[cryptography] Just how bad is OpenSSL ?

Ben Laurie ben at links.org
Wed Oct 31 05:51:51 EDT 2012


On Tue, Oct 30, 2012 at 2:55 PM, Patrick Mylund Nielsen
<cryptography at patrickmylund.com> wrote:
> Hopefully somebody's doing some kind of integrity check pre-release no
> matter where it's hosted... :)
>
> In either case, happy to help if it is manhours you need, and I'm sure
> others on this list are as well.

I think what we need is both manhours and the hardware to run on (plus
bandwidth, etc).

>
> On Tue, Oct 30, 2012 at 3:51 PM, Aaron Grattafiori
> <aaron at digitalinfinity.net> wrote:
>>
>> Thank god...
>>
>> On Oct 30, 2012 7:50 AM, "Ben Laurie" <ben at links.org> wrote:
>>>
>>> On Tue, Oct 30, 2012 at 2:39 PM, Patrick Mylund Nielsen
>>> <cryptography at patrickmylund.com> wrote:
>>> > I would be happy to volunteer to move everything to Github. But it
>>> > really is
>>> > really, really easy to do, and the maintenance required is minimal.
>>> > That or
>>> > git+redmine or git+JIRA would be my suggestion.
>>>
>>> The team has ruled out having the master at github.
>>>
>>> >
>>> >
>>> > On Tue, Oct 30, 2012 at 3:28 PM, Ben Laurie <ben at links.org> wrote:
>>> >>
>>> >> On Tue, Oct 30, 2012 at 2:21 PM, Matthew Green
>>> >> <matthewdgreen at gmail.com>
>>> >> wrote:
>>> >> > So:
>>> >> >
>>> >> > 1. What is the process by which you get OpenSSL contributors to
>>> >> > notice a
>>> >> > serious issue and apply a patch?
>>> >>
>>> >> I wouldn't know, I haven't tried :-)
>>> >>
>>> >> In my case, just ask (me, that is, not some mailing list). If the
>>> >> issue is serious, I will likely apply the patch.
>>> >>
>>> >> > 2. What are the criteria for applying a patch? Is it just 'whatever
>>> >> > interests the devs'? It seems that publishing an exploit works, but
>>> >> > is that
>>> >> > necessary?
>>> >>
>>> >> I think it can be taken as read that the devs are interested in the
>>> >> security and stability of OpenSSL.
>>> >>
>>> >> > 3. It's 2012 -- why the **** is OpenSSL running its own ticket
>>> >> > tracker
>>> >> > and source control servers??? (RT is a disaster.)
>>> >>
>>> >> Damn good question. Probably because we don't have a volunteer to move
>>> >> everything somewhere else and keep it running.
>>> >>
>>> >> > 4. What does it take to become an OpenSSL volunteer?
>>> >>
>>> >> :-) Like most (good) open source projects: sustained contribution.
>>> >>
>>> >> >
>>> >> > Matt
>>> >> >
>>> >> > On Oct 30, 2012, at 10:12 AM, Ben Laurie <ben at links.org> wrote:
>>> >> >
>>> >> >> On Tue, Oct 30, 2012 at 11:58 AM, Jeffrey Walton
>>> >> >> <noloader at gmail.com>
>>> >> >> wrote:
>>> >> >>> On Tue, Oct 30, 2012 at 5:03 AM, Ben Laurie <ben at links.org> wrote:
>>> >> >>>> On Mon, Oct 29, 2012 at 10:34 PM, Jeffrey Walton
>>> >> >>>> <noloader at gmail.com>
>>> >> >>>> wrote:
>>> >> >>>>> On Fri, Oct 26, 2012 at 2:29 PM, John Case <case at sdf.org> wrote:
>>> >> >>>>>>
>>> >> >>>>>> [SNIP]
>>> >> >>>>
>>> >> >>>> Apparently you think the best way to get a secure platform is to
>>> >> >>>> apply
>>> >> >>>> pressure through pointless security standards. I'd suggest your
>>> >> >>>> efforts might be better spent supplying patches instead. Or,
>>> >> >>>> y'know,
>>> >> >>>> talking to the authors of the s/w in question. You never know,
>>> >> >>>> they
>>> >> >>>> might care.
>>> >> >>> Ah, OK. My bad.
>>> >> >>>
>>> >> >>> I've tried supplying patches and filing bug report/enhancement
>>> >> >>> requests.
>>> >> >>>
>>> >> >>> Here was a gentle patch for spelling corrections in a README -
>>> >> >>> rejected.
>>> >> >>>
>>> >> >>> http://rt.openssl.org/Ticket/Display.html?user=guest&pass=guest&id=2401.
>>> >> >>
>>> >> >> AFAICS that is not rejected, it is ignored. There's a difference.
>>> >> >>
>>> >> >> Also, your patch appears to be reversed. Or your spelling is
>>> >> >> terrible
>>> >> >> :-)
>>> >> >>
>>> >> >>> Here was a patch for Xcode awareness - rejected (is it fair to say
>>> >> >>> when its sites for years without acknowledgement?).
>>> >> >>>
>>> >> >>>
>>> >> >>> http://rt.openssl.org/Ticket/Display.html?user=guest&pass=guest&id=2402.
>>> >> >>
>>> >> >> Also not rejected.
>>> >> >>
>>> >> >> Now, I agree that having patches ignored isn't so great either, but
>>> >> >> the problem is:
>>> >> >>
>>> >> >> * RT doesn't actually work, the guy who allegedly maintains our
>>> >> >> infrastructure doesn't, and the team can't agree what to do about
>>> >> >> it
>>> >> >> (not that its tried very hard).
>>> >> >>
>>> >> >> * OpenSSL is mostly maintained by volunteers, who may not have felt
>>> >> >> particularly inspired by your patches, or may just have missed
>>> >> >> them.
>>> >> >>
>>> >> >> * When people are paid, they're generally paid to do specific
>>> >> >> things,
>>> >> >> not to trawl through RT (if they even could) looking for patches to
>>> >> >> adopt. I'm sure someone could pay for that if they want to, though.
>>> >> >>
>>> >> >> * CVS is a shit tool, too, making it hard to deal with patches -
>>> >> >> we've
>>> >> >> even agreed as a team to move off it, but see above about
>>> >> >> infrastructure :-)
>>> >> >>
>>> >> >>> I can't locate a bug report on the use of the uninitialized data.
>>> >> >>> Perhaps I had the discussion on the developer's mailing list (I
>>> >> >>> know
>>> >> >>> I'm not imagining it, so my apologies).
>>> >> >>>
>>> >> >>> I am also aware that patches existed for some time for CCM mode,
>>> >> >>> GCM
>>> >> >>> mode, and SRP. In the case of GCM, IBM supplied the patches 5 or
>>> >> >>> 10
>>> >> >>> years earlier. None were acted upon.
>>> >> >>
>>> >> >> It always amuses me when bigcorp pays to have a patch made, but
>>> >> >> somehow manages to fail to understand that the guy applying the
>>> >> >> patch
>>> >> >> has to eat, too. Plus, ISTR the IP situation is none too clear on
>>> >> >> all
>>> >> >> of these.
>>> >> >>
>>> >> >> This reminds me of the first attempt to FIPSify OpenSSL, where
>>> >> >> there
>>> >> >> was zero budget for the developer - just money for test labs and
>>> >> >> the
>>> >> >> like ("what do you mean you want money to work on it? I thought it
>>> >> >> was
>>> >> >> free software!").
>>> >> >>
>>> >> >>> The project does not appear to want outside help. If I am drawing
>>> >> >>> the
>>> >> >>> wrong conclusion, please forgive me.
>>> >> >>
>>> >> >> I'll grant you that your very small patches could be considered
>>> >> >> help,
>>> >> >> and it is a little unfortunate they they were ignored, but like I
>>> >> >> say,
>>> >> >> RT is a shit tool, at least as implemented at OpenSSL, as is CVS (I
>>> >> >> notice you didn't supply the needed 4 patches, just a single one)
>>> >> >> and
>>> >> >> no-one's paying anyone to pick patches up from it, particularly.
>>> >> >>
>>> >> >> The rest of your "help" appears to be specifying flags you'd like
>>> >> >> to
>>> >> >> be used and expecting us to do the work for you. Which I actually
>>> >> >> might, I find that kind of thing therapeutic, but you get my point.
>>> >> >>
>>> >> >> I think the project would welcome help - but it needs to be useful
>>> >> >> help
>>> >> >> :-)
>>> >> >> _______________________________________________
>>> >> >> cryptography mailing list
>>> >> >> cryptography at randombit.net
>>> >> >> http://lists.randombit.net/mailman/listinfo/cryptography
>>> >> >
>>> >> _______________________________________________
>>> >> cryptography mailing list
>>> >> cryptography at randombit.net
>>> >> http://lists.randombit.net/mailman/listinfo/cryptography
>>> >
>>> >
>>> _______________________________________________
>>> cryptography mailing list
>>> cryptography at randombit.net
>>> http://lists.randombit.net/mailman/listinfo/cryptography
>
>



More information about the cryptography mailing list