#8214: openssl-1.1.0
-------------------------+-----------------------
Reporter: renodr | Owner: renodr
Type: enhancement | Status: assigned
Priority: low | Milestone: hold
Component: BOOK | Version: SVN
Severity: normal | Resolution:
Keywords: |
-------------------------+-----------------------
Comment (by dj@…):
Replying to [comment:6 renodr]:
> I'll take this challenge on. The SWEET32 issue needs to be mitigated.
https://www.openssl.org/blog/blog/2016/08/24/sweet32/
OpenSSL folks rated it low priority in the above review. I'm inclined to
agree with their assessment given the amount of data required (and default
configs of both httpd and nginx). I do not like the fix in 1.1.0. In the
interim, we could safely follow the same approach as upstream until 1.0.2i
is released if it is still a concern:
https://github.com/openssl/openssl/commit/0fff5065884d5ac61123a604bbcee30a53c808ff
The above classifies it as MEDIUM instead of HIGH. Optionally, we could
move it to WEAK but still build 3DES via the enable-weak-ssl-ciphers
switch (I don't like this).
When we do upgrade to 1.1.0, do we want to include 3DES anyway? Probably
going to break some existing configs if not (which should be updated if
not cost prohibitive). If not undoing the change in favor of the one for
1.0.2, at very least, the switch should be mentioned in command
explanations. For reference, here is the 1.1.0 change (make it WEAK and
not built by default):
https://github.com/openssl/openssl/commit/d33726b92e09605a088369d0e01c99d138c0524f
Regarding SWEET32, no need to do anything with httpd or nginx configs for
now. It is mathematically impossible to exploit using this method in the
default configuration for both (maximum requests at 100).
--
Ticket URL: <http://wiki.linuxfromscratch.org/blfs/ticket/8214#comment:9>
BLFS Trac <http://wiki.linuxfromscratch.org/blfs>
Beyond Linux From Scratch
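To make the "maximum requests at 100" argument concrete, here is an added example (not code from the ticket, BLFS, or OpenSSL) that works out the 64-bit-block birthday bound behind SWEET32 against a per-connection request cap, and probes which 3DES suites a given OpenSSL cipher string still selects. It assumes the 16 KiB response size is a constructed figure, and that the cipher-string probe's result depends on the OpenSSL build Python is linked against.

```python
"""SWEET32 feasibility arithmetic plus a 3DES cipher-string probe (added example)."""
import ssl

BLOCK_BITS_3DES = 64    # DES/3DES block size: the root cause of SWEET32
BLOCK_BITS_AES = 128    # for comparison


def birthday_bound_bytes(block_bits: int) -> int:
    """Bytes of data under one key after which a block collision becomes
    likely: on the order of 2^(n/2) blocks of n/8 bytes each.
    For 3DES that is 2^32 blocks * 8 bytes = 32 GiB."""
    block_bytes = block_bits // 8
    return (1 << (block_bits // 2)) * block_bytes


def bytes_per_connection(max_requests: int, bytes_per_request: int) -> int:
    """Upper bound on data one keep-alive connection (hence one TLS session
    key) can carry before the server closes it."""
    return max_requests * bytes_per_request


def collision_feasible(block_bits: int, max_requests: int,
                       bytes_per_request: int) -> bool:
    """True only if the per-connection request cap alone lets a single
    session reach the birthday bound for this block size."""
    return (bytes_per_connection(max_requests, bytes_per_request)
            >= birthday_bound_bytes(block_bits))


def enabled_3des_suites(cipher_string: str) -> list:
    """Return the OpenSSL names of 3DES suites that cipher_string selects on
    the locally linked OpenSSL (assumption: result varies by build; an
    empty list means none are selectable, e.g. built without weak ciphers)."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    try:
        ctx.set_ciphers(cipher_string)
    except ssl.SSLError:
        return []
    return [c["name"] for c in ctx.get_ciphers() if "DES-CBC3" in c["name"]]


if __name__ == "__main__":
    # 100 requests per connection is the httpd/nginx default cited in the
    # ticket; 16 KiB per response is a constructed, generous figure.
    per_conn = bytes_per_connection(100, 16 * 1024)
    print(f"3DES birthday bound: {birthday_bound_bytes(BLOCK_BITS_3DES)} bytes")
    print(f"one capped connection: {per_conn} bytes")
    print("feasible via request cap:",
          collision_feasible(BLOCK_BITS_3DES, 100, 16 * 1024))
    print("3DES suites under HIGH:", enabled_3des_suites("HIGH"))
    print("3DES suites under MEDIUM:", enabled_3des_suites("MEDIUM"))
```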