OpenBSD Journal
Home : : Add Story : : Archives : : About : : Create Account : : Login :
a2k17 hackathon report: Bob Beck on LibreSSL progress and more
Contributed by pitrh on Wed Jan 25 14:53:42 2017 (GMT)
from the puffy hugged a dropbear dept.

Fresh from the newly completed a2k17 hackathon comes this report from Bob Beck:

So, I wasn't going to do this one, but I had enough fun sitting next to jsing@ in Toulouse in November working on LibreSSL, I did a bunch of stuff this time:

  1. I went through LibreSSL and attacked all the constant time functions in the bignum library, and changed these functions as used internally to always use the safe constant time mode of operation, to somewhat mitigate timing attacks.

  2. jsing@ and I bumped the LibreSSL majors and started moving a lot of the bits out of the SSL/TLS structures into private locations, removing publicly accessible API that is not used (or should not be used unless you are a crack addled rhesus monkey) We are still dealing with the ports fallout (ensuring that most ports still build) and we have had to move a few things back that we got too aggressive with, but largely this has been a success and will let us move forward at unifying more of the libssl code to make our lives easier going forward (I'll let jsing@ talk about that.)

  3. I did a bunch of fixes to ftp, as well as the ftp cgi's on used by the installer to support TLS in the installer and new awesomeness to be done by rpe@.

  4. I wrote and committed ocspcheck(8) so we have a command in base to use for OCSP stapling on servers, replacing the need to use a lot of nasty "openssl x509' and 'openssl ocsp' to accomplish the same thing.

Thanks very much to dlg@ jono, and the University of Queensland for hosting! it was very productive

Thanks for the report, Bob! Judging from recent commits, other devs will be queueing up with interesting reports over the next few days too, and we're looking forward to hearing from them all.


<< Understanding the modernization of the OpenBSD network stack, part 2: A story of if_get(9) | Reply | Flattened | Expanded | a2k17 hackathon report: Kenneth Westerback on the hidden wonders of the build system, the network stack and more >>

Threshold: Help

Related Links
more by pitrh

  Re: a2k17 hackathon report: Bob Beck on LibreSSL progress and more (mod 2/118)
by Etienne (2400:cb00:25:10e::1) on Thu Jan 26 14:43:40 2017 (GMT)
  From ocspcheck's manpage:

While ocspcheck could possibly be used in scripts to query responders for server certificates seen on client connections, this is almost always a bad idea. God kills a kitten every time you make an OCSP query from the client side of a TLS connection.

I'm really unsure what the problem is with that. It seems to me that it's exactly what OCSP was meant for? Can anyone explain?

  [ Show thread ] [ Reply to this comment ] [ Mod Up ] [ Mod Down ]

  ftpd (mod 1/111)
by Chas ( on Thu Jan 26 17:21:12 2017 (GMT)

It would be really nice if the portable LibreSSL bundled ftpd. I'm occasionally asked for ftps, and I point out the stern warning from the vsftpd manpage.

There are many who despise the protocol for it's ambiguities who would be displeased by such a move, but a whole ftps stack with OpenBSD code quality would be quite useful in dealing with an OS2200 system that occasionally troubles me.

If enabled, and vsftpd was compiled against OpenSSL, vsftpd will
support  secure connections via SSL. This applies to the control
connection (including login) and also data  connections.  You'll
need a client with SSL support too. NOTE!!  Beware enabling this
option. Only enable it if you need it. vsftpd can make no  guar‐
antees  about the security of the OpenSSL libraries. By enabling
this option, you are declaring that you trust  the  security  of
your installed OpenSSL library.

Default: NO
  [ Show thread ] [ Reply to this comment ] [ Mod Up ] [ Mod Down ]
      Re: ftpd (4/108) by George Koehler on Fri Jan 27 02:39:22 2017 (GMT)
        Re: ftpd (4/100) by Chas on Fri Jan 27 16:15:42 2017 (GMT)

[ Home | Add Story | Archives | Polls | About ]

Copyright © 2004-2008 Daniel Hartmeier. All rights reserved. Articles and comments are copyright their respective authors, submission implies license to publish on this web site. Contents of the archive prior to April 2nd 2004 as well as images and HTML templates were copied from the fabulous original with Jose's and Jim's kind permission. Some icons from used with permission from Kathleen. This journal runs as CGI with httpd(8) on OpenBSD, the source code is BSD licensed. Search engine is ht://Dig. undeadly \Un*dead"ly\, a. Not subject to death; immortal. [Obs.]