Re: [openssl-dev] Fwd: OpenSSL fails to connect to Google on OS X 10.10.3 (Bug Report)
Hi Matt, Thanks for the reply on this, and for backporting the fix to 1.0.2! Having it available to 1.0.1 would be great too, but appreciate the OpenSSL team isn't huge. Is there any timetable on the 1.0.2b release? It seems pulling the following three commits into the 1.0.2a branch and patching: 47daa155a31b0a54ce09ad2ed4d55fad74096dab dfd3322d72a2d49f597b86dab6f37a8cf0f26dbf 6281abc79623419eae6a64768c478272d5d3a426 Does the job. Verification against Google domains with an OS X 10.10.3+ Keychain-generated PEM works great. Usually pretty reluctant to cherry-pick patches on security tools but given the trouble this is causing, am I safe to do so in this situation? Thanks, Dominyk Sent from OS X. If you wish to communicate more securely my PGP Public Key is 0x872524db9d74326c. On 20/04/2015 23:52, Matt Caswell wrote: On 18/04/15 14:30, Dominyk Tiller wrote: Apologies. Either I'm an idiot or autocorrect is feeling amusing today. I meant https://gist.github.com/DomT4/f86618bdfe2f27c8d66a rather than https://gist.github.cok/DomT4/f86618bdfe2f27c8d66a. Sent from OS X. If you wish to communicate more securely my PGP Public Key is 0x872524db9d74326c. Forwarded Message Subject: OpenSSL fails to connect to Google on OS X 10.10.3 (Bug Report) Date: Sat, 18 Apr 2015 14:16:14 +0100 From: Dominyk Tiller dominyktil...@gmail.com To: openssl-dev@openssl.org Apologies that this is kinda badly written. Detailed bug reports aren't my forte. Feel free to ping back questions if detail isn't clear/useful/etc. OS X 10.10.3’s release changed some certs in the Keychain. There’s a full list of changes here: https://gist.github.cok/DomT4/f86618bdfe2f27c8d66a This has caused some chaos with OpenSSL and LibreSSL, in things built against them, using a .pem generated from OS X’s Keychains. The biggest, most popular affected sites are the whole range of Google domains. Google cross-sign their GeoTrust root with an old Equifax root (Equifax Secure Certificate Authority) because a lot of the older clients don’t have the GeoTrust root on their system and would just error out. Have emailed with Adam Langley on the cert errors and essentially Google aren’t going to be able to stop that cross-signing any time soon. According to Adam most SSL clients should go through the cert chain of the domain and hit the GeoTrust cert and verify at that point, if the GeoTrust root exists in a .pem file OpenSSL can find and use, which does exist when generating a PEM from the system Keychains. It’s not supposed to carry on to the Equifax root, but it is, and this is causing breakage on OS X 10.10.3 onwards. Hi Dominyk This is a known issue. It has been fixed in git master for a while. Technically speaking this is not a bug at all. OpenSSL's verification algorithm is working exactly as designed. For that reason a decision was taken not to backport this to existing releases (which only receives bug fixes). However, due to the real problems that this is causing for users, we have changed our mind on this and we have now backported this to 1.0.2. It's in git now and will become available as part of 1.0.2b. Discussions are ongoing with regards to 1.0.1. Regards Matt This problem only exists in OpenSSL and LibreSSL as far as testing goes. It isn’t reproducible with Apple’s Security Framework, or GnuTLS. Interestingly, Apple have done something to their shipped OpenSSL 0.9.8x to fix the problem - If I build OpenSSL 0.9.8x from source and use it, failure, but if I use the one Apple installs the connection verifies and succeeds. Here’s hoping they’ve punted whatever those changes were upstream to you. This is the error you get: == —2015-04-10 16:58:58— https://google.com/ Resolving google.com… 216.58.210.46, 2a00:1450:4009:800::200e Connecting to google.com|216.58.210.46|:443… connected. ERROR: cannot verify google.com’s certificate, issued by ‘CN=Google Internet Authority G2,O=Google Inc,C=US’: Unable to locally verify the issuer’s authority. To connect to google.com insecurely, use `—no-check-certificate’. == How to reproduce: * Install OpenSSL on OS X 10.10.3 or above. I have it installed to /usr/local/opt/openssl - With the sysconfdir in /usr/local/etc. * Generate a PEM file from OS X’s Security Keychain: * security find-certificate -a -p /Library/Keychains/System.keychain sys.pem * security find-certificate -a -p /System/Library/Keychains/SystemRootCertificates.keychain sysroot.pem * cat sys.pem sysroot.pem * mv sysroot.pem /usr/local/etc/openssl * Download and install cURL: * Pass “—with-ssl=/path/to/openssl/dir” and “--with-ca-bundle=/path/to/sysconfdir/openssl/sysroot.pem” to configure. * Run “/path/to/your/installed/curl -I https://google.com” It reproduces with wget, mutt, various other tools
[openssl-dev] OpenSSL fails to connect to Google on OS X 10.10.3 (Bug Report)
Apologies that this is kinda badly written. Detailed bug reports aren't my forte. Feel free to ping back questions if detail isn't clear/useful/etc. OS X 10.10.3’s release changed some certs in the Keychain. There’s a full list of changes here: https://gist.github.cok/DomT4/f86618bdfe2f27c8d66a This has caused some chaos with OpenSSL and LibreSSL, in things built against them, using a .pem generated from OS X’s Keychains. The biggest, most popular affected sites are the whole range of Google domains. Google cross-sign their GeoTrust root with an old Equifax root (Equifax Secure Certificate Authority) because a lot of the older clients don’t have the GeoTrust root on their system and would just error out. Have emailed with Adam Langley on the cert errors and essentially Google aren’t going to be able to stop that cross-signing any time soon. According to Adam most SSL clients should go through the cert chain of the domain and hit the GeoTrust cert and verify at that point, if the GeoTrust root exists in a .pem file OpenSSL can find and use, which does exist when generating a PEM from the system Keychains. It’s not supposed to carry on to the Equifax root, but it is, and this is causing breakage on OS X 10.10.3 onwards. This problem only exists in OpenSSL and LibreSSL as far as testing goes. It isn’t reproducible with Apple’s Security Framework, or GnuTLS. Interestingly, Apple have done something to their shipped OpenSSL 0.9.8x to fix the problem - If I build OpenSSL 0.9.8x from source and use it, failure, but if I use the one Apple installs the connection verifies and succeeds. Here’s hoping they’ve punted whatever those changes were upstream to you. This is the error you get: == —2015-04-10 16:58:58— https://google.com/ Resolving google.com… 216.58.210.46, 2a00:1450:4009:800::200e Connecting to google.com|216.58.210.46|:443… connected. ERROR: cannot verify google.com’s certificate, issued by ‘CN=Google Internet Authority G2,O=Google Inc,C=US’: Unable to locally verify the issuer’s authority. To connect to google.com insecurely, use `—no-check-certificate’. == How to reproduce: * Install OpenSSL on OS X 10.10.3 or above. I have it installed to /usr/local/opt/openssl - With the sysconfdir in /usr/local/etc. * Generate a PEM file from OS X’s Security Keychain: * security find-certificate -a -p /Library/Keychains/System.keychain sys.pem * security find-certificate -a -p /System/Library/Keychains/SystemRootCertificates.keychain sysroot.pem * cat sys.pem sysroot.pem * mv sysroot.pem /usr/local/etc/openssl * Download and install cURL: * Pass “—with-ssl=/path/to/openssl/dir” and “--with-ca-bundle=/path/to/sysconfdir/openssl/sysroot.pem” to configure. * Run “/path/to/your/installed/curl -I https://google.com” It reproduces with wget, mutt, various other tools. If you put the Equifax certificate back, and then rehash, you can make the connection. But the Equifax cert is old, and weak, and Apple aren’t likely to return it to the Keychain. So this problem connecting to Google will persist until the reason for not stopping at and verifying on the GeoTrust root are narrowed down and hopefully fixed. Mozilla are also pressing ahead with removing that Equifax root from their certs, so it’s not a simple case of working around it by switching PEM. -- Sent from OS X. If you wish to communicate more securely my PGP Public Key is 0x872524db9d74326c. signature.asc Description: OpenPGP digital signature ___ openssl-dev mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev
[openssl-dev] Fwd: OpenSSL fails to connect to Google on OS X 10.10.3 (Bug Report)
Apologies. Either I'm an idiot or autocorrect is feeling amusing today. I meant https://gist.github.com/DomT4/f86618bdfe2f27c8d66a rather than https://gist.github.cok/DomT4/f86618bdfe2f27c8d66a. Sent from OS X. If you wish to communicate more securely my PGP Public Key is 0x872524db9d74326c. Forwarded Message Subject: OpenSSL fails to connect to Google on OS X 10.10.3 (Bug Report) Date: Sat, 18 Apr 2015 14:16:14 +0100 From: Dominyk Tiller dominyktil...@gmail.com To: openssl-dev@openssl.org Apologies that this is kinda badly written. Detailed bug reports aren't my forte. Feel free to ping back questions if detail isn't clear/useful/etc. OS X 10.10.3’s release changed some certs in the Keychain. There’s a full list of changes here: https://gist.github.cok/DomT4/f86618bdfe2f27c8d66a This has caused some chaos with OpenSSL and LibreSSL, in things built against them, using a .pem generated from OS X’s Keychains. The biggest, most popular affected sites are the whole range of Google domains. Google cross-sign their GeoTrust root with an old Equifax root (Equifax Secure Certificate Authority) because a lot of the older clients don’t have the GeoTrust root on their system and would just error out. Have emailed with Adam Langley on the cert errors and essentially Google aren’t going to be able to stop that cross-signing any time soon. According to Adam most SSL clients should go through the cert chain of the domain and hit the GeoTrust cert and verify at that point, if the GeoTrust root exists in a .pem file OpenSSL can find and use, which does exist when generating a PEM from the system Keychains. It’s not supposed to carry on to the Equifax root, but it is, and this is causing breakage on OS X 10.10.3 onwards. This problem only exists in OpenSSL and LibreSSL as far as testing goes. It isn’t reproducible with Apple’s Security Framework, or GnuTLS. Interestingly, Apple have done something to their shipped OpenSSL 0.9.8x to fix the problem - If I build OpenSSL 0.9.8x from source and use it, failure, but if I use the one Apple installs the connection verifies and succeeds. Here’s hoping they’ve punted whatever those changes were upstream to you. This is the error you get: == —2015-04-10 16:58:58— https://google.com/ Resolving google.com… 216.58.210.46, 2a00:1450:4009:800::200e Connecting to google.com|216.58.210.46|:443… connected. ERROR: cannot verify google.com’s certificate, issued by ‘CN=Google Internet Authority G2,O=Google Inc,C=US’: Unable to locally verify the issuer’s authority. To connect to google.com insecurely, use `—no-check-certificate’. == How to reproduce: * Install OpenSSL on OS X 10.10.3 or above. I have it installed to /usr/local/opt/openssl - With the sysconfdir in /usr/local/etc. * Generate a PEM file from OS X’s Security Keychain: * security find-certificate -a -p /Library/Keychains/System.keychain sys.pem * security find-certificate -a -p /System/Library/Keychains/SystemRootCertificates.keychain sysroot.pem * cat sys.pem sysroot.pem * mv sysroot.pem /usr/local/etc/openssl * Download and install cURL: * Pass “—with-ssl=/path/to/openssl/dir” and “--with-ca-bundle=/path/to/sysconfdir/openssl/sysroot.pem” to configure. * Run “/path/to/your/installed/curl -I https://google.com” It reproduces with wget, mutt, various other tools. If you put the Equifax certificate back, and then rehash, you can make the connection. But the Equifax cert is old, and weak, and Apple aren’t likely to return it to the Keychain. So this problem connecting to Google will persist until the reason for not stopping at and verifying on the GeoTrust root are narrowed down and hopefully fixed. Mozilla are also pressing ahead with removing that Equifax root from their certs, so it’s not a simple case of working around it by switching PEM. -- Sent from OS X. If you wish to communicate more securely my PGP Public Key is 0x872524db9d74326c. signature.asc Description: OpenPGP digital signature ___ openssl-dev mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev
[openssl-dev] Release Checksums
Hey guys, Is there any chance OpenSSL can start issuing SHA256 checksums with OpenSSL Releases as well as/instead of MD5/SHA1? MD5 isn't great these days, to say the least, and SHA1 has some potential long-term issues. Both MacPorts and Homebrew on OS X use SHA256 to verify downloads, and not displaying the SHA256 upstream makes it harder for OS X package-manager users to verify the checksum independently as desired. Would be appreciated if possible, Cheers, Dom -- Sent from OS X. If you wish to communicate more securely my PGP Public Key is 0x872524db9d74326c. signature.asc Description: OpenPGP digital signature ___ openssl-dev mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev
[openssl-dev] ChaCha20 Poly1305
Hey guys, I wanted to check the status of the two ciphers referenced in the subject in OpenSSL. I thought, for some reason, the ChaCha and Poly cipher support was landing in the 1.0.2 branch, but I can't find the respective folders/headers/etc in the git branch. Was I wildly mistaken in that thought? If it hasn't landed, does anyone know the status of the patch AGL provided a while back? https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=9a8646510b Cheers, Dom -- Sent from OS X. If you wish to communicate more securely my PGP Public Key is 0x872524db9d74326c. signature.asc Description: OpenPGP digital signature ___ openssl-dev mailing list openssl-dev@openssl.org https://mta.openssl.org/mailman/listinfo/openssl-dev
Re: [openssl-dev] OpenSSL Release Strategy and Blog
Yup, Seems to be working fine now. Part of the message signed. Key ID 0x0E604491/ Signed on 25/12/2014 00:02. Cheers, and Merry Christmas, Dom Sent from OS X. If you wish to communicate more securely my PGP Public Key is 0x872524db9d74326c. On 25/12/2014 00:02, Matt Caswell wrote: On 24/12/14 11:37, Yuriy Kaminskiy wrote: Dominyk Tiller wrote: Hey Matt, For some reason, this email is getting flagged as a bad signature by Enigmail. All of your previous emails checked out fine, but this one checked in with a big purple banner on it. His user-agent messed up with line ending (wrapped overly long lines). Signature matched after replacing \n with space at end of lines 10, 9, 5, 4. Ahhh...thanks. I've been trying to figure out what on earth happened. Seems to be a bug in Enigmail. I recently moved my email account to the new OpenSSL infrastructure. With my previous account I had Thunderbird set up to do plain text only email. With my new account I had neglected to untick the HTML option. Thunderbird seems to automatically break long lines in the composition editor when using plaintext, but not with HTML. I suspect that's why I've never had the problem before. Signing this email to check its working ok! Matt ___ openssl-dev mailing list openssl-dev@openssl.org https://mta.opensslfoundation.net/mailman/listinfo/openssl-dev signature.asc Description: OpenPGP digital signature ___ openssl-dev mailing list openssl-dev@openssl.org https://mta.opensslfoundation.net/mailman/listinfo/openssl-dev
Re: [openssl-dev] OpenSSL Release Strategy and Blog
Hey Matt, For some reason, this email is getting flagged as a bad signature by Enigmail. All of your previous emails checked out fine, but this one checked in with a big purple banner on it. Dom Sent from OS X. If you wish to communicate more securely my PGP Public Key is 0x872524db9d74326c. On 23/12/2014 23:49, Matt Caswell wrote: You will have noticed that the OpenSSL 1.0.0 End Of Life Announcement contained a link to the recently published OpenSSL Release Strategy that is available here: https://www.openssl.org/about/releasestrat.html I have put up a blog post on the thinking behind this strategy on the newly created OpenSSL Blog that you may (or may not!) find interesting. It can be found here: https://www.openssl.org/blog/blog/2014/12/23/the-new-release-strategy/ Matt ___ openssl-dev mailing list openssl-dev@openssl.org https://mta.opensslfoundation.net/mailman/listinfo/openssl-dev signature.asc Description: OpenPGP digital signature ___ openssl-dev mailing list openssl-dev@openssl.org https://mta.opensslfoundation.net/mailman/listinfo/openssl-dev
Query
Hey guys, I wanted to query something I saw pop up on the Git earlier: https://git.openssl.org/gitweb/?p=openssl.git;a=commit;h=961d2ddb4b48e0e857a704b0cc6b475d63372419 Does that change imply that right now, without that commit, building without SSLv2 and SSLv3 would remove SSL/TLS support for a connection entirely? Or am I completely misinterpreting that? It's about 5 in the morning here, so forgive me if I'm being a little slow here, heh. Have CC'd in Kurt, as it's his commit. Cheers, Dom -- Sent from OS X. If you wish to communicate more securely my PGP Public Key is 0x872524db9d74326c. __ OpenSSL Project http://www.openssl.org Development Mailing List openssl-dev@openssl.org Automated List Manager majord...@openssl.org
Re: Vuln in SSL 3.0
-BEGIN PGP SIGNED MESSAGE- Hash: SHA512 If there is a threat in SSLv3 it seems almost certain to affect OpenSSL. The upstream dev team not commenting on this is probably fairly standard protocol; I believe they don't comment on anything critical that could be exploited before patches are imminent or available. I guess the situation is Watch this space. Sent from Thunderbird for OS X. My PGP public key is automatically attached to this email. On 14/10/2014 15:19, Krzysztof Kwiatkowski wrote: Hi, Any idea what this is about? Is it a threat for OpenSSL users: http://www.theregister.co.uk/2014/10/14/nasty_ssl_30_vulnerability_to_drop_tomorrow/ Regards, Kris __ OpenSSL Project http://www.openssl.org Development Mailing List openssl-dev@openssl.org Automated List Manager majord...@openssl.org -BEGIN PGP SIGNATURE- Comment: GPGTools - https://gpgtools.org iQIcBAEBCgAGBQJUPU0UAAoJEIclJNuddDJsNYUP/A00vuZ/PUsoIG/rORgw9yvj Gg9IIfybSodxdVpeQeI98z1wxEh4+6p99MYmZTvJ3RnRATrMn2ymjrYbJz4Jj43q 0d3kg3QQCPnPimFkgCo2IwdT/K2TCZl2pAwIOJn5Mo25nGnVL7WpH62PXjtBLpvz Im7WME5W8qzhZ+cHQJA3A+P5ow9q+aS++/bNk/dq80EON4/gyxRvu/BNl+/DmCfw 2SKP57k8huHj5F0voziNPKLPd2RBtgxS9iAEVZ9bmWLLTxdfTfTs19+VZRm2yyXw KFM2DbeWJORrWkxO0yDPS5FNVv54brkmvu8Iu7Ge3fbYNXSAe5SKJMhmwiXone7S XZFLY9KceZjj1jrX9JLDE8Ivp/gp+9W2LrafguZhYnSeZ2SRtx/vDloPDKrv1V/N ny2EudnX+vN6KRMqfpcGc/NR3/ODfkHkXfKVuZ056oPxsSBCFJSzlVl2gDfMTCDV fH+emZEN2lN9okRIbZadNlGy8Ef34ZvX52CzBonA1u30YI/PiSjiC+8l8HxjEDJv VhZSJb2dwMJX/7AtXGcEL9C9avRmfzjFullbaCM5HDnKlwvUC/04HkYuydft66XW VrILhscdrGiBOIiQTaJuiJPBavSQEt8LCYpZOS74icvlB5RzI8Mk8I6V976XzBoS QAGulIxAp/+CYisBYr6j =3vi3 -END PGP SIGNATURE- 0x9D74326C.asc Description: application/pgp-keys 0x9D74326C.asc.sig Description: Binary data
Link
-BEGIN PGP SIGNED MESSAGE- Hash: SHA512 Apologies, I'm an idiot and forgot to include the discussion link in the previous email. That is here: https://github.com/Homebrew/homebrew/pull/31631 Dom - -- Sent from Thunderbird for OS X. My PGP public key is automatically attached to this email. -BEGIN PGP SIGNATURE- Comment: GPGTools - https://gpgtools.org iQIcBAEBCgAGBQJT7v5BAAoJEIclJNuddDJsBMsP/2z0H9bfjwIgOGuhB9rcdOVX 8tQrZWiPGOW+veXnNgOnekscBxApzjqrsMhpmyNR1z5BBb/zkm5IfH7Pq2jlNrfx uiFOCiB4L6eh6FPuqtgFQKu6+zPZkSJczdRlAnTCe80+v/2r7Po+6ueiv+8YF3NU H46zaV+eyT0QIcX8yRRgzqrJAhg6VImhUMN6uZxMouREecSkasVKh7YknlaXyQ9P NkiPEyqwgy+zWJYZPkNgHdp5Yg5oRRdLfWvWHQPS45V8MH7sty5ZFMOEtPRNyOYk WluRNsKRLcfkUnv7/KTa6GQtGhFJFbZ2CCK9BvLer52qIBY6nob772W4YQsBGDZ6 88dgYQWiOOU0Oxk3TDURZwGxwLb7HI04xQOFoIxMQDuSxlRc7YJTCfdCH+hf7AD1 G5CkGfJmn8tDEFjKFPSzzeRWmrBNZ4V85lUPQ8hpF20CvgwxG+jnghFcpCuS0XXJ cCvXWEVBdU0zDqdLGwSOK/5ObN7NLPzKRzaDFvZTr2Nfd8dAe4fZs6c1yCzPdAgb eoSnD1bEg9GqsLn9uRV41YoklPXoeIzWOGC1rH1LAw8+vD+nF2eFOtasiG7x8XSg A+Whia39GO+baz4u2DsXf8hVNyTX9DECVZwVkbWIolrcgnsePWlRTlLl5cnygE4+ sACHCH4gKXVZshryClNP =AULo -END PGP SIGNATURE- 0x9D74326C.asc Description: application/pgp-keys 0x9D74326C.asc.sig Description: Binary data
Default Security Level
-BEGIN PGP SIGNED MESSAGE- Hash: SHA512 Hey all, Over at Homebrew we're considering switching to a -no-ssl2 configuration, given the substantial issues with ssl2. I'm pretty sure I read somewhere in the OpenSSL documentation that the recommended default level for compile is level 1, which kills the ssl2 option, but effectively Homebrew has been building with level 0 default thus far. Did I completely hallucinate the documentation recommendation of default level 1 security or is that actually somewhere? Welcome all any opinions on Homebrew moving away from ssl2. Feel free to chip in on Github particularly if you feel strongly for or against this move. Cheers, Dom - -- Sent from Thunderbird for OS X. My PGP public key is automatically attached to this email. -BEGIN PGP SIGNATURE- Comment: GPGTools - https://gpgtools.org iQIcBAEBCgAGBQJT7v4WAAoJEIclJNuddDJsWqsP/0Eh5pneVf0izGQMICdCy4Nr LdqkSCyqve52LxMqXNRCpkt9KuSw4qTCGK0ZjrneV/trkfvXwFkBtpve0JoDhNuZ hBnfAX8F/rr2MpqVm9r+n2dCV/sO51yZPfW6yALO/97P2kMkRb5DWLskPmitqWDh QqEoC/g0Z0yfToQygVMkPdoMFeBtB5LbMILB4pcjvopaWh9aGh9yFyrORndYl49Y BgYq61PL3MOzfEFXRWGj+C41PoTPCHBWl/20W0Oo7tOpJwjtdGWmaVe9hzIRaOUY tG414UwMynUzy2GO8Elmi/keRQRd8qhFk3vqbsBXSSETfOwNrJaUYyeUe0PWtPvJ csp1qRirCpu3OB8619K6Pqv60+eCmrNoRSt//5J0TWNrEnSaDN1ggwn6AItbeN4k dGKF8yszVqUdlEMdXmjIW4+I0vGGwOs+Hq1OhAyqzRVHHvnh8ngHEgFJqsUUp9zN CtieE1LiiAxAES1tkbP104+b9VgmGCwsbVo03innfsCFbF7Vp7FZw4nxivqeHksI jiisEygyqAHDof3JndBeRIk5w6KFHQmkrPmq3RrqcMjIDqKM5ES49+odBV8bjJ7J DTxhEor/mI03+S2Lyh+HKSDjrM6K3CFh6SnF0tAt4XaG8UkznpctkvAcA0KoWTky twg819iJmGuC7VgpgUzG =1V7i -END PGP SIGNATURE- 0x9D74326C.asc Description: application/pgp-keys 0x9D74326C.asc.sig Description: Binary data
Re: Default Security Level
Ah! That's where my confusion lies, I'm getting myself tied up between development stable. Thanks for the clarity on that. Homebrew is currently on 1.0.1i stable. These are the ssl2 ciphers active: /usr/local/cellar/openssl/*/bin/openssl ciphers -ssl2 IDEA-CBC-MD5:RC2-CBC-MD5:RC4-MD5:DES-CBC3-MD5:DES-CBC-MD5:EXP-RC2-CBC-MD5:EXP-RC4-MD5 Is that a security concern? Would there be any active consequences to turning off those remaining -ssl2 ciphers? I tested the change with pretty much every dependent formula that ships from Homebrew and didn't encounter any issues. Would we gain any appreciable security by knocking out those last few ssl2 ciphers? Cheers, Dom On 16 August 2014 18:05, Viktor Dukhovni openssl-us...@dukhovni.org wrote: On Sat, Aug 16, 2014 at 07:45:43AM +0100, Dominyk Tiller wrote: I'm pretty sure I read somewhere in the OpenSSL documentation that the recommended default level for compile is level 1, which kills the ssl2 option, but effectively Homebrew has been building with level 0 default thus far. SSLv2 is off by default (excluded by the DEFAULT cipherlist), even without disabling support for it at compile time. Security levels are only on the master development branch of OpenSSL, which has not been officially released. Homebrew users should be using 1.0.1 or soon 1.0.2 after than is released. So security levels, whose design IMHO is not yet entirely done, should not be in the picture at this time. Did I completely hallucinate the documentation recommendation of default level 1 security or is that actually somewhere? You may be confusing the master branch with stable releases. -- Viktor. __ OpenSSL Project http://www.openssl.org Development Mailing List openssl-dev@openssl.org Automated List Manager majord...@openssl.org
Re: OS X OpenSSL
-BEGIN PGP SIGNED MESSAGE- Hash: SHA512 Thanks for the reply! Curious they've issued the fix for Yosemite but still left Mavericks potentially vulnerable to the issues disclosed early last month. Sent from Thunderbird for OS X. My PGP public key is automatically attached to this email. On 24/07/2014 17:15, Jason Beck wrote: I'm running the latest updates on 10.9 and I get 0.9.8y. On 7/24/2014 11:09 AM, Dominyk Tiller wrote: Hey all, I noticed something in the latest Yosemite developer preview - Apple has finally updated the OpenSSL that ships with OS X. We remain on the 0.9.8 branch, but 'Openssl version' now gets the response 'OpenSSL 0.9.8za 5 Jun 2014'. I guess this confirms that OS X was vulnerable to the security issues OpenSSL patched and announced in early June, given Apple's extreme reluctance to update OpenSSL at any point other than when absolutely necessary. I don't know however if Mavericks has been patched in the same way. Can anyone on OS X 10.9-10.9.3/10.9.4 run the 'openssl version' command and see what the response is? Curious if only Yosemite has received this fix Mavericks remains vulnerable. It should seem unlikely, but given Apple's history with OpenSSL updates I'm not quite certain either way. I'd still prefer to be using the 1.0.1 branch but at least this seems to close the vulnerabilities exposed last month. Dominyk -BEGIN PGP SIGNATURE- Comment: GPGTools - https://gpgtools.org Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/ iQIcBAEBCgAGBQJT0mZNAAoJEIclJNuddDJsc6kP/2VIZqrzWpa3q3E+K/T3he/S y26N+TvZe8wzjYIDOBE08+m9zs3BMqlpJB2vs15n+fhMuHXxLV30DXN/3+kCm+Ne 8C+QDPKSorSwekQMrJ/ZvqnXZikz/8PYMDw0bu+vV7a8p9l+aIX6Q8uF3UJPlPfG UHY5pVvGWta9Wwl33d5DFjfwMXoISqjuGzgKeLU14oGKCFUEWn773zweMARQ1Q/v zwNylkdoyFKRbqo8SVLly+ops0p70FIAXBVUR6rcCy60wMvs6qdOrkqgfv9QmhsA Vu78hGprai86WbxrAKPmkXNnrbdaBacXwUiBsouCkoJ2BCF3gC3hLG7ZT0H4Cihm +gE5h5wY6G3zX1bNUdiBSZ0eqg9yQdinGBHJQucvYHpFq/D4Al8M8/+kMh4d/iHe n7nEfOqFVmQGmZy+lfkR2iAnzk2l0YcH8VSF+IG1/qoA3/G994J8g0zsnEcu/MyQ TUfMfXZh+BUE5xnVu2nW+AJY8hXBgFo/xaQfh2Oirv52KgA8F0GGBWxnxKq+7Gg4 v69XevK6wmEpLIjPFUEc2gDhvpaoe7bVWJ3VffYBwUvCcAkvhgHAAibmQd30guR2 wUyjTeBVxE3gngAt/qIeFZCgV4QdvMTpYeGtXtLCinVO19wVrdlJjWIsYn0UNNl2 ssf+DvQvqAa2XiiPC8A/ =0oi8 -END PGP SIGNATURE- 0x9D74326C.asc Description: application/pgp-keys 0x9D74326C.asc.sig Description: Binary data
OS X OpenSSL
-BEGIN PGP SIGNED MESSAGE- Hash: SHA512 Hey all, I noticed something in the latest Yosemite developer preview - Apple has finally updated the OpenSSL that ships with OS X. We remain on the 0.9.8 branch, but 'Openssl version' now gets the response 'OpenSSL 0.9.8za 5 Jun 2014'. I guess this confirms that OS X was vulnerable to the security issues OpenSSL patched and announced in early June, given Apple's extreme reluctance to update OpenSSL at any point other than when absolutely necessary. I don't know however if Mavericks has been patched in the same way. Can anyone on OS X 10.9-10.9.3/10.9.4 run the 'openssl version' command and see what the response is? Curious if only Yosemite has received this fix Mavericks remains vulnerable. It should seem unlikely, but given Apple's history with OpenSSL updates I'm not quite certain either way. I'd still prefer to be using the 1.0.1 branch but at least this seems to close the vulnerabilities exposed last month. Dominyk - -- Sent from Thunderbird for OS X. My PGP public key is automatically attached to this email. -BEGIN PGP SIGNATURE- Comment: GPGTools - https://gpgtools.org Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/ iQIcBAEBCgAGBQJT0S+7AAoJEIclJNuddDJsQnoQAI3HmPWOALd+qRu/QApXPeJ5 NdQvEWVYk7eAN/B0dzSL4tj3+C8+2pz7ArA1J9LVEzPbtCVGpo7n+xp+zBDjS3K4 7yjQU8pPdIbbPp0s4oFuCVAL8XqJvH/5/RRZ4yoe3N13Roq64nvfGwvhykKuyGgi uPNE8OgM4xOE5GB8qBUTgyJV7INZ9EfHpJ+xN99OoPM8bgu8QL0rlFUlXCxbfR9a b95SELDQyIVbYsu1vJej4YF/YTOYe0+6kyqRQ2LUVG7XfsMNJEcCCVNXNLbIw1D3 mNNb8NzvW2JKb3kLF22DRTvHvb1bWWPJ9B1+UtPsFlm5AyQx5w0KQ6ozrshIiL8t Nz3cw31H+/VtdqZuZoHO4Ql0glEtPDcA5qFZkv70L7IbVQfpBRCBsx4yBOSy7gCR yX4sB2kcdGaJZXOwCjyM8/Xs2hkCD+aUiMP3SYTDTIzkoC5D1l6PqFv/JocPbZyB otqQ7RJcrinNNKNQk0/U4JllETJG1tt9TyzYW+sPIsbDSUSVN6R7zRopX6FTaiOG l7I03LZcyPNeLm/8ygq0HwArS2jyBYDLqXQ4VsCCFPuuqunV7d5uo/g2RwGkRBSi azL3MPBUW8J3Ljq+jzpkWtF86GHtFomdDHweTFIs/1Py9Dpb5fv7Wou1quIK1I82 SCueTxjlk0sxZxntAUAT =qxWP -END PGP SIGNATURE- 0x9D74326C.asc Description: application/pgp-keys 0x9D74326C.asc.sig Description: Binary data
Re: Website Contribution
-BEGIN PGP SIGNED MESSAGE- Hash: SHA512 Jekyll Sass are another two strong candidates IMO. Dom Sent from Thunderbird for OS X. My PGP public key is automatically attached to this email. On 03/07/2014 20:38, Allan Clark wrote: Hi; I'm a big fan of static pages. They cache easily. They can run from a local disk. What are your thoughts on Doxygen? Allan -BEGIN PGP SIGNATURE- Comment: GPGTools - https://gpgtools.org Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/ iQIcBAEBCgAGBQJTtvlAAAoJEIclJNuddDJs+HAP/0z7lG1kiQheJhzkJu0O79fH 8U8H9AuDiYDnfSEqh1lKHUMF/lIdPUvk5Kcjntd1fOVNZiQ/0pUQP32VMuMmCGYv b9/qlXdJKTe/odxraAf2Zs/YK1sVqMWHpBvKwHMgfG0SW0r87FCYLd5R8j3nnCke xjxPA5ZsqXEB752I7pozSV34ymQqsI64a6Q2fyV8QP8QKkFuCQNKULMY+sTV/yL0 DVs6xjrUNf0NRepA4YFdhaue79UZHQqO0inoFZlGw/0jNBDcD++BpoBvvK2Jf2pZ w2y+U89bvOz9JjoyiHpiVDozJV9UasgqnOpvnkL0yppuav06wLs5kvSLEAnmETIq Ejt9sqfoVno9HGDl/gposmpBgmfR7r0Gvd8AhMQ6T7XH2TxKiHhmP6eveKL0kQx1 +GciscstHgQsbhHrBUhs/TWs9dmLbAiGAOBmLcZApECIoHVIrfHaLw3rupbHr6w0 N71j9ayRWvjIPbGQqfAjwFjENvldqlmnMYaDFDsG9rvcSj4IY730TXmbZhgt3Rm8 V2tL2zvg1lAChjpjJYg6KXoPp8v3/Hu968xuAaNgP4iVr1QaFA8a3qlfUYFM9y7j 8cuWmwco3INFjpwGodfXm1FHh+q7Ohei3RxLT52Mu4e5pcPvMwFCQ/DtiPSyJE40 WRFlPZw5msQLxiAmrbxf =GBPc -END PGP SIGNATURE- 0x9D74326C.asc Description: application/pgp-keys 0x9D74326C.asc.sig Description: Binary data
Re: Website Contribution
-BEGIN PGP SIGNED MESSAGE- Hash: SHA512 If there's genuine interest in modernising the OpenSSL website with HTML CSS instead of wml I'd be willing to code something up. I can't promise to work particularly quickly, but if there's a desire to generate a new website design I'm certainly willing to chuck a decent amount of time into making that happen. I could always make it a Github project and that way folks could just chip in where they wanted to. On copyright grounds we'd probably need permission from Steve H or Steve M to do that on Github, given that we'd be touching the OpenSSL 'brand' and such. Dominyk Sent from Thunderbird for OS X. My PGP public key is automatically attached to this email. On 29/06/2014 04:01, Salz, Rich wrote: The website is written using a tool called wml. It would be great if someone wanted to make it more modern and properly use things like CSS. Then it might make sense to put it into a github repository. Want to volunteer? -- Principal Security Engineer Akamai Technologies, Cambridge, MA IM: rs...@jabber.me; Twitter: RichSalz :��IϮ��r�m(���Z+�7�zZ)���1���x��h���W^��^��%�� -BEGIN PGP SIGNATURE- Comment: GPGTools - https://gpgtools.org Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/ iQIcBAEBCgAGBQJTsF6LAAoJEIclJNuddDJspRgP/0YX6PEHy6oczGtnyaWJYtH8 FRsGE8HA2lZroNEPfTQxJTr+vBsMNf3+rofM2k5BGAkQwhpil/bEW32vzGR/KzZm cr9giZntzLcF+GKIgl7pftJeWUu3F/IVHHdgiMQgjNSgLh7LTRxiQb+s1l4XJHCN 7FSwqASD0Bs4UGRJi955F2NyPmjJ1OkBLDzeoLLrOfc/ez221asy/Aa2YWDRJb78 0gKF8X9sOfChb/Uc4/xnq9imof1X5hfrA6ohRHLiFw9dKKf7Mq44EvgzMAyWjqYC vGURh+vEvQi6v3jvbs7soZPQ43Vm8qdNy8rfPtX5kCQAR+liPLuI/tNVcIqLGhYD LWaOejmqo1wYE7UPfBvxYKuIJFHliFSTCtmfcvbyj4KTLP4jh5B/bipI2ckR3aIb KoaH0mmDi3sAq7P6IRjs4HWHAXbN9trb/t55ocyFKxc8RY1gtdPy6hQghU6RnOx8 MdKe/Y1kpTjFx8e4rroUsU83xciXn73MIeGwsgewisEOKmES9CokXWF+CgFGsAdF J/IB9uNhoy5o3+g73aMDZzH00EjUA84W9/q62OKmB+WC9dXWYSjO+DiQAxhBOOlF w+nT6nft2rHSeKhaWIOwVm+HEPkxp807vuD3htLgykhSOEDV0DKYTtUNm9ZYkErM 2KL4PydPD0WkamgBj4MC =wrlC -END PGP SIGNATURE- 0x9D74326C.asc Description: application/pgp-keys 0x9D74326C.asc.sig Description: Binary data
SSLv2 SSLv3
-BEGIN PGP SIGNED MESSAGE- Hash: SHA512 Hey all, I wondered if you all had an opinion on disabling SSLv2 SSLv3 during the ./configure process, and what kind of impact that'd have for end-users and general compatibility when building against an updated version of OpenSSL. It's a discussion that has generated quite a bit of heat in this discussion over at Homebrew on Github: https://github.com/Homebrew/homebrew/pull/30504 Would appreciate any input clarity on this. Cheers, Dominyk - -- Sent from Thunderbird for OS X. My PGP public key is automatically attached to this email. -BEGIN PGP SIGNATURE- Comment: GPGTools - https://gpgtools.org Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/ iQIcBAEBCgAGBQJTrvyIAAoJEIclJNuddDJspSQP/iQn3cMb7lU/XevNBCcAERue jonKwKruEw8N7JtdlTiMNhF//XR2mqZd1WtFjxRI002Xtt/mEEM5HmYSYPgiD4vc MIZemxyc54Ue2hdVsinGuf2e9vDJSIRXxcX75+MD4dmArtAm/vftd4dVf9sPYUcc YaVgYDOVtzm+G6CkX9tS9eMZIEMwT1wmPJK9aOy/gaHI3hENg09Qlf13dUsP0faK rajWcq6Kc6oIsWrvaKJkIbZzmZqCLhyrrTam11U4nRg60SLova7etMcUeZX563jL u7NeSxgtYTtzGmln6ukqrSRN5/92bLn+X7QZOyisVNAJdOQ3d2V20JxTwtyz8mcq S/m31jYHnP1lU/wJOFWLFdcaJt78OyfNSRiaACUeL+KxQ32UxfMsHhviW8e09Lbp 9pj5DTGFFoj+etAE0OGazgGDpHudIDzbfzIEDwzJszzWbiMcGyv7E1UxYCURpKGQ Vc5zW1/9XZOqEU+BXwhzP8oHFg3IWsZ/Tq+4pKP4LEGSUHZsnmeRDH4NgSb6tTsK JFBvTmHoHv46dAo6y9TWk9K1VdqvRqCrUxzEuNhaHNySBev+atsoAKoeOCRv4ezK c9E9C5l+7HMZhnHrFbaFHN0fmH6kVWG6CiVbamKZDCgl2o8hJJeVtTJSulP4s/Gd u+Ro3OebC842xT6SuzFX =o6LZ -END PGP SIGNATURE- 0x9D74326C.asc Description: application/pgp-keys 0x9D74326C.asc.sig Description: Binary data