[Info-vax] New OpenSSL update from HP

[Stephen Hoffman]

On 2015-06-14 23:08:58 +0000, Dirk Munk said:

> Stephen Hoffman wrote:
> 
> 
>> — and it all increases the likelihood of crypto problems.
> 
> Why? I can imagine that both versions share the same crypto engine. I 
> can even imagine that it is a shared library.

Then you're back to tracking OpenSSL and quite probably two or more 
versions, if that's the pieces at your core.

There's that the ABIs have changed incompatibility.  Hopefully that 
doesn't happen again, but there was just a bug where the ABI did 
change, though that got reverted.

The LibreSSL folks are planning to make API changes, and probably for 
the better.

There's also rather more to OpenSSL than just the two major libraries, 
too.  There are a number of tools involved in the environment.

>> Crypto implementation source code is complex and can be very subtle — 
>> e.g. timing vulnerabilities — and most or all implementations — whether 
>> open source and ubiquitous, or private and platform-specific 
>> implementations — of crypto will almost invariably contain 
>> implementation errors and/or cases where the code can or will need to 
>> be updated.  The effective deprecation of SSLv3 and various cipher 
>> vulnerabilities, for instance.
> 
> Were those implementation errors or more fundamental errors?

Both.

Crypto is complex, very hard to get entirely correct, and attacks can 
be quite subtle.

Even if VSI has a crypto expert or two around, it's still no small effort.

>> Backing up a few steps, solving the more general problems lurking here 
>> would be helpful, too — OpenSSL is not at all unique,
> 
> No, there are more SSL implemenations

The problems you are addressing — specifically for SSL, here — are much 
more generic, and effect tools and applications far beyond the SSL 
giblets.

>> nor is the need to incorporate specific versions into specific 
>> applications, nor will the current mess in the startups resolve itself, 
>> nor will we stay in the world of singleton or one-off deployments, nor 
>> will the need to more easily and more quickly and more cleanly install 
>> and remove software lessen, nor will the speed and the urgency and the 
>> necessity of the upgrade cycles do anything other than increase.   Etc. 
>>   Outside of the installed base, this is just the very tip of the 
>> expectations and the effort involved, too.

FWIW, have you used SSL?  If not, please do go try it.  The OpenSSL ABI 
is unfortunately somewhat complex.

Then there's that more than a few folks don't really understand how 
certificates and DH and the rest work, and there's absolutely no 
integration with OpenVMS at present — there are four different 
certificate stores commonly encountered, if not more.  (CDSA, OpenSSL, 
ssh and sshd, Apache, and probably some others.)


-- 
Pure Personal Opinion | HoffmanLabs LLC