grobian / carbon-c-relay

Enhanced C implementation of Carbon relay, aggregator and rewriter
Apache License 2.0

Compiling on CentOS 7 with local OpenSSL shared libraries? #445

Closed berrfred closed 2 years ago

berrfred commented 2 years ago

Carbon-C-Relay 3.7.4 is running fine on CentOS 7 with TLS 1.2 and strong ciphers (using the protomin and ciphers parameters).

I just wanted to know if there is a way to compile it with a more recent OpenSSL release than 1.0.2k, so that TLS 1.3 is also available. I have compiled and installed OpenSSL 1.1.1m with --prefix=/usr/local/openssl; is there a way to compile/link Carbon-C-Relay with those updated libraries?

grobian commented 2 years ago

You should be able to export CPPFLAGS="-I/path/to" LDFLAGS="-L/path/to -Wl,-rpath=/path/to" so you link against your other OpenSSL.

Note that IMO TLS 1.3 is basically a restricted set of TLS 1.2 ciphers, where TLS 1.2 is FIPS and 1.3 is not (I guess because its ciphers are available in 1.2).
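
Worked example (added by the editor; not code from the carbon-c-relay project or from either commenter): a POSIX shell snippet that applies the CPPFLAGS/LDFLAGS/rpath recipe above against an assumed OpenSSL prefix of /usr/local/openssl, and then checks from `ldd` output that libssl and libcrypto really resolve under that prefix rather than to the distribution's 1.0.2k copies in /lib64 or to "not found". The ldd samples are constructed for the demonstration; build_relay is only defined, not run, because it needs the relay source tree.

```shell
# Added example, not part of carbon-c-relay. Assumes OpenSSL was installed
# with --prefix=/usr/local/openssl (override with OPENSSL_PREFIX).
OPENSSL_PREFIX="${OPENSSL_PREFIX:-/usr/local/openssl}"

# Configure and build the relay against the local OpenSSL. The -rpath bakes
# the library directory into the binary so the dynamic loader finds
# libssl.so.1.1/libcrypto.so.1.1 at run time without LD_LIBRARY_PATH or any
# change to ld.so.conf. Not invoked below: it needs the relay source tree.
build_relay() {
    ./configure \
        CPPFLAGS="-I${OPENSSL_PREFIX}/include" \
        LDFLAGS="-L${OPENSSL_PREFIX}/lib -Wl,-rpath=${OPENSSL_PREFIX}/lib" \
    && make
}

# check_ssl_libs PREFIX: reads `ldd relay` output on stdin and succeeds only
# if both libssl and libcrypto resolve to a file under PREFIX/lib. A library
# that is "not found" or that comes from /lib64 (the system 1.0.2k) fails,
# as does a binary that does not link both libraries at all.
check_ssl_libs() {
    prefix=$1
    found=0
    while IFS= read -r line; do
        case "$line" in
            *libssl.so*"=>"*|*libcrypto.so*"=>"*)
                path=${line#*"=> "}      # drop "libssl.so.1.1 => "
                path=${path%% *}         # drop the " (0x...)" load address
                case "$path" in
                    "$prefix"/lib/*) found=$((found + 1)) ;;
                    *) printf 'unexpected resolution: %s\n' "$line" >&2
                       return 1 ;;
                esac ;;
        esac
    done
    [ "$found" -eq 2 ]
}

# Constructed ldd samples (modelled on the output in this thread): a relay
# linked against the local 1.1.1 build, one still picking up the system
# libraries, and one whose libraries the loader cannot find.
GOOD_LDD='    libz.so.1 => /lib64/libz.so.1 (0x00007f1703b59000)
    libssl.so.1.1 => /usr/local/openssl/lib/libssl.so.1.1 (0x00007f17038c6000)
    libcrypto.so.1.1 => /usr/local/openssl/lib/libcrypto.so.1.1 (0x00007f17033db000)
    libc.so.6 => /lib64/libc.so.6 (0x00007f17026e8000)'
SYSTEM_LDD='    libssl.so.10 => /lib64/libssl.so.10 (0x00007f0000000000)
    libcrypto.so.10 => /lib64/libcrypto.so.10 (0x00007f0000100000)'
MISSING_LDD='    libssl.so.1.1 => not found
    libcrypto.so.1.1 => not found'

# report NAME LDD_OUTPUT: human-readable verdict for one sample.
report() {
    if printf '%s\n' "$2" | check_ssl_libs "$OPENSSL_PREFIX" 2>/dev/null; then
        echo "$1: relay uses OpenSSL from $OPENSSL_PREFIX"
    else
        echo "$1: relay is NOT linked against $OPENSSL_PREFIX"
    fi
}
report GOOD_LDD "$GOOD_LDD"
report SYSTEM_LDD "$SYSTEM_LDD"
report MISSING_LDD "$MISSING_LDD"
```

On a real build, run `ldd relay | check_ssl_libs /usr/local/openssl` after `make`. A matching sanity check on the configure side: `checking for SSL_CTX_set_ciphersuites... yes` (as in the output posted below) can only come from 1.1.1 or newer headers, because that TLS 1.3 API does not exist in 1.0.2; the ldd check confirms the same for the shared libraries the binary actually loads.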

berrfred commented 2 years ago

Looks pretty good ...

./configure CPPFLAGS="-I/usr/local/openssl/include" LDFLAGS="-L/usr/local/openssl/lib -Wl,-rpath=/usr/local/openssl/lib"

checking for openssl/err.h... yes
checking for openssl/ssl.h... yes
checking for SSL_connect in -lssl... yes
checking for ERR_reason_error_string in -lcrypto... yes
checking for TLS_server_method... yes
checking for SSLv23_server_method... no
checking for SSL_CTX_set_cipher_list... yes
checking for SSL_CTX_set_ciphersuites... yes

ldd relay

    linux-vdso.so.1 =>  (0x00007ffdb2fec000)
    libz.so.1 => /lib64/libz.so.1 (0x00007f1703b59000)
    libssl.so.1.1 => /usr/local/openssl/lib/libssl.so.1.1 (0x00007f17038c6000)
    libcrypto.so.1.1 => /usr/local/openssl/lib/libcrypto.so.1.1 (0x00007f17033db000)
    libpcreposix.so.0 => /lib64/libpcreposix.so.0 (0x00007f17031d8000)
    libdl.so.2 => /lib64/libdl.so.2 (0x00007f1702fd4000)
    libm.so.6 => /lib64/libm.so.6 (0x00007f1702cd2000)
    libpthread.so.0 => /lib64/libpthread.so.0 (0x00007f1702ab6000)
    libc.so.6 => /lib64/libc.so.6 (0x00007f17026e8000)
    libpcre.so.1 => /lib64/libpcre.so.1 (0x00007f1702486000)
    /lib64/ld-linux-x86-64.so.2 (0x00007f1703d6f000)

nmap --script ssl-enum-ciphers -p 8443 10.224.115.43

Starting Nmap 7.92SVN ( https://nmap.org ) at 2022-02-14 10:24 CET
Nmap scan report for sans-db.telecomitalia.local (10.224.115.43)
Host is up (0.0060s latency).

PORT     STATE SERVICE
8443/tcp open  https-alt
| ssl-enum-ciphers: 
|   TLSv1.2: 
|     ciphers: 
|       TLS_RSA_WITH_AES_128_GCM_SHA256 (rsa 2048) - A
|       TLS_RSA_WITH_AES_256_CBC_SHA256 (rsa 2048) - A
|       TLS_RSA_WITH_AES_256_GCM_SHA384 (rsa 2048) - A
|     compressors: 
|       NULL
|     cipher preference: client
|     warnings: 
|       Forward Secrecy not supported by any cipher
|   TLSv1.3: 
|     ciphers: 
|       TLS_AKE_WITH_AES_128_GCM_SHA256 (ecdh_x25519) - A
|       TLS_AKE_WITH_AES_256_GCM_SHA384 (ecdh_x25519) - A
|       TLS_AKE_WITH_CHACHA20_POLY1305_SHA256 (ecdh_x25519) - A
|     cipher preference: client
|_  least strength: A

Nmap done: 1 IP address (1 host up) scanned in 0.50 seconds
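
The scan above answers the original question (the rebuilt relay now offers TLS 1.3), but nmap also warns that no TLS 1.2 suite provides forward secrecy: all three are TLS_RSA_WITH_* suites, whose session keys can be recovered from captured traffic by anyone who later obtains the server's RSA private key. As an added check (editor's example, not part of the thread or of carbon-c-relay), the POSIX shell function below reads ssl-enum-ciphers output and lists every offered suite that does not use an ephemeral (EC)DHE key exchange. The first sample is constructed from the scan posted above; the second is a constructed scan of a hardened configuration.

```shell
# Added example, not part of carbon-c-relay. Audits `nmap --script
# ssl-enum-ciphers` output for cipher suites that lack forward secrecy.

# fs_audit: reads the nmap report on stdin, prints "PROTO SUITE" for each
# suite without forward secrecy and succeeds only when none is found.
# TLS 1.3 suites (reported by nmap as TLS_AKE_*) always use an ephemeral
# (EC)DHE exchange; in TLS 1.2 only *_ECDHE_* and *_DHE_* suites do, while
# TLS_RSA_WITH_* encrypts the premaster secret to the server's static key.
fs_audit() {
    proto=""
    bad=0
    while IFS= read -r line; do
        case "$line" in
            *"|   TLSv1."*":"*)          # protocol header, e.g. "|   TLSv1.2: "
                proto=${line#*"|   "}
                proto=${proto%%:*} ;;
            *"|       TLS_"*" - "*)      # cipher line, e.g. "|       TLS_RSA_... (rsa 2048) - A"
                suite=${line#*"|       "}
                suite=${suite%% *}
                case "$suite" in
                    TLS_AKE_*|*_ECDHE_*|*_DHE_*) ;;   # ephemeral exchange: fine
                    *) printf '%s %s\n' "$proto" "$suite"
                       bad=$((bad + 1)) ;;
                esac ;;
        esac
    done
    [ "$bad" -eq 0 ]
}

# Constructed from the scan posted in this thread.
SAMPLE_SCAN='| ssl-enum-ciphers: 
|   TLSv1.2: 
|     ciphers: 
|       TLS_RSA_WITH_AES_128_GCM_SHA256 (rsa 2048) - A
|       TLS_RSA_WITH_AES_256_CBC_SHA256 (rsa 2048) - A
|       TLS_RSA_WITH_AES_256_GCM_SHA384 (rsa 2048) - A
|     compressors: 
|       NULL
|     cipher preference: client
|     warnings: 
|       Forward Secrecy not supported by any cipher
|   TLSv1.3: 
|     ciphers: 
|       TLS_AKE_WITH_AES_128_GCM_SHA256 (ecdh_x25519) - A
|       TLS_AKE_WITH_AES_256_GCM_SHA384 (ecdh_x25519) - A
|       TLS_AKE_WITH_CHACHA20_POLY1305_SHA256 (ecdh_x25519) - A
|     cipher preference: client
|_  least strength: A'

# Constructed scan of a relay restricted to ECDHE suites in TLS 1.2.
HARDENED_SCAN='|   TLSv1.2: 
|     ciphers: 
|       TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (secp256r1) - A
|       TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 (secp256r1) - A
|   TLSv1.3: 
|     ciphers: 
|       TLS_AKE_WITH_AES_128_GCM_SHA256 (ecdh_x25519) - A'

echo "== as scanned =="
printf '%s\n' "$SAMPLE_SCAN" | fs_audit || echo "restrict the ciphers list to (EC)DHE suites"
echo "== hardened =="
printf '%s\n' "$HARDENED_SCAN" | fs_audit && echo "all offered suites provide forward secrecy"
```

Against a live host, pipe the scan straight in: `nmap --script ssl-enum-ciphers -p 8443 HOST | fs_audit`. Since the configure output shows the relay using SSL_CTX_set_cipher_list, its ciphers parameter presumably takes an OpenSSL cipher-list string (an assumption; check the relay's documentation for the exact syntax), so a value along the lines of `ECDHE+AESGCM:ECDHE+CHACHA20:!aNULL:!eNULL` would drop the static-RSA suites from TLS 1.2. The TLS 1.3 suites need no change: every one of them already uses an ephemeral key exchange.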