maemo.org - Talk - Suggested roadmap for updating OpenSSL on Fremantle

maemo.org - Talk (https://talk.maemo.org/index.php)

- Maemo 5 / Fremantle (https://talk.maemo.org/forumdisplay.php?f=40)

- - Suggested roadmap for updating OpenSSL on Fremantle (https://talk.maemo.org/showthread.php?t=96292)

Suggested roadmap for updating OpenSSL on Fremantle

Here is a suggested roadmap for what we should do in order to properly use the newest OpenSSL (and related features) on Maemo Fremantle:
1.Get the latest OpenSSL (or LibreSSL) building and working properly on Fremantle (including all the newest algorithms and features and protocols as well as correct debian packaging, optimization flags etc for Fremantle)

2.Examine the OpenSSL 0.9.8n source code for Maemo (in the SDK repos) and identify any local patches vs upstream 0.9.8n and if those patches are actually necessary, forward-port them to the new OpenSSL version from #1 (or otherwise deal with them)

3.Put this new OpenSSL version into CSSU as "openssl", "libsslx.y.z", "libssl-dev" and "libsslx.y.z-dbg" (depending on the exact version we are porting or whatever)

4.Ensure that the root certificates in https://github.com/community-ssu/maemo-security-certman are up-to-date and match with what they should be for best security

5.Recompile/Port-to-new-OpenSSL-version/Put into CSSU maemo-security-certman, maemo-security-certman-applet, xorg-server, clinkc, loudmouth, microb-eal, sofia-sip, qt4-x11 and curl. (as well as anything else using OpenSSL that is FOSS and isn't present on a stock root filesystem). If bringing in a newer (but still ABI compatible) curl is easier, do that.

6.Update any security defaults or other things chosen by libcurl and libqt4-network so that they are only using things considered secure (e.g. dropping SSL2/SSL3/TLS1.0)

7.Identify any cases in the APIs where its possible for a user of libcurl or libqt4-network to specify security settings so we can audit for users of those functions and make sure nothing (especially closed source things) is doing anything insecure that should be updated.

8.Remove obsolete packages nokiamessaging and sharing-service-ovi (they are now useless and they use OpenSSL)

9.Audit the use of OpenSSL by as-daemon-0, tablet-browser-ui, osso-wlan-security, connui-iapsettings, adobe-flashplayer, location-proxy, osso-backup, ota-settings and signond0 and figure out which uses are a potential security risk and figure out what to do about those cases (e.g. cloning things)

This should cover all the things we need to do if we want the newest OpenSSL on Maemo Fremantle (and we want software to be using that new version)