Hey everyone, I ported a new version of OpenSSL (1.1.0i) to Genode. I have it working for x86_32 and x86_64. All of my testing was done using the seL4 kernel. The changes are here:
https://github.com/sand7000/genode/tree/openssl-1.1.0i
Updating OpenSSL impacted Curl and LibSSH. I ported a newer version of Curl and started porting a newer version of LibSSH.
Additional work is required to complete this, including adding support for ARM, completing the port of LibSSH and completing the depot packaging.
The following is included in my release, if other folks want to carry it on from here:
* OpenSSL 1.1.0i works for x86_32 and x86_64
* Curl 7.50.3 works for x86_32 and x86_64
* LibSSH 0.8.3 port compiles but I have not tested it
Hello Edward,
On Mon, Dec 17, 2018 at 01:18:53PM -0600, Edward Sandberg wrote:
> Hey everyone, I ported a new version of OpenSSL (1.1.0i) to Genode. I have it working for x86_32 and x86_64. All of my testing was done using the seL4 kernel. The changes are here:
> [...]
thanks for your contribution.
With his work on issue 3039 [1] Josef Söntgen updated openssl to 1.0.2q (commits are already on the staging branch). It was not required to adapt curl or libssh in any way for this. As 1.0.2q has the same security patch level as 1.1.0j I wonder about your requirements for the 1.1 branch. Could you tell us more or maybe your application could also be satisfied by a recent 1.0 version?
[1] https://github.com/genodelabs/genode/issues/3069
Regards
On 12/18/18 1:59 AM, Christian Helmuth wrote:
> With his work on issue 3039 [1] Josef Söntgen updated openssl to 1.0.2q (commits are already on the staging branch). It was not required to adapt curl or libssh in any way for this. As 1.0.2q has the same security patch level as 1.1.0j I wonder about your requirements for the 1.1 branch. Could you tell us more or maybe your application could also be satisfied by a recent 1.0 version?
On [1] it says:
"The latest stable version is the 1.1.1 series. This is also our Long Term Support (LTS) version... All users of 1.0.2 and 1.1.0 are encouraged to upgrade to 1.1.1 as soon as possible."
and on [2] it says:
"OpenSSL 1.1.1 is API and ABI compliant with OpenSSL 1.1.0 so most applications that work with 1.1.0 can gain many of the benefits of TLSv1.3 simply by dropping in the new OpenSSL version."
Our main goals are to stay on an LTS version and to utilize TLSv1.3, so stepping to 1.1.0 was more useful to us in the long term than stepping to 1.0.2.
[1] https://www.openssl.org/source/
[2] https://www.openssl.org/blog/blog/2018/09/11/release111/