[Bro-Dev] [JIRA] (BIT-1499) Updates for newer version of OpenSSL/LibreSSL

Seth Hall (JIRA) jira at bro-tracker.atlassian.net
Fri Oct 30 06:31:00 PDT 2015

Seth Hall created BIT-1499:

             Summary: Updates for newer version of OpenSSL/LibreSSL
                 Key: BIT-1499
                 URL: https://bro-tracker.atlassian.net/browse/BIT-1499
             Project: Bro Issue Tracker
          Issue Type: Problem
          Components: Bro, Broccoli
    Affects Versions: git/master
            Reporter: Seth Hall
         Attachments: patch-aux_broccoli_src_bro__openssl.c, patch-src_ChunkedIO.cc

A comment from Christoph Pietsch:

{quote}Currently bro fails to build when openssl libraries have been built
without SSLv3 (configure --no-ssl2 --nossl3). This has
surfaced when building with the latest LibreSSL 2.3.

Attached patches address all these issues. These can be improved upon
by using only SSLv23_ methods or even TLS_ methods and setting
SSL_CTX_set_options(ctx, SSL_OP_NO_SSL2 | SSL_OP_NO_SSL3) but I've
tried to make the patches minimally intrusive. OpenSSL 1.1.0 will
deprecate SSLv23_ methods and introduces compatible TLS_ methods.{quote}

The patches are attached. Fortunately all of this code is slated to be removed, but it does introduce the question of how we manage this moving forward. I'd like to avoid having to add compiler directives to use alternate implementations and detect which version of OpenSSL someone has installed.

Alternately, what does everyone think about deprecating the existing communication mechanism by making it a configure-time option? We can just not compile those by default, which means that almost everyone would just see everything work correctly and our effort would be minimal. People that need the existing built-in communication can still deal with the complications of compiling Bro with the option and having the correct version of OpenSSL.
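The approach the quoted comment recommends (a version-flexible method such as SSLv23_/TLS_ plus SSL_CTX_set_options to refuse SSLv2 and SSLv3), shown as an added example that is not part of this ticket, of the attached patches, or of Bro/Broccoli. It uses Python's standard ssl module, which wraps the same OpenSSL/LibreSSL calls, rather than the C of ChunkedIO.cc or bro_openssl.c; the function names are mine, and it also reports whether the linked library was even built with SSLv3, which is the condition that broke the build against LibreSSL 2.3.

```python
"""Build a TLS context that can never negotiate SSLv2/SSLv3, and
report what the linked OpenSSL/LibreSSL actually supports.

Added illustration using Python's stdlib ssl module (not Bro code).
"""
import ssl

# The two options the comment proposes passing to SSL_CTX_set_options.
LEGACY_OFF = ssl.OP_NO_SSLv2 | ssl.OP_NO_SSLv3


def library_support() -> dict:
    """Describe the linked library.

    A library configured with no-ssl3 (as described for LibreSSL 2.3)
    has no SSLv3 method at all, so code that names it fails to compile;
    checking capabilities at run time avoids hard-wiring that assumption.
    """
    return {
        "version": ssl.OPENSSL_VERSION,            # e.g. "OpenSSL 3.0.x ..."
        "version_number": ssl.OPENSSL_VERSION_NUMBER,
        "sslv2": ssl.HAS_SSLv2,
        "sslv3": ssl.HAS_SSLv3,
        "tls13": ssl.HAS_TLSv1_3,
    }


def hardened_context(server_side: bool = False) -> ssl.SSLContext:
    """Version-flexible context (the TLS_method / SSLv23_method idea),
    then pin the legacy protocols off with the OP_NO_* options and,
    on libraries that support it, an explicit protocol floor."""
    proto = ssl.PROTOCOL_TLS_SERVER if server_side else ssl.PROTOCOL_TLS_CLIENT
    ctx = ssl.SSLContext(proto)
    ctx.options |= LEGACY_OFF                      # SSL_OP_NO_SSL2 | SSL_OP_NO_SSL3
    if hasattr(ctx, "minimum_version"):            # OpenSSL >= 1.1.0g
        ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def legacy_disabled(ctx: ssl.SSLContext) -> bool:
    """True when both SSLv2 and SSLv3 are refused by the context."""
    return (ctx.options & LEGACY_OFF) == LEGACY_OFF


def protocol_floor(ctx: ssl.SSLContext) -> str:
    """Name of the lowest protocol version the context will negotiate."""
    return ctx.minimum_version.name


if __name__ == "__main__":
    info = library_support()
    print(f"{info['version']}: SSLv3 compiled in = {info['sslv3']}")
    ctx = hardened_context()
    print("legacy disabled:", legacy_disabled(ctx), "floor:", protocol_floor(ctx))
```

The capability report is the part that matters for the build problem in this ticket: instead of compiling against SSLv3_method and discovering at link time that the library lacks it, the code asks the library what it has and only ever requests the version-flexible method.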

