SSL_CONF_cmd(): SecurityLevel keyword, by chance?

SSL_CONF_cmd(): SecurityLevel keyword, by chance?

Steffen Nurpmeso
Hello.

I do use SSL_CONF_cmd() (and modules) possibility if it exists,
since it allows users to simply use the features of the newest
OpenSSL library without any code changes on my side.
This is great, and i think i applauded in the past.

I discovered security_level(), needless to say i thought
@SECLEVEL= of ciphers(1) was broken until i discovered -s is
required to make it functional (..and do not get me started on
-ciphersuites..).

Wouldn't it make sense to offer SecurityLevel as a keyword for
SSL_CONF_cmd(), and therefore also SSL_CTX_config(), too -- since
it seems (from the manual) to extend to more than what i would
assume to be covered by a @SECLEVEL member of CipherString aka
..Ciphersuites...?

This seems desirable to me.  For now i will not offer
security_level because i would have to implement a special code
path to bypass SSL_CONF_cmd/SSL_CTX_config, which is used
exclusively if available.

Ciao and a good Sunday from Germany i wish,

(P.S.: i have no github account.)

--steffen
|
|Der Kragenbaer,                The moon bear,
|der holt sich munter           he cheerfully and one by one
|einen nach dem anderen runter  wa.ks himself off
|(By Robert Gernhardt)

Re: SSL_CONF_cmd(): SecurityLevel keyword, by chance?

Matt Caswell

On 09/01/2021 23:24, Steffen Nurpmeso wrote:

> Hello.
>
> I do use SSL_CONF_cmd() (and modules) possibility if it exists,
> since it allows users to simply use the features of the newest
> OpenSSL library without any code changes on my side.
> This is great, and i think i applauded in the past.
>
> I discovered security_level(), needless to say i thought
> @SECLEVEL= of ciphers(1) was broken until i discovered -s is
> required to make it functional (..and do not get me started on
> -ciphersuites..).
>
> Wouldn't it make sense to offer SecurityLevel as a keyword for
> SSL_CONF_cmd(), and therefore also SSL_CTX_config(), too -- since
> it seems (from the manual) to extend to more than what i would
> assume to be covered by a @SECLEVEL member of CipherString aka
> ..Ciphersuites...?

This is probably a good idea. I'd support it if someone wanted to add that.

Matt


Re: SSL_CONF_cmd(): SecurityLevel keyword, by chance?

Steffen Nurpmeso
Hello.

Matt Caswell wrote in
 <[hidden email]>:
 |On 09/01/2021 23:24, Steffen Nurpmeso wrote:
 |> Hello.
 |>
 |> I do use SSL_CONF_cmd() (and modules) possibility if it exists,
 |> since it allows users to simply use the features of the newest
 |> OpenSSL library without any code changes on my side.
 |> This is great, and i think i applauded in the past.
 |>
 |> I discovered security_level(), needless to say i thought
 |> @SECLEVEL= of ciphers(1) was broken until i discovered -s is
 |> required to make it functional (..and do not get me started on
 |> -ciphersuites..).
 |>
 |> Wouldn't it make sense to offer SecurityLevel as a keyword for
 |> SSL_CONF_cmd(), and therefore also SSL_CTX_config(), too -- since
 |> it seems (from the manual) to extend to more than what i would
 |> assume to be covered by a @SECLEVEL member of CipherString aka
 |> ..Ciphersuites...?
 |
 |This is probably a good idea. I'd support it if someone wanted to add that.

Please find a simple add-on attached, it could be it ("having no
idea of the codebase"..).  It compiles, but when linking against
678cae0295e3f (master from today) plus the patch i get errors:

  In file included from /home/steffen/src/nail.git/src/mx/xtls.c:60:
  /home/steffen/src/nail.git/src/mx/xtls.c:402:4: error: expected declaration specifiers or '...' before 'ossl_check_const_GENERAL_NAME_sk_type'
    402 |    DEFINE_STACK_OF(GENERAL_NAME)
        |    ^~~~~~~~~~~~~~~
  /home/steffen/src/nail.git/src/mx/xtls.c:402:4: error: expected ')' before '*' token
    402 |    DEFINE_STACK_OF(GENERAL_NAME)
        |    ^~~~~~~~~~~~~~~
  /home/steffen/src/nail.git/src/mx/xtls.c:402:4: error: expected ')' before 'OPENSSL_sk_value'
    402 |    DEFINE_STACK_OF(GENERAL_NAME)
        |    ^~~~~~~~~~~~~~~
  In file included from /home/steffen/usr-kent-linux-x86_64/opt/.ossl3/include/openssl/crypto.h:35,
                   from /home/steffen/src/nail.git/src/mx/xtls.c:53:
  /home/steffen/src/nail.git/src/mx/xtls.c:402:4: error: expected identifier or '(' before 'struct'
    402 |    DEFINE_STACK_OF(GENERAL_NAME)
        |    ^~~~~~~~~~~~~~~
  In file included from /home/steffen/src/nail.git/src/mx/xtls.c:60:
  /home/steffen/src/nail.git/src/mx/xtls.c:402:4: error: expected ')' before 'OPENSSL_sk_new'
    402 |    DEFINE_STACK_OF(GENERAL_NAME)
        |    ^~~~~~~~~~~~~~~
  /home/steffen/src/nail.git/src/mx/xtls.c:402:1: error: macro "sk_GENERAL_NAME_new_null" passed 1 arguments, but takes just 0
    402 |    DEFINE_STACK_OF(GENERAL_NAME)
        | ^  ~~~~~~~~~~~~~~~~~~~~~
  In file included from /home/steffen/src/nail.git/src/mx/xtls.c:60:
  /home/steffen/usr-kent-linux-x86_64/opt/.ossl3/include/openssl/x509v3.h:225: note: macro "sk_GENERAL_NAME_new_null" defined here
    225 | #define sk_GENERAL_NAME_new_null() ((STACK_OF(GENERAL_NAME) *)OPENSSL_sk_new_null())
        |

I have not tested OpenSSL 3.0 for a while, but it was clean when
i tried it last, my last commit was "Be truly
OPENSSL_NO_DEPRECATED_3_0 clean" on 2020-07-19.  I used

  ./config --prefix=/home/steffen/usr-kent-linux-x86_64/opt/.ossl3 \
    zlib-dynamic shared no-deprecated no-async threads no-tests \
    -Wl,-rpath,'$(LIBRPATH)'

on a current glibc Linux (CRUX-Linux 3.6).

Ciao from Germany,

--steffen

[Attachment: ossl3-conf-seclvl.patch (4K)]

Re: SSL_CONF_cmd(): SecurityLevel keyword, by chance?

Matt Caswell
Please raise your patch as a PR so that it can be properly reviewed. You'll
also need to submit a CLA:

https://www.openssl.org/policies/cla.html

Thanks

Matt


On 11/01/2021 22:19, Steffen Nurpmeso wrote:

> Hello.
>
> Matt Caswell wrote in
>  <[hidden email]>:
>  |On 09/01/2021 23:24, Steffen Nurpmeso wrote:
>  |> Hello.
>  |>
>  |> I do use SSL_CONF_cmd() (and modules) possibility if it exists,
>  |> since it allows users to simply use the features of the newest
>  |> OpenSSL library without any code changes on my side.
>  |> This is great, and i think i applauded in the past.
>  |>
>  |> I discovered security_level(), needless to say i thought
>  |> @SECLEVEL= of ciphers(1) was broken until i discovered -s is
>  |> required to make it functional (..and do not get me started on
>  |> -ciphersuites..).
>  |>
>  |> Wouldn't it make sense to offer SecurityLevel as a keyword for
>  |> SSL_CONF_cmd(), and therefore also SSL_CTX_config(), too -- since
>  |> it seems (from the manual) to extend to more than what i would
>  |> assume to be covered by a @SECLEVEL member of CipherString aka
>  |> ..Ciphersuites...?
>  |
>  |This is probably a good idea. I'd support it if someone wanted to add that.
>
> Please find a simple add-on attached, it could be it ("having no
> idea of the codebase"..).  It compiles, but when linking against
> 678cae0295e3f (master from today) plus the patch i get errors:
>
>   In file included from /home/steffen/src/nail.git/src/mx/xtls.c:60:
>   /home/steffen/src/nail.git/src/mx/xtls.c:402:4: error: expected declaration specifiers or '...' before 'ossl_check_const_GENERAL_NAME_sk_type'
>     402 |    DEFINE_STACK_OF(GENERAL_NAME)
>         |    ^~~~~~~~~~~~~~~
>   /home/steffen/src/nail.git/src/mx/xtls.c:402:4: error: expected ')' before '*' token
>     402 |    DEFINE_STACK_OF(GENERAL_NAME)
>         |    ^~~~~~~~~~~~~~~
>   /home/steffen/src/nail.git/src/mx/xtls.c:402:4: error: expected ')' before 'OPENSSL_sk_value'
>     402 |    DEFINE_STACK_OF(GENERAL_NAME)
>         |    ^~~~~~~~~~~~~~~
>   In file included from /home/steffen/usr-kent-linux-x86_64/opt/.ossl3/include/openssl/crypto.h:35,
>                    from /home/steffen/src/nail.git/src/mx/xtls.c:53:
>   /home/steffen/src/nail.git/src/mx/xtls.c:402:4: error: expected identifier or '(' before 'struct'
>     402 |    DEFINE_STACK_OF(GENERAL_NAME)
>         |    ^~~~~~~~~~~~~~~
>   In file included from /home/steffen/src/nail.git/src/mx/xtls.c:60:
>   /home/steffen/src/nail.git/src/mx/xtls.c:402:4: error: expected ')' before 'OPENSSL_sk_new'
>     402 |    DEFINE_STACK_OF(GENERAL_NAME)
>         |    ^~~~~~~~~~~~~~~
>   /home/steffen/src/nail.git/src/mx/xtls.c:402:1: error: macro "sk_GENERAL_NAME_new_null" passed 1 arguments, but takes just 0
>     402 |    DEFINE_STACK_OF(GENERAL_NAME)
>         | ^  ~~~~~~~~~~~~~~~~~~~~~
>   In file included from /home/steffen/src/nail.git/src/mx/xtls.c:60:
>   /home/steffen/usr-kent-linux-x86_64/opt/.ossl3/include/openssl/x509v3.h:225: note: macro "sk_GENERAL_NAME_new_null" defined here
>     225 | #define sk_GENERAL_NAME_new_null() ((STACK_OF(GENERAL_NAME) *)OPENSSL_sk_new_null())
>         |
>
> I have not tested OpenSSL 3.0 for a while, but it was clean when
> i tried it last, my last commit was "Be truly
> OPENSSL_NO_DEPRECATED_3_0 clean" on 2020-07-19.  I used
>
>   ./config --prefix=/home/steffen/usr-kent-linux-x86_64/opt/.ossl3 \
>     zlib-dynamic shared no-deprecated no-async threads no-tests \
>     -Wl,-rpath,'$(LIBRPATH)'
>
> on a current glibc Linux (CRUX-Linux 3.6).
>
> Ciao from Germany,
>
> --steffen

Re: SSL_CONF_cmd(): SecurityLevel keyword, by chance?

Steffen Nurpmeso
Matt Caswell wrote in
 <[hidden email]>:
 |Please raise your patch as a PR so that it can be properly reviewed. You'll
 |also need to submit a CLA:

Sorry no, i do not have a github account nor will i go there.
You may commit it with your own name, or not.
Have a nice day.

--steffen