[arch-dev-public] OpenSSL 1.1.0
Pierre Schmitz
2017-01-29 20:49:51 UTC
Hi,

I'd like to propose a migration to OpenSSL 1.1. The update comes with
ABI and API changes. Every linked package needs to be rebuilt. There
will likely be broken packages. Once the protobuf* rebuild has left the
[staging] repo I would like to upload a first set of OpenSSL 1.1
packages.

I have created a todo list of packages that either have a direct
dependency on openssl or link to libssl.so.1.0.0 or libcrypto.so.1.0.0:
https://www.archlinux.org/todo/openssl-110-rebuild/

Further reading:
* https://wiki.openssl.org/index.php/1.1_API_Changes
* https://wiki.debian.org/OpenSSL-1.1
* https://lists.debian.org/debian-devel-announce/2016/11/msg00001.html
* http://pkgs.fedoraproject.org/cgit/rpms/

*) https://www.archlinux.org/todo/protobuf-320/

Greetings,

Pierre
--
Pierre Schmitz, https://pierre-schmitz.com
Giancarlo Razzolini
2017-01-29 21:43:18 UTC
Post by Pierre Schmitz
Hi,
I'd like to propose a migration to OpenSSL 1.1. The update comes with
ABI and API changes.
I don't know if it was ever discussed, but did we ever consider LibreSSL
instead? There are some distros out there already using it; I think
the most recent convert was Alpine.

I know it would be a bigger step than simply adopting OpenSSL 1.1, but I
also think it would be a better move, since we need to rebuild everything
anyway. There will be breakage in both cases, but I think there is more to
gain by switching to LibreSSL.

Cheers,
Giancarlo Razzolini
Doug Newgard
2017-01-29 22:04:38 UTC
On Sun, 29 Jan 2017 21:43:18 +0000
Post by Giancarlo Razzolini
Post by Pierre Schmitz
Hi,
I'd like to propose a migration to OpenSSL 1.1. The update comes with
ABI and API changes.
I don't know if it was ever discussed, but did we ever consider LibreSSL
instead? There are some distros out there already using it; I think
the most recent convert was Alpine.
I know it would be a bigger step than simply adopting OpenSSL 1.1, but I
also think it would be a better move, since we need to rebuild everything
anyway. There will be breakage in both cases, but I think there is more to
gain by switching to LibreSSL.
Cheers,
Giancarlo Razzolini
I haven't heard all that much from/about LibreSSL since shortly after the fork.
Care to share what advantages it would bring, and at what cost?
Giancarlo Razzolini
2017-01-29 22:30:18 UTC
Post by Doug Newgard
I haven't heard all that much from/about LibreSSL since shortly after the fork.
Care to share what advantages it would bring, and at what cost?
The cost for rebuilding everything against OpenSSL 1.1 will probably be a big one.
For LibreSSL, it would be even bigger. I think the main advantage, right away, is
that LibreSSL has a considerably better security track record, especially after their
huge flensing.

I can only dream about the bugs that might lurk on both OpenSSL 1.1 and LibreSSL.
But the defensive approach OpenBSD takes on LibreSSL already has paid off in terms
of CVEs that didn't affect it, but were high/critical issues on OpenSSL.

It would be a considerable effort, but since there will be some for 1.1, I thought
this to be the perfect opportunity for pushing an effort for LibreSSL instead.

I'm as of now searching the Void and Alpine bug trackers to learn about the issues they
faced (we should/could learn from theirs). We would probably need to bootstrap the
core tools like makepkg, pacman, curl, etc. with static OpenSSL support for a while,
to make sure users can smoothly upgrade. Otherwise, I expect LibreSSL to be as
compatible with the userland software as OpenSSL is.

Cheers,
Giancarlo Razzolini
Allan McRae
2017-01-30 03:05:56 UTC
Post by Giancarlo Razzolini
Post by Doug Newgard
I haven't heard all that much from/about LibreSSL since shortly after the fork.
Care to share what advantages it would bring, and at what cost?
The cost for rebuilding everything against OpenSSL 1.1 will probably be a big one.
For LibreSSL, it would be even bigger. I think the main advantage, right away, is
that LibreSSL has a considerably better security track record, especially after their
huge flensing.
I can only dream about the bugs that might lurk on both OpenSSL 1.1 and LibreSSL.
But the defensive approach OpenBSD takes on LibreSSL already has paid off in terms
of CVEs that didn't affect it, but were high/critical issues on OpenSSL.
Please cite one example. Every CVE I have seen that is of at least
high severity has affected both. There have been some low severity ones
only affecting openssl.

Even worse, the fix time for libressl in the couple of issues I
monitored was worse than openssl.

A
Giancarlo Razzolini
2017-01-30 13:09:20 UTC
Post by Allan McRae
Please cite one example. Every CVE I have seen that is of at least
high severity has affected both. There have been some low severity ones
only affecting openssl.
Even worse, the fix time for libressl in the couple of issues I
monitored was worse than openssl.
I don't have a ready list, but I can make one, sure. One thing I can say
is that it wasn't *every*[0] high/critical CVE that affected both libraries.

And yes, I presume fix time will be somewhat worse than OpenSSL's, because
it is a portable version of a library mainly focused on OpenBSD.

As I said, it is a suggestion for us to consider instead of going the OpenSSL 1.1
way. Both will be hard, but I think in the end we would be better off using
LibreSSL.

Cheers,
Giancarlo Razzolini

[0] https://en.wikipedia.org/wiki/LibreSSL
Pierre Schmitz
2017-02-11 08:36:23 UTC
Post by Giancarlo Razzolini
Post by Allan McRae
Please cite one example. Every CVE I have seen that is of at least
high severity has affected both. There have been some low severity ones
only affecting openssl.
Even worse, the fix time for libressl in the couple of issues I
monitored was worse than openssl.
I don't have a ready list, but I can make one, sure. One thing I can say
is that it wasn't *every*[0] high/critical CVE that affected both libraries.
And yes, I presume fix time will be somewhat worse than OpenSSL's, because
it is a portable version of a library mainly focused on OpenBSD.
As I said, it is a suggestion for us to consider instead of going the OpenSSL 1.1
way. Both will be hard, but I think in the end we would be better off using
LibreSSL.
Cheers,
Giancarlo Razzolini
[0] https://en.wikipedia.org/wiki/LibreSSL
For now I'd like to keep openssl. This might change if upstream
projects switch to libressl. ATM I do not see an objective reason
to do so. If it is a drop-in replacement a separate package could be
provided.

Greetings,

Pierre
--
Pierre Schmitz, https://pierre-schmitz.com
Giancarlo Razzolini
2017-02-12 14:25:15 UTC
Post by Pierre Schmitz
For now I'd like to keep openssl. This might change if upstream
projects switch to libressl. ATM I do not see an objective reason
to do so. If it is a drop-in replacement a separate package could be
provided.
Sure, as I said, it was just an idea. LibreSSL is mostly a drop-in replacement.
I was taking some time to analyze the Void and Alpine switch and they had some issues
that they sorted out. OpenBSD had the same issue with their ports (several patches
were sent upstream) and they detected several poor usages of the OpenSSL library.

Some of the poor usage was bad coding practices, and some was because the library
itself allowed it. I think most upstream projects won't change to LibreSSL, either
the OpenSSL-compatible one or their libtls, for lack of interest in changing the status
quo. For some projects there is also money involved, but that's another issue
entirely.

I don't know if this is a chicken-and-egg issue, because downstream doesn't switch to
LibreSSL because upstream doesn't use LibreSSL, and so on. The main reason to switch
would be better security overall. But a secondary effect of that would be to force
upstream's hand to either code properly or use a different library altogether.

If you are willing I could try to create a separate LibreSSL package, so individual
maintainers could build against either. I just don't see it being sustainable in the
long run.

Cheers,
Giancarlo Razzolini
Pierre Schmitz
2017-02-11 08:32:22 UTC
Post by Pierre Schmitz
Hi,
I'd like to propose a migration to OpenSSL 1.1. The update comes with
ABI and API changes. Every linked package needs to be rebuilt. There
will likely be broken packages. Once the protobuf* rebuild has left
the [staging] repo I would like to upload a first set of OpenSSL 1.1
packages.
I have created a todo list of packages that either have a direct
dependency on openssl or link to libssl.so.1.0.0 or
https://www.archlinux.org/todo/openssl-110-rebuild/
I will push the first set of packages to [staging]. Please avoid doing
other rebuilds until this one is done.

Greetings,

Pierre
--
Pierre Schmitz, https://pierre-schmitz.com
Christian Hesse
2017-02-23 21:29:17 UTC
Post by Pierre Schmitz
Post by Pierre Schmitz
Hi,
I'd like to propose a migration to OpenSSL 1.1. The update comes with
ABI and API changes. Every linked package needs to be rebuilt. There
will likely be broken packages. Once the protobuf* rebuild has left
the [staging] repo I would like to upload a first set of OpenSSL 1.1
packages.
I have created a todo list of packages that either have a direct
dependency on openssl or link to libssl.so.1.0.0 or
https://www.archlinux.org/todo/openssl-110-rebuild/
I will push the first set of packages to [staging]. Please avoid doing
other rebuilds until this one is done.
Are you interested in details?

I have a working version of openvpn, but it requires heavy patching. I will
wait for version 2.4.1, which has a lot of preparation (and with some luck is
ported completely). Will push an openssl rebuild then.
If anybody is interested... raise your hands and let me know; I can provide
packages for testing.

Mariadb is still unsolved. There is a ticket in upstream jira [0] but it does
not carry anything useful. There's a reference for a review, but I could not
find the patch in mail archive. Will try to contact the developers and
express our interest...

Mupdf is a burden to maintain due to its build system, bundled libraries and
static linking. Looks like upstream is not yet interested in openssl 1.1.0...
As I do not use it currently this will move to [community] if no one
steps up.

[0] https://jira.mariadb.org/browse/MDEV-10332
--
main(a){char*c=/* Schoene Gruesse */"B?IJj;MEH"
"CX:;",b;for(a/* Best regards my address: */=0;b=c[a++];)
putchar(b-1/(/* Chris cc -ox -xc - && ./x */b/42*2-3)*42);}
Antonio Rojas
2017-02-23 21:42:25 UTC
Post by Christian Hesse
Mariadb is still unsolved. There is a ticket in upstream jira [0] but it
does not carry anything useful. There's a reference for a review, but I
could not find the patch in mail archive. Will try to contact the
developers and express our interest...
In the meantime, is temporarily switching to internal yassl (as Debian
does) an option? This is blocking all Qt rebuilds (which will also be a
pain themselves), so it would be nice to have a build in staging soonish.
Christian Hesse
2017-02-24 12:37:25 UTC
Post by Antonio Rojas
Post by Christian Hesse
Mariadb is still unsolved. There is a ticket in upstream jira [0] but it
does not carry anything useful. There's a reference for a review, but I
could not find the patch in mail archive. Will try to contact the
developers and express our interest...
In the meantime, is temporarily switching to internal yassl (as Debian
does) an option? This is blocking all Qt rebuilds (which will also be a
pain themselves), so it would be nice to have a build in staging soonish.
Ah, did not know this is a huge blocker. I will try.
--
main(a){char*c=/* Schoene Gruesse */"B?IJj;MEH"
"CX:;",b;for(a/* Best regards my address: */=0;b=c[a++];)
putchar(b-1/(/* Chris cc -ox -xc - && ./x */b/42*2-3)*42);}
Christian Hesse
2017-02-24 13:20:17 UTC
Post by Christian Hesse
Post by Antonio Rojas
Post by Christian Hesse
Mariadb is still unsolved. There is a ticket in upstream jira [0] but it
does not carry anything useful. There's a reference for a review, but I
could not find the patch in mail archive. Will try to contact the
developers and express our interest...
In the meantime, is temporarily switching to internal yassl (as Debian
does) an option? This is blocking all Qt rebuilds (which will also be a
pain themselves), so it would be nice to have a build in staging soonish.
Ah, did not know this is a huge blocker. I will try.
I pushed mariadb 10.1.21-2 to [testing]. Please give it a try...
--
main(a){char*c=/* Schoene Gruesse */"B?IJj;MEH"
"CX:;",b;for(a/* Best regards my address: */=0;b=c[a++];)
putchar(b-1/(/* Chris cc -ox -xc - && ./x */b/42*2-3)*42);}
Baptiste Jonglez
2017-02-23 22:36:46 UTC
Post by Christian Hesse
Post by Pierre Schmitz
I will push the first set of packages to [staging]. Please avoid doing
other rebuilds until this one is done.
Are you interested in details?
FWIW, Debian stretch has openssl 1.1.0, so I guess they had to adapt lots
of packages.
Post by Christian Hesse
Mariadb is still unsolved. There is a ticket in upstream jira [0] but it does
not carry anything useful. There's a reference for a review, but I could not
find the patch in mail archive. Will try to contact the developers and
express our interest...
The debian package uses `-DWITH_SSL=bundled` [1] to avoid linking with the
system-wide openssl. Not a great solution, though.
Post by Christian Hesse
Mupdf is a burden to maintain due to its build system, bundled libraries and
static linking. Looks like upstream is not yet interested in openssl 1.1.0...
As I do not use it currently this will move to [community] if no one
steps up.
Can't you just drop the dependency on openssl? What is it used for?
As far as I can tell, Debian does not build mupdf against openssl:

***@stretch:~# apt show mupdf
Package: mupdf
Version: 1.9a+ds1-4
Depends: libc6 (>= 2.15), libfreetype6 (>= 2.6), libharfbuzz0b (>= 0.9.11), libjbig2dec0 (>= 0.11), libjpeg62-turbo (>= 1.3.1), libopenjp2-7 (>= 2.0.0), libx11-6, libxext6, zlib1g (>= 1:1.2.0)
***@stretch:~# ldd /usr/lib/mupdf/mupdf-x11 | grep ssl
***@stretch:~# ldd /usr/lib/mupdf/mupdf-x11 | grep crypto
***@stretch:~#

I just tested building the package without openssl support (I had to patch
out references to openssl and libcrypto from Makerules, since openssl is
part of the base chroot when building), and it seems to work fine.

Baptiste

[1] https://packages.debian.org/stretch/libmariadbclient18
Christian Hesse
2017-02-24 13:56:51 UTC
Post by Baptiste Jonglez
Post by Christian Hesse
Mupdf is a burden to maintain due to its build system, bundled libraries and
static linking. Looks like upstream is not yet interested in openssl
1.1.0... As I do not use it currently this will move to [community] if no
one steps up.
Can't you just drop the dependency on openssl? What is it used for?
Just did that and pushed to [community-testing].

With mupdf linked against openssl you have support for PKCS#7 which is used
for digital signatures in PDF documents.
--
main(a){char*c=/* Schoene Gruesse */"B?IJj;MEH"
"CX:;",b;for(a/* Best regards my address: */=0;b=c[a++];)
putchar(b-1/(/* Chris cc -ox -xc - && ./x */b/42*2-3)*42);}
Christian Hesse
2017-02-25 19:16:03 UTC
Post by Christian Hesse
I have a working version of openvpn, but it requires heavy patching. I will
wait for version 2.4.1, which has a lot of preparation (and with some luck is
ported completely). Will push an openssl rebuild then.
If anybody is interested... raise your hands and let me know; I can provide
packages for testing.
I am not sure about the amount of spare time I will have in about two weeks.
So I decided to push the patches now...
--
main(a){char*c=/* Schoene Gruesse */"B?IJj;MEH"
"CX:;",b;for(a/* Best regards my address: */=0;b=c[a++];)
putchar(b-1/(/* Chris cc -ox -xc - && ./x */b/42*2-3)*42);}
Sébastien Luttringer
2017-04-22 16:05:27 UTC
Post by Pierre Schmitz
Hi,
I'd like to propose a migration to OpenSSL 1.1. The update comes with
ABI and API changes. Every linked package needs to be rebuilt. There
will likely be broken packages. Once the protobuf* rebuild has left
the [staging] repo I would like to upload a first set of OpenSSL 1.1
packages.
I have created a todo list of packages that either have a direct
dependency on openssl or link to libssl.so.1.0.0 or
  https://www.archlinux.org/todo/openssl-110-rebuild/
I will push the first set of packages to [staging]. Please avoid doing 
other rebuilds until this one is done.
Greetings,
Pierre
When do you plan to move the openssl rebuild out of testing?

Cheers,


-- 
Sébastien "Seblu" Luttringer
Gaetan Bisson
2017-04-22 22:07:08 UTC
Post by Sébastien Luttringer
When do you plan to move the openssl rebuild out of testing?
Quoting arojas on IRC:

2017-04-20 09:11:27 arojas: current blocker for openssl is FS#53618
2017-04-20 09:11:47 arojas: someone needs to decide whether we care about it or not, and if yes do something to fix it
--
Gaetan
Allan McRae
2017-04-23 01:30:41 UTC
Post by Gaetan Bisson
Post by Sébastien Luttringer
When do you plan to move the openssl rebuild out of testing?
2017-04-20 09:11:27 arojas: current blocker for openssl is FS#53618
2017-04-20 09:11:47 arojas: someone needs to decide whether we care about it or not, and if yes do something to fix it
Given there is a workaround, a news item should be posted and we should
stop blocking the entire distribution with this rebuild.

Allan
Pierre Schmitz
2017-04-23 07:46:06 UTC
Post by Allan McRae
Post by Gaetan Bisson
Post by Sébastien Luttringer
When do you plan to move the openssl rebuild out of testing?
2017-04-20 09:11:27 arojas: current blocker for openssl is FS#53618
2017-04-20 09:11:47 arojas: someone needs to decide whether we care
about it or not, and if yes do something to fix it
Given there is a workaround, a news item should be posted and we should
stop blocking the entire distribution with this rebuild.
Allan
This is fine by me. I cannot reproduce the error with Steam. See my
comment at https://bugs.archlinux.org/task/53618. Does anybody have more
input on this? Even if games try to access the system library rather
than the Steam ones, this is more of a game or Steam bug.

Pierre
--
Pierre Schmitz, https://pierre-schmitz.com
Lukas Fleischer
2017-03-02 06:05:44 UTC
Post by Pierre Schmitz
I'd like to propose a migration to OpenSSL 1.1. The update comes with
ABI and API changes. Every linked package needs to be rebuilt. There
will likely be broken packages. Once the protobuf* rebuild has left the
[staging] repo I would like to upload a first set of OpenSSL 1.1
packages.
What is the plan for packages where upstream is dead or reluctant to
migrate to OpenSSL 1.1.0 (see e.g. [1])? Are we going to ship a legacy
openssl-compat (or libressl) package for a while?

Regards,
Lukas

[1] https://github.com/OpenSMTPD/OpenSMTPD/issues/738
Lukas Fleischer
2017-03-02 19:06:52 UTC
Post by Lukas Fleischer
What is the plan for packages where upstream is dead or reluctant to
migrate to OpenSSL 1.1.0 (see e.g. [1])? Are we going to ship a legacy
openssl-compat (or libressl) package for a while?
It seems like there already is an openssl-1.0 package [1]. This makes
everything much easier. Thanks.

[1] https://www.archlinux.org/packages/?q=openssl-1.0
Jan de Groot
2017-03-02 22:05:39 UTC
Post by Lukas Fleischer
Post by Lukas Fleischer
What is the plan for packages where upstream is dead or reluctant to
migrate to OpenSSL 1.1.0 (see e.g. [1])? Are we going to ship a legacy
openssl-compat (or libressl) package for a while?
It seems like there already is an openssl-1.0 package [1]. This makes
everything much easier. Thanks.
[1] https://www.archlinux.org/packages/?q=openssl-1.0
To use this package you need to set
PKG_CONFIG_PATH=/usr/lib/openssl-1.0/pkgconfig. If your package doesn't use
PKG_CONFIG_PATH to look for openssl you'll have to manually add
-I/usr/include/openssl-1.0 to CFLAGS and -L/usr/lib/openssl-1.0 to LDFLAGS.

Also, make sure that your resulting package uses the correct library.
You don't want to link to two different versions of OpenSSL. An example
where this happens is ptlib/opal: Opal will happily compile against
OpenSSL 1.1 while ptlib is compiled against 1.0 if no changes are made
to opal.
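As an added example (not code from the thread, from Arch, or from any package mentioned in it), here is a POSIX shell script that implements the check Jan describes, and generalizes the ldd grep Baptiste ran on Debian's mupdf: it scans ldd output for libssl/libcrypto sonames and flags any binary, or every file of an installed package, that resolves more than one OpenSSL generation at once. The ldd output embedded below is constructed, not captured from a real package; `check_package` assumes pacman's `-Qlq` file listing, and the script assumes the soname scheme of the time (libssl.so.1.0.0/libcrypto.so.1.0.0 for 1.0, libssl.so.1.1/libcrypto.so.1.1 for 1.1.0).

```shell
#!/bin/sh
# Added example (not from the thread or any Arch package): detect binaries that
# pull in more than one OpenSSL generation at once, the mixed-linking situation
# Jan warns about. Assumes the sonames libssl.so.1.0.0/libcrypto.so.1.0.0 for
# OpenSSL 1.0 and libssl.so.1.1/libcrypto.so.1.1 for OpenSSL 1.1.0.

# Constructed sample ldd output (not captured from a real package): the binary
# itself links OpenSSL 1.1, while a dependency "libdep" drags in OpenSSL 1.0.
SAMPLE_MIXED='    linux-vdso.so.1 (0x00007ffd00000000)
    libssl.so.1.1 => /usr/lib/libssl.so.1.1 (0x00007f0000000001)
    libcrypto.so.1.1 => /usr/lib/libcrypto.so.1.1 (0x00007f0000000002)
    libdep.so.1 => /usr/lib/libdep.so.1 (0x00007f0000000003)
    libssl.so.1.0.0 => /usr/lib/openssl-1.0/libssl.so.1.0.0 (0x00007f0000000004)
    libcrypto.so.1.0.0 => /usr/lib/openssl-1.0/libcrypto.so.1.0.0 (0x00007f0000000005)
    libc.so.6 => /usr/lib/libc.so.6 (0x00007f0000000006)'

# Constructed sample of a clean rebuild: only the 1.1 generation appears.
SAMPLE_CLEAN='    libssl.so.1.1 => /usr/lib/libssl.so.1.1 (0x00007f0000000001)
    libcrypto.so.1.1 => /usr/lib/libcrypto.so.1.1 (0x00007f0000000002)
    libc.so.6 => /usr/lib/libc.so.6 (0x00007f0000000006)'

# openssl_generations: read ldd-style lines on stdin and print each OpenSSL
# generation ("1.0", "1.1", ...) referenced by libssl or libcrypto, sorted, unique.
openssl_generations() {
    sed -n \
        -e 's/^[[:space:]]*libssl\.so\.\([0-9][0-9]*\.[0-9][0-9]*\).*/\1/p' \
        -e 's/^[[:space:]]*libcrypto\.so\.\([0-9][0-9]*\.[0-9][0-9]*\).*/\1/p' \
    | sort -u
}

# count_generations: number of distinct generations in the ldd output passed as $1.
# 0 = no OpenSSL at all, 1 = consistent, 2 or more = mixed linking.
count_generations() {
    printf '%s\n' "$1" | openssl_generations | wc -l | tr -d ' '
}

# check_binary: run ldd on a real file; print a MIXED line and return 1 when more
# than one generation is resolved. ldd may execute the loader of the file it
# inspects, so only point it at packages you built yourself.
check_binary() {
    out=$(ldd "$1" 2>/dev/null) || return 0   # not a dynamic ELF object: nothing to check
    if [ "$(count_generations "$out")" -gt 1 ]; then
        printf 'MIXED %s: %s\n' "$1" \
            "$(printf '%s\n' "$out" | openssl_generations | tr '\n' ' ')"
        return 1
    fi
    return 0
}

# check_package: check every regular file owned by an installed pacman package
# (file names containing whitespace are not handled by this simple loop).
check_package() {
    status=0
    for f in $(pacman -Qlq "$1"); do
        [ -f "$f" ] || continue
        check_binary "$f" || status=1
    done
    return $status
}

# With package names as arguments, check them; without, demonstrate on the sample.
if [ $# -eq 0 ]; then
    printf 'sample: %s distinct OpenSSL generation(s): %s\n' \
        "$(count_generations "$SAMPLE_MIXED")" \
        "$(printf '%s\n' "$SAMPLE_MIXED" | openssl_generations | tr '\n' ' ')"
else
    for p in "$@"; do check_package "$p"; done
fi
```

Run it as `sh check-openssl.sh opal ptlib` after installing the rebuilt packages; a MIXED line names the file and the generations it resolves, which is exactly the ptlib/opal situation above. Because ldd follows transitive dependencies, it catches the case where the package itself was built against the right headers but a library it depends on was not, which `readelf -d` on the package's own files alone would miss.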
Lukas Fleischer
2017-03-25 12:46:31 UTC
Hi,

I just moved the OpenSSL 1.1.0 and libgit2 0.25 rebuilds to [testing].
Please report issues to the bug tracker.

Regards,
Lukas
Jerome Leclanche
2017-03-25 12:50:43 UTC
On Sat, Mar 25, 2017 at 2:46 PM, Lukas Fleischer
Post by Lukas Fleischer
Hi,
I just moved the OpenSSL 1.1.0 and libgit2 0.25 rebuilds to [testing].
Please report issues to the bug tracker.
Regards,
Lukas
Heads up, uwsgi breaks with OpenSSL 1.1:
https://github.com/unbit/uwsgi/issues/1395

This is fixed in uwsgi 2.0.15, which is not released yet (cf. comments).
J. Leclanche
Bartłomiej Piotrowski
2017-03-25 21:53:27 UTC
Post by Jerome Leclanche
On Sat, Mar 25, 2017 at 2:46 PM, Lukas Fleischer
Post by Lukas Fleischer
Hi,
I just moved the OpenSSL 1.1.0 and libgit2 0.25 rebuilds to [testing].
Please report issues to the bug tracker.
Regards,
Lukas
https://github.com/unbit/uwsgi/issues/1395
This is fixed in uwsgi 2.0.15, which is not released yet (cf. comments).
J. Leclanche
Unless I missed something, we backported the patch that makes it work
with the latest OpenSSL. Otherwise we wouldn't have moved the rebuild from staging…