OpenSSL 1.1.0

OpenSSL 1.1.0

Pierre Schmitz
Hi,

I'd like to propose a migration to OpenSSL 1.1. The update comes with
ABI and API changes. Every linked package needs to be rebuilt. There
will likely be broken packages. Once the protobuf* rebuild has left the
[staging] repo I would like to upload a first set of OpenSSL 1.1
packages.

I have created a todo list of packages that either have a direct
dependency on openssl or link to libssl.so.1.0.0 or libcrypto.so.1.0.0:
   https://www.archlinux.org/todo/openssl-110-rebuild/

Further reading:
* https://wiki.openssl.org/index.php/1.1_API_Changes
* https://wiki.debian.org/OpenSSL-1.1
* https://lists.debian.org/debian-devel-announce/2016/11/msg00001.html
* http://pkgs.fedoraproject.org/cgit/rpms/

*) https://www.archlinux.org/todo/protobuf-320/

Greetings,

Pierre

--
Pierre Schmitz, https://pierre-schmitz.com

Re: OpenSSL 1.1.0

Giancarlo Razzolini
On January 29, 2017 18:49 Pierre Schmitz wrote:
> Hi,
>
> I'd like to propose a migration to OpenSSL 1.1. The update comes with
> ABI and API changes.

I don't know if it ever was discussed, but did we ever consider LibreSSL
instead? There are some distros out there already using it; I think
the most recent convert was Alpine.

I know it would be a bigger step than simply adopting OpenSSL 1.1, but I
also think it would be a better move, since we need to rebuild everything
anyway. There will be breakage in both cases, but I think there is more to
gain by switching to LibreSSL.

Cheers,
Giancarlo Razzolini

Re: OpenSSL 1.1.0

Doug Newgard
On Sun, 29 Jan 2017 21:43:18 +0000
Giancarlo Razzolini <[hidden email]> wrote:

> On January 29, 2017 18:49 Pierre Schmitz wrote:
> > Hi,
> >
> > I'd like to propose a migration to OpenSSL 1.1. The update comes with
> > ABI and API changes.  
>
> I don't know if it ever was discussed, but did we ever consider LibreSSL
> instead? There are some distros out there already using it; I think
> the most recent convert was Alpine.
>
> I know it would be a bigger step than simply adopting OpenSSL 1.1, but I
> also think it would be a better move, since we need to rebuild everything
> anyway. There will be breakage in both cases, but I think there is more to
> gain by switching to LibreSSL.
>
> Cheers,
> Giancarlo Razzolini
I haven't heard all that much from/about LibreSSL since shortly after the fork.
Care to share what advantages it would bring, and at what cost?

Re: OpenSSL 1.1.0

Giancarlo Razzolini
On January 29, 2017 20:04 Doug Newgard wrote:
>
> I haven't heard all that much from/about LibreSSL since shortly after the fork.
> Care to share what advantages it would bring, and at what cost?
>

The cost for rebuilding everything against OpenSSL 1.1 will probably be a big one.
For LibreSSL, it would be even bigger. I think the main advantage, right away, is
that LibreSSL has a considerably better security track record, especially after their
huge flensing.

I can only dream about the bugs that might lurk in both OpenSSL 1.1 and LibreSSL.
But the defensive approach OpenBSD takes on LibreSSL has already paid off in terms
of CVEs that didn't affect it, but were high/critical issues on OpenSSL.

It would be a considerable effort, but since there will be some for 1.1, I thought
this to be the perfect opportunity for pushing an effort for LibreSSL instead.

I'm as of now searching the Void and Alpine bug trackers to learn about the issues they
faced (we should/could learn from theirs). We would probably need to bootstrap the
core tools like makepkg, pacman, curl, etc. with static OpenSSL support for a while,
to make sure users can smoothly upgrade. Otherwise, I expect LibreSSL to be as
compatible with the userland software as OpenSSL is.

Cheers,
Giancarlo Razzolini

Re: OpenSSL 1.1.0

Allan McRae
On 30/01/17 08:30, Giancarlo Razzolini wrote:

> On January 29, 2017 20:04 Doug Newgard wrote:
>>
>> I haven't heard all that much from/about LibreSSL since shortly after
>> the fork.
>> Care to share what advantages it would bring, and at what cost?
>>
>
> The cost for rebuilding everything against OpenSSL 1.1 will probably be
> a big one. For LibreSSL, it would be even bigger. I think the main
> advantage, right away, is that LibreSSL has a considerably better
> security track record, especially after their huge flensing.
>
> I can only dream about the bugs that might lurk in both OpenSSL 1.1 and
> LibreSSL. But the defensive approach OpenBSD takes on LibreSSL has
> already paid off in terms of CVEs that didn't affect it, but were
> high/critical issues on OpenSSL.
>

Please cite one example.   Every CVE I have seen that is of at least
high severity has affected both.  There have been some low severity ones
only affecting openssl.

Even worse, the fix time for libressl in the couple of issues I
monitored was worse than openssl.

A

Re: OpenSSL 1.1.0

Giancarlo Razzolini
On January 30, 2017 1:05 Allan McRae wrote:
>
> Please cite one example.   Every CVE I have seen that is of at least
> high severity has affected both.  There have been some low severity ones
> only affecting openssl.
>
> Even worse, the fix time for libressl in the couple of issues I
> monitored was worse than openssl.
>

I don't have a ready list, but I can make one, sure. One thing I can say
is that it wasn't *every*[0] high/critical CVE that affected both libraries.

And yes, I presume fix time will be somewhat worse than OpenSSL's, because
it is a portable version of a library mainly focused on OpenBSD.

As I said, it is a suggestion for us to consider instead of going the OpenSSL 1.1
way. Both will be hard, but I think in the end we would be better off using
LibreSSL.

Cheers,
Giancarlo Razzolini

[0] https://en.wikipedia.org/wiki/LibreSSL

Re: OpenSSL 1.1.0

Pierre Schmitz
On 29.01.2017 21:49, Pierre Schmitz wrote:

> Hi,
>
> I'd like to propose a migration to OpenSSL 1.1. The update comes with
> ABI and API changes. Every linked package needs to be rebuilt. There
> will likely be broken packages. Once the protobuf* rebuild has left
> the [staging] repo I would like to upload a first set of OpenSSL 1.1
> packages.
>
> I have created a todo list of packages that either have a direct
> dependency on openssl or link to libssl.so.1.0.0 or
> libcrypto.so.1.0.0:
>   https://www.archlinux.org/todo/openssl-110-rebuild/

I will push the first set of packages to [staging]. Please avoid doing
other rebuilds until this one is done.

Greetings,

Pierre

--
Pierre Schmitz, https://pierre-schmitz.com

Re: OpenSSL 1.1.0

Pierre Schmitz
On 30.01.2017 14:09, Giancarlo Razzolini wrote:

> On January 30, 2017 1:05 Allan McRae wrote:
>>
>> Please cite one example.   Every CVE I have seen that is of at least
>> high severity has affected both.  There have been some low severity
>> ones
>> only affecting openssl.
>>
>> Even worse, the fix time for libressl in the couple of issues I
>> monitored was worse than openssl.
>>
>
> I don't have a ready list, but I can make one, sure. One thing I can
> say is that it wasn't *every*[0] high/critical CVE that affected both
> libraries.
>
> And yes, I presume fix time will be somewhat worse than OpenSSL's,
> because it is a portable version of a library mainly focused on OpenBSD.
>
> As I said, it is a suggestion for us to consider instead of going the
> OpenSSL 1.1 way. Both will be hard, but I think in the end we would be
> better off using LibreSSL.
>
> Cheers,
> Giancarlo Razzolini
>
> [0] https://en.wikipedia.org/wiki/LibreSSL

For now I'd like to keep openssl. This might change if upstream
projects switch to libressl. ATM I do not see an objective reason
to do so. If it is a drop-in replacement a separate package could be
provided.

Greetings,

Pierre

--
Pierre Schmitz, https://pierre-schmitz.com

Re: OpenSSL 1.1.0

Giancarlo Razzolini
On February 11, 2017 6:36 Pierre Schmitz wrote:
>
> For now I'd like to keep openssl. This might change if upstream
> projects switch to libressl. ATM I do not see an objective reason
> to do so. If it is a drop-in replacement a separate package could be
> provided.
>

Sure, as I said, it was just an idea. LibreSSL is mostly a drop-in replacement.
I was taking some time to analyze the Void and Alpine switch and they had some issues
that they sorted out. OpenBSD had the same issue with their ports (several patches
were sent upstream) and they detected several instances of poor usage of the OpenSSL library.

Some of the poor usage was bad coding practices, and some was because the library
itself allowed it. I think most upstream projects won't change to LibreSSL, either
the OpenSSL-compatible one or their libtls, for lack of interest in changing the status
quo. For some projects there is also money involved, but that's another issue
entirely.

I don't know if this is a chicken-and-egg issue, because downstream doesn't switch to
LibreSSL because upstream doesn't use LibreSSL, and so on. The main reason to switch
would be better security overall. But a secondary effect of that would be to force
upstream's hand to either code properly or use a different library altogether.

If you are willing I could try to create a separate LibreSSL package, so individual
maintainers could build against either. I just don't see it being sustainable in the
long run.

Cheers,
Giancarlo Razzolini

Re: OpenSSL 1.1.0

Christian Hesse
Pierre Schmitz <[hidden email]> on Sat, 2017/02/11 09:32:

> On 29.01.2017 21:49, Pierre Schmitz wrote:
> > Hi,
> >
> > I'd like to propose a migration to OpenSSL 1.1. The update comes with
> > ABI and API changes. Every linked packages needs to be rebuild. There
> > will likely be broken packages. Once the protobuf* rebuild has left
> > the [staging] repo I would like to upload a first set of OpenSSL 1.1
> > packages.
> >
> > I have created a todo list of packages that either have a direct
> > dependency on openssl or link to libssl.so.1.0.0 or
> > libcrypto.so.1.0.0:
> >   https://www.archlinux.org/todo/openssl-110-rebuild/ 
>
> I will push the first set of packages to [staging]. Please avoid doing
> other rebuilds until this one is done.
Are you interested in details?

I have a working version of openvpn, but it requires heavy patching. I will
wait for version 2.4.1 which has a lot of preparation (and with some luck is
ported completely). Will push an openssl rebuild then.
If anybody is interested... Raise your hands and let me know, I can provide
packages for testing.

Mariadb is still unsolved. There is a ticket in upstream jira [0] but it does
not carry anything useful. There's a reference for a review, but I could not
find the patch in mail archive. Will try to contact the developers and
express our interest...

Mupdf is a burden to maintain due to build system, bundled libraries and
static linking. Looks like upstream is not yet interested in openssl 1.1.0...
As I do not use it currently this will move to [community] if no one
steps up.

[0] https://jira.mariadb.org/browse/MDEV-10332
--
main(a){char*c=/*    Schoene Gruesse                         */"B?IJj;MEH"
"CX:;",b;for(a/*    Best regards             my address:    */=0;b=c[a++];)
putchar(b-1/(/*    Chris            cc -ox -xc - && ./x    */b/42*2-3)*42);}

Re: OpenSSL 1.1.0

Antonio Rojas
On Thu, 23 Feb 2017 22:29:17 +0100, Christian Hesse wrote:

> Mariadb is still unsolved. There is a ticket in upstream jira [0] but it
> does not carry anything useful. There's a reference for a review, but I
> could not find the patch in mail archive. Will try to contact the
> developers and express our interest...

In the meantime, is temporarily switching to internal yassl (as Debian
does) an option? This is blocking all Qt rebuilds (which will also be a
pain themselves), so it would be nice to have a build in staging soonish.

Re: OpenSSL 1.1.0

Baptiste Jonglez
On Thu, Feb 23, 2017 at 10:29:17PM +0100, Christian Hesse wrote:
> > I will push the first set of packages to [staging]. Please avoid doing
> > other rebuilds until this one is done.
>
> Are you interested in details?

FWIW, Debian stretch has openssl 1.1.0, so I guess they had to adapt lots
of packages.

> Mariadb is still unsolved. There is a ticket in upstream jira [0] but it does
> not carry anything useful. There's a reference for a review, but I could not
> find the patch in mail archive. Will try to contact the developers and
> express our interest...

The debian package uses `-DWITH_SSL=bundled` [1] to avoid linking with the
system-wide openssl.  Not a great solution, though.

> Mupdf is a burden to maintain due to build system, bundled libraries and
> static linking. Looks like upstream is not yet interested in openssl 1.1.0...
> As I do not use it currently this will move to [community] if no one
> steps up.

Can't you just drop the dependency on openssl?  What is it used for?
As far as I can tell, Debian does not build mupdf against openssl:

root@stretch:~# apt show mupdf
Package: mupdf
Version: 1.9a+ds1-4
Depends: libc6 (>= 2.15), libfreetype6 (>= 2.6), libharfbuzz0b (>= 0.9.11), libjbig2dec0 (>= 0.11), libjpeg62-turbo (>= 1.3.1), libopenjp2-7 (>= 2.0.0), libx11-6, libxext6, zlib1g (>= 1:1.2.0)
root@stretch:~# ldd /usr/lib/mupdf/mupdf-x11 | grep ssl
root@stretch:~# ldd /usr/lib/mupdf/mupdf-x11 | grep crypto
root@stretch:~#

I just tested building the package without openssl support (I had to patch
out references to openssl and libcrypto from Makerules, since openssl is
part of the base chroot when building), and it seems to work fine.

Baptiste

[1] https://packages.debian.org/stretch/libmariadbclient18


Re: OpenSSL 1.1.0

Christian Hesse
Antonio Rojas <[hidden email]> on Thu, 2017/02/23 21:42:

> On Thu, 23 Feb 2017 22:29:17 +0100, Christian Hesse wrote:
>
> > Mariadb is still unsolved. There is a ticket in upstream jira [0] but it
> > does not carry anything useful. There's a reference for a review, but I
> > could not find the patch in mail archive. Will try to contact the
> > developers and express our interest...  
>
> In the meantime, is temporarily switching to internal yassl (as Debian
> does) an option? This is blocking all Qt rebuilds (which will also be a
> pain themselves), so it would be nice to have a build in staging soonish.
Ah, did not know this is a huge blocker. I will try.
--
main(a){char*c=/*    Schoene Gruesse                         */"B?IJj;MEH"
"CX:;",b;for(a/*    Best regards             my address:    */=0;b=c[a++];)
putchar(b-1/(/*    Chris            cc -ox -xc - && ./x    */b/42*2-3)*42);}

Re: OpenSSL 1.1.0

Christian Hesse
Christian Hesse <[hidden email]> on Fri, 2017/02/24 13:37:

> Antonio Rojas <[hidden email]> on Thu, 2017/02/23 21:42:
> > On Thu, 23 Feb 2017 22:29:17 +0100, Christian Hesse wrote:
> >  
> > > Mariadb is still unsolved. There is a ticket in upstream jira [0] but it
> > > does not carry anything useful. There's a reference for a review, but I
> > > could not find the patch in mail archive. Will try to contact the
> > > developers and express our interest...    
> >
> > In the meantime, is temporarily switching to internal yassl (as Debian
> > does) an option? This is blocking all Qt rebuilds (which will also be a
> > pain themselves), so it would be nice to have a build in staging
> > soonish.  
>
> Ah, did not know this is a huge blocker. I will try.
I pushed mariadb 10.1.21-2 to [testing]. Please give it a try...
--
main(a){char*c=/*    Schoene Gruesse                         */"B?IJj;MEH"
"CX:;",b;for(a/*    Best regards             my address:    */=0;b=c[a++];)
putchar(b-1/(/*    Chris            cc -ox -xc - && ./x    */b/42*2-3)*42);}

Re: OpenSSL 1.1.0

Christian Hesse
Baptiste Jonglez <[hidden email]> on Thu, 2017/02/23 23:36:
> > Mupdf is a burden to maintain due to build system, bundled libraries and
> > static linking. Looks like upstream is not yet interested in openssl
> > 1.1.0... As I do not use it currently this will move to [community] if no
> > one steps up.  
>
> Can't you just drop the dependency on openssl?  What is it used for?
> As far as I can tell, Debian does not build mupdf against openssl:

Just did that and pushed to [community-testing].

With mupdf linked against openssl you have support for PKCS#7 which is used
for digital signatures in PDF documents.
--
main(a){char*c=/*    Schoene Gruesse                         */"B?IJj;MEH"
"CX:;",b;for(a/*    Best regards             my address:    */=0;b=c[a++];)
putchar(b-1/(/*    Chris            cc -ox -xc - && ./x    */b/42*2-3)*42);}

Re: OpenSSL 1.1.0

Christian Hesse
Christian Hesse <[hidden email]> on Thu, 2017/02/23 22:29:
> I have a working version of openvpn, but it requires heavy patching. I will
> wait for version 2.4.1 which has a lot of preparation (and with some luck is
> ported completely). Will push an openssl rebuild then.
> If anybody is interested... Raise your hands and let me know, I can provide
> packages for testing.

I am not sure about the amount of spare time I will have in about two weeks.
So I decided to push the patches now...
--
main(a){char*c=/*    Schoene Gruesse                         */"B?IJj;MEH"
"CX:;",b;for(a/*    Best regards             my address:    */=0;b=c[a++];)
putchar(b-1/(/*    Chris            cc -ox -xc - && ./x    */b/42*2-3)*42);}

Re: OpenSSL 1.1.0

Lukas Fleischer
On Sun, 29 Jan 2017 at 21:49:51, Pierre Schmitz wrote:
> I'd like to propose a migration to OpenSSL 1.1. The update comes with
> ABI and API changes. Every linked package needs to be rebuilt. There
> will likely be broken packages. Once the protobuf* rebuild has left the
> [staging] repo I would like to upload a first set of OpenSSL 1.1
> packages.

What is the plan for packages where upstream is dead or reluctant to
migrate to OpenSSL 1.1.0 (see e.g. [1])? Are we going to ship a legacy
openssl-compat (or libressl) package for a while?

Regards,
Lukas

[1] https://github.com/OpenSMTPD/OpenSMTPD/issues/738

Re: OpenSSL 1.1.0

Lukas Fleischer
On Thu, 02 Mar 2017 at 07:05:44, Lukas Fleischer wrote:
> What is the plan for packages where upstream is dead or reluctant to
> migrate to OpenSSL 1.1.0 (see e.g. [1])? Are we going to ship a legacy
> openssl-compat (or libressl) package for a while?

It seems like there already is an openssl-1.0 package [1]. This makes
everything much easier. Thanks.

[1] https://www.archlinux.org/packages/?q=openssl-1.0

Re: OpenSSL 1.1.0

Jan de Groot
On Thu, 2017-03-02 at 20:06 +0100, Lukas Fleischer wrote:

> On Thu, 02 Mar 2017 at 07:05:44, Lukas Fleischer wrote:
> > What is the plan for packages where upstream is dead or reluctant
> > to
> > migrate to OpenSSL 1.1.0 (see e.g. [1])? Are we going to ship a
> > legacy
> > openssl-compat (or libressl) package for a while?
>
> It seems like there already is an openssl-1.0 package [1]. This makes
> everything much easier. Thanks.
>
> [1] https://www.archlinux.org/packages/?q=openssl-1.0

To use this package you need to set
PKG_CONFIG_PATH=/usr/lib/openssl-1.0/pkgconfig. If your package doesn't
use PKG_CONFIG_PATH to look for openssl you'll have to manually add
-I/usr/include/openssl-1.0 to CFLAGS and -L/usr/lib/openssl-1.0 to
LDFLAGS.

Also, make sure that your resulting package uses the correct library.
You don't want to link to two different versions of OpenSSL. An example
where this happens is ptlib/opal: Opal will happily compile against
OpenSSL 1.1 while ptlib is compiled against 1.0 if no changes are made
to opal.
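Both checks raised in this thread, finding binaries that still link the old libssl.so.1.0.0/libcrypto.so.1.0.0 sonames from Pierre's rebuild list and catching a build that accidentally pulls in both the 1.0 and 1.1 generations as in the ptlib/opal case above, can be scripted from `ldd` output. The POSIX shell script below is an added example, not code from the thread or from Arch's own tooling; the ldd-style SAMPLE_* strings inside it are constructed for illustration, and the function names are this example's own.

```shell
#!/bin/sh
# Added example (not from the thread): classify the OpenSSL sonames a binary
# links against from `ldd` output.  The SAMPLE_* strings are constructed
# ldd-style output; on a real system pipe `ldd /path/to/binary` into the
# functions instead.  Function names are this example's own.

# Constructed sample inputs (abbreviated ldd output).
SAMPLE_OK='linux-vdso.so.1 (0x00007ffc12345000)
libssl.so.1.1 => /usr/lib/libssl.so.1.1 (0x00007f1000000000)
libcrypto.so.1.1 => /usr/lib/libcrypto.so.1.1 (0x00007f1000200000)
libc.so.6 => /usr/lib/libc.so.6 (0x00007f1000400000)'

SAMPLE_LEGACY='libssl.so.1.0.0 => /usr/lib/openssl-1.0/libssl.so.1.0.0 (0x00007f2000000000)
libcrypto.so.1.0.0 => /usr/lib/openssl-1.0/libcrypto.so.1.0.0 (0x00007f2000200000)
libc.so.6 => /usr/lib/libc.so.6 (0x00007f2000400000)'

# The ptlib/opal situation: opal built against 1.1, its ptlib dependency against 1.0.
SAMPLE_MIXED='libpt.so.2.18 => /usr/lib/libpt.so.2.18 (0x00007f3000000000)
libssl.so.1.1 => /usr/lib/libssl.so.1.1 (0x00007f3000200000)
libcrypto.so.1.1 => /usr/lib/libcrypto.so.1.1 (0x00007f3000400000)
libssl.so.1.0.0 => /usr/lib/openssl-1.0/libssl.so.1.0.0 (0x00007f3000600000)
libcrypto.so.1.0.0 => /usr/lib/openssl-1.0/libcrypto.so.1.0.0 (0x00007f3000800000)'

SAMPLE_NONE='libz.so.1 => /usr/lib/libz.so.1 (0x00007f4000000000)
libc.so.6 => /usr/lib/libc.so.6 (0x00007f4000200000)'

# Print the distinct libssl/libcrypto sonames found in ldd-style text on
# stdin, one per line (the soname appears twice per ldd line; sort -u dedups).
openssl_sonames() {
    grep -oE 'lib(ssl|crypto)\.so\.[0-9][0-9.]*' | sort -u
}

# Read ldd-style text on stdin and print one verdict word:
#   ok      only the 1.1 sonames
#   legacy  only the old 1.0.0 sonames (the package belongs on the rebuild list)
#   mixed   both generations at once (the ptlib/opal failure mode)
#   none    no OpenSSL linked at all
openssl_link_verdict() {
    old=0; new=0
    for name in $(openssl_sonames); do
        case "$name" in
            *.so.1.0.0) old=1 ;;
            *.so.1.1)   new=1 ;;
        esac
    done
    if [ "$old" -eq 1 ] && [ "$new" -eq 1 ]; then
        echo mixed
    elif [ "$old" -eq 1 ]; then
        echo legacy
    elif [ "$new" -eq 1 ]; then
        echo ok
    else
        echo none
    fi
}

# Same check as an exit status for use in build scripts:
# 0 ok, 1 legacy, 2 mixed, 3 none.
check_openssl_links() {
    case "$(openssl_link_verdict)" in
        ok)     return 0 ;;
        legacy) return 1 ;;
        mixed)  return 2 ;;
        *)      return 3 ;;
    esac
}

# Real-world use: report every executable under a package's install tree,
# e.g.  scan_tree "$pkgdir"   (files ldd cannot read are skipped).
scan_tree() {
    find "$1" -type f -perm -u+x | while read -r f; do
        if ldd "$f" >/dev/null 2>&1; then
            printf '%s\t%s\n' "$(ldd "$f" | openssl_link_verdict)" "$f"
        fi
    done
}
```

Running `scan_tree` over a package's install tree and grepping for `legacy` or `mixed` is a quick gate before pushing a rebuild to [staging]; `ldd` only shows direct and transitive DT_NEEDED entries, so a library loaded with dlopen() would not be caught this way.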

Re: OpenSSL 1.1.0

Lukas Fleischer
Hi,

I just moved the OpenSSL 1.1.0 and libgit2 0.25 rebuilds to [testing].
Please report issues to the bug tracker.

Regards,
Lukas