[Bro-Dev] [JIRA] (BIT-1499) Updates for newer version of OpenSSL/LibreSSL
Seth Hall (JIRA)
jira at bro-tracker.atlassian.net
Fri Oct 30 06:31:00 PDT 2015
Seth Hall created BIT-1499:
------------------------------
Summary: Updates for newer version of OpenSSL/LibreSSL
Key: BIT-1499
URL: https://bro-tracker.atlassian.net/browse/BIT-1499
Project: Bro Issue Tracker
Issue Type: Problem
Components: Bro, Broccoli
Affects Versions: git/master
Reporter: Seth Hall
Attachments: patch-aux_broccoli_src_bro__openssl.c, patch-src_ChunkedIO.cc
A comment from Christoph Pietsch:
{quote}Currently bro fails to build when openssl libraries have been built
without SSLv3 (configure --no-ssl2 --nossl3). This has
surfaced when building with the latest LibreSSL 2.3.
Attached patches address all these issues. These can be improved upon
by using only SSLv23_ methods or even TLS_ methods and setting
SSL_CTX_set_options(ctx, SSL_OP_NO_SSL2 | SSL_OP_NO_SSL3) but I've
tried to make the patches minimally intrusive. OpenSSL 1.1.0 will
deprecate SSLv23_ methods and introduces compatible TLS_ methods.{quote}
The patches are attached. Fortunately, all of this code is slated to be removed, but it does introduce the question of how we manage this moving forward. I'd like to avoid having to add compiler directives to use alternate implementations and detect which version of OpenSSL someone has installed.
Alternatively, what does everyone think about deprecating the existing communication mechanism by making it a configure-time option? We can just not compile those by default, which means that almost everyone would just see everything work correctly and our effort would be minimal. People that need the existing built-in communication can still deal with the complications of compiling Bro with the option and having the correct version of OpenSSL.
--
This message was sent by Atlassian JIRA
(v7.0.0-OD-08-002#70107)