Re-enabling old ciphers in openssl

John Kennedy warlock at phouka.net
Tue Dec 29 07:09:14 UTC 2020 

On Sun, Dec 27, 2020 at 03:49:10PM -0800, Dan Mahoney (Gushi) wrote:
> Hey there all.
> 
> This is a "don't try this at home" question.  This is not something I'm 
> asking how to do in the general case, but I'd like to know.
> 
> It seems recently (since 1.1.1, OpenSSL has deprecated a number of 
> ciphers, and made them a compile-time default disable.) ...
> Ergo, I am wondering what the best way forward is to get a reasonably 
> patched version of openssl that has old ciphers turned on (since it is 
> still possible at compile-time, the code hasn't been outright removed), 
> that I can build *some* subset of ports against.
> 
> Here are the questions I can't seem to answer:
> 
> 1) There's no make.conf entry to override the openssl ciphers.  This needs 
> to be done at the port level.  (Probably reasonable, I don't think there 
> should be an insecure "flavor")  But in the interest of making things 
> reproducible, is there a "Standard" way to keep this consistent without 
> running "make config" every time, or echo'ing options into 
> /var/db/ports/security-openssl/options?

If you can submit a patch, the person that maintains OpenSSL may accept it.
If not, you can always have a local-to-your-system patch that permits it.
That would give you a OpenSSL that allows it.  Hopefully your window of
support isn't so big that you have to go back and start using obsolete/
dangerous versions of the software, because at some point software support
may get yanked out for those.

Either way, you start out with your own patch.

> 2) I'm unclear as to what to put in make.conf to tell ONE PORT to use the 
> openssl from ports, while I want all the others to use base.  I know this 
> is in some cases askign for trouble, but the nagios plugins are standalone 
> binaries.  Is there some method in make.conf or on the port command line 
> to tell ONE PORT to use a defaults+=ssl-openssl without making it the 
> default for ALL PORTS?

Assuming that by default the DEFAULT_VERSIONS for ssl is base, you'd just
want to use the .if syntax for your port.  Something like:

	.if ${.CURDIR:M*/www/firefox}
	DEFAULT_VERSIONS +=     ssl=openssl
	.endif

That shouldn't be a syntax error, but I'm not sure it'll do what you want or
be anywhere near complete enough (I just picked it because you mentioned
firefox).  Firefox has a ton of dependencies, and if one of them needs
SSL then you're going to want it running against the same version of SSL
and now you're going to be chasing a lot of nitty-gritty details that will
change over time.

Not sure if poudriere (or whatever you're using to build packages) will
complain about the potential conflicts that setup might imply.

You seemed to want a minimum amount of apps that might be linked against
the less-secure library, so there are going to be some tradeoffs there.

I haven't played with it in a while, but SSL_CTX_set_cipher_list() may
or may not be your friend if the software you're interested in lets you
configure it (so you can exclude bad ciphers where you don't want them,
and include them where you do) but then you still have to hope that
if you're using strength levels (high, medium, low, etc) that the ciphers
you want aren't getting discriminated against in multiple ways.  And
who knows how that function would be called across all the packages+ports.


It sounds like you're trying to do your best with the insecure targets,
so I'm not sure if your insecure jump-hosts would be treated the same
(responsibly), then I might not feel too bad if openssl was recompiled
for everything on the box as long as it wasn't weak for incoming traffic.
Weak for outgoing traffic might be considered acceptable since the only
things it would be talking to are the known-weak remote devices.

If it was a multi-purpose host (like you were using it for other admin
purposes, like looking up documentation out on the web) then I'd lean
way more towards jailing those packages somewhere.

> 3) If I do all that, ports seems to lack a standard way to build static 
> binaries, which is what I'd really like.  Is there an easy way to do this, 
> or is it best to work outside the ports system at that point?

Don't know the answer to that one.

More information about the freebsd-ports mailing list