Message ID | 20170327222622.8015-1-rosenp@gmail.com |
---|---|
State | Deferred |
The topic and patch are about OpenSSL but description is about OpenSSH.
What has OpenSSL to do with OpenSSH?

kind regards
txt.file
--
This message is signed.

Rosen Penev:
> The commit that removed no-ripemd stated that it was needed for openssh.
> However with recent OpenSSH releases (7.4), RIPEMD-160 is run-time disabled.
> I've verified this with ssh -vvv making no mention of RIPEMD-160 anywhere.
> ---
> package/libs/openssl/Makefile | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/package/libs/openssl/Makefile b/package/libs/openssl/Makefile
> index 2543a46..a2d3ce3 100644
> --- a/package/libs/openssl/Makefile
> +++ b/package/libs/openssl/Makefile
> @@ -100,7 +100,7 @@ endef
>
>
> OPENSSL_NO_CIPHERS:= no-idea no-md2 no-mdc2 no-rc5 no-sha0 no-camellia no-krb5 \
> - no-whrlpool no-whirlpool no-seed no-jpake
> + no-whrlpool no-whirlpool no-seed no-jpake no-ripemd
> OPENSSL_OPTIONS:= shared no-err no-sse2 no-ssl2 no-ssl2-method no-heartbeats
>
> ifdef CONFIG_OPENSSL_ENGINE_CRYPTO
>
On Tue, Mar 28, 2017 at 1:45 AM, txt.file <txt.file@txtfile.eu> wrote:
> The topic and patch are about OpenSSL but description is about OpenSSH.
> What has OpenSSL to do with OpenSSH?
>
> kind regards
> txt.file
> --
> This message is signed.
>
> Rosen Penev:
>> The commit that removed no-ripemd stated that it was needed for openssh.
>> However with recent OpenSSH releases (7.4), RIPEMD-160 is run-time disabled.
>> I've verified this with ssh -vvv making no mention of RIPEMD-160 anywhere.
>> ---
>> package/libs/openssl/Makefile | 2 +-
>> 1 file changed, 1 insertion(+), 1 deletion(-)
>>
>> diff --git a/package/libs/openssl/Makefile b/package/libs/openssl/Makefile
>> index 2543a46..a2d3ce3 100644
>> --- a/package/libs/openssl/Makefile
>> +++ b/package/libs/openssl/Makefile
>> @@ -100,7 +100,7 @@ endef
>>
>>
>> OPENSSL_NO_CIPHERS:= no-idea no-md2 no-mdc2 no-rc5 no-sha0 no-camellia no-krb5 \
>> - no-whrlpool no-whirlpool no-seed no-jpake
>> + no-whrlpool no-whirlpool no-seed no-jpake no-ripemd
>> OPENSSL_OPTIONS:= shared no-err no-sse2 no-ssl2 no-ssl2-method no-heartbeats
>>
>> ifdef CONFIG_OPENSSL_ENGINE_CRYPTO
>>
>
>
> _______________________________________________
> Lede-dev mailing list
> Lede-dev@lists.infradead.org
> http://lists.infradead.org/mailman/listinfo/lede-dev
>

as far as things go, openssh is part of the package feeds here:
https://github.com/openwrt/packages/tree/master/net/openssh

while openssl is part of the core packages
removing this cipher if unused, makes sense also to reduce openssl size

my 2c :)

thanks
Alex
> On Mar 28, 2017, at 12:09 AM, Alexandru Ardelean <ardeleanalex@gmail.com> wrote:
>
> On Tue, Mar 28, 2017 at 1:45 AM, txt.file <txt.file@txtfile.eu> wrote:
>> The topic and patch are about OpenSSL but description is about OpenSSH.
>> What has OpenSSL to do with OpenSSH?
>>
>> kind regards
>> txt.file
>> --
>> This message is signed.
>>
>> Rosen Penev:
>>> The commit that removed no-ripemd stated that it was needed for openssh.
>>> However with recent OpenSSH releases (7.4), RIPEMD-160 is run-time disabled.
>>> I've verified this with ssh -vvv making no mention of RIPEMD-160 anywhere.
>>> ---
>>> package/libs/openssl/Makefile | 2 +-
>>> 1 file changed, 1 insertion(+), 1 deletion(-)
>>>
>>> diff --git a/package/libs/openssl/Makefile b/package/libs/openssl/Makefile
>>> index 2543a46..a2d3ce3 100644
>>> --- a/package/libs/openssl/Makefile
>>> +++ b/package/libs/openssl/Makefile
>>> @@ -100,7 +100,7 @@ endef
>>>
>>>
>>> OPENSSL_NO_CIPHERS:= no-idea no-md2 no-mdc2 no-rc5 no-sha0 no-camellia no-krb5 \
>>> - no-whrlpool no-whirlpool no-seed no-jpake
>>> + no-whrlpool no-whirlpool no-seed no-jpake no-ripemd
>>> OPENSSL_OPTIONS:= shared no-err no-sse2 no-ssl2 no-ssl2-method no-heartbeats
>>>
>>> ifdef CONFIG_OPENSSL_ENGINE_CRYPTO
>>>
>>
>>
>
> as far as things go, openssh is part of the package feeds here:
> https://github.com/openwrt/packages/tree/master/net/openssh
>
> while openssl is part of the core packages
> removing this cipher if unused, makes sense also to reduce openssl size
>
> my 2c :)
>
> thanks
> Alex

What happens if someone has a private package feed and they’re still using it?

I think we should remove ciphers when they’re proven weak or otherwise vulnerable, like AES128-CBC… not when we’re unaware of anyone using it.

-Philip
On 2017-03-28 00:26, Rosen Penev wrote:
> The commit that removed no-ripemd stated that it was needed for openssh.
> However with recent OpenSSH releases (7.4), RIPEMD-160 is run-time disabled.
> I've verified this with ssh -vvv making no mention of RIPEMD-160 anywhere.
Last time I tried to remove this, some other things in packages/ broke as well.
If you really care about this, please do a full build with *all* feeds and all
packages that use openssl enabled to ensure that this doesn't break anything.

- Felix
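One concrete way to catch the kind of breakage Felix describes in a libcrypto consumer: this added Python probe (not code from the thread or from LEDE) asks the OpenSSL that Python's hashlib links against whether ripemd160 is still provided and checks it against the standard "abc" known-answer vector. It assumes an OpenSSL-backed hashlib, which is the normal case for a python3 package linked against libopenssl.

```python
"""Probe the libcrypto behind Python's hashlib for RIPEMD-160.

hashlib hands most digests to OpenSSL, so an OpenSSL built with `no-ripemd`
(the option this patch adds to OPENSSL_NO_CIPHERS) shows up here as a missing
algorithm at run time rather than as a build failure.  Assumption: this
Python's hashlib is OpenSSL-backed.
"""
import hashlib
from typing import Dict, Optional

try:
    import ssl
    LINKED_OPENSSL = ssl.OPENSSL_VERSION
except ImportError:  # Python built without the ssl module
    LINKED_OPENSSL = "unknown (no ssl module)"

# Standard RIPEMD-160 known-answer vector for the input "abc".
RIPEMD160_ABC = "8eb208f7e05d987a9b044a8e98c6b087f15a0bfc"


def ripemd160_available() -> bool:
    """True if libcrypto exposes ripemd160; False when it was compiled out
    (e.g. no-ripemd in OPENSSL_NO_CIPHERS) or is otherwise not loaded."""
    try:
        hashlib.new("ripemd160")
    except ValueError:  # "unsupported hash type ripemd160"
        return False
    return True


def ripemd160_hex(data: bytes) -> Optional[str]:
    """Hex digest of data, or None when the digest is missing, so a caller can
    fail closed instead of crashing the first time the digest is requested."""
    if not ripemd160_available():
        return None
    return hashlib.new("ripemd160", data).hexdigest()


def self_check() -> Dict[str, object]:
    """Report for a build-time test: is the digest present, and does it
    compute the known answer?  'kat_ok' is None when the digest is absent."""
    digest = ripemd160_hex(b"abc")
    return {
        "openssl": LINKED_OPENSSL,
        "ripemd160": digest is not None,
        "kat_ok": (digest == RIPEMD160_ABC) if digest is not None else None,
    }


if __name__ == "__main__":
    print(self_check())
```

Run it against a Python linked to the patched libopenssl; a `False` for `ripemd160` is exactly what any feed package calling the RIPEMD-160 digest through libcrypto would hit.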
diff --git a/package/libs/openssl/Makefile b/package/libs/openssl/Makefile index 2543a46..a2d3ce3 100644 --- a/package/libs/openssl/Makefile +++ b/package/libs/openssl/Makefile @@ -100,7 +100,7 @@ endef OPENSSL_NO_CIPHERS:= no-idea no-md2 no-mdc2 no-rc5 no-sha0 no-camellia no-krb5 \ - no-whrlpool no-whirlpool no-seed no-jpake + no-whrlpool no-whirlpool no-seed no-jpake no-ripemd OPENSSL_OPTIONS:= shared no-err no-sse2 no-ssl2 no-ssl2-method no-heartbeats ifdef CONFIG_OPENSSL_ENGINE_CRYPTO
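Review bot: the justification for adding `no-ripemd` rests entirely on OpenSSH behaviour (`ssh -vvv` showing no RIPEMD-160), but the hunk edits `OPENSSL_NO_CIPHERS` for the core libopenssl that every feed package links against, so the commit message should also say how the other consumers were covered: which feeds were built with the option and how packages that request the RIPEMD-160 digest through libcrypto were checked, or that none were found. The same line also carries both `no-whrlpool` and `no-whirlpool`; the first looks like a misspelling that survived from an earlier change, and since the line is being touched anyway it is worth dropping it here (or stating why it is intentional) rather than carrying it forward.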