Today's Topics:
1. Re: Openssl 3.0.0 (Julien ÉLIE)
2. Re: Openssl 3.0.0 (Julien ÉLIE)
----------------------------------------------------------------------
Message: 1
Date: Sat, 2 Oct 2021 17:59:01 +0200
From: Julien ÉLIE <[email protected]>
To: [email protected]
Subject: Re: Openssl 3.0.0
Message-ID: <[email protected]>
Content-Type: text/plain; charset=utf-8; format=flowed
Hi all,
Seems like OpenSSL 3.0.0 has greatly improved its API!
> tls.c: In function 'load_dh_buffer':
> tls.c:167:9: warning: 'PEM_read_bio_DHparams' is deprecated: Since OpenSSL
> 3.0 [-Wdeprecated-declarations]
> 167 | dh = PEM_read_bio_DHparams(bio, NULL, NULL, NULL);
> | ^~
and
> tls.c: In function 'tls_init_serverengine':
> tls.c:571:5: warning: 'SSL_CTX_set_tmp_dh_callback' is deprecated: Since OpenSSL 3.0 [-Wdeprecated-declarations]
> 571 | SSL_CTX_set_tmp_dh_callback(CTX, tmp_dh_cb);
> | ^~~~~~~~~~~~~~~~~~~~~~~~~~~
"Applications may supply their own DH parameters instead of using the
built-in values. This approach is discouraged and applications should
in preference use the built-in parameter support described above."
Seems like all we now need is:
SSL_CTX_set_dh_auto(CTX, 1);
And we can just keep the callback as well as hard-coded DH groups in
tls.c only for previous versions of OpenSSL.
> tls.c: In function 'eckey_from_name':
> tls.c:473:5: warning: 'EC_KEY_new_by_curve_name' is deprecated: Since OpenSSL
> 3.0 [-Wdeprecated-declarations]
> 473 | eckey = EC_KEY_new_by_curve_name(builtin_curves[i].nid);
> | ^~~~~
The whole eckey_from_name() function in tls.c now seems irrelevant.
If OpenSSL >= 3.0.0, it looks like
eckey = eckey_from_name(tls_ec_curve);
can just be changed to something like
eckey = EVP_PKEY_get1_EC_KEY(EVP_EC_gen(tls_ec_curve));
Not yet tested though.
> tls.c: In function 'tls_start_servertls':
> tls.c:852:9: warning: 'BIO_set_callback' is deprecated: Since OpenSSL 3.0
> [-Wdeprecated-declarations]
> 852 | BIO_set_callback(SSL_get_rbio(tls_conn), bio_dump_cb);
> | ^~~~~~~~~~~~~~~~
BIO_set_callback_ex() should now be used.
There are 2 more arguments to deal with in the callback function.
Normally not difficult to take into account, I can have a look.
--
Julien ÉLIE
"Soldiers, from the top of these pyramids, twenty centuries look down upon us."
(Napoléon)
------------------------------
Message: 2
Date: Sun, 3 Oct 2021 00:32:44 +0200
From: Julien ÉLIE <[email protected]>
To: [email protected]
Subject: Re: Openssl 3.0.0
Message-ID: <[email protected]>
Content-Type: text/plain; charset=utf-8; format=flowed
Hi all,
3 out of 4 of the deprecated functions are now fixed and committed to
the main branch.
>> tls.c: In function 'tls_start_servertls':
>> tls.c:852:9: warning: 'BIO_set_callback' is deprecated: Since OpenSSL
>> 3.0 [-Wdeprecated-declarations]
>>   852 |         BIO_set_callback(SSL_get_rbio(tls_conn), bio_dump_cb);
>>       |         ^~~~~~~~~~~~~~~~
> BIO_set_callback_ex() should now be used.
> There are 2 more arguments to deal with in the callback function.
> Normally not difficult to take into account, I can have a look.
Done, and while updating it I saw that we have a possibility to log
detailed TLS sessions (in hexadecimal) and more stuff: raise the
tls_loglevel variable in nnrpd/tls.c to 4 and rebuild INN (the value is
set to 0 in the source code).
I've added a comment to say the verbosity goes from 0 to 4.
This message is just to let you know in case you weren't aware.
I doubt users need it so I don't plan on making it configurable.
And I confirm it works well.
Oct 3 00:10:34 news nnrpd[256368]: starting TLS engine
Oct 3 00:10:34 news nnrpd[256368]: setting up TLS connection
Oct 3 00:10:34 news nnrpd[256368]: SSL_accept:before SSL initialization
Oct 3 00:10:34 news nnrpd[256368]: read from 55F514614640 [55F51461F823] (5 bytes => 5 (0x5))
Oct 3 00:10:34 news nnrpd[256368]: 0000 16 03 01 02 57
Oct 3 00:10:34 news nnrpd[256368]: read from 55F514614640 [55F51461F828] (599 bytes => 599 (0x257))
Oct 3 00:10:34 news nnrpd[256368]: 0000 01 00 02 53 03 03 f5 78|ac 91 58 d6 6a 61 c9 fe
[...]
Oct 3 00:10:34 news nnrpd[256368]: SSL_accept:TLSv1.3 early data
Oct 3 00:10:34 news nnrpd[256368]: SSL_accept:SSLv3/TLS read finished
Oct 3 00:10:34 news nnrpd[256368]: SSL_accept:SSLv3/TLS write session ticket
Oct 3 00:10:34 news nnrpd[256368]: SSL_accept:SSLv3/TLS write session ticket
Oct 3 00:10:34 news nnrpd[256368]: starttls: TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) no authentication
Oct 3 00:10:34 news nnrpd[256368]: read from 55F514614640 [55F51461F823] (5 bytes => 5 (0x5))
Oct 3 00:10:34 news nnrpd[256368]: 0000 17 03 03 00 1e
[...]
--
Julien ÉLIE
"Soldiers, from the top of these pyramids, twenty centuries look down upon us."
(Napoléon)
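Added example, not code from the message or from INN itself: a small Python reader for the tls_loglevel=4 output quoted above. It pairs each "read from" line with the hex-dump rows that follow, decodes the 5-byte TLS record header (content type, legacy version, length) and checks that the next read requests exactly the number of bytes the header announced, which is how one confirms that the 0x16 header is followed by a 599-byte ClientHello and that 0x17 is application data. The sample log lines are constructed from the ones in the message, and the two regular expressions are assumptions about that log format.

```python
import re

# Constructed sample in the format of the tls_loglevel=4 output quoted above:
# a 5-byte record header read, its 599-byte payload read, then another header.
SAMPLE_LOG = """\
Oct 3 00:10:34 news nnrpd[256368]: read from 55F514614640 [55F51461F823] (5 bytes => 5 (0x5))
Oct 3 00:10:34 news nnrpd[256368]: 0000 16 03 01 02 57
Oct 3 00:10:34 news nnrpd[256368]: read from 55F514614640 [55F51461F828] (599 bytes => 599 (0x257))
Oct 3 00:10:34 news nnrpd[256368]: 0000 01 00 02 53 03 03 f5 78|ac 91 58 d6 6a 61 c9 fe
Oct 3 00:10:34 news nnrpd[256368]: read from 55F514614640 [55F51461F823] (5 bytes => 5 (0x5))
Oct 3 00:10:34 news nnrpd[256368]: 0000 17 03 03 00 1e
"""
# Assumed log shape: "read from ADDR [ADDR] (N bytes => M (0x..))" then "OFFSET hh hh ..." rows.
READ_RE = re.compile(r"nnrpd\[\d+\]: read from \S+ \[\S+\] \((\d+) bytes => (\d+) ")
DUMP_RE = re.compile(r"nnrpd\[\d+\]: [0-9a-f]{4} ((?:[0-9a-f]{2}[ |])*[0-9a-f]{2})$")
CONTENT_TYPES = {0x14: "change_cipher_spec", 0x15: "alert",
                 0x16: "handshake", 0x17: "application_data"}


def parse_reads(log_text):
    """Group each 'read from' line with its dump rows: [(requested, returned, data), ...]."""
    reads = []
    for line in log_text.splitlines():
        m = READ_RE.search(line)
        if m:
            reads.append((int(m.group(1)), int(m.group(2)), bytearray()))
            continue
        m = DUMP_RE.search(line)
        if m and reads:
            # The dump separates the two 8-byte halves of a row with '|'.
            reads[-1][2].extend(int(h, 16) for h in m.group(1).replace("|", " ").split())
    return reads


def decode_record_header(data):
    """Decode a 5-byte TLS record header: content type, legacy version, payload length."""
    ctype, length = data[0], (data[3] << 8) | data[4]
    return {"type": CONTENT_TYPES.get(ctype, "unknown(0x%02x)" % ctype),
            "version": (data[1], data[2]), "length": length}


def check_records(log_text):
    """Decode every 5-byte header read and check that the following read asks for
    exactly the announced record length (None when the dump ends after the header)."""
    reads = parse_reads(log_text)
    out = []
    for i, (requested, _returned, data) in enumerate(reads):
        if requested == 5 and len(data) >= 5:
            hdr = decode_record_header(data)
            nxt = reads[i + 1] if i + 1 < len(reads) else None
            hdr["payload_read_ok"] = None if nxt is None else nxt[0] == hdr["length"]
            out.append(hdr)
    return out
```

The first payload row also shows the handshake layer: 01 00 02 53 is message type 1 (ClientHello) with a 3-byte length of 0x253 = 595, i.e. the 599-byte record minus its 4-byte handshake header.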
------------------------------
End of inn-workers Digest, Vol 134, Issue 2