Re: ./config and -no-zlib

2012-12-30 Thread Dr. Stephen Henson
On Sat, Dec 29, 2012, Dr. Stephen Henson wrote:

 On Fri, Dec 28, 2012, Jeffrey Walton wrote:
 
  On Fri, Dec 28, 2012 at 3:23 PM, Michael Mueller abaci@gmail.com 
  wrote:
   I was going to do this:
  
   SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv2 | SSL_OP_NO_COMPRESSION);
  Yeah, it looks like that's the option. I would prefer to remove the
  code paths altogether though.
  
  If the code path does not exist, it cannot be executed.
  
 
 Unless OpenSSL has been built with the zlib or zlib-dynamic option it won't use
 zlib. Since that's the only compression method standardised for SSL/TLS it
 effectively disables compression for SSL/TLS as a side effect as there are no
 compression methods available.
 

Ugh, that'll teach me not to do a make clean first. Correction:

If you use no-comp it will remove the compression library from OpenSSL
entirely but due to a bug (fix just committed) you'll get a linker error.

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
__
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org


Re: ./config and -no-zlib

2012-12-30 Thread Jeffrey Walton
On Sun, Dec 30, 2012 at 11:06 AM, Dr. Stephen Henson st...@openssl.org wrote:
 On Sat, Dec 29, 2012, Dr. Stephen Henson wrote:

 On Fri, Dec 28, 2012, Jeffrey Walton wrote:

  On Fri, Dec 28, 2012 at 3:23 PM, Michael Mueller abaci@gmail.com 
  wrote:
   I was going to do this:
  
   SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv2 | SSL_OP_NO_COMPRESSION);
  Yeah, it looks like that's the option. I would prefer to remove the
  code paths altogether though.
 
  If the code path does not exist, it cannot be executed.
 

 Unless OpenSSL has been built with the zlib or zlib-dynamic option it won't use
 zlib. Since that's the only compression method standardised for SSL/TLS it
 effectively disables compression for SSL/TLS as a side effect as there are no
 compression methods available.


 Ugh, that'll teach me not to do a make clean first. Correction:

 If you use no-comp it will remove the compression library from OpenSSL
 entirely but due to a bug (fix just committed) you'll get a linker error.
Thanks Doctor.

Does OpenSSL have a web front-end on its version control system so I
can copy/paste the relevant changes for the commit? I'm trying to avoid
moving too far away from 1.0.1c proper (May 10, 2012) since it is
advertised on the download page (http://www.openssl.org/source/).

Jeff


Re: ./config and -no-zlib

2012-12-30 Thread Dr. Stephen Henson
On Sun, Dec 30, 2012, Jeffrey Walton wrote:

 On Sun, Dec 30, 2012 at 11:06 AM, Dr. Stephen Henson st...@openssl.org 
 wrote:
  On Sat, Dec 29, 2012, Dr. Stephen Henson wrote:
 
  On Fri, Dec 28, 2012, Jeffrey Walton wrote:
 
   On Fri, Dec 28, 2012 at 3:23 PM, Michael Mueller abaci@gmail.com 
   wrote:
    I was going to do this:
   
    SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv2 | SSL_OP_NO_COMPRESSION);
   Yeah, it looks like that's the option. I would prefer to remove the
   code paths altogether though.
  
   If the code path does not exist, it cannot be executed.
  
 
  Unless OpenSSL has been built with the zlib or zlib-dynamic option it won't use
  zlib. Since that's the only compression method standardised for SSL/TLS it
  effectively disables compression for SSL/TLS as a side effect as there are no
  compression methods available.
 
 
  Ugh, that'll teach me not to do a make clean first. Correction:
 
  If you use no-comp it will remove the compression library from OpenSSL
  entirely but due to a bug (fix just committed) you'll get a linker error.
 Thanks Doctor.
 
 Does OpenSSL have a web front-end on its version control system so I
 can copy/paste the relevant changes for the commit? I'm trying to avoid
 moving too far away from 1.0.1c proper (May 10, 2012) since it is
 advertised on the download page (http://www.openssl.org/source/).
 

Yes you can use the CVS web interface. For this fix the URL is:

http://cvs.openssl.org/chngview?cn=23221

The actual patch can be downloaded from:

http://cvs.openssl.org/patchset?cn=23221

This should just work with patch -p1.

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org


Re: ./config and -no-zlib

2012-12-28 Thread Michael Mueller
I compiled OpenSSL with no-zlib

here is ldd of my client:

 ldd client
linux-vdso.so.1 =>  (0x7fff059ff000)
libssl.so.1.0.0 => /lib64/libssl.so.1.0.0 (0x7fefccdc9000)
libcrypto.so.1.0.0 => /lib64/libcrypto.so.1.0.0 (0x7fefcca17000)
libpthread.so.0 => /lib64/libpthread.so.0 (0x7fefcc7fa000)
libc.so.6 => /lib64/libc.so.6 (0x7fefcc48d000)
libdl.so.2 => /lib64/libdl.so.2 (0x7fefcc289000)
libz.so.1 => /lib64/libz.so.1 (0x7fefcc071000)
/lib64/ld-linux-x86-64.so.2 (0x7fefcd025000)

it is still using the default libraries; when the client runs in this
environment, it suggests 2 compression methods in the handshake (NULL, and
)

then I change the LD_LIBRARY_PATH env and run again:

 export LD_LIBRARY_PATH=/home/mike02/wrk/openssl/lib
 ldd client
linux-vdso.so.1 =>  (0x7fff42cfa000)
libssl.so.1.0.0 => /home/mike02/wrk/openssl/lib/libssl.so.1.0.0 (0x7f76caf15000)
libcrypto.so.1.0.0 => /home/mike02/wrk/openssl/lib/libcrypto.so.1.0.0 (0x7f76cab34000)
libpthread.so.0 => /lib64/libpthread.so.0 (0x7f76ca917000)
libc.so.6 => /lib64/libc.so.6 (0x7f76ca5aa000)
libdl.so.2 => /lib64/libdl.so.2 (0x7f76ca3a6000)
/lib64/ld-linux-x86-64.so.2 (0x7f76cb17f000)

and in this environment (note that libz is missing), the client only
suggests 1 compression method (NULL) in the handshake.

So, compiling with no-zlib is not sufficient for turning off compression.
It is also required to take specific actions to use the OpenSSL libraries
compiled with the no-zlib option at runtime.

I expect that by using SSL_OP_NO_COMPRESSION, compression will be suppressed
regardless of the linkage of zlib, but I haven't tested that proposal yet.


On Tue, Dec 25, 2012 at 12:27 PM, Jeffrey Walton noloa...@gmail.com wrote:

 Hi All,

 Is it sufficient to use -no-zlib to turn off SSL/TLS compression? Or
 is compression available through other libraries?

 Jeff
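Michael's check above, counting how many compression methods the client offers in its ClientHello, is the one observation that settles the question no matter which libssl the loader actually picked up. The block below is an added example written for this page, not code from the thread or from OpenSSL: it builds a minimal ClientHello record (constructed sample input, not a real capture; build_client_hello, parse_client_hello_compression, offers_compression and describe are names chosen here) and pulls the compression_methods field out of it the way one would from a packet capture, so the "NULL only" versus "NULL plus zlib" difference he saw can be verified on the bytes that actually went over the wire.

```python
import struct

# TLS compression method ids: 0 is the mandatory "null" method, 1 is DEFLATE
# (RFC 3749, what OpenSSL's zlib support offers), 64 is LZS (RFC 3943).
COMPRESSION_NAMES = {0: "NULL", 1: "DEFLATE (zlib)", 64: "LZS"}

TLS_HANDSHAKE = 0x16
CLIENT_HELLO = 0x01


def build_client_hello(compression_methods, cipher_suites=(0x002F, 0x0035)):
    """Build a minimal TLS 1.0 ClientHello record (constructed sample input,
    not a real capture) offering the given compression method ids."""
    body = struct.pack(">H", 0x0301)                      # client_version
    body += bytes(32)                                     # random (zeroed)
    body += b"\x00"                                       # empty session_id
    suites = b"".join(struct.pack(">H", s) for s in cipher_suites)
    body += struct.pack(">H", len(suites)) + suites       # cipher_suites
    comp = bytes(compression_methods)
    body += struct.pack(">B", len(comp)) + comp           # compression_methods
    handshake = bytes([CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body
    return (bytes([TLS_HANDSHAKE])
            + struct.pack(">HH", 0x0301, len(handshake))
            + handshake)


def parse_client_hello_compression(record):
    """Return the compression method ids a ClientHello record offers.
    Raises ValueError for anything that is not a well-formed ClientHello."""
    if len(record) < 5 or record[0] != TLS_HANDSHAKE:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack(">H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if len(hs) != rec_len or len(hs) < 4 or hs[0] != CLIENT_HELLO:
        raise ValueError("not a complete ClientHello")
    hs_len = int.from_bytes(hs[1:4], "big")
    body = hs[4:4 + hs_len]
    if len(body) != hs_len:
        raise ValueError("truncated ClientHello body")

    pos = 0

    def take(n):
        # Bounds-checked slice: a short message raises instead of IndexError.
        nonlocal pos
        if pos + n > len(body):
            raise ValueError("ClientHello field runs past end of message")
        chunk = body[pos:pos + n]
        pos += n
        return chunk

    take(2 + 32)                                          # client_version, random
    take(take(1)[0])                                      # session_id
    take(struct.unpack(">H", take(2))[0])                 # cipher_suites
    return list(take(take(1)[0]))                         # compression_methods


def offers_compression(record):
    """True if the client offers anything other than the null method, i.e.
    the build-time or runtime knobs did not actually switch compression off."""
    return any(m != 0 for m in parse_client_hello_compression(record))


def describe(record):
    """Human-readable list of the offered methods, e.g. ['DEFLATE (zlib)', 'NULL']."""
    return [COMPRESSION_NAMES.get(m, "unknown(%d)" % m)
            for m in parse_client_hello_compression(record)]


if __name__ == "__main__":
    # The two shapes Michael observed: libz-linked libssl, and the no-zlib build.
    for label, methods in (("zlib-linked build", [1, 0]), ("no-zlib build", [0])):
        rec = build_client_hello(methods)
        verdict = "COMPRESSION OFFERED" if offers_compression(rec) else "ok"
        print(label, describe(rec), verdict)
```

Feed a real ClientHello (the first record the client sends, as captured by tcpdump or an intercepting proxy) to offers_compression(); a client whose OpenSSL honours no-comp, or whose context carries SSL_OP_NO_COMPRESSION, must return False. The parser stops at the compression_methods field, so any extensions that follow it are neither required nor inspected.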



Re: ./config and -no-zlib

2012-12-28 Thread Jeffrey Walton
On Fri, Dec 28, 2012 at 7:48 AM, Michael Mueller abaci@gmail.com wrote:
 I compiled OpenSSL with no-zlib

 ldd client
 linux-vdso.so.1 =>  (0x7fff059ff000)
 libssl.so.1.0.0 => /lib64/libssl.so.1.0.0 (0x7fefccdc9000)
 libcrypto.so.1.0.0 => /lib64/libcrypto.so.1.0.0 (0x7fefcca17000)
 libpthread.so.0 => /lib64/libpthread.so.0 (0x7fefcc7fa000)
 libc.so.6 => /lib64/libc.so.6 (0x7fefcc48d000)
 libdl.so.2 => /lib64/libdl.so.2 (0x7fefcc289000)
 libz.so.1 => /lib64/libz.so.1 (0x7fefcc071000)
 /lib64/ld-linux-x86-64.so.2 (0x7fefcd025000)

 it is still using the default libraries; when the client runs in this
 environment, it suggests 2 compression methods in the handshake (NULL, and
 )

 then I change the LD_LIBRARY_PATH env and run again:

 export LD_LIBRARY_PATH=/home/mike02/wrk/openssl/lib
 ldd client
 linux-vdso.so.1 =>  (0x7fff42cfa000)
 libssl.so.1.0.0 => /home/mike02/wrk/openssl/lib/libssl.so.1.0.0 (0x7f76caf15000)
 libcrypto.so.1.0.0 => /home/mike02/wrk/openssl/lib/libcrypto.so.1.0.0 (0x7f76cab34000)
 libpthread.so.0 => /lib64/libpthread.so.0 (0x7f76ca917000)
 libc.so.6 => /lib64/libc.so.6 (0x7f76ca5aa000)
 libdl.so.2 => /lib64/libdl.so.2 (0x7f76ca3a6000)
 /lib64/ld-linux-x86-64.so.2 (0x7f76cb17f000)

 and in this environment (note that libz is missing), the client only
 suggests 1 compression method (NULL) in the handshake.

 So, compiling with no-zlib is not sufficient for turning off compression.
 It is also required to take specific actions to use the openssl libraries
 compiled with the no-zlib option at runtime.

 I expect that by using SSL_OP_NO_COMPRESSION, compression will be suppressed
 regardless of the linkage of zlib, but I haven't tested that proposal yet.
This is bad news. I believe the redefinition is because I built the
FIPS Object Module first according to the Security Policy (give or
take). That meant no knob turning whatsoever, and I had to invoke
'configure' with no arguments.

Then, when it came time for FIPS Capable OpenSSL:

./config --openssldir=/usr/local/ssl/iphoneos/
--with-fipsdir=/usr/local/ssl/iphoneos/ -no-dtls -no-hw -no-zlib
-no-shared -no-dso -DSSL_OP_NO_COMPRESSION

which eventually results in:

...
../../util/domd ../.. -MD
/Applications/Xcode.app/Contents/Developer/Platforms/iPhoneOS.platform/Developer/usr/bin/llvm-gcc
-M -- -DOPENSSL_THREADS -D_REENTRANT -DSSL_OP_NO_COMPRESSION -arch
armv7 -O3 -isysroot
/Applications/Xcode.app/Contents/Developer/Platforms/iPhoneOS.platform/Developer/SDKs/iPhoneOS6.0.sdk
-fomit-frame-pointer -fno-common -I.. -I../.. -I../modes -I../asn1
-I../evp -I../../include  -DOPENSSL_NO_DEPRECATED -DOPENSSL_NO_DTLS
-DOPENSSL_NO_EC_NISTP_64_GCC_128 -DOPENSSL_NO_GMP -DOPENSSL_NO_JPAKE
-DOPENSSL_NO_MD2 -DOPENSSL_NO_RC5 -DOPENSSL_NO_RFC3779
-DOPENSSL_NO_SCTP -DOPENSSL_NO_STORE --  srp_lib.c srp_vfy.c
making depend in crypto/cmac...
../../util/domd ../.. -MD
/Applications/Xcode.app/Contents/Developer/Platforms/iPhoneOS.platform/Developer/usr/bin/llvm-gcc
-M -- -DOPENSSL_THREADS -D_REENTRANT -DSSL_OP_NO_COMPRESSION -arch
armv7 -O3 -isysroot
/Applications/Xcode.app/Contents/Developer/Platforms/iPhoneOS.platform/Developer/SDKs/iPhoneOS6.0.sdk
-fomit-frame-pointer -fno-common -I.. -I../.. -I../modes -I../asn1
-I../evp -I../../include  -DOPENSSL_NO_DEPRECATED -DOPENSSL_NO_DTLS
-DOPENSSL_NO_EC_NISTP_64_GCC_128 -DOPENSSL_NO_GMP -DOPENSSL_NO_JPAKE
-DOPENSSL_NO_MD2 -DOPENSSL_NO_RC5 -DOPENSSL_NO_RFC3779
-DOPENSSL_NO_SCTP -DOPENSSL_NO_STORE --  cmac.c cm_ameth.c cm_pmeth.c
making depend in ssl...
In file included from ssl_locl.h:165,
 from s2_meth.c:59:
../include/openssl/ssl.h:583:1: error: SSL_OP_NO_COMPRESSION redefined
command-line: error: this is the location of the previous definition
In file included from ssl_locl.h:165,
 from s2_srvr.c:112:
../include/openssl/ssl.h:583:1: error: SSL_OP_NO_COMPRESSION redefined
command-line: error: this is the location of the previous definition
In file included from ssl_locl.h:165,
 from s2_clnt.c:112:
../include/openssl/ssl.h:583:1: error: SSL_OP_NO_COMPRESSION redefined
command-line: error: this is the location of the previous definition
In file included from ssl_locl.h:165,
 from s2_lib.c:112:
../include/openssl/ssl.h:583:1: error: SSL_OP_NO_COMPRESSION redefined
command-line: error: this is the location of the previous definition
...
[30 or 50 or so duplicate errors removed]
...

command-line: error: this is the location of the previous definition
make[1]: *** [depend] Error 1
make: *** [depend] Error 1

 On Tue, Dec 25, 2012 at 12:27 PM, Jeffrey Walton noloa...@gmail.com wrote:

 Is it sufficient to use -no-zlib to turn off SSL/TLS compression? Or
 is compression available through other libraries?

Re: ./config and -no-zlib

2012-12-28 Thread Michael Mueller
I was going to do this:

SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv2 | SSL_OP_NO_COMPRESSION);


On Fri, Dec 28, 2012 at 3:14 PM, Jeffrey Walton noloa...@gmail.com wrote:

 On Fri, Dec 28, 2012 at 7:48 AM, Michael Mueller abaci@gmail.com
 wrote:
  I compiled OpenSSL with no-zlib
 
  ldd client
  linux-vdso.so.1 =>  (0x7fff059ff000)
  libssl.so.1.0.0 => /lib64/libssl.so.1.0.0 (0x7fefccdc9000)
  libcrypto.so.1.0.0 => /lib64/libcrypto.so.1.0.0 (0x7fefcca17000)
  libpthread.so.0 => /lib64/libpthread.so.0 (0x7fefcc7fa000)
  libc.so.6 => /lib64/libc.so.6 (0x7fefcc48d000)
  libdl.so.2 => /lib64/libdl.so.2 (0x7fefcc289000)
  libz.so.1 => /lib64/libz.so.1 (0x7fefcc071000)
  /lib64/ld-linux-x86-64.so.2 (0x7fefcd025000)
 
  it is still using the default libraries; when the client runs in this
  environment, it suggests 2 compression methods in the handshake (NULL,
 and
  )
 
  then I change the LD_LIBRARY_PATH env and run again:
 
  export LD_LIBRARY_PATH=/home/mike02/wrk/openssl/lib
  ldd client
  linux-vdso.so.1 =>  (0x7fff42cfa000)
  libssl.so.1.0.0 => /home/mike02/wrk/openssl/lib/libssl.so.1.0.0 (0x7f76caf15000)
  libcrypto.so.1.0.0 => /home/mike02/wrk/openssl/lib/libcrypto.so.1.0.0 (0x7f76cab34000)
  libpthread.so.0 => /lib64/libpthread.so.0 (0x7f76ca917000)
  libc.so.6 => /lib64/libc.so.6 (0x7f76ca5aa000)
  libdl.so.2 => /lib64/libdl.so.2 (0x7f76ca3a6000)
  /lib64/ld-linux-x86-64.so.2 (0x7f76cb17f000)
 
  and in this environment (note that libz is missing), the client only
  suggests 1 compression method (NULL) in the handshake.
 
  So, compiling with no-zlib is not sufficient for turning off compression.
  It is also required to take specific actions to use the openssl libraries
  compiled with the no-zlib option at runtime.
 
  I expect that by using SSL_OP_NO_COMPRESSION, compression will be suppressed
  regardless of the linkage of zlib, but I haven't tested that proposal yet.
 This is bad news. I believe the redefinition is because I built the
 FIPS Object Module first according to the Security Policy (give or
 take). That meant no knob turning whatsoever, and I had to invoke
 'configure' with no arguments.

 Then, when it came time for FIPS Capable OpenSSL:

 ./config --openssldir=/usr/local/ssl/iphoneos/
 --with-fipsdir=/usr/local/ssl/iphoneos/ -no-dtls -no-hw -no-zlib
 -no-shared -no-dso -DSSL_OP_NO_COMPRESSION

 which eventually results in:

 ...
 ../../util/domd ../.. -MD

 /Applications/Xcode.app/Contents/Developer/Platforms/iPhoneOS.platform/Developer/usr/bin/llvm-gcc
 -M -- -DOPENSSL_THREADS -D_REENTRANT -DSSL_OP_NO_COMPRESSION -arch
 armv7 -O3 -isysroot

 /Applications/Xcode.app/Contents/Developer/Platforms/iPhoneOS.platform/Developer/SDKs/iPhoneOS6.0.sdk
 -fomit-frame-pointer -fno-common -I.. -I../.. -I../modes -I../asn1
 -I../evp -I../../include  -DOPENSSL_NO_DEPRECATED -DOPENSSL_NO_DTLS
 -DOPENSSL_NO_EC_NISTP_64_GCC_128 -DOPENSSL_NO_GMP -DOPENSSL_NO_JPAKE
 -DOPENSSL_NO_MD2 -DOPENSSL_NO_RC5 -DOPENSSL_NO_RFC3779
 -DOPENSSL_NO_SCTP -DOPENSSL_NO_STORE --  srp_lib.c srp_vfy.c
 making depend in crypto/cmac...
 ../../util/domd ../.. -MD

 /Applications/Xcode.app/Contents/Developer/Platforms/iPhoneOS.platform/Developer/usr/bin/llvm-gcc
 -M -- -DOPENSSL_THREADS -D_REENTRANT -DSSL_OP_NO_COMPRESSION -arch
 armv7 -O3 -isysroot

 /Applications/Xcode.app/Contents/Developer/Platforms/iPhoneOS.platform/Developer/SDKs/iPhoneOS6.0.sdk
 -fomit-frame-pointer -fno-common -I.. -I../.. -I../modes -I../asn1
 -I../evp -I../../include  -DOPENSSL_NO_DEPRECATED -DOPENSSL_NO_DTLS
 -DOPENSSL_NO_EC_NISTP_64_GCC_128 -DOPENSSL_NO_GMP -DOPENSSL_NO_JPAKE
 -DOPENSSL_NO_MD2 -DOPENSSL_NO_RC5 -DOPENSSL_NO_RFC3779
 -DOPENSSL_NO_SCTP -DOPENSSL_NO_STORE --  cmac.c cm_ameth.c cm_pmeth.c
 making depend in ssl...
 In file included from ssl_locl.h:165,
  from s2_meth.c:59:
 ../include/openssl/ssl.h:583:1: error: SSL_OP_NO_COMPRESSION redefined
 command-line: error: this is the location of the previous definition
 In file included from ssl_locl.h:165,
  from s2_srvr.c:112:
 ../include/openssl/ssl.h:583:1: error: SSL_OP_NO_COMPRESSION redefined
 command-line: error: this is the location of the previous definition
 In file included from ssl_locl.h:165,
  from s2_clnt.c:112:
 ../include/openssl/ssl.h:583:1: error: SSL_OP_NO_COMPRESSION redefined
 command-line: error: this is the location of the previous definition
 In file included from ssl_locl.h:165,
  from s2_lib.c:112:
 ../include/openssl/ssl.h:583:1: error: SSL_OP_NO_COMPRESSION redefined
 command-line: error: this is the location of the previous definition
 ...
 [30 or 50 or so duplicate errors removed]
 ...

 command-line: error: this is the location of the previous definition
 make[1]: *** [depend] Error 1
 make: *** [depend] Error 1

  On Tue, 

Re: ./config and -no-zlib

2012-12-28 Thread Jeffrey Walton
On Fri, Dec 28, 2012 at 3:23 PM, Michael Mueller abaci@gmail.com wrote:
 I was going to do this:

 SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv2 | SSL_OP_NO_COMPRESSION);
Yeah, it looks like that's the option. I would prefer to remove the
code paths altogether though.

If the code path does not exist, it cannot be executed.

Jeff

 On Fri, Dec 28, 2012 at 3:14 PM, Jeffrey Walton noloa...@gmail.com wrote:

 On Fri, Dec 28, 2012 at 7:48 AM, Michael Mueller abaci@gmail.com
 wrote:
  I compiled OpenSSL with no-zlib
 
  ldd client
  linux-vdso.so.1 =>  (0x7fff059ff000)
  libssl.so.1.0.0 => /lib64/libssl.so.1.0.0 (0x7fefccdc9000)
  libcrypto.so.1.0.0 => /lib64/libcrypto.so.1.0.0 (0x7fefcca17000)
  libpthread.so.0 => /lib64/libpthread.so.0 (0x7fefcc7fa000)
  libc.so.6 => /lib64/libc.so.6 (0x7fefcc48d000)
  libdl.so.2 => /lib64/libdl.so.2 (0x7fefcc289000)
  libz.so.1 => /lib64/libz.so.1 (0x7fefcc071000)
  /lib64/ld-linux-x86-64.so.2 (0x7fefcd025000)
 
  it is still using the default libraries; when the client runs in this
  environment, it suggests 2 compression methods in the handshake (NULL,
  and
  )
 
  then I change the LD_LIBRARY_PATH env and run again:
 
  export LD_LIBRARY_PATH=/home/mike02/wrk/openssl/lib
  ldd client
  linux-vdso.so.1 =>  (0x7fff42cfa000)
  libssl.so.1.0.0 => /home/mike02/wrk/openssl/lib/libssl.so.1.0.0 (0x7f76caf15000)
  libcrypto.so.1.0.0 => /home/mike02/wrk/openssl/lib/libcrypto.so.1.0.0 (0x7f76cab34000)
  libpthread.so.0 => /lib64/libpthread.so.0 (0x7f76ca917000)
  libc.so.6 => /lib64/libc.so.6 (0x7f76ca5aa000)
  libdl.so.2 => /lib64/libdl.so.2 (0x7f76ca3a6000)
  /lib64/ld-linux-x86-64.so.2 (0x7f76cb17f000)
 
  and in this environment (note that libz is missing), the client only
  suggests 1 compression method (NULL) in the handshake.
 
  So, compiling with no-zlib is not sufficient for turning off
  compression.
  It is also required to take specific actions to use the openssl
  libraries
  compiled with the no-zlib option at runtime.
 
  I expect that by using SSL_OP_NO_COMPRESSION, compression will be suppressed
  regardless of the linkage of zlib, but I haven't tested that proposal yet.
 This is bad news. I believe the redefinition is because I built the
 FIPS Object Module first according to the Security Policy (give or
 take). That meant no knob turning whatsoever, and I had to invoke
 'configure' with no arguments.

 Then, when it came time for FIPS Capable OpenSSL:

 ./config --openssldir=/usr/local/ssl/iphoneos/
 --with-fipsdir=/usr/local/ssl/iphoneos/ -no-dtls -no-hw -no-zlib
 -no-shared -no-dso -DSSL_OP_NO_COMPRESSION

 which eventually results in:

 ...
 ../../util/domd ../.. -MD

 /Applications/Xcode.app/Contents/Developer/Platforms/iPhoneOS.platform/Developer/usr/bin/llvm-gcc
 -M -- -DOPENSSL_THREADS -D_REENTRANT -DSSL_OP_NO_COMPRESSION -arch
 armv7 -O3 -isysroot

 /Applications/Xcode.app/Contents/Developer/Platforms/iPhoneOS.platform/Developer/SDKs/iPhoneOS6.0.sdk
 -fomit-frame-pointer -fno-common -I.. -I../.. -I../modes -I../asn1
 -I../evp -I../../include  -DOPENSSL_NO_DEPRECATED -DOPENSSL_NO_DTLS
 -DOPENSSL_NO_EC_NISTP_64_GCC_128 -DOPENSSL_NO_GMP -DOPENSSL_NO_JPAKE
 -DOPENSSL_NO_MD2 -DOPENSSL_NO_RC5 -DOPENSSL_NO_RFC3779
 -DOPENSSL_NO_SCTP -DOPENSSL_NO_STORE --  srp_lib.c srp_vfy.c
 making depend in crypto/cmac...
 ../../util/domd ../.. -MD

 /Applications/Xcode.app/Contents/Developer/Platforms/iPhoneOS.platform/Developer/usr/bin/llvm-gcc
 -M -- -DOPENSSL_THREADS -D_REENTRANT -DSSL_OP_NO_COMPRESSION -arch
 armv7 -O3 -isysroot

 /Applications/Xcode.app/Contents/Developer/Platforms/iPhoneOS.platform/Developer/SDKs/iPhoneOS6.0.sdk
 -fomit-frame-pointer -fno-common -I.. -I../.. -I../modes -I../asn1
 -I../evp -I../../include  -DOPENSSL_NO_DEPRECATED -DOPENSSL_NO_DTLS
 -DOPENSSL_NO_EC_NISTP_64_GCC_128 -DOPENSSL_NO_GMP -DOPENSSL_NO_JPAKE
 -DOPENSSL_NO_MD2 -DOPENSSL_NO_RC5 -DOPENSSL_NO_RFC3779
 -DOPENSSL_NO_SCTP -DOPENSSL_NO_STORE --  cmac.c cm_ameth.c cm_pmeth.c
 making depend in ssl...
 In file included from ssl_locl.h:165,
  from s2_meth.c:59:
 ../include/openssl/ssl.h:583:1: error: SSL_OP_NO_COMPRESSION redefined
 command-line: error: this is the location of the previous definition
 In file included from ssl_locl.h:165,
  from s2_srvr.c:112:
 ../include/openssl/ssl.h:583:1: error: SSL_OP_NO_COMPRESSION redefined
 command-line: error: this is the location of the previous definition
 In file included from ssl_locl.h:165,
  from s2_clnt.c:112:
 ../include/openssl/ssl.h:583:1: error: SSL_OP_NO_COMPRESSION redefined
 command-line: error: this is the location of the previous definition
 In file included from ssl_locl.h:165,
  from s2_lib.c:112:
 ../include/openssl/ssl.h:583:1: error: SSL_OP_NO_COMPRESSION redefined
 command-line: 

Re: ./config and -no-zlib

2012-12-28 Thread Jeffrey Walton
On Fri, Dec 28, 2012 at 3:14 PM, Jeffrey Walton noloa...@gmail.com wrote:
 On Fri, Dec 28, 2012 at 7:48 AM, Michael Mueller abaci@gmail.com wrote:
 I compiled OpenSSL with no-zlib

 ldd client
 linux-vdso.so.1 =>  (0x7fff059ff000)
 libssl.so.1.0.0 => /lib64/libssl.so.1.0.0 (0x7fefccdc9000)
 libcrypto.so.1.0.0 => /lib64/libcrypto.so.1.0.0 (0x7fefcca17000)
 libpthread.so.0 => /lib64/libpthread.so.0 (0x7fefcc7fa000)
 libc.so.6 => /lib64/libc.so.6 (0x7fefcc48d000)
 libdl.so.2 => /lib64/libdl.so.2 (0x7fefcc289000)
 libz.so.1 => /lib64/libz.so.1 (0x7fefcc071000)
 /lib64/ld-linux-x86-64.so.2 (0x7fefcd025000)

 it is still using the default libraries; when the client runs in this
 environment, it suggests 2 compression methods in the handshake (NULL, and
 )

 then I change the LD_LIBRARY_PATH env and run again:

 export LD_LIBRARY_PATH=/home/mike02/wrk/openssl/lib
 ldd client
 linux-vdso.so.1 =>  (0x7fff42cfa000)
 libssl.so.1.0.0 => /home/mike02/wrk/openssl/lib/libssl.so.1.0.0 (0x7f76caf15000)
 libcrypto.so.1.0.0 => /home/mike02/wrk/openssl/lib/libcrypto.so.1.0.0 (0x7f76cab34000)
 libpthread.so.0 => /lib64/libpthread.so.0 (0x7f76ca917000)
 libc.so.6 => /lib64/libc.so.6 (0x7f76ca5aa000)
 libdl.so.2 => /lib64/libdl.so.2 (0x7f76ca3a6000)
 /lib64/ld-linux-x86-64.so.2 (0x7f76cb17f000)

 and in this environment (note that libz is missing), the client only
 suggests 1 compression method (NULL) in the handshake.

 So, compiling with no-zlib is not sufficient for turning off compression.
 It is also required to take specific actions to use the openssl libraries
 compiled with the no-zlib option at runtime.

 I expect that by using SSL_OP_NO_COMPRESSION, compression will be suppressed
 regardless of the linkage of zlib, but I haven't tested that proposal yet.
 This is bad news. I believe the redefinition is because I built the
 FIPS Object Module first according to the Security Policy (give or
 take). That meant no knob turning whatsoever, and I had to invoke
 'configure' with no arguments.

 Then, when it came time for FIPS Capable OpenSSL:

 ./config --openssldir=/usr/local/ssl/iphoneos/
 --with-fipsdir=/usr/local/ssl/iphoneos/ -no-dtls -no-hw -no-zlib
 -no-shared -no-dso -DSSL_OP_NO_COMPRESSION
Doh, SSL_OP_NO_COMPRESSION is a bit masked option, not a preprocessor
define.



Re: ./config and -no-zlib

2012-12-28 Thread Dr. Stephen Henson
On Fri, Dec 28, 2012, Jeffrey Walton wrote:

 On Fri, Dec 28, 2012 at 3:23 PM, Michael Mueller abaci@gmail.com wrote:
  I was going to do this:
 
  SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv2 | SSL_OP_NO_COMPRESSION);
 Yeah, it looks like that's the option. I would prefer to remove the
 code paths altogether though.
 
 If the code path does not exist, it cannot be executed.
 

Unless OpenSSL has been built with the zlib or zlib-dynamic option it won't use
zlib. Since that's the only compression method standardised for SSL/TLS it
effectively disables compression for SSL/TLS as a side effect as there are no
compression methods available.

If you want to use zlib for other purposes (e.g. the command line option or
CMS) but disable its use for SSL/TLS you'd compile OpenSSL with the
no-comp option but include zlib or zlib-dynamic.

All of the above options apply to the OpenSSL library only: so an application
needs to be linked to that version of OpenSSL to disable compression.

There is also the runtime option SSL_OP_NO_COMPRESSION. That will disable
compression for SSL/TLS even if the application is linked against a version of
OpenSSL with SSL/TLS compression enabled. If the linked version of OpenSSL
already disables SSL/TLS compression that option has no effect.

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
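Steve's distinction above, build-time knobs on the library (zlib, zlib-dynamic, no-comp) versus the per-context runtime bit SSL_OP_NO_COMPRESSION, as an added example that is not from the thread or from OpenSSL's own code: Python's ssl module is a thin wrapper over the same SSL_CTX, and ssl.OP_NO_COMPRESSION is that same option bit, so the runtime side can be shown without a C build. The names make_client_context, permissive_context, compression_disabled, negotiated_compression and library_summary are chosen for this example.

```python
import ssl


def make_client_context():
    """Return a client SSLContext that refuses TLS compression at runtime.

    ssl.OP_NO_COMPRESSION is the Python binding of OpenSSL's
    SSL_OP_NO_COMPRESSION; assigning to ctx.options ends in
    SSL_CTX_set_options() on the underlying SSL_CTX, i.e. the same knob as
    SSL_CTX_set_options(ctx, SSL_OP_NO_COMPRESSION) in C. Python 3.6 and
    later already set this bit by default, so the OR below documents intent
    rather than changing behaviour on current interpreters.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.options |= ssl.OP_NO_COMPRESSION
    return ctx


def permissive_context():
    """The 'before' shape: a context with the runtime bit cleared, which is
    what an application gets if it never sets the option on an older Python
    or clears it. Whether such a context actually compresses then depends
    entirely on how the linked libssl was built (Steve's last paragraph)."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.options &= ~ssl.OP_NO_COMPRESSION   # SSL_CTX_clear_options() underneath
    return ctx


def compression_disabled(ctx):
    """True when the option bit is set: compression is off for every
    connection made from this context, whichever way libssl was built."""
    return bool(ctx.options & ssl.OP_NO_COMPRESSION)


def negotiated_compression(tls_sock):
    """After a handshake, SSLSocket.compression() returns the name of the
    compression method in use or None. For a context from make_client_context(),
    or a libssl built with no-comp / without zlib, this must be None; anything
    else means the plaintext is being compressed before encryption and is a
    finding to raise."""
    return tls_sock.compression()


def library_summary():
    """What can be learnt locally: the libssl the interpreter is linked against
    and the numeric value of the option bit. Whether that library was built with
    zlib or no-comp is not queryable through this API; the definitive check is
    the compression_methods field of the ClientHello on the wire."""
    return {
        "openssl": ssl.OPENSSL_VERSION,
        "option_bit": int(ssl.OP_NO_COMPRESSION),
    }


if __name__ == "__main__":
    print(library_summary())
    print("hardened context disables compression:", compression_disabled(make_client_context()))
    print("permissive context disables compression:", compression_disabled(permissive_context()))
```

compression_disabled() answers only what the runtime knob says: a libssl built with no-comp reports the bit exactly as the application set it, yet has no compression methods to offer either way, which is the "no effect" case in Steve's last sentence. Conversely a permissive context on a zlib-enabled libssl will offer DEFLATE, which is what Michael saw with the stock /lib64 libraries. The ClientHello on the wire is the check that covers both paths.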


Re: ./config and -no-zlib

2012-12-28 Thread Jeffrey Walton
On Fri, Dec 28, 2012 at 6:32 PM, Dr. Stephen Henson st...@openssl.org wrote:
 On Fri, Dec 28, 2012, Jeffrey Walton wrote:

 On Fri, Dec 28, 2012 at 3:23 PM, Michael Mueller abaci@gmail.com wrote:
  I was going to do this:
 
  SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv2 | SSL_OP_NO_COMPRESSION);
 Yeah, it looks like that's the option. I would prefer to remove the
 code paths altogether though.

 If the code path does not exist, it cannot be executed.


 Unless OpenSSL has been built with the zlib or zlib-dynamic option it won't use
 zlib. Since that's the only compression method standardised for SSL/TLS it
 effectively disables compression for SSL/TLS as a side effect as there are no
 compression methods available.

 If you want to use zlib for other purposes (e.g. the command line option or
 CMS) but disable its use for SSL/TLS you'd compile OpenSSL with the
 no-comp option but include zlib or zlib-dynamic.
I think that's what I am looking for. -no-zlib was the proverbial
cannon ball killing the fly.

 All of the above options apply to the OpenSSL library only: so an application
 needs to be linked to that version of OpenSSL to disable compression.

 There is also the runtime option SSL_OP_NO_COMPRESSION. That will disable
 compression for SSL/TLS even if the application is linked against a version of
 OpenSSL with SSL/TLS compression enabled. If the linked version of OpenSSL
 already disables SSL/TLS compression that option has no effect.
Thanks Dr. Henson. I think I need to file a feature request to make
SSL_OP_NO_COMPRESSION a macro too so I can use it during preprocessing
:o

Jeff


./config and -no-zlib

2012-12-26 Thread Jeffrey Walton
Hi All,

Is it sufficient to use -no-zlib to turn off SSL/TLS compression? Or
is compression available through other libraries?

Jeff