Re: [nmh-workers] Making OpenSSL 1.0.2 minimum version
Ken Hornstein wrote in <20190627175008.639987b...@pb-smtp21.pobox.com>:
|>Thinking about it, the "ext" in SSL_set_tlsext_host_name
|>could appear strange in five years from now.
|
|As opposed to the REST of the OpenSSL API? :-)

..seen that way.. But the problem is real:

  #?0|kent:$ grep -ri deprecated /usr/include/openssl/|wc -l
  85

And this lists prominent things like and as new as TLSv1_2_XY().

--steffen
|
|Der Kragenbaer,                The moon bear,
|der holt sich munter           he cheerfully and one by one
|einen nach dem anderen runter  wa.ks himself off
|(By Robert Gernhardt)

--
nmh-workers
https://lists.nongnu.org/mailman/listinfo/nmh-workers
Re: [nmh-workers] Making OpenSSL 1.0.2 minimum version
>Thinking about it, the "ext" in SSL_set_tlsext_host_name
>could appear strange in five years from now.

As opposed to the REST of the OpenSSL API? :-)

--Ken
Re: [nmh-workers] Making OpenSSL 1.0.2 minimum version
Ken Hornstein wrote in <20190627171410.ea24e7b...@pb-smtp21.pobox.com>:
|>I use that protected via
|>
|>  #ifdef SSL_CTRL_SET_TLSEXT_HOSTNAME
|
|I did see that ... but I also was worried that since OpenSSL makes no
|guarantees that this define will stick around in the future, depending
|on that may come back to bite me.  I'd rather simply just put it in
|unconditionally and force everyone to be using 1.0.0 or newer.

Fair enough.  Though I am afraid that regarding OpenSSL bit rot will
have to be expected; the _CTRL_ series looked the most stable to me.
Thinking about it, the "ext" in SSL_set_tlsext_host_name could appear
strange in five years from now.

Btw. I was lazy and simply call this function, even if SSLv3 was still
around by then (more than today): OpenSSL and derivatives do not perform
any checks, it is just that the hostname set will be used for SNI if
possible, and not otherwise.  Unlikely this has changed.  (Despite that
no one uses SSLv3 any more.)

--steffen
Re: [nmh-workers] Making OpenSSL 1.0.2 minimum version
>I use that protected via
>
>  #ifdef SSL_CTRL_SET_TLSEXT_HOSTNAME

I did see that ... but I also was worried that since OpenSSL makes no
guarantees that this define will stick around in the future, depending
on that may come back to bite me.  I'd rather simply just put it in
unconditionally and force everyone to be using 1.0.0 or newer.

--Ken
Re: [nmh-workers] Making OpenSSL 1.0.2 minimum version
Ken Hornstein wrote:
> When researching the issue Michael Richardson brought up today, it made
> me realize we really should be calling SSL_set_tlsext_host_name() so we
> send the TLS extension "server name indicator".  Which is easy, it's
> literally one line of code.  But that makes me ask a larger question: we
> have some autoconf goo to support older libraries (pre OpenSSL 1.0.2)
> that didn't support the function X509_VERIFY_PARAM_set1_host(), and I
> lack the energy to research if SSL_set_tlsext_host_name() exists in
> pre-1.0.2 OpenSSL.  I think at this point we should consider OpenSSL
> 1.0.2 the minimum supported version of OpenSSL for nmh.  This would
> guarantee we are doing TLS 1.2 everywhere and clean up some #ifdefs.
> Objections?

I concur.  If you have <1.0.2, then you probably don't have useful TLS,
and should build without it.

--
]               Never tell me the odds!                 | ipv6 mesh networks [
]   Michael Richardson, Sandelman Software Works        |    IoT architect   [
]     m...@sandelman.ca  http://www.sandelman.ca/        |   ruby on rails    [
Re: [nmh-workers] Making OpenSSL 1.0.2 minimum version
>That would make RHEL6 users, at least, sad:
>
>$ rpm -q openssl
>openssl-1.0.1e-57.el6.x86_64
>openssl-1.0.1e-57.el6.i686

I feel your pain since we use a lot of CentOS 6 at work, but you don't
have much longer to use it, right?  I think support for it only goes
until next year, unless you pay for extended lifecycle support.  Maybe
we can come out with a newer release of nmh before then, but it's not
like it's tomorrow.

But you motivated me enough to look ... I see that 1.0.1 DOES actually
include the necessary function (SSL_set_tlsext_host_name()).  It looks
like that was added for 1.0.0.

>I am not exactly confident that replacing that with 1.0.2 or later would
>be feasible --- didn't they break ABI to some extent in that revision?

Ummm 'maybe'.  There is no ABI compatibility guarantee, that is for
sure.  It looks like what bit us was that going from 1.0.2 to 1.1.0 a
library function (SSL_library_init) was turned into a macro.  But there
is nothing stopping you from installing a newer OpenSSL into /usr/local
and linking nmh against that; it wouldn't conflict with anything
installed.

I feel that since SSL_set_tlsext_host_name() has been around for
approximately forever I'm fine with just adding it and assuming that
everyone is at 1.0.0 or newer (but I just know someone will show up
still using 0.9.8).  But it does beg a larger question ... should we
still force a minimum version of 1.0.2?  The reason I ask is our current
code has an #ifdef for the function X509_VERIFY_PARAM_set1_host() which
controls the verification of the name of the server certificate against
the passed-in hostname, which is pretty important; without that no
hostname verification of the server certificate is done.  I don't know
if we think this is important enough that we require nmh have this
functionality or not (you can always turn it off with a command line
switch).

--Ken
Re: [nmh-workers] Making OpenSSL 1.0.2 minimum version
Ken Hornstein wrote in <20190627150420.4ff107a...@pb-smtp21.pobox.com>:
|Everyone,
|
|When researching the issue Michael Richardson brought up today, it made
|me realize we really should be calling SSL_set_tlsext_host_name() so we
|send the TLS extension "server name indicator".  Which is easy, it's
|literally one line of code.  But that makes me ask a larger question: we
|have some autoconf goo to support older libraries (pre OpenSSL 1.0.2)
|that didn't support the function X509_VERIFY_PARAM_set1_host(), and I
|lack the energy to research if SSL_set_tlsext_host_name() exists in
|pre-1.0.2 OpenSSL.  I think at this point we should consider OpenSSL
|1.0.2 the minimum supported version of OpenSSL for nmh.  This would
|guarantee we are doing TLS 1.2 everywhere and clean up some #ifdefs.
|Objections?

I use that protected via

  #ifdef SSL_CTRL_SET_TLSEXT_HOSTNAME

which seems to work everywhere I tried.

--steffen
Re: [nmh-workers] Making OpenSSL 1.0.2 minimum version
Ken Hornstein writes:
> I think at this point we should consider OpenSSL
> 1.0.2 the minimum supported version of OpenSSL for nmh.  This would
> guarantee we are doing TLS 1.2 everywhere and clean up some #ifdefs.
> Objections?

That would make RHEL6 users, at least, sad:

$ rpm -q openssl
openssl-1.0.1e-57.el6.x86_64
openssl-1.0.1e-57.el6.i686

I am not exactly confident that replacing that with 1.0.2 or later would
be feasible --- didn't they break ABI to some extent in that revision?

regards, tom lane
Re: [nmh-workers] Making OpenSSL 1.0.2 minimum version
>I think at this point we should consider OpenSSL
>1.0.2 the minimum supported version of OpenSSL for nmh.  This would
>guarantee we are doing TLS 1.2 everywhere and clean up some #ifdefs.
>Objections?

One additional thing ... writing the code to check the version of
OpenSSL is a mild to moderate pain.  It seems like most people are
slowly switching to pkg-config for things like this.  What do people
think of using pkg-config for this?  OpenSSL 1.0.2 distributes a
pkg-config file so it sure seems like every instance of it would include
it (that would make pkg-config a build-time dependency if you wanted
openssl support, though).

--Ken
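The version check that Ken calls a "mild to moderate pain", and the 1.0.0 / 1.0.2 / 1.1.0 thresholds discussed earlier in the thread, come down to one number: OPENSSL_VERSION_NUMBER. The following is an added example, not nmh code and not part of any message in the thread. It encodes the version strings that appear in the thread (the RHEL6 "1.0.1e" package, a 1.0.2 letter release, `openssl version` style output) into the layout that opensslv.h documents, 0xMNNFFPPSL for the 1.x series and 0xMNN00PPSL for 3.x, and compares them against the two thresholds the thread cares about. The macro names NMH_MIN_OPENSSL and SNI_MIN_OPENSSL and all function names are mine; the sample inputs are constructed. If the OpenSSL headers happen to be installed, the block also reports the version it was compiled against, without linking any OpenSSL library.

```c
/*
 * Added example (not nmh code): encode, decode and compare OpenSSL's
 * OPENSSL_VERSION_NUMBER.  Layout, as documented in opensslv.h:
 *   1.x series:  0xMNNFFPPSL  M=major, NN=minor, FF=fix, PP=patch letter (a=1), S=status
 *   3.x series:  0xMNN00PPSL  PP=patch number, FF always 0
 * S is 0xf for a release build and 0x0 for a pre-release build, so a
 * plain numeric compare orders releases correctly across every field.
 */
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* opensslv.h is header-only, so including it when present adds no link dependency. */
#if defined(__has_include)
# if __has_include(<openssl/opensslv.h>)
#  include <openssl/opensslv.h>
# endif
#endif

/* Hypothetical names for the two thresholds the thread discusses. */
#define NMH_MIN_OPENSSL 0x1000200fL   /* 1.0.2 release: X509_VERIFY_PARAM_set1_host() */
#define SNI_MIN_OPENSSL 0x1000000fL   /* 1.0.0 release: SSL_set_tlsext_host_name()   */

/* Parse "1.0.2k", "OpenSSL 1.0.1e-fips 11 Feb 2013" or "3.0.7" into the
 * OPENSSL_VERSION_NUMBER encoding.  Returns 0 if no version is found. */
long openssl_version_from_string(const char *s)
{
    unsigned long maj = 0, min = 0, fix = 0, patch = 0;
    int n = 0;

    if (strncmp(s, "OpenSSL ", 8) == 0)          /* `openssl version` output */
        s += 8;
    if (sscanf(s, "%lu.%lu.%lu%n", &maj, &min, &fix, &n) != 3)
        return 0;
    s += n;
    if (maj < 1 || maj > 15 || min > 255 || fix > 255)
        return 0;
    if (maj >= 3)                                 /* 3.x: third component is the patch */
        return (long)((maj << 28) | (min << 20) | (fix << 4) | 0xf);
    if (islower((unsigned char)*s))               /* 1.x: optional patch letter, a=1 .. z=26 */
        patch = (unsigned long)(*s - 'a' + 1);
    return (long)((maj << 28) | (min << 20) | (fix << 12) | (patch << 4) | 0xf);
}

/* Render a version number back as "1.0.2k" / "3.0.7" style text. */
int openssl_version_to_string(long v, char *buf, size_t len)
{
    unsigned long n = (unsigned long)v;
    unsigned maj = (n >> 28) & 0xf, min = (n >> 20) & 0xff;
    unsigned fix = (n >> 12) & 0xff, pp = (n >> 4) & 0xff;

    if (maj >= 3)
        return snprintf(buf, len, "%u.%u.%u", maj, min, pp);
    if (pp && pp <= 26)
        return snprintf(buf, len, "%u.%u.%u%c", maj, min, fix, 'a' + (int)pp - 1);
    return snprintf(buf, len, "%u.%u.%u", maj, min, fix);
}

/* The gate itself.  A 1.0.2 beta (status nibble 0) is correctly rejected
 * by a 0x1000200fL minimum; 1.0.2a and later pass. */
int openssl_at_least(long have, long want)
{
    return have != 0 && have >= want;
}

/* Version this file was compiled against, or 0 when no OpenSSL headers were found. */
long openssl_build_version(void)
{
#ifdef OPENSSL_VERSION_NUMBER
    return (long)OPENSSL_VERSION_NUMBER;
#else
    return 0;
#endif
}

int main(void)
{
    /* Constructed sample inputs; the first is the RHEL6 package from the thread. */
    const char *samples[] = { "1.0.1e", "1.0.2k", "OpenSSL 1.1.1w  11 Sep 2023", "3.0.7" };
    char buf[32];
    size_t i;

    for (i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        long v = openssl_version_from_string(samples[i]);
        openssl_version_to_string(v, buf, sizeof buf);
        printf("%-30s -> 0x%08lxL (%s): SNI %s, hostname check %s\n", samples[i], v, buf,
               openssl_at_least(v, SNI_MIN_OPENSSL) ? "yes" : "no",
               openssl_at_least(v, NMH_MIN_OPENSSL) ? "yes" : "no");
    }
    if (openssl_build_version())
        printf("compiled against OPENSSL_VERSION_NUMBER 0x%08lxL\n", openssl_build_version());
    return 0;
}
```

Inside a C source the same gate is a one-liner, `#if OPENSSL_VERSION_NUMBER < 0x1000200fL` followed by `#error`, and with pkg-config the comparison is done for you: `pkg-config --atleast-version=1.0.2 openssl` at the shell, or `PKG_CHECK_MODULES([OPENSSL], [openssl >= 1.0.2])` in configure.ac. Whichever mechanism is used, the reason 1.0.2 is the threshold worth enforcing is the one Ken gives: SSL_set_tlsext_host_name() only sends the name in the SNI extension and verifies nothing, whereas X509_VERIFY_PARAM_set1_host() on the parameters from SSL_get0_param() (both new in 1.0.2) makes the library reject a certificate whose names do not match the host the client asked for.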