[alpine-devel] Switching back to OpenSSL

Natanael Copa
Message ID: <20181011171746.4c01f758@ncopa-desktop.copa.dup.pw>
Sender timestamp: 1539271066
Hi,

Are there any good reasons to not switch back to OpenSSL for v3.9?

Some reasons why I think we should switch back to OpenSSL:
- better upstream support from projects
- To my understanding, various issues in OpenSSL that made us
  switch to libressl have been resolved (for example memory management).
- libressl failed to retain compatibility with OpenSSL
- libressl breaks ABI every 6 months, OpenSSL does not
- FIPS support

Some reasons why we may continue with libressl may be:
- it's smaller
- has fewer CVEs (due to their approach to remove stuff)
- libtls

Previous thread on the issue:
http://lists.alpinelinux.org/alpine-devel/6073.html


-nc


---
Unsubscribe:  alpine-devel+unsubscribe@lists.alpinelinux.org
Help:         alpine-devel+help@lists.alpinelinux.org
---
Laurent Bercot
Message ID: <em8b7107e1-4df0-42af-90d5-c57002af5eeb@elzian>
In-Reply-To: <CAGG_d8BznmmOsMVTu3z_xY8P8XyF_M64o5-+L6_Lpy+JG+BMrA@mail.gmail.com>
Sender timestamp: 1539279658
>>Are there any good reasons to not switch back to OpenSSL for v3.9?

  Please confirm that "switching back" means using the OpenSSL library
again as a dependency for base packages, and *not* dropping the
packaging of LibreSSL (that some software specifically depends on).

  If it's the case, I have no objection.
  Thanks,

--
  Laurent



Leonardo Arena
Message ID: <CAGG_d8BznmmOsMVTu3z_xY8P8XyF_M64o5-+L6_Lpy+JG+BMrA@mail.gmail.com>
In-Reply-To: <20181011171746.4c01f758@ncopa-desktop.copa.dup.pw>
Sender timestamp: 1539275954
On Thu, Oct 11, 2018 at 5:17 PM Natanael Copa <ncopa@alpinelinux.org> wrote:

> Hi,
>
> Are there any good reasons to not switch back to OpenSSL for v3.9?
>
> Some reasons why I think we should switch back to OpenSSL:
> - better upstream support from projects
> - To my understanding, various issues in OpenSSL that made us
>   switch to libressl have been resolved (for example memory management).
> - libressl failed to retain compatibility with OpenSSL
> - libressl breaks ABI every 6 months, OpenSSL does not
> - FIPS support
>
> Some reasons why we may continue with libressl may be:
> - it's smaller
> - has fewer CVEs (due to their approach to remove stuff)
> - libtls
>
> Previous thread on the issue:
> http://lists.alpinelinux.org/alpine-devel/6073.html
>
>
I think that the package maintenance work alone doesn't justify LibreSSL's
pros, not to mention that some packages never worked with LibreSSL (not
implying that it is LibreSSL's fault).

+1 to revert.

/eo
Timo Teräs
Message ID: <CABTJ_OePvtRFbwZTJAUk2vzNc5wjb9EMatO=hA4ztYKB7m9ouw@mail.gmail.com>
In-Reply-To: <20181011171746.4c01f758@ncopa-desktop.copa.dup.pw>
Sender timestamp: 1539273354
+1 for openssl

Libressl removed things we need. Like engine support.

On Thu, 11 Oct 2018, 18.54 Natanael Copa, <ncopa@alpinelinux.org> wrote:

> Hi,
>
> Are there any good reasons to not switch back to OpenSSL for v3.9?
>
> Some reasons why I think we should switch back to OpenSSL:
> - better upstream support from projects
> - To my understanding, various issues in OpenSSL that made us
>   switch to libressl have been resolved (for example memory management).
> - libressl failed to retain compatibility with OpenSSL
> - libressl breaks ABI every 6 months, OpenSSL does not
> - FIPS support
>
> Some reasons why we may continue with libressl may be:
> - it's smaller
> - has fewer CVEs (due to their approach to remove stuff)
> - libtls
>
> Previous thread on the issue:
> http://lists.alpinelinux.org/alpine-devel/6073.html
>
>
> -nc
>
>
> ---
> Unsubscribe:  alpine-devel+unsubscribe@lists.alpinelinux.org
> Help:         alpine-devel+help@lists.alpinelinux.org
> ---
>
>
Francesco Colista
Message ID: <ce15453630236636a2f7e1ed54c36874@alpinelinux.org>
In-Reply-To: <20181011171746.4c01f758@ncopa-desktop.copa.dup.pw>
Sender timestamp: 1539325219
October 11, 2018 3:17 PM, "Natanael Copa" <ncopa@alpinelinux.org> wrote:

> Hi,
> 
> Are there any good reasons to not switch back to OpenSSL for v3.9?
> 
> Some reasons why I think we should switch back to OpenSSL:
> - better upstream support from projects
> - To my understanding, various issues in OpenSSL that made us
> switch to libressl have been resolved (for example memory management).
> - libressl failed to retain compatibility with OpenSSL
> - libressl breaks ABI every 6 months, OpenSSL does not
> - FIPS support
> 
> Some reasons why we may continue with libressl may be:
> - it's smaller
> - has fewer CVEs (due to their approach to remove stuff)
> - libtls

+1 to switch back to openssl.
Reasons to come back are totally valid (and more) compared with the pros of having libressl.
Thanks.

.: Francesco Colista


William Pitcock
Message ID: <CA+T2pCGQr+r-YSJo9=wLC5KTZB0vYi5TWD7+rAmOtiBXPyrH_w@mail.gmail.com>
In-Reply-To: <em8b7107e1-4df0-42af-90d5-c57002af5eeb@elzian>
Sender timestamp: 1539349254
Hi,

On Thu, Oct 11, 2018 at 12:41 PM Laurent Bercot <ska-devel@skarnet.org> wrote:
>
> >>Are there any good reasons to not switch back to OpenSSL for v3.9?
>
>   Please confirm that "switching back" means using the OpenSSL library
> again as a dependency for base packages, and *not* dropping the
> packaging of LibreSSL (that some software specifically depends on).

I prefer to drop the packaging, there are serious ABI problems when
you combine software that uses OpenSSL with other software that uses
LibreSSL.

But, I can split out the LibreSSL libtls as a standalone package and
adapt it to use with our OpenSSL packages.  It is something we plan to
do in Adélie anyway, so it may as well be incubated upstream.

>   If it's the case, I have no objection.

Would the above solution be sufficient to resolve your concerns?

William


Laurent Bercot
Message ID: <em15b83c1c-c3fa-4455-a69d-c1e92519e0fa@elzian>
In-Reply-To: <CA+T2pCGQr+r-YSJo9=wLC5KTZB0vYi5TWD7+rAmOtiBXPyrH_w@mail.gmail.com>
Sender timestamp: 1539365404
>But, I can split out the LibreSSL libtls as a standalone package and
>adapt it to use with our OpenSSL packages.  It is something we plan to
>do in Adélie anyway, so it may as well be incubated upstream.

>Would the above solution be sufficient to resolve your concerns?

  Yes, an alternative implementation of libtls works for me.
  Thanks!

--
  Laurent



Natanael Copa
Message ID: <20181012201258.6c048e41@ncopa-desktop.copa.dup.pw>
In-Reply-To: <em15b83c1c-c3fa-4455-a69d-c1e92519e0fa@elzian>
Sender timestamp: 1539367978
On Fri, 12 Oct 2018 17:30:04 +0000
"Laurent Bercot" <ska-devel@skarnet.org> wrote:

> >But, I can split out the LibreSSL libtls as a standalone package and
> >adapt it to use with our OpenSSL packages.  It is something we plan to
> >do in Adélie anyway, so it may as well be incubated upstream.  
> 
> >Would the above solution be sufficient to resolve your concerns?  
> 
>   Yes, an alternative implementation of libtls works for me.
>   Thanks!

We use libtls for our ssl_client for busybox wget, so yes, we need some
sort of libtls implementation.

I think there are some ports of it to OpenSSL out there, but I don't
know what the state is.

-nc


William Pitcock
Message ID: <CA+T2pCGKGBXTumQ2xF8EGhFjWENHt2qX25btxMtUkNPObR5B-g@mail.gmail.com>
In-Reply-To: <20181012201258.6c048e41@ncopa-desktop.copa.dup.pw>
Sender timestamp: 1539449014
Hi,

On Fri, Oct 12, 2018 at 1:13 PM Natanael Copa <ncopa@alpinelinux.org> wrote:
>
> On Fri, 12 Oct 2018 17:30:04 +0000
> "Laurent Bercot" <ska-devel@skarnet.org> wrote:
>
> > >But, I can split out the LibreSSL libtls as a standalone package and
> > >adapt it to use with our OpenSSL packages.  It is something we plan to
> > >do in Adélie anyway, so it may as well be incubated upstream.
> >
> > >Would the above solution be sufficient to resolve your concerns?
> >
> >   Yes, an alternative implementation of libtls works for me.
> >   Thanks!
>
> We use libtls for our ssl_client for busybox wget, so yes, we need some
> sort of libtls implementation.
>
> I think there are some ports of it to OpenSSL out there, but I don't
> know what the state is.

I created an aport which builds LibreSSL's libtls against some compat
stubs and links against system openssl.  This is, for obvious reasons,
living in testing.
Can people give it a go and tell me if it works?

Some very light testing indicates success thus far, but...

William


William Pitcock
Message ID: <CA+T2pCG3DpsvcfBWfO2u0VZT6jGnanDgx7pje0EtJEsbsFUG7A@mail.gmail.com>
In-Reply-To: <CA+T2pCGKGBXTumQ2xF8EGhFjWENHt2qX25btxMtUkNPObR5B-g@mail.gmail.com>
Sender timestamp: 1540271275
Hi,

On Sat, Oct 13, 2018 at 11:43 AM William Pitcock
<nenolod@dereferenced.org> wrote:
>
> Hi,
>
> On Fri, Oct 12, 2018 at 1:13 PM Natanael Copa <ncopa@alpinelinux.org> wrote:
> >
> > On Fri, 12 Oct 2018 17:30:04 +0000
> > "Laurent Bercot" <ska-devel@skarnet.org> wrote:
> >
> > > >But, I can split out the LibreSSL libtls as a standalone package and
> > > >adapt it to use with our OpenSSL packages.  It is something we plan to
> > > >do in Adélie anyway, so it may as well be incubated upstream.
> > >
> > > >Would the above solution be sufficient to resolve your concerns?
> > >
> > >   Yes, an alternative implementation of libtls works for me.
> > >   Thanks!
> >
> > We use libtls for our ssl_client for busybox wget, so yes, we need some
> > sort of libtls implementation.
> >
> > I think there are some ports of it to OpenSSL out there, but I don't
> > know what the state is.
>
> I created an aport which builds LibreSSL's libtls against some compat
> stubs and links against system openssl.  This is, for obvious reasons,
> living in testing.
> Can people give it a go and tell me if it works?
>
> Some very light testing indicates success thus far, but...

Has anyone tried using the libtls-standalone package in testing as of
yet?  It would be nice to know if it is working for others.

William


Natanael Copa
Message ID: <20181023133553.28167249@ncopa-desktop.copa.dup.pw>
In-Reply-To: <CA+T2pCG3DpsvcfBWfO2u0VZT6jGnanDgx7pje0EtJEsbsFUG7A@mail.gmail.com>
Sender timestamp: 1540294553
On Tue, 23 Oct 2018 00:07:55 -0500
William Pitcock <nenolod@dereferenced.org> wrote:

> Hi,
> 
> On Sat, Oct 13, 2018 at 11:43 AM William Pitcock
> <nenolod@dereferenced.org> wrote:
> >
> > Hi,
> >
> > On Fri, Oct 12, 2018 at 1:13 PM Natanael Copa <ncopa@alpinelinux.org> wrote:  
> > >
> > > On Fri, 12 Oct 2018 17:30:04 +0000
> > > "Laurent Bercot" <ska-devel@skarnet.org> wrote:
> > >  
> > > > >But, I can split out the LibreSSL libtls as a standalone package and
> > > > >adapt it to use with our OpenSSL packages.  It is something we plan to
> > > > >do in Adélie anyway, so it may as well be incubated upstream.  
> > > >  
> > > > >Would the above solution be sufficient to resolve your concerns?  
> > > >
> > > >   Yes, an alternative implementation of libtls works for me.
> > > >   Thanks!  
> > >
> > > We use libtls for our ssl_client for busybox wget, so yes, we need some
> > > sort of libtls implementation.
> > >
> > > I think there are some ports of it to OpenSSL out there, but I don't
> > > know what the state is.
> >
> > I created an aport which builds LibreSSL's libtls against some compat
> > stubs and links against system openssl.  This is, for obvious reasons,
> > living in testing.
> > Can people give it a go and tell me if it works?
> >
> > Some very light testing indicates success thus far, but...  
> 
> Has anyone tried using the libtls-standalone package in testing as of
> yet?  It would be nice to know if it is working for others.

I haven't yet. I was thinking to get the openssl 1.1 package built
first and maybe pushed to either main or testing.

Once that is done I will test it with our ssl_client with busybox.

-nc

> William



Natanael Copa
Message ID: <20181023195955.18f393a9@ncopa-desktop.copa.dup.pw>
In-Reply-To: <CA+T2pCGKGBXTumQ2xF8EGhFjWENHt2qX25btxMtUkNPObR5B-g@mail.gmail.com>
Sender timestamp: 1540317595
On Sat, 13 Oct 2018 11:43:34 -0500
William Pitcock <nenolod@dereferenced.org> wrote:
 
> I created an aport which builds LibreSSL's libtls against some compat
> stubs and links against system openssl.  This is, for obvious reasons,
> living in testing.
> Can people give it a go and tell me if it works?

Hi!

I pushed openssl 1.1 to testing. It seems like libtls-standalone does
not build against it?

-nc


William Pitcock
Message ID: <CA+T2pCG8gUY52CTrb5ZibfYieH5VAe2gOVNyQWxK=9JpRc1QkQ@mail.gmail.com>
In-Reply-To: <20181023195955.18f393a9@ncopa-desktop.copa.dup.pw>
Sender timestamp: 1540424787
Hi,

On Tue, Oct 23, 2018 at 1:00 PM Natanael Copa <ncopa@alpinelinux.org> wrote:
>
> On Sat, 13 Oct 2018 11:43:34 -0500
> William Pitcock <nenolod@dereferenced.org> wrote:
>
> > I created an aport which builds LibreSSL's libtls against some compat
> > stubs and links against system openssl.  This is, for obvious reasons,
> > living in testing.
> > Can people give it a go and tell me if it works?
>
> Hi!
>
> I pushed openssl 1.1 to testing. It seems like libtls-standalone does
> not build against it?

I pushed a new libtls-standalone which has been ported to use OpenSSL
1.1.0 APIs.  I intend to clean this up and present it for upstream
consideration, so hopefully we can drop those patches soon.

William


Natanael Copa
Message ID: <20181025144400.32f81122@ncopa-desktop.copa.dup.pw>
In-Reply-To: <CA+T2pCG3DpsvcfBWfO2u0VZT6jGnanDgx7pje0EtJEsbsFUG7A@mail.gmail.com>
Sender timestamp: 1540471440
On Tue, 23 Oct 2018 00:07:55 -0500
William Pitcock <nenolod@dereferenced.org> wrote:

> Has anyone tried using the libtls-standalone package in testing as of
> yet?  It would be nice to know if it is working for others.

Hi,

I tested it with our ssl_client busybox helper and it works as
expected. I had to add a missing libtls.so symlink to the
libtls-standalone-dev package, though.

There is another problem though, that it conflicts with the libressl
libtls. After libtls-standalone was installed, I cannot uninstall it:

ncopa-edge-x86_64:~/aports/main/busybox$ sudo apk del libtls-standalone
World updated, but the following packages are not removed due to:
  libtls-standalone: libressl abuild aports-build .alpine-release-deps
  ssl_client

This happens because both libressl libtls and libtls-standalone
provide so:libtls.so.17.

ncopa-edge-x86_64:~/aports/main/busybox$ apk info -R libressl
libressl-2.7.4-r1 depends on:
so:libc.musl-x86_64.so.1
so:libcrypto.so.43
so:libssl.so.45
so:libtls.so.17

I think that the fix for this is to use the openssl ABI, libtls.so.1.1,
or use a completely different name, like libtls-standalone.so.17 or
libtls1.1.so.17. Anything that does not conflict with libressl's libtls.

-nc


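The conflict Natanael describes comes from how "so:" provides and depends are derived: the package tooling reads each shared object's DT_SONAME (what it provides) and DT_NEEDED entries (what it depends on), so two packages shipping a library whose soname is libtls.so.17 both satisfy so:libtls.so.17 and neither can be removed while ssl_client depends on it. The script below is an added example, not code from this thread or from Alpine, apk or abuild: it reads those two dynamic-section entries from an ELF64 object and flags every soname that more than one package would provide. The libressl and libtls-standalone objects are constructed in memory (illustrative, not the real builds), the package names are assumptions, and the last call shows that renaming the standalone library's soname makes the conflict disappear.

```python
"""Added example (not code from this thread, Alpine, apk or abuild): read
DT_SONAME / DT_NEEDED from an ELF64 shared object, which is the data a
package manager turns into "so:" provides and depends, and flag sonames
that two packages would both provide.  ELF objects are constructed in
memory so the script runs offline; package names are illustrative."""
import struct

PT_LOAD, PT_DYNAMIC = 1, 2
DT_NULL, DT_NEEDED, DT_STRTAB, DT_SONAME = 0, 1, 5, 14


def _vaddr_to_offset(loads, vaddr):
    """Translate a virtual address to a file offset via the PT_LOAD segments."""
    for p_offset, p_vaddr, p_filesz in loads:
        if p_vaddr <= vaddr < p_vaddr + p_filesz:
            return vaddr - p_vaddr + p_offset
    raise ValueError("vaddr 0x%x is not backed by any PT_LOAD" % vaddr)


def _cstr(data, off):
    return data[off:data.index(b"\0", off)].decode()


def elf_dyn_info(data):
    """Return (soname or None, [needed sonames]) for a little-endian ELF64 file."""
    if data[:4] != b"\x7fELF" or data[4] != 2 or data[5] != 1:
        raise ValueError("not a little-endian ELF64 file")
    (e_phoff,) = struct.unpack_from("<Q", data, 32)
    e_phentsize, e_phnum = struct.unpack_from("<HH", data, 54)
    loads, dynamic = [], None
    for i in range(e_phnum):
        p_type, _, p_offset, p_vaddr, _, p_filesz = struct.unpack_from(
            "<IIQQQQ", data, e_phoff + i * e_phentsize)
        if p_type == PT_LOAD:
            loads.append((p_offset, p_vaddr, p_filesz))
        elif p_type == PT_DYNAMIC:
            dynamic = (p_offset, p_filesz)
    if dynamic is None:
        return None, []  # statically linked: nothing provided or needed
    entries = []
    for off in range(dynamic[0], dynamic[0] + dynamic[1], 16):
        tag, val = struct.unpack_from("<qQ", data, off)
        if tag == DT_NULL:
            break
        entries.append((tag, val))
    strtab = next((v for t, v in entries if t == DT_STRTAB), None)
    if strtab is None:
        raise ValueError("PT_DYNAMIC without DT_STRTAB")
    str_off = _vaddr_to_offset(loads, strtab)
    soname, needed = None, []
    for tag, val in entries:
        if tag == DT_SONAME:
            soname = _cstr(data, str_off + val)
        elif tag == DT_NEEDED:
            needed.append(_cstr(data, str_off + val))
    return soname, needed


def build_shared_object(soname, needed):
    """Construct a minimal ELF64 ET_DYN image (constructed test input): one
    PT_LOAD mapping the whole file at vaddr 0, one PT_DYNAMIC, a string table."""
    strtab, idx = b"\0", {}
    for name in [soname] + list(needed):
        idx[name] = len(strtab)
        strtab += name.encode() + b"\0"
    phnum, str_off = 2, 64 + 56 * 2
    dyn_off = (str_off + len(strtab) + 7) & ~7
    dyn = b"".join(struct.pack("<qQ", DT_NEEDED, idx[n]) for n in needed)
    dyn += struct.pack("<qQ", DT_STRTAB, str_off)
    dyn += struct.pack("<qQ", DT_SONAME, idx[soname])
    dyn += struct.pack("<qQ", DT_NULL, 0)
    total = dyn_off + len(dyn)
    # e_ident: ELF64, little-endian, version 1; then ET_DYN (3), EM_X86_64 (62)
    ehdr = b"\x7fELF" + bytes([2, 1, 1, 0]) + b"\0" * 8
    ehdr += struct.pack("<HHIQQQIHHHHHH", 3, 62, 1, 0, 64, 0, 0,
                        64, 56, phnum, 64, 0, 0)
    phdrs = struct.pack("<IIQQQQQQ", PT_LOAD, 5, 0, 0, 0, total, total, 0x1000)
    phdrs += struct.pack("<IIQQQQQQ", PT_DYNAMIC, 6, dyn_off, dyn_off, dyn_off,
                         len(dyn), len(dyn), 8)
    body = ehdr + phdrs + strtab
    return body + b"\0" * (dyn_off - len(body)) + dyn


def soname_conflicts(packages):
    """packages: {pkgname: [elf bytes, ...]}.  Return {soname: [pkgs]} for
    every soname provided by more than one package; a package manager keyed
    on so:<soname> cannot then tell the two providers apart."""
    providers = {}
    for pkg, objects in packages.items():
        for obj in objects:
            soname, _ = elf_dyn_info(obj)
            if soname:
                providers.setdefault(soname, set()).add(pkg)
    return {s: sorted(p) for s, p in providers.items() if len(p) > 1}


if __name__ == "__main__":
    # Illustrative packages: both shipping a libtls.so.17 (as in the thread),
    # then the standalone build renamed to libtls-standalone.so.1.
    libressl = [build_shared_object("libtls.so.17", ["libssl.so.45", "libcrypto.so.43"])]
    clash = [build_shared_object("libtls.so.17", ["libssl.so.1.1", "libcrypto.so.1.1"])]
    fixed = [build_shared_object("libtls-standalone.so.1", ["libssl.so.1.1", "libcrypto.so.1.1"])]
    print(soname_conflicts({"libressl": libressl, "libtls-standalone": clash}))
    print(soname_conflicts({"libressl": libressl, "libtls-standalone": fixed}))
```

The first call reports {'libtls.so.17': ['libressl', 'libtls-standalone']}, the second reports nothing: changing only the DT_SONAME (what `-Wl,-soname` sets at link time) is enough to separate the two providers, which is why the rename proposed later in the thread resolves the apk conflict without touching the libssl/libcrypto dependencies.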
William Pitcock
Message ID: <CA+T2pCE0URDtX+asy0N8EZ8T+GrhCcqrJoagUaxsAf8hmnHdBw@mail.gmail.com>
In-Reply-To: <20181025144400.32f81122@ncopa-desktop.copa.dup.pw>
Sender timestamp: 1540681253
Hello,

On Thu, Oct 25, 2018 at 7:44 AM Natanael Copa <ncopa@alpinelinux.org> wrote:
>
> On Tue, 23 Oct 2018 00:07:55 -0500
> William Pitcock <nenolod@dereferenced.org> wrote:
>
> > Has anyone tried using the libtls-standalone package in testing as of
> > yet?  It would be nice to know if it is working for others.
>
> Hi,
>
> I tested it with our ssl_client busybox helper and it works as
> expected. I had to add a missing libtls.so symlink to the
> libtls-standalone-dev package, though.

Great to hear it works.  I'll fix the symlink problem.

>
> There is another problem though, that it conflicts with the libressl
> libtls. After libtls-standalone was installed, I cannot uninstall it:
>
> ncopa-edge-x86_64:~/aports/main/busybox$ sudo apk del libtls-standalone
> World updated, but the following packages are not removed due to:
>   libtls-standalone: libressl abuild aports-build .alpine-release-deps
>   ssl_client
>
> This happens because both libressl libtls and libtls-standalone
> provide so:libtls.so.17.
>
> ncopa-edge-x86_64:~/aports/main/busybox$ apk info -R libressl
> libressl-2.7.4-r1 depends on:
> so:libc.musl-x86_64.so.1
> so:libcrypto.so.43
> so:libssl.so.45
> so:libtls.so.17
>
> I think that the fix for this is to use the openssl ABI, libtls.so.1.1,
> or use a completely different name, like libtls-standalone.so.17 or
> libtls1.1.so.17. Anything that does not conflict with libressl's libtls.

I propose that we install the file as libtls-standalone.so.1 and use a
Provides rule in libtls.pc.in to allow us to save it as
libtls-standalone.pc.

Thoughts?

William


Natanael Copa
Message ID: <20181028200446.520b77dc@ncopa-desktop.copa.dup.pw>
In-Reply-To: <CA+T2pCE0URDtX+asy0N8EZ8T+GrhCcqrJoagUaxsAf8hmnHdBw@mail.gmail.com>
Sender timestamp: 1540753486
On Sat, 27 Oct 2018 18:00:53 -0500
William Pitcock <nenolod@dereferenced.org> wrote:

> > I think that the fix for this is to use the openssl ABI, libtls.so.1.1,
> > or use a completely different name, like libtls-standalone.so.17 or
> > libtls1.1.so.17. Anything that does not conflict with libressl's libtls.  
> 
> I propose that we install the file as libtls-standalone.so.1 and use a
> Provides rule in libtls.pc.in to allow us to save it as
> libtls-standalone.pc.
> 
> Thoughts?

Sounds good.

-nc

