Re: [Interest] Qt5 and libressl
On Saturday November 14 2015 01:49:16 Allan Sandfeld Jensen wrote:

>> A question that came up in a parallel discussion: why does Qt still support
>> SSL2 and SSL3, or why aren't the respective OPENSSL_NO_SSL* tokens defined
>> by default?
>>
>Because those are defined by OpenSSL and not Qt? If you use an OpenSSL where

OK, that explains why I couldn't find any trace of defining OPENSSL_NO_SSL* in Qt's code.

>they are not defined Qt will still not use SSL2 or SSL3 by default unless you

Yes, I saw that. What can be confusing is when you run a Qt with libraries built on a host where the methods are available but deployed on a host where they are not. You get a warning about missing methods which originates from the RESOLVE_FUNCTION macro, but apparently can be ambiguous.

>force it. If you build with OpenSSL without (which is the most common), you
>can't even force Qt to use it, but it still doesn't change the default.

Still, the actual question was not about those tokens but the fact SSL2 and SSL3 support could still be built in, because (quoting in my own words) "it's been 20 years we know that no software should still be using those". I'm not a security expert but the answer interests me.

R.
___
Interest mailing list
Interest@qt-project.org
http://lists.qt-project.org/mailman/listinfo/interest

Re: [Interest] Qt5 and libressl
On Friday 13 November 2015 21:55:41 René J. V. Bertin wrote:
> Richard Moore wrote:
> > On 12 November 2015 at 20:14, Diego Iastrubni wrote:
> >> So... the official statement from Qt is that elliptic curves is a ...
> >> "safe" encryption to be used in the wild...?
> >
> > We provide facilities that let you choose which ciphersuites are enabled.
> > We also support plain text.
>
> A question that came up in a parallel discussion: why does Qt still support
> SSL2 and SSL3, or why aren't the respective OPENSSL_NO_SSL* tokens defined
> by default?

Because there may be people with old (and insecure) protocols where this may be needed. We didn't remove the API.

--
Thiago Macieira - thiago.macieira (AT) intel.com
Software Architect - Intel Open Source Technology Center

Re: [Interest] Qt5 and libressl
Richard Moore wrote:

> On 12 November 2015 at 20:14, Diego Iastrubni wrote:
>
>> So... the official statement from Qt is that elliptic curves is a ...
>> "safe" encryption to be used in the wild...?
>>
>>
> We provide facilities that let you choose which ciphersuites are enabled.
> We also support plain text.

A question that came up in a parallel discussion: why does Qt still support SSL2 and SSL3, or why aren't the respective OPENSSL_NO_SSL* tokens defined by default?

R.

Re: [Interest] Qt5 and libressl
On Friday 13 November 2015, René J. V. Bertin wrote:
> Richard Moore wrote:
> > On 12 November 2015 at 20:14, Diego Iastrubni wrote:
> >> So... the official statement from Qt is that elliptic curves is a ...
> >> "safe" encryption to be used in the wild...?
> >
> > We provide facilities that let you choose which ciphersuites are
> > enabled. We also support plain text.
>
> A question that came up in a parallel discussion: why does Qt still support
> SSL2 and SSL3, or why aren't the respective OPENSSL_NO_SSL* tokens defined
> by default?
>
Because those are defined by OpenSSL and not Qt? If you use an OpenSSL where they are not defined Qt will still not use SSL2 or SSL3 by default unless you force it. If you build with OpenSSL without (which is the most common), you can't even force Qt to use it, but it still doesn't change the default.

`Allan

Re: [Interest] Qt5 and libressl
So... the official statement from Qt is that elliptic curves is a ... "safe" encryption to be used in the wild...?

(still remember in college how I was taught that this is a safe encryption because the NSA developed it... and it is fast...)

If this was not clear:
I think that Thiago meant to say: "yea, I know this sux, and we are looking for someone to give us a patch and remove that MIM code".

I might be wrong.

On Thu, Nov 12, 2015 at 8:20 PM, Thiago Macieira wrote:

> On Thursday 12 November 2015 16:29:03 René J.V. Bertin wrote:
> > Hello,
> >
> > Rebuilding Qt 5.5.0 with libressl 2.2.4 installed instead of openssl I got
> > this error:
> >
> > qt-everywhere-opensource-src-5.5.0/qtbase/src/network/ssl/qsslcontext_openssl.cpp:347:33: error: ‘SSL_CTRL_SET_CURVES’ was not declared in this scope
> >     SSL_CTRL_SET_CURVES,
> >     ^
> > make[3]: *** [.obj/qsslcontext_openssl.o] Error 1
> >
> >
> > From the looks of it, libressl emulates a recent enough openssl version to
> > activate the code that refers to SSL_CTRL_SET_CURVES, but doesn't actually
> > provide the token.
> >
> > Is there an official position regarding building Qt 5 against libressl?
>
> Our current position is "our code is written for OpenSSL". If you want to use
> something that emulates OpenSSL, the burden is on you to make sure it's a good
> emulation.
>
> --
> Thiago Macieira - thiago.macieira (AT) intel.com
> Software Architect - Intel Open Source Technology Center

Re: [Interest] Qt5 and libressl
On Thursday 12 November 2015 22:14:38 Diego Iastrubni wrote:
> (still remember in college how I was taught that this is a safe encryption
> because the NSA developed it... and it is fast...)

The same NSA that made changes to the RSA algorithm in the 80s and made it stronger than random occurrence would have allowed for, even if they couldn't then explain how they came up with the parameters.

The same NSA that gave us SELinux.

Just because it's NSA, doesn't mean it's bad.

> If this was not clear:
> I think that Thiago meant to say: "yea, I know this sux, and we are looking
> for someone to give us a patch and remove that MIM code".
>
> I might be wrong.

The project has no position on supporting LibreSSL. If we want to do that, I'd like someone to work with Richard and say "we will test it to make sure it compiles and works".

So volunteers are welcome.

--
Thiago Macieira - thiago.macieira (AT) intel.com
Software Architect - Intel Open Source Technology Center

Re: [Interest] Qt5 and libressl
Thiago Macieira wrote:

> Just because it's NSA, doesn't mean it's bad.

Not the place to be opinionated about such topics here, but I'd say at least one verb in that statement should be in the past tense O:-)

> The project has no position on supporting LibreSSL. If we want to do that, I'd
> like someone to work with Richard and say "we will test it to make sure it
> compiles and works".

FWIW: When I swap out OpenSSL with LibreSSL (on Linux, and yes I know one shouldn't), I see the following when calling qtdiag:

qt.network.ssl: QSslSocket: cannot resolve SSL_set_psk_client_callback
qt.network.ssl: QSslSocket: cannot resolve SSLv2_client_method
qt.network.ssl: QSslSocket: cannot resolve SSLv2_server_method

I *think* those are unlikely to go away after building against LibreSSL unless there's a way to detect while compiling that the functions don't exist.

R.

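[Added example, not part of the thread and not Qt code.] The "cannot resolve" warnings above come from looking up libssl entry points at run time. The script below does the same lookup on the deployment host and separates legacy-protocol entry points, whose absence is the hardened state, from feature entry points that are really missing. The SSLv3 names and the bucket labels are assumptions added here; the thread only lists the three symbols from qtdiag.

```python
import ctypes
import ctypes.util

# Entry points named in the qtdiag warnings above, plus the SSLv3 pair
# (added here as an assumption; the thread only lists the SSLv2 ones).
LEGACY_PROTOCOL = ("SSLv2_client_method", "SSLv2_server_method",
                   "SSLv3_client_method", "SSLv3_server_method")
OPTIONAL_FEATURE = ("SSL_set_psk_client_callback",)


def load_tls_library(path=None):
    """Load libssl from `path`, or the one the linker finds; None if absent."""
    name = path or ctypes.util.find_library("ssl")
    if not name:
        return None
    try:
        return ctypes.CDLL(name)
    except OSError:
        return None


def audit_exports(lib):
    """Split the probed symbols by what their presence or absence means."""
    def exported(sym):
        # ctypes raises AttributeError when dlsym() cannot find the symbol.
        return hasattr(lib, sym)
    return {
        # Present: an application could still be forced onto SSLv2/SSLv3.
        "legacy_still_exported": [s for s in LEGACY_PROTOCOL if exported(s)],
        # Absent: expected on a hardened build; the resolver warning is benign.
        "legacy_removed": [s for s in LEGACY_PROTOCOL if not exported(s)],
        # Absent: a feature the application may rely on is really missing.
        "feature_missing": [s for s in OPTIONAL_FEATURE if not exported(s)],
    }


if __name__ == "__main__":
    lib = load_tls_library()
    if lib is None:
        print("no libssl found on this host")
    else:
        for bucket, symbols in audit_exports(lib).items():
            print(f"{bucket}: {', '.join(symbols) or '-'}")
```
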
Re: [Interest] Qt5 and libressl
On 12 November 2015 at 20:14, Diego Iastrubni wrote:

> So... the official statement from Qt is that elliptic curves is a ...
> "safe" encryption to be used in the wild...?
>
>
We provide facilities that let you choose which ciphersuites are enabled. We also support plain text.

> (still remember in college how I was taught that this is a safe
> encryption because the NSA developed it... and it is fast...)
>
>
Ironic that you're complaining about code that lets you choose if you want the curves the NSA standardised enabled, or just want those developed by others.

> If this was not clear:
> I think that Thiago meant to say: "yea, I know this sux, and we are
> looking for someone to give us a patch and remove that MIM code".
>
> I might be wrong.
>
>
You are. If you have a serious question ask it.

Rich.

> On Thu, Nov 12, 2015 at 8:20 PM, Thiago Macieira <thiago.macie...@intel.com> wrote:
>
>> On Thursday 12 November 2015 16:29:03 René J.V. Bertin wrote:
>> > Hello,
>> >
>> > Rebuilding Qt 5.5.0 with libressl 2.2.4 installed instead of openssl I got
>> > this error:
>> >
>> > qt-everywhere-opensource-src-5.5.0/qtbase/src/network/ssl/qsslcontext_openssl.cpp:347:33: error: ‘SSL_CTRL_SET_CURVES’ was not declared in this scope
>> >     SSL_CTRL_SET_CURVES,
>> >     ^
>> > make[3]: *** [.obj/qsslcontext_openssl.o] Error 1
>> >
>> >
>> > From the looks of it, libressl emulates a recent enough openssl version to
>> > activate the code that refers to SSL_CTRL_SET_CURVES, but doesn't actually
>> > provide the token.
>> >
>> > Is there an official position regarding building Qt 5 against libressl?
>>
>> Our current position is "our code is written for OpenSSL". If you want to use
>> something that emulates OpenSSL, the burden is on you to make sure it's a good
>> emulation.
>>
>> --
>> Thiago Macieira - thiago.macieira (AT) intel.com
>> Software Architect - Intel Open Source Technology Center

Re: [Interest] Qt5 and libressl
On Thu, Nov 12, 2015 at 9:14 PM, Diego Iastrubni wrote:
> So... the official statement from Qt is that elliptic curves is a ... "safe"
> encryption to be used in the wild...?

Where did you get this quote from?

--
Giuseppe D'Angelo

[Interest] Qt5 and libressl
Hello,

Rebuilding Qt 5.5.0 with libressl 2.2.4 installed instead of openssl I got this error:

qt-everywhere-opensource-src-5.5.0/qtbase/src/network/ssl/qsslcontext_openssl.cpp:347:33: error: ‘SSL_CTRL_SET_CURVES’ was not declared in this scope
    SSL_CTRL_SET_CURVES,
    ^
make[3]: *** [.obj/qsslcontext_openssl.o] Error 1

From the looks of it, libressl emulates a recent enough openssl version to activate the code that refers to SSL_CTRL_SET_CURVES, but doesn't actually provide the token.

Is there an official position regarding building Qt 5 against libressl?

R.

Re: [Interest] Qt5 and libressl
On Thursday 12 November 2015 16:29:03 René J.V. Bertin wrote:
> Hello,
>
> Rebuilding Qt 5.5.0 with libressl 2.2.4 installed instead of openssl I got
> this error:
>
> qt-everywhere-opensource-src-5.5.0/qtbase/src/network/ssl/qsslcontext_openssl.cpp:347:33: error: ‘SSL_CTRL_SET_CURVES’ was not declared in this scope
>     SSL_CTRL_SET_CURVES,
>     ^
> make[3]: *** [.obj/qsslcontext_openssl.o] Error 1
>
>
> From the looks of it, libressl emulates a recent enough openssl version to
> activate the code that refers to SSL_CTRL_SET_CURVES, but doesn't actually
> provide the token.
>
> Is there an official position regarding building Qt 5 against libressl?

Our current position is "our code is written for OpenSSL". If you want to use something that emulates OpenSSL, the burden is on you to make sure it's a good emulation.

--
Thiago Macieira - thiago.macieira (AT) intel.com
Software Architect - Intel Open Source Technology Center