Re: [Openvpn-devel] OpenSSL in OpenVPN software to be replaced?

2014-07-21 Thread Gert Doering
Hi,

On Mon, Jul 21, 2014 at 07:17:30PM +0200, Lisa Minogue wrote:
> Hi Samuli and friends:
> 
> This is what I think.

Don't think so much, use google first :)

> Both of us don't know how long it will take for OpenSSL to fix the long list 
> of bugs -some of which are significant- that have accumulated over the years. 
> One year or two years?
> 
> OpenVPN is in the business of providing software that enables secure 
> communications. Can OpenVPN afford to wait one or two years for bugs to be 
> fixed? 

What makes you assume that any of these bugs are security relevant?  

All software has bugs, and of the OpenSSL bugs so far, only two had 
really nasty effects on OpenVPN (heartbleed and the most recent weak
crypto one) and heartbleed only affected users that were on 1.0.1, none 
that were on 0.9.8.  So while one might have opinions on OpenSSL code 
quality and maintainability, its track record is fairly *good* for code 
that has been around for so long.

But we don't have to "wait one or two years".  PolarSSL support is here
*today* - you can build OpenVPN with PolarSSL just fine.  It's just that
the binaries we provide for windows are currently built against OpenSSL,
because nobody extended the windows build environment to build against
PolarSSL.

(If you feel we need windows binaries built with PolarSSL: patches for
the build system are welcome.  We are always short on time, so contributions
are welcome)


> How will OpenVPN address the concerns of its Access Server's customers? Do 
> Access Server software incorporate OpenSSL or PolarSSL?

AS could be built with PolarSSL mostly fine (some functionality is missing
in PolarSSL), and judging from the patches I've seen from James, he is 
working on it.  But for AS, ask your commercial channels, not this list.

OpenVPN Connect on iOS uses PolarSSL already today.

> Hackers and agencies sponsored by their respective governments
> will have a field day disrupting secure communications enabled by
> the use of defective VPN software. Economic espionage will wreak
> havoc on the markets and create unfair competition for those
> countries which are technically and scientifically superior. Human
> rights abuses will be on the increase.

You're welcome to funnel your excitement about the poor state of software
into patches that contribute what you think is missing.  The rest of us
are already busy doing so.


> I accept that substantial portions of the current software code for 
> Windows will have to be rewritten. 

Nothing at all of the *code* needs to be rewritten.  OpenVPN with PolarSSL
support is here today.

What needs to be done is extend the build system to build windows binaries
with PolarSSL - building so for Linux is very easy today, just call

 ./configure --with-crypto-library=polarssl
 make

and you get a polarssl-enabled OpenVPN binary.


> But aren't you also doing it for Access Server customers? Aren't they 
> affected by OpenSSL's bugs?

This is not the AS support channel, so we can't answer questions about AS.

gert

-- 
USENET is *not* the non-clickable part of WWW!
   //www.muc.de/~gert/
Gert Doering - Munich, Germany g...@greenie.muc.de
fax: +49-89-35655025    g...@net.informatik.tu-muenchen.de


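The Linux build recipe Gert gives above produces a binary, but it does not tell you whether the binary you end up running is really the PolarSSL one. The following script is an added example, not code from the thread or from the OpenVPN project: it wraps the two build commands in a function and adds a check that reads the crypto-library tag from the first line of `openvpn --version` (the `[SSL (OpenSSL)]` / `[SSL (PolarSSL)]` form is assumed from 2.3-era builds; confirm it against your own binary) and looks at the binary's `ldd` output for a lingering `libssl`/`libcrypto` dependency. The sample output lines at the top are constructed for the demonstration, not captured from a real build.

```shell
#!/bin/sh
# Added example (not part of the thread): build OpenVPN against PolarSSL on
# Linux as described on the list, then verify which crypto library the
# resulting binary actually uses.

# Constructed sample output (not captured from a real build).
SAMPLE_OPENSSL='OpenVPN 2.3.4 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [EPOLL] [MH] [IPv6] built on Jul 21 2014'
SAMPLE_POLARSSL='OpenVPN 2.3.4 x86_64-pc-linux-gnu [SSL (PolarSSL)] [LZO] [EPOLL] [MH] [IPv6] built on Jul 21 2014'
SAMPLE_LDD='        libpolarssl.so.7 => /usr/lib/libpolarssl.so.7 (0x00007f0000000000)
        liblzo2.so.2 => /usr/lib/liblzo2.so.2 (0x00007f0000100000)'

# Step 1: the build exactly as given in the thread; run it from an OpenVPN
# source tree. It is deliberately not invoked when this file is sourced.
build_with_polarssl() {
    ./configure --with-crypto-library=polarssl && make
}

# Step 2: extract the crypto library name from the first line of
# `openvpn --version`. Assumes the "[SSL (Name)]" tag format; prints the
# name, or "unknown" when no such tag is present.
crypto_lib_of() {
    printf '%s\n' "$1" \
        | sed -n 's/.*\[SSL (\([A-Za-z]*\))\].*/\1/p' \
        | head -n 1 | grep . || echo unknown
}

# Step 3: given `ldd` output, succeed if the binary still links against
# OpenSSL's shared libraries (libssl or libcrypto).
links_openssl() {
    printf '%s\n' "$1" | grep -Eq 'lib(ssl|crypto)\.so'
}

# Put the checks together for a real binary (hypothetical default path is
# where an in-tree build drops it). Succeeds only for a PolarSSL build that
# carries no OpenSSL runtime dependency.
verify_binary() {
    bin="${1:-./src/openvpn/openvpn}"
    lib=$(crypto_lib_of "$("$bin" --version 2>/dev/null | head -n 1)")
    echo "crypto library reported by $bin: $lib"
    if [ "$lib" = "PolarSSL" ] && links_openssl "$(ldd "$bin" 2>/dev/null)"; then
        echo "warning: binary reports PolarSSL but still links libssl/libcrypto" >&2
        return 1
    fi
    [ "$lib" = "PolarSSL" ]
}

# Demonstration on the constructed samples (no build or real binary needed).
echo "sample 1 -> $(crypto_lib_of "$SAMPLE_OPENSSL")"
echo "sample 2 -> $(crypto_lib_of "$SAMPLE_POLARSSL")"
if links_openssl "$SAMPLE_LDD"; then
    echo "sample ldd -> links OpenSSL"
else
    echo "sample ldd -> no OpenSSL dependency"
fi
```

After a real build, `verify_binary ./src/openvpn/openvpn` (or whatever path your tree uses) runs both checks against the binary itself; the `ldd` check matters because a build that picked up OpenSSL headers or libraries from the system can still report one library while linking the other.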


Re: [Openvpn-devel] OpenSSL in OpenVPN software to be replaced?

2014-07-21 Thread Lisa Minogue
Hi Samuli and friends:

This is what I think.

Both of us don't know how long it will take for OpenSSL to fix the long list of 
bugs -some of which are significant- that have accumulated over the years. One 
year or two years?

OpenVPN is in the business of providing software that enables secure 
communications. Can OpenVPN afford to wait one or two years for bugs to be 
fixed? How will OpenVPN address the concerns of its Access Server's customers? 
Do Access Server software incorporate OpenSSL or PolarSSL?

Hackers and agencies sponsored by their respective governments will have a 
field day disrupting secure communications enabled by the use of defective VPN 
software. Economic espionage will wreak havoc on the markets and create unfair 
competition for those countries which are technically and scientifically 
superior. Human rights abuses will be on the increase.

I accept that substantial portions of the current software code for Windows 
will have to be rewritten. But aren't you also doing it for Access Server 
customers? Aren't they affected by OpenSSL's bugs?

Regards.

Lisa


> 
> From: Samuli Seppänen 
> Sent: Mon Jul 21 14:44:11 CEST 2014
> To: Gert Doering , Lisa Minogue 
> Subject: Re: [Openvpn-devel] OpenSSL in OpenVPN software to be replaced?
> 
> 
> > Hi,
> >
> > On Mon, Jul 21, 2014 at 11:35:48AM +0200, Lisa Minogue wrote:
> >> In the light of the above, do you have plans to replace OpenSSL with
> PolarSSL or LibreSSL? And how soon will new bundles of OpenVPN software
> be released that incorporate OpenSSL alternatives?
> > [..]
> >> P.S.: I apologize if the above questions have been dealt with in the
> past.
> >
> > Indeed, you could have just googled for "OpenVPN PolarSSL"...
> >
> > But anyway.  Samuli: can the build environment do windows binaries using
> > PolarSSL?  Might be nice to offer both...
> >
> > gert
> >
> The build environment for Windows would have to be modified
> significantly to support PolarSSL. Although we probably can all agree
> that the state of OpenSSL leaves a lot to be desired, it's now funded by
> the Core Infrastructure Initiative:
> 
> 
> 
> I don't know if money (=few full-time developers) can save the can of
> worms, but probably we should not panic quite yet. Opinions?
> 
> - -- 
> Samuli Seppänen
> Community Manager
> OpenVPN Technologies, Inc
> 
> irc freenode net: mattock

-
Mail.be, WebMail and Virtual Office
http://www.mail.be



Re: [Openvpn-devel] OpenSSL in OpenVPN software to be replaced?

2014-07-21 Thread David Sommerseth
On 21/07/14 14:44, Samuli Seppänen wrote:
> Although we probably can all agree
> that the state of OpenSSL leaves a lot to be desired, it's now funded by
> the Core Infrastructure Initiative:
> 
> 
> 
> I don't know if money (=few full-time developers) can save the can of
> worms, but probably we should not panic quite yet. Opinions?

No libraries are perfect.  OpenSSL is also far from perfect.  But I
think the press and the OpenSSL-haters have abused their screen time
somewhat too much as well.  So, I would say: No need to panic.

It takes long to really build confidence in a crypto library, just like
the math behind cryptographic functions.

Currently, PolarSSL is more attractive because of the smaller code base
(but also less support for features OpenSSL have).  So PolarSSL is
easier to do a proper code review on.  But also bear in mind that
PolarSSL had their first releases around early 2009.  OpenSSL was
released mid/late 1990's.  The age difference is 10 years(!).

I more strongly believe we will have a more secure world if it is more
unpredictable which SSL implementation is being used.  So I welcome
PolarSSL very much, and I believe that just their _presence_ and being
used by some of our users are important.  Just as well as I'd like to
see someone looking at an NSS implementation in OpenVPN.


-- 
kind regards,

David Sommerseth





Re: [Openvpn-devel] OpenSSL in OpenVPN software to be replaced?

2014-07-21 Thread David Sommerseth
On 21/07/14 14:02, Gert Doering wrote:
> Hi,
> 
> On Mon, Jul 21, 2014 at 01:24:53PM +0200, Steffan Karger wrote:
>> LibreSSL has just been ported to Linux. 
> 
> I'd stay away from LibreSSL for a while.  "We do OpenBSD, and do not care
> for portability" seems to have side effects on things like "seeding RNG"
> that should be fully understood before using that.
> 
> (Unfortunately I do not have the link that details this particular issue
> - came around it last week)

Maybe it was this one? 

But I generally agree, LibreSSL should not be used too easily currently.
 It takes a long time to mature an SSL library and ensure it is secure
and good.  Many also question how the LibreSSL team will tackle
security updates of new issues found in OpenSSL, and due to the
freshness of LibreSSL, nobody really knows.  How will these fixes be
ported to LibreSSL and how will they ensure it will work just as well
there as in OpenSSL?

I also feel that OpenSSL has been bashed a bit too harshly by media and
the "I don't like OpenSSL"-mobs.  Remember that OpenSSL was the really first
true open sourced SSL which got a real breakthrough (before that, it was
SSLeay, which OpenSSL does somewhat build upon).  Many others have come and
gone in the mean time as well.  In addition: All kinds of software have
bugs.  Some will be severe.  And with time, they will appear also in other
libraries as well as OpenSSL.  There have already been many issues which
have been fixed in PolarSSL, GnuTLS, NSS, etc, etc.

Yes, there are issues with OpenSSL.  Some code is ancient, some code is
very poorly documented.  Some code paths are dead on many of today's
platforms.  But it doesn't mean it's completely crappy code.  And
OpenSSL seems to try to fix and correct some of this as well.

What is important, no matter which library you use, is that it gets
updates quickly when something is found.  OpenSSL has generally been
fairly good at this (once issues have been noticed).  But this also
requires that the sys-admins are responsible in their update processes,
and also update the libraries as soon as possible after the official
update was released.


--
kind regards,

David Sommerseth






Re: [Openvpn-devel] OpenSSL in OpenVPN software to be replaced?

2014-07-21 Thread Samuli Seppänen


> Hi,
>
> On Mon, Jul 21, 2014 at 11:35:48AM +0200, Lisa Minogue wrote:
>> In the light of the above, do you have plans to replace OpenSSL with
PolarSSL or LibreSSL? And how soon will new bundles of OpenVPN software
be released that incorporate OpenSSL alternatives?
> [..]
>> P.S.: I apologize if the above questions have been dealt with in the
past.
>
> Indeed, you could have just googled for "OpenVPN PolarSSL"...
>
> But anyway.  Samuli: can the build environment do windows binaries using
> PolarSSL?  Might be nice to offer both...
>
> gert
>
The build environment for Windows would have to be modified
significantly to support PolarSSL. Although we probably can all agree
that the state of OpenSSL leaves a lot to be desired, it's now funded by
the Core Infrastructure Initiative:



I don't know if money (=few full-time developers) can save the can of
worms, but probably we should not panic quite yet. Opinions?

- -- 
Samuli Seppänen
Community Manager
OpenVPN Technologies, Inc

irc freenode net: mattock




Re: [Openvpn-devel] OpenSSL in OpenVPN software to be replaced?

2014-07-21 Thread Gert Doering
Hi,

On Mon, Jul 21, 2014 at 11:35:48AM +0200, Lisa Minogue wrote:
> In the light of the above, do you have plans to replace OpenSSL with PolarSSL 
> or LibreSSL? And how soon will new bundles of OpenVPN software be released 
> that incorporate OpenSSL alternatives?
[..]
> P.S.: I apologize if the above questions have been dealt with in the past.

Indeed, you could have just googled for "OpenVPN PolarSSL"...

But anyway.  Samuli: can the build environment do windows binaries using
PolarSSL?  Might be nice to offer both...

gert

-- 
USENET is *not* the non-clickable part of WWW!
   //www.muc.de/~gert/
Gert Doering - Munich, Germany g...@greenie.muc.de
fax: +49-89-35655025    g...@net.informatik.tu-muenchen.de




Re: [Openvpn-devel] OpenSSL in OpenVPN software to be replaced?

2014-07-21 Thread Gert Doering
Hi,

On Mon, Jul 21, 2014 at 01:24:53PM +0200, Steffan Karger wrote:
> LibreSSL has just been ported to Linux. 

I'd stay away from LibreSSL for a while.  "We do OpenBSD, and do not care
for portability" seems to have side effects on things like "seeding RNG"
that should be fully understood before using that.

(Unfortunately I do not have the link that details this particular issue
- came around it last week)

gert
-- 
USENET is *not* the non-clickable part of WWW!
   //www.muc.de/~gert/
Gert Doering - Munich, Germany g...@greenie.muc.de
fax: +49-89-35655025    g...@net.informatik.tu-muenchen.de




Re: [Openvpn-devel] OpenSSL in OpenVPN software to be replaced?

2014-07-21 Thread Steffan Karger
Hi Lisa,

On Mon, Jul 21, 2014 at 11:35 AM, Lisa Minogue  wrote:
> do you have plans to replace OpenSSL with PolarSSL or LibreSSL? And how soon 
> will new bundles of OpenVPN software be released that incorporate OpenSSL 
> alternatives?

OpenVPN is already capable of using PolarSSL instead of OpenSSL, see
http://community.openvpn.net/openvpn/wiki/UsingPolarSSL. I don't know
of any 'regular' OpenVPN software releases that use PolarSSL, but
there is OpenVPN-NL (https://openvpn.fox-it.com) that uses PolarSSL.

LibreSSL has just been ported to Linux. As soon as it becomes mature
and readily available in distros, I think it would be nice to add it
as an option for OpenVPN, but afaik there are currently no concrete
plans to do so.

-Steffan



[Openvpn-devel] OpenSSL in OpenVPN software to be replaced?

2014-07-21 Thread Lisa Minogue
Hi guys,

It's been universally acknowledged that you all have been doing a wonderful job 
by providing free, open-source OpenVPN software and free support for it over 
the past few years.

However a few days ago OpenSSL, in a project roadmap last modified on July 16, 
stated [sic]"there are a very significant number of them. A large proportion of 
these issues have been open for years. Some of these have in fact been dealt 
with and should be closed, but this has not been recorded in the system. Most 
however have not been looked at."

I'm no expert of cryptography but I guess some of these issues could inflict 
more devastating effects than the recent Heartbleed/Heartbeat bug.

In the light of the above, do you have plans to replace OpenSSL with PolarSSL 
or LibreSSL? And how soon will new bundles of OpenVPN software be released that 
incorporate OpenSSL alternatives?

Regards.

Lisa

P.S.: I apologize if the above questions have been dealt with in the past.