maemo.org - Talk > OS / Platform > Maemo 5 / Fremantle
  #1  
2015-12-28, 13:41
jonwil
Suggested roadmap for updating OpenSSL on Fremantle

Here is a suggested roadmap for what we should do in order to properly use the newest OpenSSL (and related features) on Maemo Fremantle:

1. Get the latest OpenSSL (or LibreSSL) building and working properly on Fremantle (including all the newest algorithms, features and protocols, as well as correct Debian packaging, optimization flags etc. for Fremantle).

2. Examine the OpenSSL 0.9.8n source code for Maemo (in the SDK repos) and identify any local patches vs. upstream 0.9.8n; if those patches are actually necessary, forward-port them to the new OpenSSL version from #1 (or otherwise deal with them).

3. Put this new OpenSSL version into CSSU as "openssl", "libsslx.y.z", "libssl-dev" and "libsslx.y.z-dbg" (depending on the exact version we are porting, or whatever).

4. Ensure that the root certificates in https://github.com/community-ssu/maemo-security-certman are up to date and match what they should be for best security.

5. Recompile/port-to-new-OpenSSL-version/put into CSSU maemo-security-certman, maemo-security-certman-applet, xorg-server, clinkc, loudmouth, microb-eal, sofia-sip, qt4-x11 and curl (as well as anything else using OpenSSL that is FOSS and isn't present on a stock root filesystem). If bringing in a newer (but still ABI-compatible) curl is easier, do that.

6. Update any security defaults or other things chosen by libcurl and libqt4-network so that they are only using things considered secure (e.g. dropping SSL2/SSL3/TLS1.0).

7. Identify any cases in the APIs where it's possible for a user of libcurl or libqt4-network to specify security settings, so we can audit for users of those functions and make sure nothing (especially closed-source things) is doing anything insecure that should be updated.

8. Remove the obsolete packages nokiamessaging and sharing-service-ovi (they are now useless and they use OpenSSL).

9. Audit the use of OpenSSL by as-daemon-0, tablet-browser-ui, osso-wlan-security, connui-iapsettings, adobe-flashplayer, location-proxy, osso-backup, ota-settings and signond0, figure out which uses are a potential security risk and figure out what to do about those cases (e.g. cloning things).

This should cover all the things we need to do if we want the newest OpenSSL on Maemo Fremantle (and we want software to be using that new version).
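Steps 5, 7 and 9 of the roadmap (find everything that links libssl/libcrypto, then check what each binary does with it) can be started mechanically rather than by reading each package. The script below is an added example, not code from this thread or from CSSU. It assumes GNU binutils (objdump) is available in scratchbox or on the device, takes the root filesystem path as its only argument, and its built-in `objdump -T` output is a constructed sample, not taken from any real Fremantle binary. The idea is that a closed-source binary which imports `SSLv2_*`/`SSLv3_*` method symbols has the protocol hard-wired and cannot be fixed by library defaults alone, while one that imports `SSLv23_*` negotiates whatever the library allows and is governed by `SSL_CTX_set_options` (or the new library's defaults), and one pinned to `TLSv1_*` will never speak TLS 1.1/1.2.

```shell
#!/bin/sh
# Added example: audit a Fremantle rootfs for OpenSSL users and for
# protocol-selection symbols they import. Not part of the original post.
# Assumes GNU binutils (objdump) is installed; paths are supplied by the caller.

# Walk a root filesystem and print "path<TAB>SONAME" for every ELF file whose
# DT_NEEDED list contains libssl or libcrypto. The SONAME tells you whether the
# binary still wants the old 0.9.8 library or has been rebuilt.
list_openssl_users() {
    find "$1" -type f \( -perm -u+x -o -name '*.so*' \) 2>/dev/null |
    while read -r f; do
        objdump -p "$f" 2>/dev/null | awk -v f="$f" '
            $1 == "NEEDED" && $2 ~ /^lib(ssl|crypto)\.so/ { print f "\t" $2 }'
    done
}

# Read `objdump -T` output on stdin and classify the undefined (imported)
# OpenSSL symbols that decide which protocol a binary can negotiate.
# Output: one line per hit, "BAD|WARN|INFO symbol (reason)".
classify_ssl_symbols() {
    grep '\*UND\*' | awk '{ sym = $NF }
        sym ~ /^SSLv2_(client_|server_)?method$/  { print "BAD  " sym " (SSLv2 hard-wired in the binary)"; next }
        sym ~ /^SSLv3_(client_|server_)?method$/  { print "BAD  " sym " (SSLv3 hard-wired in the binary)"; next }
        sym ~ /^SSLv23_(client_|server_)?method$/ { print "WARN " sym " (negotiates anything unless SSL_CTX_set_options disables SSL2/SSL3)"; next }
        sym ~ /^TLSv1_(client_|server_)?method$/  { print "WARN " sym " (pinned to TLS 1.0 only, never TLS 1.1/1.2)"; next }
        sym == "SSL_CTX_set_options"              { print "INFO " sym " (protocol options are set explicitly; check the flags)"; next }
    '
}

# Classify one binary on disk.
audit_binary() {
    objdump -T "$1" 2>/dev/null | classify_ssl_symbols
}

# Constructed sample of `objdump -T` output (not a real Fremantle binary),
# used so the classifier can be exercised without a rootfs.
SAMPLE_OBJDUMP_T='00000000      DF *UND*  00000000              SSLv23_client_method
00000000      DF *UND*  00000000              SSL_CTX_set_options
00000000      DF *UND*  00000000              SSLv3_client_method
00000000      DF *UND*  00000000              TLSv1_client_method
00000000 g    DF .text  00000040              main'

if [ $# -gt 0 ]; then
    # Real run: every binary that links OpenSSL, with its verdicts.
    list_openssl_users "$1" | cut -f1 | sort -u | while read -r bin; do
        echo "== $bin"
        audit_binary "$bin"
    done
else
    echo "== (constructed sample, not a real binary)"
    printf '%s\n' "$SAMPLE_OBJDUMP_T" | classify_ssl_symbols
fi
```

Run it as `sh audit-openssl.sh /` on the device (or against an unpacked rootfs image) to get the list for step 5 and the first pass of step 9 in one go; binaries that show only `INFO`/`WARN` lines are the ones where changing libcurl/libqt4-network defaults (step 6) or the new library's own defaults will actually take effect, while `BAD` ones need a wrapper, a patch or cloning, as the roadmap already anticipates. Version-tagged symbols (`OPENSSL_0.9.8 SSLv3_client_method`) are handled because only the last field is inspected.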
  #2  
2015-12-28, 14:14
pali
Re: Suggested roadmap for updating OpenSSL on Fremantle

Xserver needs OpenSSL only for the SHA1 hash function, which is used for the glyph hashmap. See this "for Christ's sake" email thread: http://lists.x.org/archives/xorg-dev...ne/042757.html

Xserver can be recompiled with other libs for SHA1 support (instead of OpenSSL). Maybe we should choose a different lib now?
  #3  
2015-12-28, 14:16
pali
Re: Suggested roadmap for updating OpenSSL on Fremantle

Or revert that commit in xserver which removed the internal SHA1 implementation, as written in: http://lists.x.org/archives/xorg-dev...ne/042774.html
  #4  
2015-12-28, 14:17
pali
Re: Suggested roadmap for updating OpenSSL on Fremantle

TLS1.0 is still quite secure, please do not drop it, as many servers will need it.
  #5  
2015-12-28, 17:30
Dongle Fongle
Re: Suggested roadmap for updating OpenSSL on Fremantle

+ add sha256 support?
  #6  
2015-12-28, 22:30
jonwil
Re: Suggested roadmap for updating OpenSSL on Fremantle

Ok, I wasn't sure if the current recommendation was to switch off TLS1.0 or not.
  #7  
2015-12-28, 23:00
nieldk
Re: Suggested roadmap for updating OpenSSL on Fremantle

Quote:
Originally Posted by pali
TLS1.0 is still quite secure, please do not drop it as many server will need it.

NIST (and PCI-SSC) certainly disagree with that statement.

http://nvlpubs.nist.gov/nistpubs/Spe...P.800-52r1.pdf
  #8  
2015-12-28, 23:51
peterleinchen (Ruhrgebiet, Germany)
Re: Suggested roadmap for updating OpenSSL on Fremantle

Quote:
Originally Posted by nieldk
NIST (And PCI-SSC) certainly disagrees on that statement.

http://nvlpubs.nist.gov/nistpubs/Spe...P.800-52r1.pdf

AFAIK Gmail still offers SSL only?
At least that was the case a few months ago.
  #9  
2015-12-29, 00:43
jonwil
Re: Suggested roadmap for updating OpenSSL on Fremantle

Anyone know where I can get the source code to Debian OpenSSL 0.9.8n-1 (the version the Maemo Fremantle OpenSSL is based on)? If I can get that, I can do a diff between the two and see what's new in Maemo Fremantle that might need to be forward-ported to whatever OpenSSL/LibreSSL version we end up taking (which IMO should probably be whatever Debian ships these days).
  #10  
2015-12-29, 00:46
jonwil
Re: Suggested roadmap for updating OpenSSL on Fremantle

Google still offers SSL3 on its sites because of backwards compatibility (i.e. many people using ancient versions of Intercrap Exploder that either don't support TLS at all or have it off by default for some stupid reason).