cloudflare / sslconfig

Cloudflare's Internet facing SSL configuration
BSD 3-Clause "New" or "Revised" License

Patch No Longer Applies Cleanly to 1.0.2g #27

Closed zx2c4 closed 8 years ago

Whissi commented 8 years ago

Works for me on Debian Jessie (own openssl-1.0.2g backport with removed chacha tests, see #23) and Gentoo's dev-libs/openssl-1.0.2g via euser_patch (with the required sanity fixes from your issue #22).

I am using 3afa6467ad3b15db2f678f8b5a1f817e56874602

vkrasnov commented 8 years ago

We cannot update the patch every time there is a minor change in the OpenSSL version.

zx2c4 commented 8 years ago

"We cannot update the patch every time there is a minor change in the OpenSSL version."

That's pretty disheartening. I would think Cloudflare would want to update their publicly released code to adjust to version releases that address major top priority critical security vulnerabilities. This decision here flies in the face of everything Cloudflare tries to promote. What a shame.

vkrasnov commented 8 years ago

@zx2c4 I am afraid you misinterpreted me. You can see that we do care and do post updates. By "minor" changes, I mean that the relevant parts of OpenSSL were changed in a minor way. Although the patch does not apply cleanly anymore, it does apply, and it does work functionally.

In addition, if you use the configuration that we advertise, you would not be vulnerable to the high priority vulnerabilities anyway.

zx2c4 commented 8 years ago

patch -p1 barfs. It doesn't apply. The issue appears to be tests/Makefile, which requires manual merging. The fixes to the build system also have not been applied yet from #22. Nonetheless, I have taken the time to sort this out myself, and attached to this message is a patch that works well on 1.0.2g. Perhaps you'll add it to the repo.

openssl__chacha20_poly1305_1_0_2g.patch.zip

zx2c4 commented 8 years ago

"In addition, if you use the configuration that we advertise, you would not be vulnerable to the high priority vulnerabilities anyway."

Yes, but other services on the same host may be using SSLv2 inadvertently, which is the real fear of the recent vulnerability. Being able to update the system openssl library to block SSLv2 is important.
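
Added example, not code from the cloudflare/sslconfig repository or from anyone in this thread: a POSIX shell check for the host-wide exposure described in the comment above. It asks an OpenSSL binary for its complete cipher list and reports whether any suite is negotiated over SSLv2, so you can confirm that the system libssl (and not just the one service you configured) has SSLv2 compiled out. It assumes an `openssl` binary on PATH for the live check and `ldd` for the library-lookup helper; the two cipher listings embedded in it are constructed for illustration, not captured from a real host, and the ChaCha20-Poly1305 suite name in the second one is an assumed example, not a name taken from this patch.

```shell
#!/bin/sh
# Added example; not code from cloudflare/sslconfig or from anyone in this
# thread. Checks whether an OpenSSL installation still offers SSLv2 cipher
# suites, the host-wide exposure discussed above. Needs only `awk` plus,
# for the live check, an `openssl` binary (and `ldd` for linked_libssl).

# Read `openssl ciphers -v` output on stdin. The second whitespace-separated
# column of each line is the protocol the suite is negotiated over.
# Prints "yes" and returns 0 if any suite is SSLv2, otherwise "no" and 1.
lists_sslv2() {
    awk 'BEGIN { found = 0 }
         $2 == "SSLv2" { found = 1 }
         END { print (found ? "yes" : "no"); exit (found ? 0 : 1) }'
}

# Live check against one openssl binary (default: the first on PATH).
# A build configured with no-ssl2, which 1.0.2g made the default, offers no
# SSLv2 suite at all, so an error or an empty listing here is the good
# outcome. Returns 0 when no SSLv2 suite is available, 1 otherwise.
check_system_openssl() {
    bin="${1:-openssl}"
    if "$bin" ciphers -v 'ALL:COMPLEMENTOFALL' 2>/dev/null | lists_sslv2 >/dev/null; then
        echo "$("$bin" version 2>/dev/null): SSLv2 cipher suites still available"
        return 1
    fi
    echo "$("$bin" version 2>/dev/null): no SSLv2 cipher suites"
    return 0
}

# `openssl ciphers` only reports on the libssl that the CLI binary links.
# A service built against a different copy (a locally patched 1.0.2g next to
# the distro package, say) must be checked against its own library: this
# prints the libssl path a binary resolves to, so the check can be repeated
# with LD_LIBRARY_PATH pointed at that build. Assumes `ldd` is available.
linked_libssl() {
    ldd "$1" 2>/dev/null | awk '/libssl/ { print $3; exit }'
}

# Constructed sample listings in the `openssl ciphers -v` format (not
# captured from a real host): one legacy build with SSLv2 compiled in, one
# no-ssl2 build carrying an assumed ChaCha20-Poly1305 suite name.
SAMPLE_LEGACY='ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AESGCM(128) Mac=AEAD
RC4-MD5                 SSLv2 Kx=RSA      Au=RSA  Enc=RC4(128)  Mac=MD5
DES-CBC3-MD5            SSLv2 Kx=RSA      Au=RSA  Enc=3DES(168) Mac=MD5'
SAMPLE_NOSSL2='ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AESGCM(128) Mac=AEAD
ECDHE-RSA-CHACHA20-POLY1305 TLSv1.2 Kx=ECDH     Au=RSA  Enc=ChaCha20-Poly1305 Mac=AEAD'

# Run the parser over each sample; each prints "yes" or "no".
legacy_sample_verdict() { printf '%s\n' "$SAMPLE_LEGACY" | lists_sslv2; }
nossl2_sample_verdict() { printf '%s\n' "$SAMPLE_NOSSL2" | lists_sslv2; }

# Stand-alone run: parse the samples, then check the real binary if present.
legacy_sample_verdict >/dev/null && echo "sample legacy build: SSLv2 offered"
nossl2_sample_verdict >/dev/null || echo "sample no-ssl2 build: SSLv2 absent"
if command -v openssl >/dev/null 2>&1; then
    check_system_openssl openssl || :
fi
```

For a service that does not link the same libssl as the CLI, run `linked_libssl /path/to/service` and repeat `check_system_openssl` with `LD_LIBRARY_PATH` set to that library's directory; only then does the answer apply to that process.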

chrcoluk commented 8 years ago

Patch doesn't apply cleanly here either, since 1.0.2g. Also thanks to zx2c4 for fixing it.