Posts: 489 | Thanked: 2,397 times | Joined on Oct 2009
#1
Here is a suggested roadmap for what we should do in order to properly use the newest OpenSSL (and related features) on Maemo Fremantle:
1. Get the latest OpenSSL (or LibreSSL) building and working properly on Fremantle (including all the newest algorithms, features and protocols, as well as correct Debian packaging, optimization flags etc. for Fremantle)

2. Examine the OpenSSL 0.9.8n source code for Maemo (in the SDK repos) and identify any local patches vs. upstream 0.9.8n; if those patches are actually necessary, forward-port them to the new OpenSSL version from #1 (or otherwise deal with them)

3. Put this new OpenSSL version into CSSU as "openssl", "libsslx.y.z", "libssl-dev" and "libsslx.y.z-dbg" (depending on the exact version we are porting or whatever)

4. Ensure that the root certificates in https://github.com/community-ssu/maemo-security-certman are up-to-date and match what they should be for best security

5. Recompile/port-to-new-OpenSSL-version/put into CSSU maemo-security-certman, maemo-security-certman-applet, xorg-server, clinkc, loudmouth, microb-eal, sofia-sip, qt4-x11 and curl (as well as anything else using OpenSSL that is FOSS and isn't present on a stock root filesystem). If bringing in a newer (but still ABI compatible) curl is easier, do that.

6. Update any security defaults or other things chosen by libcurl and libqt4-network so that they are only using things considered secure (e.g. dropping SSL2/SSL3/TLS1.0)

7. Identify any cases in the APIs where it's possible for a user of libcurl or libqt4-network to specify security settings, so we can audit for users of those functions and make sure nothing (especially closed source things) is doing anything insecure that should be updated.

8. Remove obsolete packages nokiamessaging and sharing-service-ovi (they are now useless and they use OpenSSL)

9. Audit the use of OpenSSL by as-daemon-0, tablet-browser-ui, osso-wlan-security, connui-iapsettings, adobe-flashplayer, location-proxy, osso-backup, ota-settings and signond0, figure out which uses are a potential security risk and figure out what to do about those cases (e.g. cloning things)

This should cover all the things we need to do if we want the newest OpenSSL on Maemo Fremantle (and we want software to be using that new version)
 

The Following 6 Users Say Thank You to jonwil For This Useful Post:
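Steps 7 and 9 above both come down to finding out which binaries on the root filesystem link OpenSSL directly and which of them choose a protocol version themselves rather than taking the library default. The script below is an added example (not code from this thread or from CSSU) that does that first pass with binutils' objdump; the symbol names are the OpenSSL 0.9.8/1.0 libssl API, the class names are made up here.

```shell
#!/bin/sh
# Added example, not from the thread: classify ELF binaries by how they use
# OpenSSL, using only the dynamic section (objdump -p) and the dynamic symbol
# table (objdump -T). Assumes binutils is installed.

# Fixed-version methods: the binary pins one protocol version and can never
# negotiate up to TLS 1.2, whatever the library default becomes.
PINNED='SSLv2_(client_|server_)?method|SSLv3_(client_|server_)?method|TLSv1_(client_|server_)?method'
# Negotiating method plus the knobs that decide which versions/ciphers it allows.
# SSL_CTX_set_options is a macro over SSL_CTX_ctrl in 0.9.8, so both are listed.
TUNING='SSLv23_(client_|server_)?method|SSL_CTX_ctrl|SSL_CTX_set_options|SSL_CTX_set_cipher_list|SSL_set_cipher_list'

# classify_dump: reads combined `objdump -p; objdump -T` text on stdin and
# prints exactly one class name.
classify_dump() {
    dump=$(cat)
    if ! printf '%s\n' "$dump" | grep -Eq 'NEEDED[[:space:]]+lib(ssl|crypto)\.so'; then
        # No direct linkage. TLS done via libcurl/libqt4-network shows up when
        # those libraries themselves are audited, not here.
        echo no-direct-openssl; return
    fi
    if printf '%s\n' "$dump" | grep -Eq "[[:space:]]($PINNED)\$"; then
        echo pinned-legacy-method; return
    fi
    if printf '%s\n' "$dump" | grep -Eq "[[:space:]]($TUNING)\$"; then
        echo configures-tls-itself; return
    fi
    # Links libssl/libcrypto but uses no protocol-selecting API: libcrypto-only
    # users (e.g. a SHA1 hash) or code that simply takes the library default.
    echo openssl-default-or-crypto-only
}

# audit_file PATH: run objdump on a real binary and classify it.
audit_file() {
    { objdump -p "$1" 2>/dev/null; objdump -T "$1" 2>/dev/null; } | classify_dump
}

# Usage: sh audit-openssl.sh /usr/bin/* /usr/lib/*.so*
for f in "$@"; do
    printf '%s\t%s\n' "$(audit_file "$f")" "$f"
done
```

Anything reported as pinned-legacy-method is a candidate for step 9 regardless of what defaults libssl ends up with, since the version choice is compiled into the binary.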
Posts: 2,140 | Thanked: 8,375 times | Joined on May 2010
#2
Xserver needs OpenSSL only for the SHA1 hash function, which is used for the hashmap of glyphs. See this Christ's sake email thread: http://lists.x.org/archives/xorg-dev...ne/042757.html

Xserver can be recompiled with other libs for SHA1 support (instead of OpenSSL). Maybe we should choose a different lib now?
 
Posts: 2,140 | Thanked: 8,375 times | Joined on May 2010
#3
Or revert the commit in xserver which removed the internal SHA1 implementation, as written in: http://lists.x.org/archives/xorg-dev...ne/042774.html
 
Posts: 2,140 | Thanked: 8,375 times | Joined on May 2010
#4
TLS1.0 is still quite secure, please do not drop it as many servers will need it.
 
Posts: 92 | Thanked: 139 times | Joined on Apr 2014
#5
+ add sha256 support?
 
Posts: 489 | Thanked: 2,397 times | Joined on Oct 2009
#6
Ok, I wasn't sure if the current recommendation was to switch off TLS1.0 or not.
 
Posts: 1,128 | Thanked: 3,717 times | Joined on Oct 2014
#7
Quote (Originally Posted by pali):
TLS1.0 is still quite secure, please do not drop it as many servers will need it.

NIST (and PCI-SSC) certainly disagrees with that statement.

http://nvlpubs.nist.gov/nistpubs/Spe...P.800-52r1.pdf
 
Posts: 3,280 | Thanked: 6,060 times | Joined on Aug 2010 @ Ruhrgebiet, Germany
#8
Quote (Originally Posted by nieldk):
NIST (and PCI-SSC) certainly disagrees with that statement.

http://nvlpubs.nist.gov/nistpubs/Spe...P.800-52r1.pdf

AFAIK Gmail still offers SSL only?
At least that was the case a few months ago.
 
Posts: 489 | Thanked: 2,397 times | Joined on Oct 2009
#9
Anyone know where I can get the source code to Debian OpenSSL 0.9.8n-1 (the version the Maemo Fremantle OpenSSL is based on)? If I can get that, I can do a diff between the two and see what's new in Maemo Fremantle that might need to be forward-ported to whatever OpenSSL/LibreSSL version we end up taking (which IMO should probably be whatever Debian ships these days).
 
Posts: 489 | Thanked: 2,397 times | Joined on Oct 2009
#10
Google still offers SSL3 on its sites because of backwards compatibility (i.e. many people using ancient versions of Intercrap Exploder that either don't support TLS at all or have it off by default for some stupid reason).
 