On Dec 17, 2020, at 12:10 AM, Duss Pirmin <pirmin.duss@gapfruit.com> wrote:
Hi Genodians
On December 8, 2020, the OpenSSL project issued a security advisory (https://www.openssl.org/news/secadv/20201208.txt).
I started looking into bringing the latest version of OpenSSL (1.1.1i) to Genode. I have a first version of the library that compiles on x86_64.
When I started testing components I encountered the following things:
- `wpa_supplicant` (wifi driver) compiles, but running it fails due to a symbol the dynamic linker can't find
- `lighttpd` compiles, but running it fails due to a symbol the dynamic linker can't find
- `libssh` doesn't compile (it looks like it uses data structures that were made internal-only in version 1.1.x of OpenSSL)
- `openvpn` (repo genode-world) doesn't compile (it looks like it uses data structures that were made internal-only in version 1.1.x of OpenSSL)
- `grpc` (repo genode-world) compiles, with some warnings about using deprecated functions
- `grpc_tls/client` and `grpc_tls/server` (repo genode-world) can be built
I'm thinking about how to proceed with this. One way that I see is to create a separate port (e.g. `openssl_1.1`) that provides the updated library. Then each component can choose to use the old or the new version of the library. When a component (or library) is updated, one can choose to switch to the new library if it is supported. In the long run, the old version of OpenSSL could then be removed once all users of it have switched.
Do you agree with proceeding according to this plan or would you approach this differently?
This is not an answer to your question, but really another question: have you considered an alternative, such as LibreSSL (http://libressl.org/)?
My understanding is that it is designed for portability, and that drop-in compatibility with OpenSSL is a stated goal. AFAIK, it frequently isn’t vulnerable to CVEs reported against OpenSSL (though, that doesn’t seem to be the case here).
Sorry for the noise if you’ve already ruled it out.
Best regards, Pirmin
Genode users mailing list users@lists.genode.org https://lists.genode.org/listinfo/users
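The two runtime failures above (a component that compiles but then fails because the dynamic linker cannot find a symbol) are the classic symptom of the 1.0.2 to 1.1.x ABI break: functions such as `SSL_library_init` or `EVP_MD_CTX_create` became header macros in 1.1.0, so a component compiled against the old headers still references symbols that the 1.1.x libraries no longer export. The following script is an added example, not code from the thread or from the Genode project: it compares the undefined dynamic symbols of a component with the symbols the new libraries actually export, so the gap shows up at build time instead of at load time. The `check_component` wrapper assumes GNU binutils `nm -D`; the symbol lists in `demo` are constructed sample data, not captured from any of the components named above.

```sh
#!/bin/sh
# Added example (not part of the mailing-list thread or of Genode):
# find dynamic symbols a component needs that the shared libraries it
# will be loaded with do not export.

export LC_ALL=C   # deterministic collation for sort(1) and comm(1)

# missing_symbols NEEDED PROVIDED
# Print, one per line, every symbol listed in NEEDED that PROVIDED lacks.
# Both files are plain symbol lists (one name per line); they are sorted
# here because comm(1) requires sorted input.
missing_symbols() {
    needed_sorted=$(mktemp) || return 1
    provided_sorted=$(mktemp) || return 1
    sort -u "$1" > "$needed_sorted"
    sort -u "$2" > "$provided_sorted"
    comm -23 "$needed_sorted" "$provided_sorted"
    rm -f "$needed_sorted" "$provided_sorted"
}

# check_component COMPONENT.so LIB.so...
# Real-world wrapper (assumes GNU binutils nm with -D): list the undefined
# dynamic symbols of the component and the defined dynamic symbols of the
# libraries it will run against, then report the gap. Symbol versions
# ("name@VER") are stripped so only names are compared. Returns 1 if
# anything is unresolved.
check_component() {
    component=$1; shift
    needed=$(mktemp); provided=$(mktemp)
    nm -D --undefined-only "$component" | awk '{ print $NF }' | sed 's/@.*//' > "$needed"
    nm -D --defined-only "$@"           | awk '{ print $NF }' | sed 's/@.*//' > "$provided"
    gap=$(missing_symbols "$needed" "$provided")
    rm -f "$needed" "$provided"
    if [ -n "$gap" ]; then
        printf 'unresolved dynamic symbols in %s:\n%s\n' "$component" "$gap" >&2
        return 1
    fi
    return 0
}

# demo
# Constructed sample (not real nm output): a component built against
# OpenSSL 1.0.2 headers references SSL_library_init, SSL_load_error_strings
# and EVP_MD_CTX_create; in 1.1.x those are macros over OPENSSL_init_ssl
# and EVP_MD_CTX_new, so the 1.1.x libraries export the replacements only.
demo() {
    dir=$(mktemp -d) || return 1
    cat > "$dir/needed.txt" <<'EOF'
SSL_CTX_new
SSL_library_init
SSL_load_error_strings
EVP_MD_CTX_create
EVP_DigestInit_ex
EOF
    cat > "$dir/provided.txt" <<'EOF'
SSL_CTX_new
OPENSSL_init_ssl
EVP_MD_CTX_new
EVP_DigestInit_ex
EOF
    missing_symbols "$dir/needed.txt" "$dir/provided.txt"
    rm -rf "$dir"
}

demo
```

Running `demo` lists the three names the component needs but the new libraries do not provide, which is exactly what the dynamic linker would complain about at startup. In practice, point `check_component` at the component's ELF file and at the `libssl` and `libcrypto` shared objects from the new port and make a non-zero exit fail the build; the same comparison, run against the old port, tells you which components can switch without source changes.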