* [PATCH 0/2] Introduce a distro feature openssl-no-weak-ciphers

From: Kai Kang <kai.kang@windriver.com>
Date: 2017-07-05 7:58 UTC
To: openembedded-core

Introduce a distro feature openssl-no-weak-ciphers to make openssl disable weak ciphers support, including:

* des
* ec
* ecdh
* ecdsa
* md2
* mdc2

The following changes since commit 4b1d270602a0542eef1b497eaf15bad2b747686f:

  bitbake: bitbake-user-manual: Removed and replaced broken link (2017-07-04 16:05:22 +0100)

are available in the git repository at:

  git://git.pokylinux.org/poky-contrib kangkai/ciphers-weak
  http://git.pokylinux.org/cgit.cgi/poky-contrib/log/?h=kangkai/ciphers-weak

Kai Kang (2):
  openssl: disable weak ciphers
  bind: disable ecdsa if openssl doesn't support it

 meta/recipes-connectivity/bind/bind_9.10.3-P3.bb | 1 +
 meta/recipes-connectivity/openssl/openssl.inc    | 5 +++++
 2 files changed, 6 insertions(+)

-- 
2.10.1
* [PATCH 1/2] openssl: disable weak ciphers 2017-07-05 7:58 [PATCH 0/2] Introduce a distro feature openssl-no-weak-ciphers kai.kang @ 2017-07-05 7:58 ` kai.kang 2017-07-05 10:24 ` Pascal Bach 2017-07-05 10:40 ` Burton, Ross 2017-07-05 7:58 ` [PATCH 2/2] bind: disable ecdsa if openssl doesn't support it kai.kang ` (2 subsequent siblings) 3 siblings, 2 replies; 12+ messages in thread From: kai.kang @ 2017-07-05 7:58 UTC (permalink / raw) To: openembedded-core From: Kai Kang <kai.kang@windriver.com> Check distro feature 'openssl-no-weak-ciphers' to disable weak ciphers provided by openssl: * des * ec * ecdh * ecdsa * md2 * mdc2 Signed-off-by: Kai Kang <kai.kang@windriver.com> --- meta/recipes-connectivity/openssl/openssl.inc | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/meta/recipes-connectivity/openssl/openssl.inc b/meta/recipes-connectivity/openssl/openssl.inc index 3980ec2..69845df 100644 --- a/meta/recipes-connectivity/openssl/openssl.inc +++ b/meta/recipes-connectivity/openssl/openssl.inc @@ -52,6 +52,11 @@ RDEPENDS_${PN}-ptest += "${PN}-misc make perl perl-module-filehandle bc" # vulnerability EXTRA_OECONF = " -no-ssl3" +WEAKCIPHERS = "${@bb.utils.contains('DISTRO_FEATURES', 'openssl-no-weak-ciphers', \ + 'no-des no-ec no-ecdh no-ecdsa no-md2 no-mdc2', '', d)}" +EXTRA_OECONF_append_class-target = " ${WEAKCIPHERS}" +EXTRA_OECONF_append_class-nativesdk = " ${WEAKCIPHERS}" + do_configure_prepend_darwin () { sed -i -e '/version-script=openssl\.ld/d' Configure } -- 2.10.1 ^ permalink raw reply related [flat|nested] 12+ messages in thread
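Review bot: no-ec, no-ecdh and no-ecdsa do not belong in a list labelled "weak ciphers" alongside no-des, no-md2 and no-mdc2; EC key agreement and ECDSA signatures are not deprecated algorithms, and the hunk gives no rationale for removing them, so either drop them from WEAKCIPHERS or have the commit message state why they are included. The appends are applied only to class-target and class-nativesdk, so openssl-native keeps EC support while the target library lacks it; that asymmetry deserves a comment next to the two EXTRA_OECONF_append lines. The patch also introduces a new DISTRO_FEATURES value without documenting it anywhere (the diffstat touches only openssl.inc); per-algorithm PACKAGECONFIG switches, as suggested later in the thread, would make the intent explicit and self-documenting.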
* Re: [PATCH 1/2] openssl: disable weak ciphers

From: Pascal Bach
Date: 2017-07-05 10:24 UTC
To: kai.kang, openembedded-core

On 05.07.2017 09:58, kai.kang@windriver.com wrote:
> From: Kai Kang <kai.kang@windriver.com>
>
> Check distro feature 'openssl-no-weak-ciphers' to disable weak ciphers
> provided by openssl:
>
> * des
> * ec
> * ecdh
> * ecdsa
> * md2
> * mdc2

Why are the elliptic curve ciphers considered weak? I'm wondering because Mozilla (https://wiki.mozilla.org/Security/Server_Side_TLS) is recommending ECDSA.

Pascal
* Re: [PATCH 1/2] openssl: disable weak ciphers

From: Burton, Ross
Date: 2017-07-05 10:40 UTC
To: Kang Kai; Cc: OE-core

On 5 July 2017 at 08:58, <kai.kang@windriver.com> wrote:
> Check distro feature 'openssl-no-weak-ciphers' to disable weak ciphers
> provided by openssl:
>

Would it be controversial to just say weak ciphers should be disabled globally?

Ross
* [PATCH 2/2] bind: disable ecdsa if openssl doesn't support it 2017-07-05 7:58 [PATCH 0/2] Introduce a distro feature openssl-no-weak-ciphers kai.kang 2017-07-05 7:58 ` [PATCH 1/2] openssl: disable weak ciphers kai.kang @ 2017-07-05 7:58 ` kai.kang 2017-07-05 14:28 ` Richard Purdie 2017-07-05 14:38 ` [PATCH 0/2] Introduce a distro feature openssl-no-weak-ciphers Khem Raj 2017-07-17 13:20 ` Alexander Kanavin 3 siblings, 1 reply; 12+ messages in thread From: kai.kang @ 2017-07-05 7:58 UTC (permalink / raw) To: openembedded-core From: Kai Kang <kai.kang@windriver.com> Distro feature 'openssl-no-weak-ciphers' is introduced to disable openssl weak ciphers support which include ecdsa. So configure bind without ecdsa if openssl doesn't support it. Signed-off-by: Kai Kang <kai.kang@windriver.com> --- meta/recipes-connectivity/bind/bind_9.10.3-P3.bb | 1 + 1 file changed, 1 insertion(+) diff --git a/meta/recipes-connectivity/bind/bind_9.10.3-P3.bb b/meta/recipes-connectivity/bind/bind_9.10.3-P3.bb index 7eb79b0..e10cffc 100644 --- a/meta/recipes-connectivity/bind/bind_9.10.3-P3.bb +++ b/meta/recipes-connectivity/bind/bind_9.10.3-P3.bb @@ -41,6 +41,7 @@ ENABLE_IPV6 = "--enable-ipv6=${@bb.utils.contains('DISTRO_FEATURES', 'ipv6', 'ye EXTRA_OECONF = " ${ENABLE_IPV6} --with-libtool --enable-threads \ --disable-devpoll --enable-epoll --with-gost=no \ --with-gssapi=no --with-ecdsa=yes \ + --with-ecdsa=${@bb.utils.contains('DISTRO_FEATURES', 'openssl-no-weak-ciphers', 'no', 'yes', d)} \ --sysconfdir=${sysconfdir}/bind \ --with-openssl=${STAGING_LIBDIR}/.. \ " -- 2.10.1 ^ permalink raw reply related [flat|nested] 12+ messages in thread
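Review bot: the added `--with-ecdsa=${@bb.utils.contains('DISTRO_FEATURES', 'openssl-no-weak-ciphers', 'no', 'yes', d)}` line leaves the existing `--with-ecdsa=yes` in place on the line above it, so configure is handed the option twice; with an autoconf-generated configure the last occurrence wins, which means the patch works only because the new line happens to come later. Replace the old setting instead of supplementing it, i.e. change `--with-gssapi=no --with-ecdsa=yes \` to `--with-gssapi=no \` and keep the conditional line. Since bind already exposes a dedicated --with-ecdsa switch, a `PACKAGECONFIG[ecdsa] = "--with-ecdsa=yes,--with-ecdsa=no"` entry would express the same choice without a distro feature.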
* Re: [PATCH 2/2] bind: disable ecdsa if openssl doesn't support it 2017-07-05 7:58 ` [PATCH 2/2] bind: disable ecdsa if openssl doesn't support it kai.kang @ 2017-07-05 14:28 ` Richard Purdie 2017-07-06 1:44 ` Kang Kai 0 siblings, 1 reply; 12+ messages in thread From: Richard Purdie @ 2017-07-05 14:28 UTC (permalink / raw) To: kai.kang, openembedded-core On Wed, 2017-07-05 at 15:58 +0800, kai.kang@windriver.com wrote: > From: Kai Kang <kai.kang@windriver.com> > > Distro feature 'openssl-no-weak-ciphers' is introduced to disable > openssl weak ciphers support which include ecdsa. So configure bind > without ecdsa if openssl doesn't support it. > > Signed-off-by: Kai Kang <kai.kang@windriver.com> > --- > meta/recipes-connectivity/bind/bind_9.10.3-P3.bb | 1 + > 1 file changed, 1 insertion(+) > > diff --git a/meta/recipes-connectivity/bind/bind_9.10.3-P3.bb > b/meta/recipes-connectivity/bind/bind_9.10.3-P3.bb > index 7eb79b0..e10cffc 100644 > --- a/meta/recipes-connectivity/bind/bind_9.10.3-P3.bb > +++ b/meta/recipes-connectivity/bind/bind_9.10.3-P3.bb > @@ -41,6 +41,7 @@ ENABLE_IPV6 = "--enable-ipv6=${@bb.utils.contains(' > DISTRO_FEATURES', 'ipv6', 'ye > EXTRA_OECONF = " ${ENABLE_IPV6} --with-libtool --enable-threads \ > --disable-devpoll --enable-epoll --with-gost=no \ > --with-gssapi=no --with-ecdsa=yes \ > + --with-ecdsa=${@bb.utils.contains('DISTRO_FEATURES' > , 'openssl-no-weak-ciphers', 'no', 'yes', d)} \ > --sysconfdir=${sysconfdir}/bind \ > --with-openssl=${STAGING_LIBDIR}/.. \ > " > I think there are a few more questions that need answering about this, like why ecdsa is considered weak but this patch leaves --with- ecdsa=yes in there which is confusing at best. I do think these are best controlled as individual PACKAGECONFIG options rather than a distro setting which is ambigous (what is 'weak'). Cheers, Richard ^ permalink raw reply [flat|nested] 12+ messages in thread
* Re: [PATCH 2/2] bind: disable ecdsa if openssl doesn't support it 2017-07-05 14:28 ` Richard Purdie @ 2017-07-06 1:44 ` Kang Kai 0 siblings, 0 replies; 12+ messages in thread From: Kang Kai @ 2017-07-06 1:44 UTC (permalink / raw) To: Richard Purdie, openembedded-core On 2017年07月05日 22:28, Richard Purdie wrote: > On Wed, 2017-07-05 at 15:58 +0800, kai.kang@windriver.com wrote: >> From: Kai Kang <kai.kang@windriver.com> >> >> Distro feature 'openssl-no-weak-ciphers' is introduced to disable >> openssl weak ciphers support which include ecdsa. So configure bind >> without ecdsa if openssl doesn't support it. >> >> Signed-off-by: Kai Kang <kai.kang@windriver.com> >> --- >> meta/recipes-connectivity/bind/bind_9.10.3-P3.bb | 1 + >> 1 file changed, 1 insertion(+) >> >> diff --git a/meta/recipes-connectivity/bind/bind_9.10.3-P3.bb >> b/meta/recipes-connectivity/bind/bind_9.10.3-P3.bb >> index 7eb79b0..e10cffc 100644 >> --- a/meta/recipes-connectivity/bind/bind_9.10.3-P3.bb >> +++ b/meta/recipes-connectivity/bind/bind_9.10.3-P3.bb 
>> @@ -41,6 +41,7 @@ ENABLE_IPV6 = "--enable-ipv6=${@bb.utils.contains(' >> DISTRO_FEATURES', 'ipv6', 'ye >> EXTRA_OECONF = " ${ENABLE_IPV6} --with-libtool --enable-threads \ >> --disable-devpoll --enable-epoll --with-gost=no \ >> --with-gssapi=no --with-ecdsa=yes \ >> + --with-ecdsa=${@bb.utils.contains('DISTRO_FEATURES' >> , 'openssl-no-weak-ciphers', 'no', 'yes', d)} \ >> --sysconfdir=${sysconfdir}/bind \ >> --with-openssl=${STAGING_LIBDIR}/.. \ >> " >> > I think there are a few more questions that need answering about this, > like why ecdsa is considered weak but this patch leaves --with- > ecdsa=yes in there which is confusing at best. > > I do think these are best controlled as individual PACKAGECONFIG > options rather than a distro setting which is ambigous (what is > 'weak'). Maybe I didn't express clearly. The original requirement is that disable weak ciphers(maybe we should discuss the scope of weak ciphers) for openssl. And then other packages depends on openssl. For bind, if openssl configured with 'no-ecdsa', bind will compile failed. So add a distro feature to sync openssl and other packages depends on it. Thanks, Kai > > Cheers, > > Richard > -- Regards, Neil | Kai Kang ^ permalink raw reply [flat|nested] 12+ messages in thread
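The per-algorithm PACKAGECONFIG approach Richard and Khem propose, written out here as an added illustration rather than code from the thread or from oe-core; the switch names, the use of PACKAGECONFIG_CONFARGS and the distro.conf lines are assumptions, while the Configure and --with-ecdsa flags are the ones the two patches above use.

```bitbake
# --- meta/recipes-connectivity/openssl/openssl.inc (illustrative fragment) ---
# One switch per algorithm instead of a single "weak ciphers" bundle. The enable
# string is empty because OpenSSL builds these unless told otherwise; disabling a
# switch appends the matching Configure option from the original patch.
PACKAGECONFIG ??= "des ec ecdh ecdsa md2 mdc2"
PACKAGECONFIG[des]   = ",no-des"
PACKAGECONFIG[ec]    = ",no-ec"
PACKAGECONFIG[ecdh]  = ",no-ecdh"
PACKAGECONFIG[ecdsa] = ",no-ecdsa"
PACKAGECONFIG[md2]   = ",no-md2"
PACKAGECONFIG[mdc2]  = ",no-mdc2"
# openssl.inc runs ./Configure itself rather than through autotools.bbclass, so
# the collected switch arguments have to be handed to it explicitly
# (assumption: PACKAGECONFIG_CONFARGS is available in the oe-core release used).
EXTRA_OECONF_append = " ${PACKAGECONFIG_CONFARGS}"

# --- meta/recipes-connectivity/bind/bind_9.10.3-P3.bb (illustrative fragment) ---
# bind is an autotools recipe, so PACKAGECONFIG arguments reach configure on
# their own. The hard-coded --with-ecdsa=yes in EXTRA_OECONF must be removed so
# the switch is the only place the value is set.
PACKAGECONFIG ??= "ecdsa"
PACKAGECONFIG[ecdsa] = "--with-ecdsa=yes,--with-ecdsa=no,"

# --- conf/distro/<yourdistro>.conf (illustrative) ---
# The producer/consumer sync that the DISTRO_FEATURE was meant to provide is made
# explicit here: a distro that drops an algorithm from openssl drops it from
# every recipe that needs it, so bind is not left configured for ECDSA against a
# libcrypto that lacks it (the compile failure described in this thread).
PACKAGECONFIG_remove_pn-openssl = "des md2 mdc2 ec ecdh ecdsa"
PACKAGECONFIG_remove_pn-bind    = "ecdsa"
```

Because each switch is visible in the recipe, `bitbake -e openssl | grep ^PACKAGECONFIG=` shows exactly which algorithms a given build disables, which a distro feature name alone does not.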
* Re: [PATCH 0/2] Introduce a distro feature openssl-no-weak-ciphers

From: Khem Raj
Date: 2017-07-05 14:38 UTC
To: kai.kang, openembedded-core

On Wed, Jul 5, 2017 at 1:06 AM <kai.kang@windriver.com> wrote:
> From: Kai Kang <kai.kang@windriver.com>
>
> Introduce a distro feature openssl-no-weak-ciphers to make openssl disable
> weak ciphers support, including:
>
> * des
> * ec
> * ecdh
> * ecdsa
> * md2
> * mdc2

It's probably more appropriate to pin it at recipe level, maybe via package config. OpenSSL is not universal and some may even avoid it completely.

> The following changes since commit 4b1d270602a0542eef1b497eaf15bad2b747686f:
>
>   bitbake: bitbake-user-manual: Removed and replaced broken link (2017-07-04 16:05:22 +0100)
>
> are available in the git repository at:
>
>   git://git.pokylinux.org/poky-contrib kangkai/ciphers-weak
>   http://git.pokylinux.org/cgit.cgi/poky-contrib/log/?h=kangkai/ciphers-weak
>
> Kai Kang (2):
>   openssl: disable weak ciphers
>   bind: disable ecdsa if openssl doesn't support it
>
>  meta/recipes-connectivity/bind/bind_9.10.3-P3.bb | 1 +
>  meta/recipes-connectivity/openssl/openssl.inc    | 5 +++++
>  2 files changed, 6 insertions(+)
>
> --
> 2.10.1
* Re: [PATCH 0/2] Introduce a distro feature openssl-no-weak-ciphers

From: Burton, Ross
Date: 2017-07-05 15:15 UTC
To: Khem Raj; Cc: OE-core

On 5 July 2017 at 15:38, Khem Raj <raj.khem@gmail.com> wrote:
> It's probably more appropriate to pin it at recipe level may be via
> package config OpenSSL is not universal and some may even avoid it
> completely

Agreed, whilst I'm not against adding options for enabling insecure ciphers (versus just disabling them), I don't think they deserve a DISTRO_FEATURE of their own.

Ross
* Re: [PATCH 0/2] Introduce a distro feature openssl-no-weak-ciphers

From: Kang Kai
Date: 2017-07-06 2:00 UTC
To: Burton, Ross, Khem Raj; Cc: OE-core

On 2017-07-05 23:15, Burton, Ross wrote:
> On 5 July 2017 at 15:38, Khem Raj <raj.khem@gmail.com> wrote:
>> It's probably more appropriate to pin it at recipe level may be
>> via package config OpenSSL is not universal and some may even
>> avoid it completely
>
> Agreed, whilst I'm not against adding options for enabling insecure
> ciphers (verses just disabling them), I don't think they deserve a
> DISTRO_FEATURE of their own.

The problem is that packages that depend on openssl don't know whether the cipher they need is disabled or not, so I added such a DISTRO_FEATURE to sync openssl and the packages that depend on it. I did it with a variable before, but that did not look like a very official way.

Thanks,
Kai

> Ross

-- 
Regards,
Neil | Kai Kang
* Re: [PATCH 0/2] Introduce a distro feature openssl-no-weak-ciphers

From: Alexander Kanavin
Date: 2017-07-17 13:20 UTC
To: kai.kang, openembedded-core

On 07/05/2017 10:58 AM, kai.kang@windriver.com wrote:
> Introduce a distro feature openssl-no-weak-ciphers to make openssl disable weak
> ciphers support, including:
>
> * des
> * ec
> * ecdh
> * ecdsa
> * md2
> * mdc2

How are those handled in openssl 1.1? If they are disabled by default, then maybe the whole distro feature is not needed when 1.1 is in oe-core.

Alex
* Re: [PATCH 0/2] Introduce a distro feature openssl-no-weak-ciphers

From: Kang Kai
Date: 2017-07-18 2:09 UTC
To: Alexander Kanavin, openembedded-core

On 2017-07-17 21:20, Alexander Kanavin wrote:
> On 07/05/2017 10:58 AM, kai.kang@windriver.com wrote:
>
>> Introduce a distro feature openssl-no-weak-ciphers to make openssl
>> disable weak
>> ciphers support, including:
>>
>> * des
>> * ec
>> * ecdh
>> * ecdsa
>> * md2
>> * mdc2
>
> How are those handled in openssl 1.1? If they are disabled by default,
> then maybe the whole distro feature is not needed when 1.1 is in oe-core.

It depends on whether all the packages which depend on openssl in Yocto have options to disable such weak ciphers. I am afraid some packages could not be built if these weak ciphers were disabled by default.

Thanks,
Kai

> Alex

-- 
Regards,
Neil | Kai Kang