Link

2014-08-16 Thread Dominyk Tiller

Apologies, I'm an idiot and forgot to include the discussion link in
the previous email.

That is here: https://github.com/Homebrew/homebrew/pull/31631

Dom
-- 
Sent from Thunderbird for OS X. My PGP public key is automatically
attached to this email.

Default Security Level

2014-08-16 Thread Dominyk Tiller

Hey all,

Over at Homebrew we're considering switching to a -no-ssl2
configuration, given the substantial issues with ssl2.

I'm pretty sure I read somewhere in the OpenSSL documentation that the
recommended default level for compile is level 1, which kills the ssl2
option, but effectively Homebrew has been building with level 0
default thus far.

Did I completely hallucinate the documentation recommendation of
default level 1 security or is that actually somewhere?

Welcome all & any opinions on Homebrew moving away from ssl2. Feel
free to chip in on Github particularly if you feel strongly for or
against this move.

Cheers,

Dom
-- 
Sent from Thunderbird for OS X. My PGP public key is automatically
attached to this email.

Re: Single-Makefile Build Experiment report

2014-08-16 Thread Gisle Vanem

Mike Bland mbl...@acm.org wrote:

> Still, it does look like the single-Makefile results are a win.


Yes, I agree. That's what I've done for years on Win32 (MSVC + MingW) with
this single GNU makefile:
 http://www.watt-32.net/misc/openssl-windows.zip

Actually 2 files; Options.Windows and Makefile.Windows. With an
added apps/heartbleed.c test-program by Rob Stradling.

Use as e.g.:
 make -f Makefile.Windows CC=gcc all

--gv
__
OpenSSL Project http://www.openssl.org
Development Mailing List   openssl-dev@openssl.org
Automated List Manager   majord...@openssl.org


Re: Default Security Level

2014-08-16 Thread Viktor Dukhovni
On Sat, Aug 16, 2014 at 07:45:43AM +0100, Dominyk Tiller wrote:

> I'm pretty sure I read somewhere in the OpenSSL documentation that the
> recommended default level for compile is level 1, which kills the ssl2
> option, but effectively Homebrew has been building with level 0
> default thus far.

SSLv2 is off by default (excluded by the DEFAULT cipherlist), even
without disabling support for it at compile time.

Security levels are only on the master development branch of OpenSSL,
which has not been officially released.  Homebrew users should be
using 1.0.1 or soon 1.0.2 after that is released.

So security levels, whose design IMHO is not yet entirely done,
should not be in the picture at this time.

> Did I completely hallucinate the documentation recommendation of
> default level 1 security or is that actually somewhere?

You may be confusing the master branch with stable releases.

-- 
Viktor.


Re: Default Security Level

2014-08-16 Thread Dominyk Tiller
Ah! That's where my confusion lies, I'm getting myself tied up between
development & stable. Thanks for the clarity on that.

Homebrew is currently on 1.0.1i stable. These are the ssl2 ciphers active:

/usr/local/cellar/openssl/*/bin/openssl ciphers -ssl2
IDEA-CBC-MD5:RC2-CBC-MD5:RC4-MD5:DES-CBC3-MD5:DES-CBC-MD5:EXP-RC2-CBC-MD5:EXP-RC4-MD5

Is that a security concern? Would there be any active consequences to
turning off those remaining -ssl2 ciphers? I tested the change with
pretty much every dependent formula that ships from Homebrew and
didn't encounter any issues. Would we gain any appreciable security by
knocking out those last few ssl2 ciphers?

Cheers,

Dom




Re: Default Security Level

2014-08-16 Thread Ben Laurie
On 16 August 2014 19:50, Dominyk Tiller dominyktil...@gmail.com wrote:
> Ah! That's where my confusion lies, I'm getting myself tied up between
> development & stable. Thanks for the clarity on that.
>
> Homebrew is currently on 1.0.1i stable. These are the ssl2 ciphers active:
>
> /usr/local/cellar/openssl/*/bin/openssl ciphers -ssl2
> IDEA-CBC-MD5:RC2-CBC-MD5:RC4-MD5:DES-CBC3-MD5:DES-CBC-MD5:EXP-RC2-CBC-MD5:EXP-RC4-MD5
>
> Is that a security concern? Would there be any active consequences to
> turning off those remaining -ssl2 ciphers? I tested the change with
> pretty much every dependent formula that ships from Homebrew and
> didn't encounter any issues. Would we gain any appreciable security by
> knocking out those last few ssl2 ciphers?

Err, yes. Almost all of them are weak and some are _very_ weak.

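Ben's verdict on that cipher list can be reproduced from the suite names alone. The following is an added example written for this page, not code from OpenSSL or Homebrew: it parses the colon-separated list that `openssl ciphers` prints (the SSLv2 list from Dominyk's message is embedded as the sample input) and flags each suite by the algorithms named in it. The rule set and the two severity levels are this example's own assumptions, chosen from the documented key and block sizes of each algorithm.

```python
"""Audit an OpenSSL cipher-list string for weak suites.

Added example for this thread; not code from OpenSSL or Homebrew. It parses
the colon-separated form printed by `openssl ciphers` and flags each suite
from the algorithm names it contains.
"""
import re

# The SSLv2 list quoted in the thread (`openssl ciphers -ssl2`, OpenSSL 1.0.1i).
SSL2_CIPHERS = ("IDEA-CBC-MD5:RC2-CBC-MD5:RC4-MD5:DES-CBC3-MD5:DES-CBC-MD5:"
                "EXP-RC2-CBC-MD5:EXP-RC4-MD5")

# (severity, reason, pattern) -- an assumed classification, not OpenSSL's own.
# Severity 2 = broken in practice, 1 = weak or legacy.
RULES = [
    (2, "export-grade cipher (40-bit effective key)",
        re.compile(r"^EXP-")),
    (2, "single DES (56-bit key)",
        re.compile(r"(^|-)DES-CBC-")),            # does not match DES-CBC3
    (1, "RC2 (obsolete, 64-bit block)",
        re.compile(r"(^|-)RC2-")),
    (1, "RC4 stream cipher (keystream biases; prohibited by RFC 7465)",
        re.compile(r"(^|-)RC4-")),
    (1, "MD5-based MAC",
        re.compile(r"-MD5$")),
    (1, "64-bit block cipher (3DES/IDEA): birthday bound reached quickly",
        re.compile(r"(^|-)(DES-CBC3|IDEA-CBC)-")),
]

SEVERITY_NAMES = {2: "very_weak", 1: "weak", 0: "clean"}


def audit_cipher_list(cipher_list: str) -> dict:
    """Map each suite name in `cipher_list` to a list of (severity, reason) hits."""
    findings = {}
    for suite in filter(None, cipher_list.split(":")):
        findings[suite] = [(sev, why) for sev, why, pat in RULES if pat.search(suite)]
    return findings


def summarize(cipher_list: str) -> dict:
    """Count suites by their worst finding: 'very_weak', 'weak' or 'clean'."""
    buckets = {"very_weak": 0, "weak": 0, "clean": 0}
    for hits in audit_cipher_list(cipher_list).values():
        worst = max((sev for sev, _ in hits), default=0)
        buckets[SEVERITY_NAMES[worst]] += 1
    return buckets


if __name__ == "__main__":
    for suite, hits in audit_cipher_list(SSL2_CIPHERS).items():
        print(f"{suite:20s} " + ("; ".join(why for _, why in hits) or "no findings"))
    print(summarize(SSL2_CIPHERS))
```

On the list from the thread every suite carries at least one finding (all seven use an MD5 MAC) and three are export-grade or single DES, which matches "almost all weak, some _very_ weak". The audit is name-based only: it says nothing about the protocol-level problems of SSLv2 itself (no integrity protection of the handshake, which is why RFC 6176 prohibits SSLv2 regardless of cipher), so the stronger fix remains building with no-ssl2 rather than trimming the list.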