WelcomeWelcome | FAQFAQ | DownloadsDownloads | WikiWiki

Author Topic: OpenSSL updates  (Read 811 times)

Offline andyj

  • Sr. Member
  • ****
  • Posts: 476
OpenSSL updates
« on: May 04, 2017, 09:52:53 AM »
I see that TCL 8.x has the latest version of OpenSSL, whereas 7.x is behind. Is there a security reason why the 8.x binary shouldn't be used on 7.x, or is it safe to use? Also, are the certificates files different between platforms?

Offline curaga

  • Administrator
  • Hero Member
  • *****
  • Posts: 9591
Re: OpenSSL updates
« Reply #1 on: May 04, 2017, 10:14:57 AM »
It probably won't work due to being compiled against newer libs, but if it works, there is no downside to using it.
The only barriers that can stop you are the ones you create yourself.

Offline Juanito

  • Administrator
  • Hero Member
  • *****
  • Posts: 9547
Re: OpenSSL updates
« Reply #2 on: May 05, 2017, 02:53:57 AM »
Note also that the openssl extensions in the tc-7.x x86 and X86_64 repos contained ca-certificates - these were factored out to a separate extension in the tc-8.x repos.

Offline andyj

  • Sr. Member
  • ****
  • Posts: 476
Re: OpenSSL updates
« Reply #3 on: May 05, 2017, 07:08:25 AM »
I saw that which got me thinking. OpenSSL extension is openssl + ca-certificates, and ca-certificates extension is ca-certificates only, so to get updated ca-certificates you wind up with them being loaded twice unless in the process of loading ca-certificates it unloads any existing ones first. Seems that it would be cleaner and easier if openssl was software only with ca-certificates as a dependency, and maybe less overall maintenance.

Offline Juanito

  • Administrator
  • Hero Member
  • *****
  • Posts: 9547
Re: OpenSSL updates
« Reply #4 on: May 05, 2017, 07:22:07 AM »
In tc-8.x, the openssl extension does not contain any ca-certificates.

Offline andyj

  • Sr. Member
  • ****
  • Posts: 476
Re: OpenSSL updates
« Reply #5 on: May 18, 2017, 05:41:01 PM »
I noticed that in TC-8 the ca-certificates depends on (but I couldn't see where) perl, which wasn't required before. Ignoring the hugeness of the perl extension, what is this for?

Offline Juanito

  • Administrator
  • Hero Member
  • *****
  • Posts: 9547
Re: OpenSSL updates
« Reply #6 on: May 19, 2017, 01:02:42 AM »
As you say, needing perl is not ideal - c_rehash (openssl) is a perl script.

Offline andyj

  • Sr. Member
  • ****
  • Posts: 476
Re: OpenSSL updates
« Reply #7 on: May 19, 2017, 05:03:18 AM »
So, perl is an optional dependency of openssl, but not ca-certificates? Could we remove the dependency on perl from ca-certificates dep file, and leave it out of the openssl dep file?

Offline Juanito

  • Administrator
  • Hero Member
  • *****
  • Posts: 9547
Re: OpenSSL updates
« Reply #8 on: May 19, 2017, 05:17:26 AM »
perl is not optional for ca-certificates, c_rehash is run by update-ca-certificates, which is called by the start-up script.

Offline andyj

  • Sr. Member
  • ****
  • Posts: 476
Re: OpenSSL updates
« Reply #9 on: May 22, 2017, 10:04:46 AM »
I accepted your challenge, and wrote the equivalent (as far as I can tell) functionality (that we're using c_rehash for) for sh:

Code: [Select]
#!/bin/sh
#
CERTDIR="$1"
# remove hash links
/bin/busybox find "$CERTDIR" -regex '.*/[0-9a-f]\{8\}\.[0-9]\{1,\}' -type l -exec rm {} \;

for CFILE in $CERTDIR/*.pem $CERTDIR/*.crt $CERTDIR/*.cer $CERTDIR/*.crl; do     
        FNAME=$(echo $CFILE | sed "s/'/\\'/g")
        KEYS=""
        grep -q -E '^-----BEGIN (X509 |TRUSTED |)CERTIFICATE-----' $FNAME 2>/dev/null && \
                KEYS=$(openssl x509 -subject_hash -fingerprint -noout -in $FNAME) && \
                CRL=""
        grep -q -E '^-----BEGIN X509 CRL-----' $FNAME 2>/dev/null && \
                KEYS=$(openssl crl -hash -fingerprint -noout -in $FNAME) && \
                CRL="r"
        if [ -n "$KEYS" ] ; then
                HASH=${KEYS:0:8}
                FPRINT=${KEYS##*=} && FPRINT=${FPRINT//:/}
                SFX=0
                while [ $SFX -lt 10 ] ; do
                        HASHSFX=HASH_${HASH}_${CRL}${SFX}
                        eval "HASHED=\${$HASHSFX}"
                        if [ -z "$HASHED" ] ; then
                                eval "$HASHSFX=$FPRINT"
                                ln -s $CFILE "${HASH}.${CRL}${SFX}"
                                break
                        elif [ "$HASHED" = "$FPRINT" ] ; then
                                echo "duplicate certificate $CFILE"
                                break
                        else
                                SFX=$(($SFX + 1))
                        fi
                done
        fi
done

Once the 14 meg perl extension is loaded TinyCore becomes PudgyCore.  :o  I already have enough bloat issues   :P

Offline Juanito

  • Administrator
  • Hero Member
  • *****
  • Posts: 9547
Re: OpenSSL updates
« Reply #10 on: May 22, 2017, 10:10:00 AM »
looks interesting - I'm away tomorrow, but will test when I get back.

Offline curaga

  • Administrator
  • Hero Member
  • *****
  • Posts: 9591
Re: OpenSSL updates
« Reply #11 on: May 22, 2017, 11:57:59 PM »
Maybe openssl or libressl would also be interested? (if it works with GNU versions and not just bb, of course)
The only barriers that can stop you are the ones you create yourself.

Offline andyj

  • Sr. Member
  • ****
  • Posts: 476
Re: OpenSSL updates
« Reply #12 on: May 23, 2017, 02:04:26 AM »
The syntax of the regex for GNU find is different, which is why I had to specify busybox as the command. I put together this script to solve our specific problem and not replace all the functionality of c_rehash, although this is probably 90+% of it. Also, as you can see, there isn't much in the way of verbose logging or error checking. I don't know what the common issues are to put in the handling for them.

Offline Juanito

  • Administrator
  • Hero Member
  • *****
  • Posts: 9547
Re: OpenSSL updates
« Reply #13 on: May 23, 2017, 10:18:50 PM »
corepure64 8.x ca-certificates updated - thanks for this  :)

Offline andyj

  • Sr. Member
  • ****
  • Posts: 476
Re: OpenSSL updates
« Reply #14 on: May 24, 2017, 01:18:32 PM »
Not to be a nag, but somehow the version of the script in my updated ca-certificates extension got corrupted and gives me a "expected done" error. I couldn't see the problem, so I'm uploading the script that works on my system. I modified the for loop to use find instead of globbing files in the shell so we won't get the pattern back if it doesn't match. Update-ca-certificates is also complaining about a missing /usr/local/etc/ca-certificates.conf. Could we maybe add a /usr/local/etc/ca-certificates.conf-sample to the extension as a go by? Not that I don't appreciate all the fame and glory and so on, but maybe a name more like c_rehash.sh?
« Last Edit: May 24, 2017, 01:24:21 PM by andyj »