[PATCH 0/2] Introduce a distro feature openssl-no-weak-ciphers

[PATCH 0/2] Introduce a distro feature openssl-no-weak-ciphers

[kai.kang]

From: Kai Kang <kai.kang@windriver.com>

Introduce a distro feature openssl-no-weak-ciphers to make openssl disable weak
ciphers support, including:

* des
* ec
* ecdh
* ecdsa
* md2
* mdc2

The following changes since commit 4b1d270602a0542eef1b497eaf15bad2b747686f:

  bitbake: bitbake-user-manual: Removed and replaced broken link (2017-07-04 16:05:22 +0100)

are available in the git repository at:

  git://git.pokylinux.org/poky-contrib kangkai/ciphers-weak
  http://git.pokylinux.org/cgit.cgi/poky-contrib/log/?h=kangkai/ciphers-weak

Kai Kang (2):
  openssl: disable weak ciphers
  bind: disable ecdsa if openssl doesn't support it

 meta/recipes-connectivity/bind/bind_9.10.3-P3.bb | 1 +
 meta/recipes-connectivity/openssl/openssl.inc    | 5 +++++
 2 files changed, 6 insertions(+)

-- 
2.10.1

[PATCH 1/2] openssl: disable weak ciphers

[kai.kang]

From: Kai Kang <kai.kang@windriver.com>

Check distro feature 'openssl-no-weak-ciphers' to disable weak ciphers
provided by openssl:

* des
* ec
* ecdh
* ecdsa
* md2
* mdc2

Signed-off-by: Kai Kang <kai.kang@windriver.com>
---
 meta/recipes-connectivity/openssl/openssl.inc | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/meta/recipes-connectivity/openssl/openssl.inc b/meta/recipes-connectivity/openssl/openssl.inc
index 3980ec2..69845df 100644
--- a/meta/recipes-connectivity/openssl/openssl.inc
+++ b/meta/recipes-connectivity/openssl/openssl.inc
@@ -52,6 +52,11 @@ RDEPENDS_${PN}-ptest += "${PN}-misc make perl perl-module-filehandle bc"
 # vulnerability
 EXTRA_OECONF = " -no-ssl3"
 
+WEAKCIPHERS = "${@bb.utils.contains('DISTRO_FEATURES', 'openssl-no-weak-ciphers', \
+               'no-des no-ec no-ecdh no-ecdsa no-md2 no-mdc2', '', d)}"
+EXTRA_OECONF_append_class-target = " ${WEAKCIPHERS}"
+EXTRA_OECONF_append_class-nativesdk = " ${WEAKCIPHERS}"
+
 do_configure_prepend_darwin () {
 	sed -i -e '/version-script=openssl\.ld/d' Configure
 }
-- 
2.10.1

Re: [PATCH 1/2] openssl: disable weak ciphers

[Pascal Bach]

On 05.07.2017 09:58, kai.kang@windriver.com wrote:
> From: Kai Kang <kai.kang@windriver.com>
>
> Check distro feature 'openssl-no-weak-ciphers' to disable weak ciphers
> provided by openssl:
>
> * des
> * ec
> * ecdh
> * ecdsa
> * md2
> * mdc2
Why are the elliptic curve ciphers considered weak?
I'm wondering because Mozilla (https://wiki.mozilla.org/Security/Server_Side_TLS) is recommending ECDSA.

Pascal

Re: [PATCH 1/2] openssl: disable weak ciphers

[Burton, Ross]

[-- Attachment #1: Type: text/plain, Size: 253 bytes --]

On 5 July 2017 at 08:58, <kai.kang@windriver.com> wrote:

> Check distro feature 'openssl-no-weak-ciphers' to disable weak ciphers
> provided by openssl:
>

Would it be controversial to just say weak ciphers should be disabled
globally?

Ross

[-- Attachment #2: Type: text/html, Size: 672 bytes --]

[PATCH 2/2] bind: disable ecdsa if openssl doesn't support it

[kai.kang]

From: Kai Kang <kai.kang@windriver.com>

Distro feature 'openssl-no-weak-ciphers' is introduced to disable
openssl weak ciphers support which include ecdsa. So configure bind
without ecdsa if openssl doesn't support it.

Signed-off-by: Kai Kang <kai.kang@windriver.com>
---
 meta/recipes-connectivity/bind/bind_9.10.3-P3.bb | 1 +
 1 file changed, 1 insertion(+)

diff --git a/meta/recipes-connectivity/bind/bind_9.10.3-P3.bb b/meta/recipes-connectivity/bind/bind_9.10.3-P3.bb
index 7eb79b0..e10cffc 100644
--- a/meta/recipes-connectivity/bind/bind_9.10.3-P3.bb
+++ b/meta/recipes-connectivity/bind/bind_9.10.3-P3.bb
@@ -41,6 +41,7 @@ ENABLE_IPV6 = "--enable-ipv6=${@bb.utils.contains('DISTRO_FEATURES', 'ipv6', 'ye
 EXTRA_OECONF = " ${ENABLE_IPV6} --with-libtool --enable-threads \
                  --disable-devpoll --enable-epoll --with-gost=no \
                  --with-gssapi=no --with-ecdsa=yes \
+                 --with-ecdsa=${@bb.utils.contains('DISTRO_FEATURES', 'openssl-no-weak-ciphers', 'no', 'yes', d)} \
                  --sysconfdir=${sysconfdir}/bind \
                  --with-openssl=${STAGING_LIBDIR}/.. \
                "
-- 
2.10.1

Re: [PATCH 2/2] bind: disable ecdsa if openssl doesn't support it

[Richard Purdie]

On Wed, 2017-07-05 at 15:58 +0800, kai.kang@windriver.com wrote:
> From: Kai Kang <kai.kang@windriver.com>
> 
> Distro feature 'openssl-no-weak-ciphers' is introduced to disable
> openssl weak ciphers support which include ecdsa. So configure bind
> without ecdsa if openssl doesn't support it.
> 
> Signed-off-by: Kai Kang <kai.kang@windriver.com>
> ---
>  meta/recipes-connectivity/bind/bind_9.10.3-P3.bb | 1 +
>  1 file changed, 1 insertion(+)
> 
> diff --git a/meta/recipes-connectivity/bind/bind_9.10.3-P3.bb
> b/meta/recipes-connectivity/bind/bind_9.10.3-P3.bb
> index 7eb79b0..e10cffc 100644
> --- a/meta/recipes-connectivity/bind/bind_9.10.3-P3.bb
> +++ b/meta/recipes-connectivity/bind/bind_9.10.3-P3.bb
> @@ -41,6 +41,7 @@ ENABLE_IPV6 = "--enable-ipv6=${@bb.utils.contains('
> DISTRO_FEATURES', 'ipv6', 'ye
>  EXTRA_OECONF = " ${ENABLE_IPV6} --with-libtool --enable-threads \
>                   --disable-devpoll --enable-epoll --with-gost=no \
>                   --with-gssapi=no --with-ecdsa=yes \
> +                 --with-ecdsa=${@bb.utils.contains('DISTRO_FEATURES'
> , 'openssl-no-weak-ciphers', 'no', 'yes', d)} \
>                   --sysconfdir=${sysconfdir}/bind \
>                   --with-openssl=${STAGING_LIBDIR}/.. \
>                 "
> 

I think there are a few more questions that need answering about this,
like why ecdsa is considered weak but this patch leaves --with-
ecdsa=yes  in there which is confusing at best.

I do think these are best controlled as individual PACKAGECONFIG
options rather than a distro setting which is ambigous (what is
'weak').

Cheers,

Richard

Re: [PATCH 2/2] bind: disable ecdsa if openssl doesn't support it

[Kang Kai]

On 2017年07月05日 22:28, Richard Purdie wrote:
> On Wed, 2017-07-05 at 15:58 +0800, kai.kang@windriver.com wrote:
>> From: Kai Kang <kai.kang@windriver.com>
>>
>> Distro feature 'openssl-no-weak-ciphers' is introduced to disable
>> openssl weak ciphers support which include ecdsa. So configure bind
>> without ecdsa if openssl doesn't support it.
>>
>> Signed-off-by: Kai Kang <kai.kang@windriver.com>
>> ---
>>   meta/recipes-connectivity/bind/bind_9.10.3-P3.bb | 1 +
>>   1 file changed, 1 insertion(+)
>>
>> diff --git a/meta/recipes-connectivity/bind/bind_9.10.3-P3.bb
>> b/meta/recipes-connectivity/bind/bind_9.10.3-P3.bb
>> index 7eb79b0..e10cffc 100644
>> --- a/meta/recipes-connectivity/bind/bind_9.10.3-P3.bb
>> +++ b/meta/recipes-connectivity/bind/bind_9.10.3-P3.bb
>> @@ -41,6 +41,7 @@ ENABLE_IPV6 = "--enable-ipv6=${@bb.utils.contains('
>> DISTRO_FEATURES', 'ipv6', 'ye
>>   EXTRA_OECONF = " ${ENABLE_IPV6} --with-libtool --enable-threads \
>>                    --disable-devpoll --enable-epoll --with-gost=no \
>>                    --with-gssapi=no --with-ecdsa=yes \
>> +                 --with-ecdsa=${@bb.utils.contains('DISTRO_FEATURES'
>> , 'openssl-no-weak-ciphers', 'no', 'yes', d)} \
>>                    --sysconfdir=${sysconfdir}/bind \
>>                    --with-openssl=${STAGING_LIBDIR}/.. \
>>                  "
>>
> I think there are a few more questions that need answering about this,
> like why ecdsa is considered weak but this patch leaves --with-
> ecdsa=yes  in there which is confusing at best.
>
> I do think these are best controlled as individual PACKAGECONFIG
> options rather than a distro setting which is ambigous (what is
> 'weak').

Maybe I didn't express clearly. The original requirement is that disable 
weak ciphers(maybe we should discuss the scope of weak ciphers)
for openssl. And then other packages depends on openssl. For bind, if 
openssl configured with 'no-ecdsa', bind will compile failed. So add
a distro feature to sync openssl and other packages depends on it.


Thanks,
Kai
>
> Cheers,
>
> Richard
>

-- 
Regards,
Neil | Kai Kang

Re: [PATCH 0/2] Introduce a distro feature openssl-no-weak-ciphers

[Khem Raj]

[-- Attachment #1: Type: text/plain, Size: 1327 bytes --]

On Wed, Jul 5, 2017 at 1:06 AM <kai.kang@windriver.com> wrote:

> From: Kai Kang <kai.kang@windriver.com>
>
> Introduce a distro feature openssl-no-weak-ciphers to make openssl disable
> weak
> ciphers support, including:
>
> * des
> * ec
> * ecdh
> * ecdsa
> * md2
> * mdc2


It's probably more appropriate to pin it at recipe level may be via package
config OpenSSL is not universal and some may even avoid it completely

>
>
> The following changes since commit
> 4b1d270602a0542eef1b497eaf15bad2b747686f:
>
>   bitbake: bitbake-user-manual: Removed and replaced broken link
> (2017-07-04 16:05:22 +0100)
>
> are available in the git repository at:
>
>   git://git.pokylinux.org/poky-contrib kangkai/ciphers-weak
>
> http://git.pokylinux.org/cgit.cgi/poky-contrib/log/?h=kangkai/ciphers-weak
>
> Kai Kang (2):
>   openssl: disable weak ciphers
>   bind: disable ecdsa if openssl doesn't support it
>
>  meta/recipes-connectivity/bind/bind_9.10.3-P3.bb | 1 +
>  meta/recipes-connectivity/openssl/openssl.inc    | 5 +++++
>  2 files changed, 6 insertions(+)
>
> --
> 2.10.1
>
> --
> _______________________________________________
> Openembedded-core mailing list
> Openembedded-core@lists.openembedded.org
> http://lists.openembedded.org/mailman/listinfo/openembedded-core
>

[-- Attachment #2: Type: text/html, Size: 2337 bytes --]

Re: [PATCH 0/2] Introduce a distro feature openssl-no-weak-ciphers

[Burton, Ross]

[-- Attachment #1: Type: text/plain, Size: 402 bytes --]

On 5 July 2017 at 15:38, Khem Raj <raj.khem@gmail.com> wrote:

> It's probably more appropriate to pin it at recipe level may be via
> package config OpenSSL is not universal and some may even avoid it
> completely
>
>>
Agreed, whilst I'm not against adding options for enabling insecure ciphers
(verses just disabling them), I don't think they deserve a DISTRO_FEATURE
of their own.

Ross

[-- Attachment #2: Type: text/html, Size: 907 bytes --]

Re: [PATCH 0/2] Introduce a distro feature openssl-no-weak-ciphers

[Kang Kai]

[-- Attachment #1: Type: text/plain, Size: 824 bytes --]

On 2017年07月05日 23:15, Burton, Ross wrote:
>
> On 5 July 2017 at 15:38, Khem Raj <raj.khem@gmail.com 
> <mailto:raj.khem@gmail.com>> wrote:
>
>     It's probably more appropriate to pin it at recipe level may be
>     via package config OpenSSL is not universal and some may even
>     avoid it completely
>
>
> Agreed, whilst I'm not against adding options for enabling insecure 
> ciphers (verses just disabling them), I don't think they deserve a 
> DISTRO_FEATURE of their own.

The problem is that packages depend on openssl don't know whether the 
cipher they need is disabled or not, so add such a DISTRO_FEATURE to 
sync openssl and packages depends on it.
I did it by a var before, but it looks not be a so official way.


Thanks,
Kai


>
> Ross


-- 
Regards,
Neil | Kai Kang


[-- Attachment #2: Type: text/html, Size: 2160 bytes --]

Re: [PATCH 0/2] Introduce a distro feature openssl-no-weak-ciphers

[Alexander Kanavin]

On 07/05/2017 10:58 AM, kai.kang@windriver.com wrote:

> Introduce a distro feature openssl-no-weak-ciphers to make openssl disable weak
> ciphers support, including:
> 
> * des
> * ec
> * ecdh
> * ecdsa
> * md2
> * mdc2

How are those handled in openssl 1.1? If they are disabled by default, 
then maybe the whole distro feature is not needed when 1.1 is in oe-core.

Alex


Alex

Re: [PATCH 0/2] Introduce a distro feature openssl-no-weak-ciphers

[Kang Kai]

On 2017年07月17日 21:20, Alexander Kanavin wrote:
> On 07/05/2017 10:58 AM, kai.kang@windriver.com wrote:
>
>> Introduce a distro feature openssl-no-weak-ciphers to make openssl 
>> disable weak
>> ciphers support, including:
>>
>> * des
>> * ec
>> * ecdh
>> * ecdsa
>> * md2
>> * mdc2
>
> How are those handled in openssl 1.1? If they are disabled by default, 
> then maybe the whole distro feature is not needed when 1.1 is in oe-core.

It depends on whether all the packages which depends on openssl in Yocto 
have options to disable such weak ciphers. I am afraid it could not build
some packages if disable these weak ciphers by default.

Thanks,
Kai

>
> Alex
>
>
> Alex
>

-- 
Regards,
Neil | Kai Kang