update openssl port

Matthew Robbetts wingfeathera at gmail.com
Thu Dec 17 09:43:29 CET 2020



> On Dec 17, 2020, at 12:10 AM, Duss Pirmin <pirmin.duss at gapfruit.com> wrote:
> 
> Hi Genodians
> 
> On December 08. 2020 the openssl project issued a security advisory
> (https://www.openssl.org/news/secadv/20201208.txt).
> 
> I started looking into bringing the latest version of openssl (1.1.1i) to
> Genode. I have a first version of the library that compiles on x86_64.
> 
> When I started testing components I encountered the following things:
> - `wpa_supplicant` (wifi driver) compiles, but running it fails due to
> a symbol the dynamic linker can't find
> - `lighttpd` compiles, but running it fails due to a symbol the dynamic
> linker can't find
> - `libssh` doesn't compile (it looks as if it uses data structures that
> were moved to internal-only in version 1.1.x of openssl)
> - `openvpn` (repo genode-world) doesn't compile (it looks as if it uses
> data structures that were moved to internal-only in version 1.1.x of
> openssl)
> - `grpc` (repo genode-world) compiles with some warnings about using
> deprecated functions
> - `grpc_tls/client` and `grpc_tls/server` (repo genode-world) can be built
> 
> I'm thinking about how to proceed with this. One way that I see, is to
> create a separate port (e.g. `openssl_1.1`) that provides the updated
> library.
> Then each component can choose to use the old or the new version of the
> library. When a component (or library) is updated, one can choose to
> switch to the new library if it is supported. In the long run the old
> version of openssl could then be removed once all users of it have switched.
> 
> Do you agree with proceeding according to this plan or would you
> approach this differently?

This is not an answer to your question, but really another question: have you considered an alternative, such as LibreSSL (http://libressl.org/)?

My understanding is that it is designed for portability, and that drop-in compatibility with OpenSSL is a stated goal. AFAIK, it frequently isn’t vulnerable to CVEs reported against OpenSSL (though, that doesn’t seem to be the case here).

Sorry for the noise if you’ve already ruled it out.

> 
> Best regards,
> Pirmin
> 
> _______________________________________________
> Genode users mailing list
> users at lists.genode.org
> https://lists.genode.org/listinfo/users
