
openssl-3.0.0-alpha11 deprecated-declarations

Open michaelortmann opened this issue 5 years ago • 2 comments

tls.c: In function ‘ssl_init’:
tls.c:234:7: warning: ‘PEM_read_DHparams’ is deprecated: Since OpenSSL 3.0 [-Wdeprecated-declarations]
  234 |       dh = PEM_read_DHparams(paramfile, NULL, NULL, NULL);
      |       ^~
In file included from /home/michael/opt/openssl-3.0.0-alpha11/include/openssl/ssl.h:36,
                 from eggdrop.h:266,
                 from main.h:90,
                 from tls.c:27:
/home/michael/opt/openssl-3.0.0-alpha11/include/openssl/pem.h:70:11: note: declared here
   70 |     type *PEM_##readname##_##name(INTYPE *out, type **x,                \
      |           ^~~~
/home/michael/opt/openssl-3.0.0-alpha11/include/openssl/pem.h:234:10: note: in expansion of macro ‘PEM_read_cb_fnsig’
  234 |     attr PEM_read_cb_fnsig(name, type, FILE, read);
      |          ^~~~~~~~~~~~~~~~~
/home/michael/opt/openssl-3.0.0-alpha11/include/openssl/pem.h:333:5: note: in expansion of macro ‘DECLARE_PEM_read_fp_attr’
  333 |     DECLARE_PEM_read_fp_attr(attr, name, type)
      |     ^~~~~~~~~~~~~~~~~~~~~~~~
/home/michael/opt/openssl-3.0.0-alpha11/include/openssl/pem.h:342:5: note: in expansion of macro ‘DECLARE_PEM_read_attr’
  342 |     DECLARE_PEM_read_attr(attr, name, type)                                 \
      |     ^~~~~~~~~~~~~~~~~~~~~
/home/michael/opt/openssl-3.0.0-alpha11/include/openssl/pem.h:469:1: note: in expansion of macro ‘DECLARE_PEM_rw_attr’
  469 | DECLARE_PEM_rw_attr(OSSL_DEPRECATEDIN_3_0, DHparams, DH)
      | ^~~~~~~~~~~~~~~~~~~
tls.c:241:9: warning: ‘DH_free’ is deprecated: Since OpenSSL 3.0 [-Wdeprecated-declarations]
  241 |         DH_free(dh);
      |         ^~~~~~~
In file included from /home/michael/opt/openssl-3.0.0-alpha11/include/openssl/dsa.h:51,
                 from /home/michael/opt/openssl-3.0.0-alpha11/include/openssl/x509.h:37,
                 from /home/michael/opt/openssl-3.0.0-alpha11/include/openssl/ssl.h:31,
                 from eggdrop.h:266,
                 from main.h:90,
                 from tls.c:27:
/home/michael/opt/openssl-3.0.0-alpha11/include/openssl/dh.h:197:28: note: declared here
  197 | OSSL_DEPRECATEDIN_3_0 void DH_free(DH *dh);
      |                            ^~~~~~~

michaelortmann avatar Jan 31 '21 16:01 michaelortmann

This is no API deprecation. So we can't simply switch to a high-level OpenSSL API here. There is none. There won't be one. OpenSSL does this to strongly discourage the use of custom DH parameters. I don't know why. Does anyone? We introduce a new ssl-dhparam config option with eggdrop 1.9.0. So now I think we may want to hide/disable this new functionality before we release eggdrop 1.9.0.

michaelortmann avatar Jan 31 '21 17:01 michaelortmann

See also

https://www.openssl.org/docs/manmaster/man3/SSL_CTX_set_tmp_dh.html

https://weakdh.org/imperfect-forward-secrecy-ccs15.pdf:

Our calculations suggest that it is plausibly within NSA’s resources to have performed number field sieve precomputations for at least a small number of 1024-bit Diffie-Hellman groups. This would allow them to break any key exchanges made with those groups in close to real time.

That's why I thought having custom DH parameters would be a good idea. But security is never simple. And so my thinking was probably faulty. So what do the OpenSSL people know that I don't?

michaelortmann avatar Jan 31 '21 17:01 michaelortmann

We should investigate the usage of DH params, see:

https://security.stackexchange.com/questions/56214/what-are-the-openssl-standard-diffie-hellman-parameters-primes

michaelortmann avatar Nov 28 '23 08:11 michaelortmann

Fixed by 1345 (?)

vanosg avatar Dec 30 '23 22:12 vanosg