Re: Qpopper and openssl on FreeBSD 11.x

2018-03-24 Thread Matthias Andree 
Am 23.03.2018 um 23:48 schrieb Doug Hardie:
>
>> Use SSLv23_server_method(), and use code to block out SSLv2 + SSLv3 on
>> those systems that still support them - which depends on the
>> OpenSSL/LibreSSL version, however:
>> Older OpenSSL and LibreSSL require SSL_OP_NO_SSLv3 and SSL_OP_NO_SSLv2
>> set through ..._set_options() on the SSL or CTX,
>> newer OpenSSL (1.1.0+) have ..._set_min_proto_version(..., TLS1_VERSION).
> The simple approach for 11 is to use SSLv23_server_method() as it handles 
> everything and no extra calls are required.  However, that doesn't work for 
> 10.x  Adding in all the checks you mention is a lot of development and 
> testing effort.  I don't have the resources or desire to do all that.  I have 
> not found a hardware system that will run 10.x.  Everything I have runs 11 
> just fine...

Why does it not work for FreeBSD 10? SSLv23_server_method() has been in
OpenSSL for ages. It is however important to block out broken protocols
(SSL v2, v3) in the application if changing the method regardsless of
FreeBSD version. This would mean unsupporting clients that do not
support at least TLS v1.0, but well, unless you only want to pretend to
offer network security you will have to do that.
___
freebsd-ports@freebsd.org mailing list
https://lists.freebsd.org/mailman/listinfo/freebsd-ports
To unsubscribe, send any mail to "freebsd-ports-unsubscr...@freebsd.org"

Re: Qpopper and openssl on FreeBSD 11.x

2018-03-23 Thread Doug Hardie 
> On 23 March 2018, at 02:40, Matthias Andree  wrote:
> 
> Am 17.02.2018 um 04:22 schrieb Doug Hardie:
>> I have encountered an interesting situation while trying to resolve a PR on 
>> qpopper.  I am unable to build qpopper on 11.1 (and probably 11.0) because 
>> the openssl function SSLv3_server_method has been removed.  I can see where 
>> the SSLv2 functions are disabled in ssl.h, but the SSLv3 functions appear 
>> that they should be there.  nm on libssl shows they are there.  Clang's 
>> linker can't link to them.  One of the qpopper users' indicates that the 
>> problem does not exist on 10.4.  I believe the loss of the SSLv3 methods is 
>> a bug and have filed Bug report.
> 
> It is a deliberate security measure to remove SSLv3 methods, and not a
> bug. The protocol is broken.

Granted those protocols are broken, but removing the calls to disable them 
means that for systems that still support them, you have no real option to 
disable them.  Its like you are pretending they never existed.  However, they 
still do in 10.x which is still supported.

> 
>> Resolution of that PR will obviously take some time.  The question at hand 
>> is what to do in the meantime. I am guessing the packages must be built on 
>> 10.x or there would be a report of the problem.  I can easily change the 
>> code, via a patch, to use SSLv23_server_method in all cases, or the 
>> preferred TLSv1_server_method.  That will eliminate the options to restrict 
>> qpopper to SSLv2 or SSLv3.  This does not appear to be an issue for those 
>> running 11.x.  However, it is for those using 10.x and earlier.  Given the 
>> security issues today, I can't imagine anyone wanting to use those options, 
>> but it is possible someone is using them.  Switching to the 
>> TLSv1_server_method will remove that capability for them.  
> 
> Use SSLv23_server_method(), and use code to block out SSLv2 + SSLv3 on
> those systems that still support them - which depends on the
> OpenSSL/LibreSSL version, however:
> Older OpenSSL and LibreSSL require SSL_OP_NO_SSLv3 and SSL_OP_NO_SSLv2
> set through ..._set_options() on the SSL or CTX,
> newer OpenSSL (1.1.0+) have ..._set_min_proto_version(..., TLS1_VERSION).

The simple approach for 11 is to use SSLv23_server_method() as it handles 
everything and no extra calls are required.  However, that doesn't work for 
10.x  Adding in all the checks you mention is a lot of development and testing 
effort.  I don't have the resources or desire to do all that.  I have not found 
a hardware system that will run 10.x.  Everything I have runs 11 just fine...

-- Doug

___
freebsd-ports@freebsd.org mailing list
https://lists.freebsd.org/mailman/listinfo/freebsd-ports
To unsubscribe, send any mail to "freebsd-ports-unsubscr...@freebsd.org"

Re: Qpopper and openssl on FreeBSD 11.x

2018-03-23 Thread Matthias Andree 
Am 17.02.2018 um 04:22 schrieb Doug Hardie:
> I have encountered an interesting situation while trying to resolve a PR on 
> qpopper.  I am unable to build qpopper on 11.1 (and probably 11.0) because 
> the openssl function SSLv3_server_method has been removed.  I can see where 
> the SSLv2 functions are disabled in ssl.h, but the SSLv3 functions appear 
> that they should be there.  nm on libssl shows they are there.  Clang's 
> linker can't link to them.  One of the qpopper users' indicates that the 
> problem does not exist on 10.4.  I believe the loss of the SSLv3 methods is a 
> bug and have filed Bug report.

It is a deliberate security measure to remove SSLv3 methods, and not a
bug. The protocol is broken.

> Resolution of that PR will obviously take some time.  The question at hand is 
> what to do in the meantime. I am guessing the packages must be built on 10.x 
> or there would be a report of the problem.  I can easily change the code, via 
> a patch, to use SSLv23_server_method in all cases, or the preferred 
> TLSv1_server_method.  That will eliminate the options to restrict qpopper to 
> SSLv2 or SSLv3.  This does not appear to be an issue for those running 11.x.  
> However, it is for those using 10.x and earlier.  Given the security issues 
> today, I can't imagine anyone wanting to use those options, but it is 
> possible someone is using them.  Switching to the TLSv1_server_method will 
> remove that capability for them.  

Use SSLv23_server_method(), and use code to block out SSLv2 + SSLv3 on
those systems that still support them - which depends on the
OpenSSL/LibreSSL version, however:
Older OpenSSL and LibreSSL require SSL_OP_NO_SSLv3 and SSL_OP_NO_SSLv2
set through ..._set_options() on the SSL or CTX,
newer OpenSSL (1.1.0+) have ..._set_min_proto_version(..., TLS1_VERSION).

___
freebsd-ports@freebsd.org mailing list
https://lists.freebsd.org/mailman/listinfo/freebsd-ports
To unsubscribe, send any mail to "freebsd-ports-unsubscr...@freebsd.org"

Qpopper and openssl on FreeBSD 11.x

2018-02-16 Thread Doug Hardie 
I have encountered an interesting situation while trying to resolve a PR on 
qpopper.  I am unable to build qpopper on 11.1 (and probably 11.0) because the 
openssl function SSLv3_server_method has been removed.  I can see where the 
SSLv2 functions are disabled in ssl.h, but the SSLv3 functions appear that they 
should be there.  nm on libssl shows they are there.  Clang's linker can't link 
to them.  One of the qpopper users' indicates that the problem does not exist 
on 10.4.  I believe the loss of the SSLv3 methods is a bug and have filed Bug 
report.

Resolution of that PR will obviously take some time.  The question at hand is 
what to do in the meantime. I am guessing the packages must be built on 10.x or 
there would be a report of the problem.  I can easily change the code, via a 
patch, to use SSLv23_server_method in all cases, or the preferred 
TLSv1_server_method.  That will eliminate the options to restrict qpopper to 
SSLv2 or SSLv3.  This does not appear to be an issue for those running 11.x.  
However, it is for those using 10.x and earlier.  Given the security issues 
today, I can't imagine anyone wanting to use those options, but it is possible 
someone is using them.  Switching to the TLSv1_server_method will remove that 
capability for them.  

-- Doug

___
freebsd-ports@freebsd.org mailing list
https://lists.freebsd.org/mailman/listinfo/freebsd-ports
To unsubscribe, send any mail to "freebsd-ports-unsubscr...@freebsd.org"