Hi Genodians
On December 08, 2020 the openssl project issued a security advisory (https://www.openssl.org/news/secadv/20201208.txt).
I started looking into bringing the latest version of openssl (1.1.1i) to Genode. I have a first version of the library that compiles on x86_64.
When I started testing components I encountered the following things:
- `wpa_supplicant` (wifi driver) compiles, but running it fails due to a symbol the dynamic linker can't find
- `lighttpd` compiles, but running it fails due to a symbol the dynamic linker can't find
- `libssh` doesn't compile (it looks as if it uses data structures that were moved to internal only in version 1.1.x of openssl)
- `openvpn` (repo genode-world) doesn't compile (it looks as if it uses data structures that were moved to internal only in version 1.1.x of openssl)
- `grpc` (repo genode-world) compiles with some warnings about using deprecated functions
- `grpc_tls/client` and `grpc_tls/server` (repo genode-world) can be built
I'm thinking about how to proceed with this. One way that I see, is to create a separate port (e.g. `openssl_1.1`) that provides the updated library. Then each component can choose to use the old or the new version of the library. When a component (or library) is updated, one can choose to switch to the new library if it is supported. In the long run the old version of openssl could then be removed once all users of it have switched.
Do you agree with proceeding according to this plan or would you approach this differently?
Best regards, Pirmin
On Dec 17, 2020, at 12:10 AM, Duss Pirmin pirmin.duss@gapfruit.com wrote:
Hi Genodians
On December 08, 2020 the openssl project issued a security advisory (https://www.openssl.org/news/secadv/20201208.txt).
I started looking into bringing the latest version of openssl (1.1.1i) to Genode. I have a first version of the library that compiles on x86_64.
When I started testing components I encountered the following things:
- `wpa_supplicant` (wifi driver) compiles, but running it fails due to a symbol the dynamic linker can't find
- `lighttpd` compiles, but running it fails due to a symbol the dynamic linker can't find
- `libssh` doesn't compile (it looks as if it uses data structures that were moved to internal only in version 1.1.x of openssl)
- `openvpn` (repo genode-world) doesn't compile (it looks as if it uses data structures that were moved to internal only in version 1.1.x of openssl)
- `grpc` (repo genode-world) compiles with some warnings about using deprecated functions
- `grpc_tls/client` and `grpc_tls/server` (repo genode-world) can be built
I'm thinking about how to proceed with this. One way that I see, is to create a separate port (e.g. `openssl_1.1`) that provides the updated library. Then each component can choose to use the old or the new version of the library. When a component (or library) is updated, one can choose to switch to the new library if it is supported. In the long run the old version of openssl could then be removed once all users of it have switched.
Do you agree with proceeding according to this plan or would you approach this differently?
This is not an answer to your question, but really another question: have you considered an alternative, such as LibreSSL (http://libressl.org/)?
My understanding is that it is designed for portability, and that drop-in compatibility with OpenSSL is a stated goal. AFAIK, it frequently isn’t vulnerable to CVEs reported against OpenSSL (though, that doesn’t seem to be the case here).
Sorry for the noise if you’ve already ruled it out.
Best regards, Pirmin
Genode users mailing list users@lists.genode.org https://lists.genode.org/listinfo/users
Hello Pirmin,
please let me first refer to
https://github.com/genodelabs/genode/issues/3773
which also contains a work-in-progress branch for the openssl/curl update from August 2020 [1].
On Thu, Dec 17, 2020 at 09:10:44 CET, Duss Pirmin wrote:
I'm thinking about how to proceed with this. One way that I see, is to create a separate port (e.g. `openssl_1.1`) that provides the updated library. Then each component can choose to use the old or the new version of the library. When a component (or library) is updated, one can choose to switch to the new library if it is supported. In the long run the old version of openssl could then be removed once all users of it have switched.
After some of my update work in spring of 2020 I decided against the additional flavor but for updating also libraries and components that use openssl. During my tests lighttpd worked without flaws.
Do you agree with proceeding according to this plan or would you approach this differently?
I'd much appreciate it if you had a look into my branch and decided for yourself whether it fits your requirements. Please note that I also put much effort into working ARM support.
[1] https://github.com/chelmuth/genode/commits/openssl11
Greets
Hello Christian
Thanks for your input.
On 12/17/20 1:35 PM, Christian Helmuth wrote:
Hello Pirmin,
please let me first refer to
https://github.com/genodelabs/genode/issues/3773
which also contains a work-in-progress branch for the openssl/curl update from August 2020 [1]. ... I'd much appreciate it if you had a look into my branch and decided for yourself whether it fits your requirements. Please note that I also put much effort into working ARM support.
[1] https://github.com/chelmuth/genode/commits/openssl11
Greets
I was not aware of this issue (unfortunately I didn't search before starting my work). I will look into your work. Maybe I can continue where you had to let it rest and bring it further along to completion.
Regards, Pirmin