232
> > +0100
> > @@ -1,31 +1,23 @@
> > -TLS_AES_256_GCM_SHA384 TLSv1.3
> > Kx=any Au=any Enc=AESGCM(256) Mac=AEAD
> > TLS_CHACHA20_POLY1305_SHA256 TLSv1.3
> > Kx=any Au=any Enc=CHACHA20/POLY1305(256) Mac=AEAD
> > +TLS_AES_256_GCM_SHA384 TLSv1.3
> > Kx=any Au=any Enc=AESGCM(256) Mac=AEAD
> > TLS_AES_128_GCM_SHA256 TLSv1.3
> > Kx=any Au=any Enc=AESGCM(128) Mac=AEAD
> > -ECDHE-ECDSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH Au=ECDSA
> > Enc=AESGCM(256) Mac=AEAD
> > ECDHE-ECDSA-CHACHA20-POLY1305 TLSv1.2 Kx=ECDH Au=ECDSA
> > Enc=CHACHA20/POLY1305(256) Mac=AEAD
> > -ECDHE-ECDSA-AES256-CCM8 TLSv1.2 Kx=ECDH Au=ECDSA
> > Enc=AESCCM8(256) Mac=AEAD
> > -ECDHE-ECDSA-AES256-CCM TLSv1.2 Kx=ECDH Au=ECDSA
> > Enc=AESCCM(256) Mac=AEAD
> > +ECDHE-ECDSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH Au=ECDSA
> > Enc=AESGCM(256) Mac=AEAD
> > ECDHE-ECDSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH Au=ECDSA
> > Enc=AESGCM(128) Mac=AEAD
> > -ECDHE-ECDSA-AES128-CCM8 TLSv1.2 Kx=ECDH Au=ECDSA
> > Enc=AESCCM8(128) Mac=AEAD
> > -ECDHE-ECDSA-AES128-CCM TLSv1.2 Kx=ECDH Au=ECDSA
> > Enc=AESCCM(128) Mac=AEAD
> > ECDHE-ECDSA-AES256-SHA384 TLSv1.2 Kx=ECDH Au=ECDSA
> > Enc=AES(256) Mac=SHA384
> > ECDHE-ECDSA-CAMELLIA256-SHA384 TLSv1.2 Kx=ECDH Au=ECDSA
> > Enc=Camellia(256) Mac=SHA384
> > ECDHE-ECDSA-AES128-SHA256 TLSv1.2 Kx=ECDH Au=ECDSA
> > Enc=AES(128) Mac=SHA256
> > ECDHE-ECDSA-CAMELLIA128-SHA256 TLSv1.2 Kx=ECDH Au=ECDSA
> > Enc=Camellia(128) Mac=SHA256
> > -ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2
> > Kx=ECDH Au=RSA Enc=AESGCM(256) Mac=AEAD
> > ECDHE-RSA-CHACHA20-POLY1305 TLSv1.2
> > Kx=ECDH Au=RSA Enc=CHACHA20/POLY1305(256) Mac=AEAD
> > +ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2
> > Kx=ECDH Au=RSA Enc=AESGCM(256) Mac=AEAD
> > ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2
> > Kx=ECDH Au=RSA Enc=AESGCM(128) Mac=AEAD
> > ECDHE-RSA-AES256-SHA384 TLSv1.2
> > Kx=ECDH Au=RSA Enc=AES(256) Mac=SHA384
> > ECDHE-RSA-CAMELLIA256-SHA384 TLSv1.2
> > Kx=ECDH Au=RSA Enc=Camellia(256) Mac=SHA384
> > ECDHE-RSA-AES128-SHA256 TLSv1.2
> > Kx=ECDH Au=RSA Enc=AES(128) Mac=SHA256
> > ECDHE-RSA-CAMELLIA128-SHA256 TLSv1.2
> > Kx=ECDH Au=RSA Enc=Camellia(128) Mac=SHA256
> > -DHE-RSA-AES256-GCM-SHA384 TLSv1.2
> > Kx=DH Au=RSA Enc=AESGCM(256) Mac=AEAD
> > DHE-RSA-CHACHA20-POLY1305 TLSv1.2
> > Kx=DH Au=RSA Enc=CHACHA20/POLY1305(256) Mac=AEAD
> > -DHE-RSA-AES256-CCM8 TLSv1.2
> > Kx=DH Au=RSA Enc=AESCCM8(256) Mac=AEAD
> > -DHE-RSA-AES256-CCM TLSv1.2
> > Kx=DH Au=RSA Enc=AESCCM(256) Mac=AEAD
> > +DHE-RSA-AES256-GCM-SHA384 TLSv1.2
> > Kx=DH Au=RSA Enc=AESGCM(256) Mac=AEAD
> > DHE-RSA-AES128-GCM-SHA256 TLSv1.2
> > Kx=DH Au=RSA Enc=AESGCM(128) Mac=AEAD
> > -DHE-RSA-AES128-CCM8 TLSv1.2
> > Kx=DH Au=RSA Enc=AESCCM8(128) Mac=AEAD
> > -DHE-RSA-AES128-CCM TLSv1.2
> > Kx=DH Au=RSA Enc=AESCCM(128) Mac=AEAD
> > DHE-RSA-AES256-SHA256 TLSv1.2
> > Kx=DH Au=RSA Enc=AES(256) Mac=SHA256
> > DHE-RSA-CAMELLIA256-SHA256 TLSv1.2
> > Kx=DH Au=RSA Enc=Camellia(256) Mac=SHA256
> > DHE-RSA-AES128-SHA256 TLSv1.2
> > Kx=DH Au=RSA Enc=AES(128) Mac=SHA256
> > @@ -37,14 +29,9 @@
> > DHE-RSA-AES256-SHA SSLv3
> > Kx=DH Au=RSA Enc=AES(256) Mac=SHA1
> > DHE-RSA-CAMELLIA256-SHA SSLv3
> > Kx=DH Au=RSA Enc=Camellia(256) Mac=SHA1
> > DHE-RSA-AES128-SHA SSLv3
> > Kx=DH Au=RSA Enc=AES(128) Mac=SHA1
> > -DHE-RSA-SEED-SHA SSLv3 Kx=DH Au=RSA Enc=SEED(128)
> > Mac=SHA1
> > DHE-RSA-CAMELLIA128-SHA SSLv3
> > Kx=DH Au=RSA Enc=Camellia(128) Mac=SHA1
> > AES256-GCM-SHA384 TLSv1.2
> > Kx=RSA Au=RSA Enc=AESGCM(256) Mac=AEAD
> > -AES256-CCM8 TLSv1.2
> > Kx=RSA Au=RSA Enc=AESCCM8(256) Mac=AEAD
> > -AES256-CCM TLSv1.2
> > Kx=RSA Au=RSA Enc=AESCCM(256) Mac=AEAD
> > AES128-GCM-SHA256 TLSv1.2
> > Kx=RSA Au=RSA Enc=AESGCM(128) Mac=AEAD
> > -AES128-CCM8 TLSv1.2
> > Kx=RSA Au=RSA Enc=AESCCM8(128) Mac=AEAD
> > -AES128-CCM TLSv1.2
> > Kx=RSA Au=RSA Enc=AESCCM(128) Mac=AEAD
> > AES256-SHA256 TLSv1.2
> > Kx=RSA Au=RSA Enc=AES(256) Mac=SHA256
> > CAMELLIA256-SHA256 TLSv1.2
> > Kx=RSA Au=RSA Enc=Camellia(256) Mac=SHA256
> > AES128-SHA256 TLSv1.2
> > Kx=RSA Au=RSA Enc=AES(128) Mac=SHA256
> >
> > So mostly changes are causing by the disabled AES-CCM.
> >
> > Best,
> >
> > Erik
>
>
next prev parent reply other threads:[~2019-01-18 17:35 UTC|newest]
Thread overview: 16+ messages / expand[flat|nested] mbox.gz Atom feed top
2019-01-09 14:21 Erik Kapfer
2019-01-09 16:39 ` Michael Tremer
2019-01-09 16:59 ` ummeegge
2019-01-09 17:18 ` Michael Tremer
2019-01-09 18:33 ` ummeegge
2019-01-14 18:03 ` Peter Müller
2019-01-15 14:48 ` ummeegge
2019-01-18 15:09 ` Michael Tremer
2019-01-18 16:45 ` ummeegge
2019-01-18 17:06 ` Peter Müller
2019-01-18 17:35 ` ummeegge [this message]
2019-01-22 14:19 ` Michael Tremer
2019-02-11 8:52 ` ummeegge
2019-02-13 11:35 ` Michael Tremer
2019-01-13 17:44 ` [PATCH v2] OpenSSL: " Erik Kapfer
2019-01-15 14:43 ` [PATCH v3] openssl: " Erik Kapfer
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=cb66f01dba3a345b0f4e14621e9a793b8bc51447.camel@ipfire.org \
--to=ummeegge@ipfire.org \
--cc=development@lists.ipfire.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox