Good morning,
On Fri, 2018-01-12 at 12:02 +0100, ummeegge wrote:
Hi Michael,
Erik: I am not sure why those packages won't build for you. I patched a number of them in my branch:
https://git.ipfire.org/?p=people/ms/ipfire-2.x.git;a=shortlog;h=refs/heads/openssl-11
I have loaded the current Core 118.
I fetched your changes via:
git remote add openssl-11 ssh://ummeegge@git.ipfire.org/pub/git/people/ms/ipfire-2.x.git
git fetch openssl-11
git checkout openssl-11
and have built it, with the same issues as mentioned before.
Hmm, okay. I have no idea how I forgot about all these things.
Please pull the branch again and everything except openvpn will build now.
I will rebase this branch now on where next currently is and build it again.
Haven't found it, can you point out how to get it?
Same branch...
I only expect asterisk to crash then which we need to update. It seems that Dirk has retired as maintainer for asterisk. I can try switching Asterisk to gnutls instead, but generally I would like to keep as much as we can on OpenSSL since that is our primary library.
I think an update of Asterisk and its components should also work with the new OpenSSL. At least in my environment Asterisk has built with OpenSSL-1.1.0g, but one more dependency (jansson) was needed. The changes can be found here --> https://git.ipfire.org/?p=people/ummeegge/ipfire-2.x.git;a=commit;h=2d940ba2187a53cf52d2191a36c3897636b9600c .
I actually updated that myself before you sent your email, but please review my changes.
So, again for me: What is the status of OpenVPN 2.4 now? I guess that should build with OpenSSL 1.1 out of the box.
OpenVPN-2.4.4 has built with OpenSSL-1.1.0g. I have also included the LZ4 compression lib, but otherwise it builds out of the box; OpenVPN won't start, though, without some changes in ovpnmain.cgi. In here --> https://github.com/ummeegge/OpenVPN_30.08.2017/commit/7460cead169ea919f66ad7... 8e764fef37bf8f8b#diff-2011d5d928fd214cacb83844729c65cc a little more than needed has been done, but it describes the needed changes very closely.
Hmm, I am not sure if we will have a lot of client support. But it should be a small library so that it wouldn't hurt too much to include it as well.
The most important are:
- The script-security flag 'system' cannot be used anymore; the server won't start if this isn't fixed.
Where do we use that?
- OpenVPN has added automatic cipher negotiation with 2.4.x, which should be manageable in my opinion. If someone needs to have other ciphers than the strongest defaults, e.g. for the usage of a HWRNG, this option should be switchable with an OFF/ON checkbox.
Who would want to switch off a HWRNG? OpenVPN should only use entropy from the kernel and nothing else. Never directly read from any HWRNGs.
And about the negotiation, that would be nice, but does that work with older clients?
This option is also pushable, so it can be used individually per client: it can be managed via the global section but also via the CCD section for each client.
Would you be able to submit patches so that it builds already? Any changes to the CGI files to add new ciphers can and should be a second patch.
I can do this, but it might be great if I can make some tests with the new OpenSSL lib first. Would it be OK for you if I push the first part as in the GitHub example? I have already changed the language file description and left Camellia out of the --ncp-ciphers list (which is equal to the OpenVPN manpage).
Please send any proposed changes as patches to the list.
I am not sure if we should expect any problems with changed configuration parameter where we need to migrate configuration files. We are already using the new parameters where possible. So is there any other work left to do?
The main work is described above. OpenVPN-2.4.x checks the version of the clients: if they are <= 2.4, OpenVPN uses the already present --cipher ALG; if the clients are >= 2.4, it will negotiate the best cipher, which is normally AES-256-GCM, which is also a completely new algorithm for OpenVPN (no cipher block chaining).
Cool.
Also, owing to the "Sweet32 birthday attacks" --> https://sweet32.info/ a lot of ciphers which are used in IPFire's OpenVPN are marked as deprecated and should, in my opinion, be marked in the WUI as such. A potential new digest "BLAKE2b" has also been introduced, which I'm not sure works properly and, if it works, whether it should be integrated into the menu of IPFire's OpenVPN WUI.
Not sure if we should support something experimental. Might become a headache later…
Yes, I think so too. Nevertheless I think we should introduce at least the new Galois/Counter Mode (available with 128, 196 and 256 bit), which is somehow the default of the new OpenVPN, if possible. I would do this with a second patch, where it might also be an idea to list all the deprecated ciphers as such (via optgroup label)?
Certainly GCM and all the other ones that include MAC.
Peter has proposed a patch recently with improved crypto, please work together with him.
My main problem currently is that I cannot test all that because the installation process interrupts with "Unable to install the language cache"; the message comes from here --> https://github.com/ipfire/ipfire-2.x/blob/cf361ef4b55134254150b5070069f9d25b201bd1/src/installer/po/de.po#L272 I think. Some help in there might be great to proceed further with the OpenVPN update.
Are you still stuck at this?
Yes, as mentioned above, I have loaded Core 118 and fetched your branch but am stuck with the exact same problems as described in here --> https://lists.ipfire.org/pipermail/development/2017-December/003831.html . If I get something wrong here it might be great if you can point me in the right direction.
By the way, I wish you all a happy new year and all the best for 2018 :-).
Happy new year to you, too!
-Michael
Greetings,
Erik
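As an added example, not code from this thread, from IPFire, or from the ovpnmain.cgi change Erik links above: a small POSIX shell audit of an OpenVPN server config for the three 2.4 migration points discussed in the thread (the removed 'script-security ... system' flag, 64-bit block ciphers affected by Sweet32, and a missing ncp-ciphers line). The function name, the two sample configs and the wording of the findings are constructed for illustration; the cipher name list only covers the 64-bit block ciphers OpenSSL exposes under those names.

```shell
#!/bin/sh
# Added example (not IPFire code): audit an OpenVPN server config for the
# OpenVPN 2.4 migration points raised in the thread.
#   1. 'script-security N system' was removed in 2.4: the server refuses to start.
#   2. 64-bit block ciphers (Sweet32, https://sweet32.info/) in 'cipher' or 'ncp-ciphers'.
#   3. No 'ncp-ciphers' line: >= 2.4 clients negotiate the built-in default,
#      older clients keep using the 'cipher' line.
# The two config files below are constructed samples.

# Prints one finding per line; prints nothing for a clean config.
audit_ovpn_conf() {
    conf="$1"

    if grep -Eiq '^[[:space:]]*script-security[[:space:]]+[0-9][[:space:]]+system' "$conf"; then
        echo "ERROR: 'script-security ... system' is rejected by OpenVPN 2.4; drop the 'system' argument (e.g. 'script-security 2')"
    fi

    # Every cipher name from 'cipher' and 'ncp-ciphers' lines (the latter is colon-separated).
    for c in $(grep -Ei '^[[:space:]]*(cipher|ncp-ciphers)[[:space:]]' "$conf" | awk '{print $2}' | tr ':' '\n'); do
        # Strip the mode suffix so BF-CBC, DES-EDE3-CBC etc. reduce to the block cipher name.
        base=$(printf '%s' "$c" | tr 'a-z' 'A-Z' | sed -E 's/-(CBC|CFB|CFB1|CFB8|OFB|GCM|ECB)$//')
        case "$base" in
            DES|DES-EDE|DES-EDE3|DESX|BF|CAST5|IDEA|RC2)
                echo "WARN: $c has a 64-bit block size (Sweet32); prefer AES-256-GCM"
                ;;
        esac
    done

    if ! grep -Eiq '^[[:space:]]*ncp-ciphers[[:space:]]' "$conf"; then
        echo "INFO: no 'ncp-ciphers' line; consider 'ncp-ciphers AES-256-GCM:AES-128-GCM' next to the legacy 'cipher' line"
    fi
}

# Constructed sample: a pre-2.4 style server config.
SAMPLE_OLD=$(mktemp)
cat > "$SAMPLE_OLD" <<'EOF'
script-security 3 system
cipher BF-CBC
auth SHA1
comp-lzo
EOF

# Constructed sample: the same server after the migration.
SAMPLE_NEW=$(mktemp)
cat > "$SAMPLE_NEW" <<'EOF'
script-security 2
cipher AES-256-CBC
ncp-ciphers AES-256-GCM:AES-128-GCM
auth SHA256
EOF

echo "== old config =="; audit_ovpn_conf "$SAMPLE_OLD"
echo "== new config =="; audit_ovpn_conf "$SAMPLE_NEW"
```

The old sample produces three findings (the script-security error, the BF-CBC Sweet32 warning, and the missing ncp-ciphers note); the migrated sample produces none. The 'cipher AES-256-CBC' line is kept in the new config on purpose, since it is what clients older than 2.4 still use.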