Re: [Interest] Qt5 and libressl

2015-11-14 Thread René J . V . Bertin
On Saturday November 14 2015 01:49:16 Allan Sandfeld Jensen wrote:

>> A question that came up in a parallel discussion: why does Qt still support
>> SSL2 and SSL3, or why aren't the respective OPENSSL_NO_SSL* tokens defined
>> by default?
>> 
>Because those are defined by OpenSSL and not Qt? If you use an OpenSSL where 

OK, that explains why I couldn't find any trace of defining OPENSSL_NO_SSL* in 
Qt's code.

>they are not defined Qt will still not use SSL2 or SSL3 by default unless you

Yes, I saw that. What can be confusing is when you run a Qt with libraries 
built on a host where the methods are available but deployed on a host where 
they are not. You get a warning about missing methods which originates from the 
RESOLVE_FUNCTION macro, but apparently can be ambiguous.

>force it. If you build with OpenSSL without (which is the most common), you 
>can't even force Qt to use it, but it still doesn't change the default.

Still, the actual question was not about those tokens but the fact SSL2 and 
SSL3 support could still be built in, because (quoting in my own words) "it's 
been 20 years we know that no software should still be using those".
I'm not a security expert but the answer interests me.

R.
___
Interest mailing list
Interest@qt-project.org
http://lists.qt-project.org/mailman/listinfo/interest


Re: [Interest] Qt5 and libressl

2015-11-13 Thread Thiago Macieira
On Friday 13 November 2015 21:55:41 René J. V. Bertin wrote:
> Richard Moore wrote:
> > On 12 November 2015 at 20:14, Diego Iastrubni  wrote:
> >> So... the official statement from Qt is that elliptic curves is a ...
> >> "safe" encryption to be used in the wild...?
> > 
> > We provide facilities that let you choose which ciphersuites are enabled.
> > We also support plain text.
> 
> A question that came up in a parallel discussion: why does Qt still support
> SSL2 and SSL3, or why aren't the respective OPENSSL_NO_SSL* tokens defined
> by default?

Because there may be people with old (and insecure) protocols where this may 
be needed. We didn't remove the API.

-- 
Thiago Macieira - thiago.macieira (AT) intel.com
  Software Architect - Intel Open Source Technology Center



Re: [Interest] Qt5 and libressl

2015-11-13 Thread René J . V . Bertin
Richard Moore wrote:

> On 12 November 2015 at 20:14, Diego Iastrubni  wrote:
> 
>> So... the official statement from Qt is that elliptic curves is a ...
>> "safe" encryption to be used in the wild...?
>>
>>
> We provide facilities that let you choose which ciphersuites are enabled.
> We also support plain text.

A question that came up in a parallel discussion: why does Qt still support
SSL2 and SSL3, or why aren't the respective OPENSSL_NO_SSL* tokens defined by
default?

R.



Re: [Interest] Qt5 and libressl

2015-11-13 Thread Allan Sandfeld Jensen
On Friday 13 November 2015, René J. V. Bertin wrote:
> Richard Moore wrote:
> > On 12 November 2015 at 20:14, Diego Iastrubni  wrote:
> >> So... the official statement from Qt is that elliptic curves is a ...
> >> "safe" encryption to be used in the wild...?
> > 
> > We provide facilities that let you choose which ciphersuites are
> > enabled. We also support plain text.
> 
> A question that came up in a parallel discussion: why does Qt still support
> SSL2 and SSL3, or why aren't the respective OPENSSL_NO_SSL* tokens defined
> by default?
> 
Because those are defined by OpenSSL and not Qt? If you use an OpenSSL where 
they are not defined Qt will still not use SSL2 or SSL3 by default unless you
force it. If you build with OpenSSL without (which is the most common), you 
can't even force Qt to use it, but it still doesn't change the default.

Allan


Re: [Interest] Qt5 and libressl

2015-11-12 Thread Diego Iastrubni
So... the official statement from Qt is that elliptic curves is a ...
"safe" encryption to be used in the wild...?

(still remember in college how I was taught that this is a safe encryption
because the NSA developed it... and it is fast...)

If this was not clear:
I think that Thiago meant to say: "yea, I know this sux, and we are looking
for someone to give us a patch and remove that MIM code".

I might be wrong.

On Thu, Nov 12, 2015 at 8:20 PM, Thiago Macieira wrote:

> On Thursday 12 November 2015 16:29:03 René J.V. Bertin wrote:
> > Hello,
> >
> > Rebuilding Qt 5.5.0 with libressl 2.2.4 installed instead of openssl I got
> > this error:
> >
> > qt-everywhere-opensource-src-5.5.0/qtbase/src/network/ssl/qsslcontext_openssl.cpp:347:33:
> >  error: ‘SSL_CTRL_SET_CURVES’ was not declared in this scope
> >  SSL_CTRL_SET_CURVES,
> >  ^
> > make[3]: *** [.obj/qsslcontext_openssl.o] Error 1
> >
> >
> > From the looks of it, libressl emulates a recent enough openssl version to
> > activate the code that refers to SSL_CTRL_SET_CURVES, but doesn't actually
> > provide the token.
> >
> > Is there an official position regarding building Qt 5 against libressl?
>
> Our current position is "our code is written for OpenSSL". If you want to use
> something that emulates OpenSSL, the burden is on you to make sure it's a good
> emulation.
>
> --
> Thiago Macieira - thiago.macieira (AT) intel.com
>   Software Architect - Intel Open Source Technology Center
>


Re: [Interest] Qt5 and libressl

2015-11-12 Thread Thiago Macieira
On Thursday 12 November 2015 22:14:38 Diego Iastrubni wrote:
> (still remember in college how I was taught that this is a safe encryption
> because the NSA developed it... and it is fast...)

The same NSA that made changes to the RSA algorithm in the 80s and made it 
stronger than random occurrence would have allowed for, even if they couldn't 
then explain how they came up with the parameters. The same NSA that gave us 
SELinux.

Just because it's NSA, doesn't mean it's bad.

> If this was not clear:
> I think that Thiago meant to say: "yea, I know this sux, and we are looking
> for someone to give us a patch and remove that MIM code".
> 
> I might be wrong.

The project has no position on supporting LibreSSL. If we want to do that, I'd 
like someone to work with Richard and say "we will test it to make sure it 
compiles and works".

So volunteers are welcome.
-- 
Thiago Macieira - thiago.macieira (AT) intel.com
  Software Architect - Intel Open Source Technology Center



Re: [Interest] Qt5 and libressl

2015-11-12 Thread René J . V . Bertin
Thiago Macieira wrote:

> Just because it's NSA, doesn't mean it's bad.

Not the place to be opinionated about such topics here, but I'd say at least
one verb in that statement should be in the past tense O:-)

> The project has no position on supporting LibreSSL. If we want to do that, I'd
> like someone to work with Richard and say "we will test it to make sure it
> compiles and works".

FWIW:
When I swap out OpenSSL with LibreSSL (on Linux, and yes I know one shouldn't), 
I see the following when calling qtdiag:

qt.network.ssl: QSslSocket: cannot resolve SSL_set_psk_client_callback
qt.network.ssl: QSslSocket: cannot resolve SSLv2_client_method
qt.network.ssl: QSslSocket: cannot resolve SSLv2_server_method

I *think* those are unlikely to go away after building against LibreSSL unless 
there's a way to detect while compiling that the functions don't exist.

R.



Re: [Interest] Qt5 and libressl

2015-11-12 Thread Richard Moore
On 12 November 2015 at 20:14, Diego Iastrubni wrote:

> So... the official statement from Qt is that elliptic curves is a ...
> "safe" encryption to be used in the wild...?
>
>
We provide facilities that let you choose which ciphersuites are enabled.
We also support plain text.



> (still remember in college how I was taught that this is a safe
> encryption because the NSA developed it... and it is fast...)
>
>
Ironic that you're complaining about code that lets you choose if you want
the curves the NSA standardised enabled, or just want those developed by
others.



> If this was not clear:
> I think that Thiago meant to say: "yea, I know this sux, and we are
> looking for someone to give us a patch and remove that MIM code".
>
> I might be wrong.
>
>
You are. If you have a serious question ask it.

Rich.



> On Thu, Nov 12, 2015 at 8:20 PM, Thiago Macieira <thiago.macie...@intel.com> wrote:
>
>> On Thursday 12 November 2015 16:29:03 René J.V. Bertin wrote:
>> > Hello,
>> >
>> > Rebuilding Qt 5.5.0 with libressl 2.2.4 installed instead of openssl I got
>> > this error:
>> >
>> > qt-everywhere-opensource-src-5.5.0/qtbase/src/network/ssl/qsslcontext_openssl.cpp:347:33:
>> >  error: ‘SSL_CTRL_SET_CURVES’ was not declared in this scope
>> >  SSL_CTRL_SET_CURVES,
>> >  ^
>> > make[3]: *** [.obj/qsslcontext_openssl.o] Error 1
>> >
>> >
>> > From the looks of it, libressl emulates a recent enough openssl version to
>> > activate the code that refers to SSL_CTRL_SET_CURVES, but doesn't actually
>> > provide the token.
>> >
>> > Is there an official position regarding building Qt 5 against libressl?
>>
>> Our current position is "our code is written for OpenSSL". If you want to use
>> something that emulates OpenSSL, the burden is on you to make sure it's a good
>> emulation.
>>
>> --
>> Thiago Macieira - thiago.macieira (AT) intel.com
>>   Software Architect - Intel Open Source Technology Center
>>


Re: [Interest] Qt5 and libressl

2015-11-12 Thread Giuseppe D'Angelo
On Thu, Nov 12, 2015 at 9:14 PM, Diego Iastrubni wrote:
> So... the official statement from Qt is that elliptic curves is a ... "safe"
> encryption to be used in the wild...?

Where did you get this quote from?

-- 
Giuseppe D'Angelo


[Interest] Qt5 and libressl

2015-11-12 Thread René J . V . Bertin
Hello,

Rebuilding Qt 5.5.0 with libressl 2.2.4 installed instead of openssl I got this 
error:

qt-everywhere-opensource-src-5.5.0/qtbase/src/network/ssl/qsslcontext_openssl.cpp:347:33:
 error: ‘SSL_CTRL_SET_CURVES’ was not declared in this scope
 SSL_CTRL_SET_CURVES,
 ^
make[3]: *** [.obj/qsslcontext_openssl.o] Error 1


From the looks of it, libressl emulates a recent enough openssl version to 
activate the code that refers to SSL_CTRL_SET_CURVES, but doesn't actually 
provide the token.

Is there an official position regarding building Qt 5 against libressl?

R.
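
The build failure reported above, and the compile-time detection asked about in the qtdiag follow-up, as an added example that is not part of the thread and is not Qt code: it records which tokens the TLS headers actually define and compares that with what a check on OPENSSL_VERSION_NUMBER alone would conclude. The struct, the function names and the 0x10002000L threshold (OpenSSL 1.0.2) are assumptions made for the example; it also compiles on a host with no TLS headers installed.

```c
#include <stdio.h>
#if defined(__has_include)
#  if __has_include(<openssl/ssl.h>)
#    include <openssl/ssl.h>          /* also pulls in opensslv.h / opensslconf.h */
#    define HAVE_TLS_HEADERS 1
#  endif
#endif
#ifndef HAVE_TLS_HEADERS
#  define HAVE_TLS_HEADERS 0
#  define OPENSSL_VERSION_NUMBER 0L   /* placeholder: no TLS headers on this host */
#endif
/* Assumed version guard (hypothetical name): OpenSSL 1.0.2 added the curves control. */
#define ASSUMED_CURVES_VERSION 0x10002000L
struct tls_caps {
    int headers_found;   /* <openssl/ssl.h> was present at build time */
    int is_libressl;     /* LIBRESSL_VERSION_NUMBER is defined */
    int has_set_curves;  /* the SSL_CTRL_SET_CURVES token is defined */
    int no_ssl2, no_ssl3;/* OPENSSL_NO_SSL2 / OPENSSL_NO_SSL3, set by the library headers */
    int version_guard;   /* what checking the version number alone concludes */
};
/* Record what the headers this file was compiled against really provide. */
struct tls_caps probe_tls_caps(void) {
    struct tls_caps c = {0};
    c.headers_found = HAVE_TLS_HEADERS;
#ifdef LIBRESSL_VERSION_NUMBER
    c.is_libressl = 1;
#endif
#ifdef SSL_CTRL_SET_CURVES
    c.has_set_curves = 1;
#endif
#ifdef OPENSSL_NO_SSL2
    c.no_ssl2 = 1;
#endif
#ifdef OPENSSL_NO_SSL3
    c.no_ssl3 = 1;
#endif
    c.version_guard = (OPENSSL_VERSION_NUMBER >= ASSUMED_CURVES_VERSION);
    return c;
}
/* 1 when a version-only check enables code whose token is missing (the build error). */
int version_guard_misfires(const struct tls_caps *c) { return c->version_guard && !c->has_set_curves; }
/* Feature test: use the control only when its own token is defined. */
int may_use_set_curves(const struct tls_caps *c) { return c->has_set_curves; }
int main(void) {
    struct tls_caps c = probe_tls_caps();
    printf("headers=%d libressl=%d set_curves=%d no_ssl2=%d no_ssl3=%d misfire=%d\n", c.headers_found,
           c.is_libressl, c.has_set_curves, c.no_ssl2, c.no_ssl3, version_guard_misfires(&c));
    return 0;
}
```

A code path wrapped in `#ifdef SSL_CTRL_SET_CURVES` compiles against either library, whereas one gated only on the version number depends on the emulating library defining every token of the version it reports.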


Re: [Interest] Qt5 and libressl

2015-11-12 Thread Thiago Macieira
On Thursday 12 November 2015 16:29:03 René J.V. Bertin wrote:
> Hello,
> 
> Rebuilding Qt 5.5.0 with libressl 2.2.4 installed instead of openssl I got
> this error:
> 
> qt-everywhere-opensource-src-5.5.0/qtbase/src/network/ssl/qsslcontext_openssl.cpp:347:33:
>  error: ‘SSL_CTRL_SET_CURVES’ was not declared in this scope
> SSL_CTRL_SET_CURVES,
>  ^
> make[3]: *** [.obj/qsslcontext_openssl.o] Error 1
> 
> 
> From the looks of it, libressl emulates a recent enough openssl version to
> activate the code that refers to SSL_CTRL_SET_CURVES, but doesn't actually
> provide the token.
> 
> Is there an official position regarding building Qt 5 against libressl?

Our current position is "our code is written for OpenSSL". If you want to use 
something that emulates OpenSSL, the burden is on you to make sure it's a good 
emulation.

-- 
Thiago Macieira - thiago.macieira (AT) intel.com
  Software Architect - Intel Open Source Technology Center
