On Mon, Mar 28, 2016 at 10:59 PM, Don Lewis <truck...@apache.org> wrote:
> On 28 Mar, Pedro Giffuni wrote:
>> Hi Don;
>>
>>> On 28 Mar, Pedro Giffuni wrote:
>>> > In reply to Don,
>>>
>>> >> The versions of openssl and curl badly need updating for the same
>>> >> reason, and there is one CVE for serf.
>>> >
>>> > FreeBSD casually keeps some backported updates for the same openssl
>>> > version AOO uses:
>>> >
>>> > https://svnweb.freebsd.org/base/stable/9/crypto/openssl/?view=log
>>> >
>>> > It should be pretty straightforward to take them from there and use them into
>>> > main/openssl with minor adaptions.
>>>
>>> That would fix only part of the problem. The other part of the problem
>>> is that the version of openssl that we currently bundle doesn't
>>> implement the newer and more secure protocols and ciphers. The older
>>> and less secure ones are gradually getting disabled on the server side.
>>>
>>> For instance, my only copy of Windows is XP, and the last version of IE
>>> released for XP can no longer connect to some web sites because they
>>> have disabled all of the protocols that IE supports.
>>>
>>
>> That is a valid concern, however I am unsure about what in OpenOffice
>> uses the new cyphers. I think OpenSSL is used for signing documents:
>> when we update OpenSSL will AOO automatically accept more signing
>> options? I would expect browsers will bring their own SSL
>> implementations.
>
> I don't know what OpenOffice uses it for, either, but I would expect
> that it also gets used for downloading extensions. I hadn't even
> thought about signatures. That's something I haven't exercised it at
> all.

Let's rather research where AOO uses openssl instead of guessing.

I find the use of openssl for document encryption and signing highly unlikely, as NSS was used there to make use of Firefox's root CA certificates, and allow configuring personal digital signatures using the Firefox GUI.

So which modules use openssl?

$ grep openssl */prj/build.lst
oox/prj/build.lst:oox oox : vos cppu cppuhelper comphelper sal offapi sax basegfx xmlscript tools vcl BOOST:boost OPENSSL:openssl LIBXSLT:libxslt NULL
openssl/prj/build.lst:ssl openssl : soltools external EXPAT:expat NULL
openssl/prj/build.lst:ssl openssl usr1 - all ssl_mkout NULL
openssl/prj/build.lst:ssl openssl nmake - all ssl_openssl NULL
python/prj/build.lst:py python : SO:so_prereq solenv OPENSSL:openssl NULL
redland/prj/build.lst:rld redland : stlport soltools LIBXML2:libxml2 LIBXSLT:libxslt OPENSSL:openssl NULL
ucb/prj/build.lst:uc ucb : cppuhelper CURL:curl OPENSSL:openssl LIBXML2:libxml2 LIBXSLT:libxslt offapi sal salhelper ucbhelper udkapi comphelper SERF:serf tools NULL

Eliminating the openssl module itself from the above results, we have dependencies to it in oox, python, redland, and ucb.

Oox (used for OOXML, not ODF) uses it in the short lclCheckEncryptionData() function to detect encryption. It uses it exclusively for AES crypto.

Python could use it for just about anything, but we don't care because Python is itself optional.

Redland is an RDF library. It is used by unoxml. Not sure for what.

Ucb apparently uses it for webdav. It doesn't call openssl APIs, but links to openssl because it uses serf. Serf needs openssl and is only used by ucb.

Damjan
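
The elimination step in the message above (drop the openssl module's own lines, keep the modules that declare the dependency), as an added example that is not part of the original thread or of the AOO build system. The function name `direct_dependents` is hypothetical, the sample input is the grep output quoted in the message, and reading `SWITCH:module` as a dependency gated on a build switch is an assumption about the build.lst format.

```python
# Sample input: the grep hits quoted in the message, one "path:content" per line.
# It only contains lines that mention openssl, so results for other libraries
# are limited to those lines.
GREP_OUTPUT = """\
oox/prj/build.lst:oox oox : vos cppu cppuhelper comphelper sal offapi sax basegfx xmlscript tools vcl BOOST:boost OPENSSL:openssl LIBXSLT:libxslt NULL
openssl/prj/build.lst:ssl openssl : soltools external EXPAT:expat NULL
openssl/prj/build.lst:ssl openssl usr1 - all ssl_mkout NULL
openssl/prj/build.lst:ssl openssl nmake - all ssl_openssl NULL
python/prj/build.lst:py python : SO:so_prereq solenv OPENSSL:openssl NULL
redland/prj/build.lst:rld redland : stlport soltools LIBXML2:libxml2 LIBXSLT:libxslt OPENSSL:openssl NULL
ucb/prj/build.lst:uc ucb : cppuhelper CURL:curl OPENSSL:openssl LIBXML2:libxml2 LIBXSLT:libxslt offapi sal salhelper ucbhelper udkapi comphelper SERF:serf tools NULL
"""


def direct_dependents(grep_output, target="openssl"):
    """Map each module that lists `target` as a dependency to the build
    switch gating it (None when the dependency is unconditional)."""
    dependents = {}
    for raw in grep_output.splitlines():
        # grep prefixes each hit with "path:"; split on the first colon only.
        _path, _, content = raw.partition(":")
        tokens = content.split()
        # Dependency header: "<prefix> <module> : <deps...> NULL".
        # Anything else (e.g. "ssl openssl nmake - all ...") is a build step.
        if len(tokens) < 4 or tokens[2] != ":":
            continue
        module = tokens[1]
        if module == target:
            continue  # the library's own module is not a consumer of itself
        for dep in tokens[3:]:
            if dep == "NULL":  # terminator of the dependency list
                break
            # Assumed format: "SWITCH:name" is gated, bare "name" is not.
            switch, _, name = dep.rpartition(":")
            if name == target:
                dependents[module] = switch or None
    return dependents


if __name__ == "__main__":
    for module, switch in sorted(direct_dependents(GREP_OUTPUT).items()):
        print(f"{module}: depends on openssl (switch: {switch})")
```

This only reports declared build dependencies; a module that reaches openssl through another library, as described for ucb and serf, still has to be traced by hand or by running the same pass with that library as the target.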