[Bro-Dev] [JIRA] (BIT-1499) Updates for newer version of OpenSSL/LibreSSL

Robin Sommer (JIRA) jira at bro-tracker.atlassian.net
Thu Nov 5 10:05:00 PST 2015


     [ https://bro-tracker.atlassian.net/browse/BIT-1499?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Robin Sommer updated BIT-1499:
------------------------------
      Status: Merge Request  (was: Open)
    Assignee:     (was: Robin Sommer)

> Updates for newer version of OpenSSL/LibreSSL
> ---------------------------------------------
>
>                 Key: BIT-1499
>                 URL: https://bro-tracker.atlassian.net/browse/BIT-1499
>             Project: Bro Issue Tracker
>          Issue Type: Problem
>          Components: Bro, Broccoli
>    Affects Versions: git/master
>            Reporter: Seth Hall
>             Fix For: 2.5
>
>         Attachments: patch-aux_broccoli_src_bro__openssl.c, patch-src_ChunkedIO.cc
>
>
> A comment from Christoph Pietsch:
> {quote}Currently, Bro fails to build when OpenSSL libraries have been built
> without SSLv3 (configure --no-ssl2 --nossl3). This has
> surfaced when building with the latest LibreSSL 2.3.
> Attached patches address all these issues. These can be improved upon
> by using only SSLv23_ methods or even TLS_ methods and setting
> SSL_CTX_set_options(ctx, SSL_OP_NO_SSL2 | SSL_OP_NO_SSL3) but I've
> tried to make the patches minimally intrusive. OpenSSL 1.1.0 will
> deprecate SSLv23_ methods and introduces compatible TLS_ methods.{quote}
> The patches are attached. Fortunately, all of this code is slated to be removed, but it does introduce the question of how we manage this moving forward. I'd like to avoid having to add compiler directives to use alternate implementations and detect which version of OpenSSL someone has installed.
> Alternately, what does everyone think about deprecating the existing communication mechanism by making it a configure-time option?  We can just not compile those by default which means that almost everyone would just see everything work correctly and our effort would be minimal.  People that need the existing built in communication still can deal with the complications of compiling Bro with the option and having the correct version of OpenSSL.



--
This message was sent by Atlassian JIRA
(v7.0.0-OD-08-005#70107)