[Bro] Bro and OpenSSL 1.1

Hilko Bengen bengen--bro at hilluzination.de
Mon Nov 14 04:16:38 PST 2016


TL;DR: Good news, Bro is going to be part of Debian 9 "stretch", but we
need some advice.

Hi,

as Debian is transitioning to using OpenSSL 1.1 in the upcoming release
(9.x "stretch"), we are forced to deal with widespread API breakage
because many data structures that had previously been considered part of
the API have been made opaque. Many of these changes are fairly easy to
implement by using getter/setter functions instead. (The main time-sink
for me was locating those functions in the OpenSSL sources.)

For the bro package, some work-in-progress patches can be found in our
bug tracking system[1].

One missing piece (apart from running tests with real packet trace data)
is that some OCSP details cannot yet be accessed through OpenSSL 1.1's
current set of API functions. Specifically, the function

    X509* x509_get_ocsp_signer(STACK_OF(X509) *certs, OCSP_RESPID *rid)

from src/file_analysis/analyzer/x509/functions.bif cannot currently be
ported. There's ongoing work to fix that[2] in upstream OpenSSL, but we
don't know yet whether this change will be ready in time for the freeze
leading to the next Debian release. So, we are thinking that we may have
to disable the x509_ocsp_verify function and anything that uses it.

Does anyone have any advice on what to look for when disabling that
functionality? Or is there maybe a less intrusive alternative that we
haven't discovered yet?

Cheers,
-Hilko

[1] https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=828254
[2] https://github.com/openssl/openssl/pull/1876


More information about the Bro mailing list