Re: [openssl-users] Checksum for openssl-1.0.2p download
On 13/09/2018 03:24, Michael Wojcik wrote: From: openssl-users [mailto:openssl-users-boun...@openssl.org] On Behalf Of Jakob Bohm Sent: Wednesday, September 12, 2018 17:18 Testing your OpenSSL download with the HTTPS security bites its own tail, especially if your download tool uses an (older) version of OpenSSL to check the connection. And as I noted in my previous email, the HTTPS PKI is rubbish. Historically there have been numerous successful attacks on it, even in modes that do not involve user intervention. It's better than nothing, but checking the PGP signature is defense in depth that does not rely solely on the integrity of the HTTPS PKI. But unless you have an established personal list of GPG/PGP keys you have checked against their holders in person yourself, checking the HTTPS certificate of the OpenSSL.org web server is pretty much all you can do to distinguish between a genuine and a fake first time OpenSSL download (signatures on later downloads can be compared to previous downloadsfor some degree of signature consistency). There are plenty of other channels that can be used to validate the PGP public key used to confirm the signature of the OpenSSL tarball. None of them are secure in themselves, but by using multiple channels, the defender greatly increases the attacker's work factor and risk of discovery. That's the whole point of defense in depth. It's not hard to learn how to install an OpenPGP implementation (most likely gpg) and use it to verify a detached signature. There are many tutorials available online. I don't think a lack of experience with PGP or gpg is a valid excuse for not validating the signature. Of cause some real knowledge is needed to not use the OpenSSL source code incorrectly, unless you are merely compiling other peoples software exactly as instructed. Yes. And this is a much more likely source of problems than a counterfeit OpenSSL distribution. To make it clear, I am very experienced and do in fact check the gpg signature if possible. I was trying to give good advice to the OP based on my experience checking the only ways that the OpenSSL foundation provides. The OpenPGP/GPG key servers that you suggested, by design, accept any made up key identity and thus provide no indication of validity, so just downloading the key from there is a non-solution to the problem of bootstrapping trust in someones first OpenSSL download. To my knowledge the only ways to check that the .asc file was signed with an authorized release key are: A) Trusting that the HTTPS connection to the download server is uncompromised, essentially treating at least the first such signature as a glorified .sha256 file. B) Checking doc/fingerprints.txt in the previous tarball and hoping the OpenSSL foundation double checks the correctness of that file before signing a new tarball. C) Using the text (BUT NOT THE INSECURE LINKS) on https://www.openssl.org/community/omc.html But this lists some unauthorized keys, and also relies on that same HTTPS certificate. Enjoy Jakob -- Jakob Bohm, CIO, Partner, WiseMo A/S. https://www.wisemo.com Transformervej 29, 2860 Søborg, Denmark. Direct +45 31 13 16 10 This public discussion message is non-binding and may contain errors. WiseMo - Remote Service Management for PCs, Phones and Embedded -- openssl-users mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
Re: [openssl-users] Checksum for openssl-1.0.2p download
> From: openssl-users [mailto:openssl-users-boun...@openssl.org] On Behalf > Of Jakob Bohm > Sent: Wednesday, September 12, 2018 17:18 > > Testing your OpenSSL download with the HTTPS security bites its > own tail, especially if your download tool uses an (older) version > of OpenSSL to check the connection. And as I noted in my previous email, the HTTPS PKI is rubbish. Historically there have been numerous successful attacks on it, even in modes that do not involve user intervention. It's better than nothing, but checking the PGP signature is defense in depth that does not rely solely on the integrity of the HTTPS PKI. > But unless you have an established personal list of GPG/PGP keys > you have checked against their holders in person yourself, checking > the HTTPS certificate of the OpenSSL.org web server is pretty much > all you can do to distinguish between a genuine and a fake first time > OpenSSL download (signatures on later downloads can be compared to > previous downloadsfor some degree of signature consistency). There are plenty of other channels that can be used to validate the PGP public key used to confirm the signature of the OpenSSL tarball. None of them are secure in themselves, but by using multiple channels, the defender greatly increases the attacker's work factor and risk of discovery. That's the whole point of defense in depth. It's not hard to learn how to install an OpenPGP implementation (most likely gpg) and use it to verify a detached signature. There are many tutorials available online. I don't think a lack of experience with PGP or gpg is a valid excuse for not validating the signature. > Of cause some real knowledge is needed to not use the OpenSSL source > code incorrectly, unless you are merely compiling other peoples > software exactly as instructed. Yes. And this is a much more likely source of problems than a counterfeit OpenSSL distribution. -- Michael Wojcik Distinguished Engineer, Micro Focus -- openssl-users mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
Re: [openssl-users] Checksum for openssl-1.0.2p download
(Top posting to avoid zig-zag) Testing your OpenSSL download with the HTTPS security bites its own tail, especially if your download tool uses an (older) version of OpenSSL to check the connection. But unless you have an established personal list of GPG/PGP keys you have checked against their holders in person yourself, checking the HTTPS certificate of the OpenSSL.org web server is pretty much all you can do to distinguish between a genuine and a fake first time OpenSSL download (signatures on later downloads can be compared to previous downloadsfor some degree of signature consistency). Of cause some real knowledge is needed to not use the OpenSSL source code incorrectly, unless you are merely compiling other peoples software exactly as instructed. Personally, I would prefer if there also was a detached CMS signature with an EV software signing certificate independently validated as belonging to the real OpenSSL foundation. On 12/09/2018 22:56, Chris Outwin wrote: Thank you very much for your helpful reply. I’m a graphics programmer with no experience in PGP. The shell script I have calls: OPENSSL_ARCHIVE_URL="https://www.openssl.org/source/old/${BRANCH}/${OPENSSL_ARCHIVE_FILE_NAME}” in the process of downloading OpenSSL for use in building an iOS static implementation. Does https have a reasonable level of security? I believe I can include a block of code in the script to do a checksum. On Sep 12, 2018, at 1:42 PM, Michael Wojcik wrote: From: openssl-users [mailto:openssl-users-boun...@openssl.org] On Behalf Of Matt Caswell Sent: Wednesday, September 12, 2018 14:29 On 12/09/18 19:24, Chris Outwin wrote: I’m an OpenSSL newbie and this is my first post. I’m using OpenSSL for receipt validation in an iOS application. Is there a list of checksums to verify openssl download versions? Next to each download on the website there are links for SHA256/PGP/SHA1 checksums. https://www.openssl.org/source/ I'd strongly recommend verifying the PGP (OpenPGP, gpg) signature on the tarball. The signature files are right there alongside the tarballs. If you're new to gpg (or whatever OpenPGP implementation of your choice), there's a bit of learning and setup to do: you'll need to fetch the appropriate key from a public keyserver or other trustworthy (-ish) source to fully verify the signature, and you'll probably want to mark the key as trusted so the output from gpg is clear. But once you've done that, it's very easy to verify the signature, and to automate the process if you prefer. And the signatures add a bit of defense-in-depth because publishing a tampered-with tarball would require subverting the private key as well as to the OpenSSL web server. (If you're just checking the SHA256 hash, an attacker could either get access to the OpenSSL web server, or force you to a counterfeit server, for example via DNS cache poisoning. And due to the systemic brokenness of the web PKI, it's pretty easy to fool a lot of people with a counterfeit server.) So do the work now to set yourself up for verifying the signature, and inculcate a good habit. Enjoy Jakob -- Jakob Bohm, CIO, Partner, WiseMo A/S. https://www.wisemo.com Transformervej 29, 2860 Søborg, Denmark. Direct +45 31 13 16 10 This public discussion message is non-binding and may contain errors. WiseMo - Remote Service Management for PCs, Phones and Embedded -- openssl-users mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
Re: [openssl-users] Checksum for openssl-1.0.2p download
Thank you very much for your helpful reply. I’m a graphics programmer with no experience in PGP. The shell script I have calls: OPENSSL_ARCHIVE_URL="https://www.openssl.org/source/old/${BRANCH}/${OPENSSL_ARCHIVE_FILE_NAME}” in the process of downloading OpenSSL for use in building an iOS static implementation. Does https have a reasonable level of security? I believe I can include a block of code in the script to do a checksum. > On Sep 12, 2018, at 1:42 PM, Michael Wojcik > wrote: > >> From: openssl-users [mailto:openssl-users-boun...@openssl.org] On Behalf >> Of Matt Caswell >> Sent: Wednesday, September 12, 2018 14:29 >> >> On 12/09/18 19:24, Chris Outwin wrote: >>> I’m an OpenSSL newbie and this is my first post. I’m using OpenSSL for >> receipt validation in an iOS application. >>> >>> Is there a list of checksums to verify openssl download versions? >> >> Next to each download on the website there are links for SHA256/PGP/SHA1 >> checksums. >> >> https://www.openssl.org/source/ > > I'd strongly recommend verifying the PGP (OpenPGP, gpg) signature on the > tarball. The signature files are right there alongside the tarballs. > > If you're new to gpg (or whatever OpenPGP implementation of your choice), > there's a bit of learning and setup to do: you'll need to fetch the > appropriate key from a public keyserver or other trustworthy (-ish) source to > fully verify the signature, and you'll probably want to mark the key as > trusted so the output from gpg is clear. > > But once you've done that, it's very easy to verify the signature, and to > automate the process if you prefer. And the signatures add a bit of > defense-in-depth because publishing a tampered-with tarball would require > subverting the private key as well as to the OpenSSL web server. (If you're > just checking the SHA256 hash, an attacker could either get access to the > OpenSSL web server, or force you to a counterfeit server, for example via DNS > cache poisoning. And due to the systemic brokenness of the web PKI, it's > pretty easy to fool a lot of people with a counterfeit server.) > > So do the work now to set yourself up for verifying the signature, and > inculcate a good habit. > > -- > Michael Wojcik > Distinguished Engineer, Micro Focus > > -- > openssl-users mailing list > To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users -- openssl-users mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
Re: [openssl-users] Checksum for openssl-1.0.2p download
> From: openssl-users [mailto:openssl-users-boun...@openssl.org] On Behalf > Of Matt Caswell > Sent: Wednesday, September 12, 2018 14:29 > > On 12/09/18 19:24, Chris Outwin wrote: > > I’m an OpenSSL newbie and this is my first post. I’m using OpenSSL for > receipt validation in an iOS application. > > > > Is there a list of checksums to verify openssl download versions? > > Next to each download on the website there are links for SHA256/PGP/SHA1 > checksums. > > https://www.openssl.org/source/ I'd strongly recommend verifying the PGP (OpenPGP, gpg) signature on the tarball. The signature files are right there alongside the tarballs. If you're new to gpg (or whatever OpenPGP implementation of your choice), there's a bit of learning and setup to do: you'll need to fetch the appropriate key from a public keyserver or other trustworthy (-ish) source to fully verify the signature, and you'll probably want to mark the key as trusted so the output from gpg is clear. But once you've done that, it's very easy to verify the signature, and to automate the process if you prefer. And the signatures add a bit of defense-in-depth because publishing a tampered-with tarball would require subverting the private key as well as to the OpenSSL web server. (If you're just checking the SHA256 hash, an attacker could either get access to the OpenSSL web server, or force you to a counterfeit server, for example via DNS cache poisoning. And due to the systemic brokenness of the web PKI, it's pretty easy to fool a lot of people with a counterfeit server.) So do the work now to set yourself up for verifying the signature, and inculcate a good habit. -- Michael Wojcik Distinguished Engineer, Micro Focus -- openssl-users mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
Re: [openssl-users] Checksum for openssl-1.0.2p download
On 12/09/18 19:24, Chris Outwin wrote: > I’m an OpenSSL newbie and this is my first post. I’m using OpenSSL for > receipt validation in an iOS application. > > Is there a list of checksums to verify openssl download versions? Next to each download on the website there are links for SHA256/PGP/SHA1 checksums. https://www.openssl.org/source/ > I believe I should be using openssl-1.0.2p. Can openssl-1.1.1 be used in a > production application yet? Yes. The final version was released earlier this week. > Why doesn’t openssl-1.1.1 end with a letter of the alphabet? 1.1.1 is the first production release of the 1.1.1 series. The next time we issue a bug and/or security fix version it will be 1.1.1a. The one after that 1.1.1b, and so on. Matt -- openssl-users mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
[openssl-users] Checksum for openssl-1.0.2p download
I’m an OpenSSL newbie and this is my first post. I’m using OpenSSL for receipt validation in an iOS application. Is there a list of checksums to verify openssl download versions? I believe I should be using openssl-1.0.2p. Can openssl-1.1.1 be used in a production application yet? Why doesn’t openssl-1.1.1 end with a letter of the alphabet? Thank you very much. -- openssl-users mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users