[ https://bro-tracker.atlassian.net/browse/BIT-1499?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Robin Sommer reassigned BIT-1499:
---------------------------------

    Assignee: Robin Sommer

> Updates for newer version of OpenSSL/LibreSSL
> ---------------------------------------------
>
>                 Key: BIT-1499
>                 URL: https://bro-tracker.atlassian.net/browse/BIT-1499
>             Project: Bro Issue Tracker
>          Issue Type: Problem
>          Components: Bro, Broccoli
>    Affects Versions: git/master
>            Reporter: Seth Hall
>            Assignee: Robin Sommer
>             Fix For: 2.5
>
>         Attachments: patch-aux_broccoli_src_bro__openssl.c, 
> patch-src_ChunkedIO.cc
>
>
> A comment from Christoph Pietsch:
> {quote}Currently bro fails to build when openssl libraries have been built
> without SSLv3 (configure --no-ssl2 --nossl3). This has
> surfaced when building with the latest LibreSSL 2.3.
> Attached patches address all these issues. These can be improved upon
> by using only SSLv23_ methods or even TLS_ methods and setting
> SSL_CTX_set_options(ctx, SSL_OP_NO_SSL2 | SSL_OP_NO_SSL3) but I've
> tried to make the patches minimally intrusive. OpenSSL 1.1.0 will
> deprecate SSLv23_ methods and introduces compatible TLS_ methods.{quote}
> The patches are attached.  Fortunately all of this code is slated to be 
> removed but it does introduce the question of how we manage this moving forward. 
>  I'd like to avoid having to add compiler directives to use alternate 
> implementations and detect which version of OpenSSL someone has installed. 
> Alternately, what does everyone think about deprecating the existing 
> communication mechanism by making it a configure-time option?  We can just 
> not compile those by default which means that almost everyone would just see 
> everything work correctly and our effort would be minimal.  People that need 
> the existing built-in communication still can deal with the complications of 
> compiling Bro with the option and having the correct version of OpenSSL.



--
This message was sent by Atlassian JIRA
(v7.0.0-OD-08-005#70107)

_______________________________________________
bro-dev mailing list
bro-dev@bro.org
http://mailman.icsi.berkeley.edu/mailman/listinfo/bro-dev
