Re: [Openvpn-devel] build against openssl 1.1.0
On Friday, 17 February 2017 18:18:27 CEST David Sommerseth wrote: > On 17/02/17 17:35, Emmanuel Deloget wrote: > > I understand that I'm the new guy in town, but can you allow me to > > make the formal request to ditch OpenSSL 0.9.8, 1.0.0 and 1.0.1 and > > require at least version 1.0.2? > > So to the RHEL releases and the OpenSSL versions. RHEL 5 ships with > openssl-0.9.8e. Both RHEL 6 and RHEL 7 ships with openssl-1.0.1e. > > The way Red Hat releases works is that versions are close to never > rebased, at least not core libraries such as OpenSSL. Both core libraries and non-core libraries are rebased in RHEL. Case in point, RHEL 6 originally shipped with openssl-1.0.0[1]. But rebases to releases that are ABI incompatible happen only to packages that are explicitly excluded[2] from ABI guarantee. OpenSSL is not one of such packages. For obvious reasons, I hope. > But Red Hat > employs a lot of users to ensure all packages they distribute is secure > and maintained. That means that security and important bug fixes will > be backported from newer OpenSSL releases to the openssl-1.0.1e > baseline. And this happens for the whole life cycle of each major release. Correct[3]. > Sometimes even features are backported as well. Unfortunately because RHEL-6 is currently in Production Phase 2, soon entering Phase 3, providing new feature like openssl-1.0.2 would be an exception[4]. > But I have gotten > fairly clear signals that TLSv1.3 from openssl-1.1 will not be > backported, as the code has changed too much since the 1.0.1 baseline. > But I would be surprised if a future RHEL 8 does not ship with openssl-1.1.x Well, openssl-1.1.0 is already available for Fedora rawhide :) (Hope I don't sound too much like a markedroid, but I appreciate the support for RHEL you provide so I wanted to let you know exactly where everything is, the least I can do) 1 - http://vault.centos.org/6.0/os/x86_64/Packages/ openssl-1.0.0-4.el6.x86_64.rpm 2 - https://access.redhat.com/articles/rhel-abi-compatibility 3 - https://access.redhat.com/security/updates/backporting 4 - https://access.redhat.com/support/policy/updates/errata -- Regards, Hubert Kario Senior Quality Engineer, QE BaseOS Security team Web: www.cz.redhat.com Red Hat Czech s.r.o., Purkyňova 99/71, 612 45, Brno, Czech Republic signature.asc Description: This is a digitally signed message part. -- Check out the vibrant tech community on one of the world's most engaging tech sites, Slashdot.org! http://sdm.link/slashdot___ Openvpn-devel mailing list Openvpn-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-devel
Re: [Openvpn-devel] fuzz testing by google ?
On Wednesday, 7 December 2016 13:04:30 CET Gert Doering wrote: > Hi, > > On Wed, Dec 07, 2016 at 04:51:36PM +0500, ?? wrote: > > it used to crash on simple tcp connect (after immediate disconnect), it > > was > > reproducible to running login/password authentication mode > > > > it might have been caught by fuzz testing. > > I should point out that this was not a "crash" but an "openvpn detects > invalid input and ASSERT()s out -> well-defined program exit". > > Not exactly *friendly* behaviour (and stupid, in this case), but not > a *crash*. > > But that's exactly why fuzzing openvpn is hard: we detect bad stuff, and > in doubt, we ASSERT() - which is well-defined behaviour, not "crashing > randomly, possibly in a way that can be exploited to get access to > security critical bits" It still results in a denial of service. Yes, far less severe than private key leak or remote code execution, but a severe vulnerability none the less. -- Regards, Hubert Kario Senior Quality Engineer, QE BaseOS Security team Web: www.cz.redhat.com Red Hat Czech s.r.o., Purkyňova 99/71, 612 45, Brno, Czech Republic signature.asc Description: This is a digitally signed message part. -- Check out the vibrant tech community on one of the world's most engaging tech sites, SlashDot.org! http://sdm.link/slashdot___ Openvpn-devel mailing list Openvpn-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-devel
[Openvpn-devel] [PATCH 1/2] ocsp_check - signature verification and cert staus results are separate
when openssl returns result of parsing and verification of the OCSP response, the signature verification is separate from the certificate status, as such it's necessary to check both of them. Otherwise results like: Response Verify Failure 140170966779776:error:27069076:OCSP routines:OCSP_basic_verify:signer certificate not found:ocsp_vfy.c:85: ca/cert.pem: good This Update: Sep 23 12:12:28 2014 GMT will be accepted as being trustworthy. Note that "Response verify OK" is printed on stderr, so it can't be discarded. Signed-off-by: Hubert Kario --- contrib/OCSP_check/OCSP_check.sh | 9 ++--- 1 file changed, 6 insertions(+), 3 deletions(-) diff --git a/contrib/OCSP_check/OCSP_check.sh b/contrib/OCSP_check/OCSP_check.sh index 553c3dc..ce7ec04 100644 --- a/contrib/OCSP_check/OCSP_check.sh +++ b/contrib/OCSP_check/OCSP_check.sh @@ -97,12 +97,15 @@ if [ $check_depth -eq -1 ] || [ $cur_depth -eq $check_depth ]; then "$nonce" \ -CAfile "$verify" \ -url "$ocsp_url" \ --serial "${serial}" 2>/dev/null) +-serial "${serial}" 2>&1) if [ $? -eq 0 ]; then - # check that it's good + # check that the reported status of certificate is ok if echo "$status" | grep -Fq "^${serial}: good"; then -exit 0 +# check if signature on the OCSP response verified correctly +if echo "$status" | grep -Fq "^Response verify OK"; then +exit 0 +fi fi fi fi -- 1.9.3
[Openvpn-devel] [PATCH 2/2] ocsp_check - double check if ocsp didn't report any errors in execution
in case the reposnses are too old, ocsp tool can return text like this: Response verify OK ca/cert.pem: WARNING: Status times invalid. 139990703290240:error:2707307D:OCSP routines:OCSP_check_validity:status expired:ocsp_cl.c:358: good This Update: Sep 21 12:12:48 2014 GMT Next Update: Sep 22 12:12:48 2014 GMT light change in buffering can cause "verify OK" and "ca/cert.pem: good" to be placed in a way that matching will be valid --- contrib/OCSP_check/OCSP_check.sh | 4 1 file changed, 4 insertions(+) diff --git a/contrib/OCSP_check/OCSP_check.sh b/contrib/OCSP_check/OCSP_check.sh index ce7ec04..6876c6d 100644 --- a/contrib/OCSP_check/OCSP_check.sh +++ b/contrib/OCSP_check/OCSP_check.sh @@ -100,6 +100,10 @@ if [ $check_depth -eq -1 ] || [ $cur_depth -eq $check_depth ]; then -serial "${serial}" 2>&1) if [ $? -eq 0 ]; then + # check if ocsp didn't report any errors + if echo "$status" | grep -Eq "(error|fail)"; then + exit 1 + fi # check that the reported status of certificate is ok if echo "$status" | grep -Fq "^${serial}: good"; then # check if signature on the OCSP response verified correctly -- 1.9.3
[Openvpn-devel] OCSP_check.sh fixup
There are few serious issues with the OCSP_check.sh script: 1. It will accept OCSP responses with bad signatures 2. It may accept OCSP old responses as currently valid detailed description on bug tracker: https://community.openvpn.net/openvpn/ticket/450#ticket Pull request with fixes: https://github.com/OpenVPN/openvpn/pull/17 -- Regards, Hubert Kario Quality Engineer, QE BaseOS Security team Email: hka...@redhat.com Web: www.cz.redhat.com Red Hat Czech s.r.o., Purkyňova 99/71, 612 45, Brno, Czech Republic