FS#53026 - [openssl-1.0] Please ship openssl binary with package

Attached to Project: Arch Linux
Opened by Pascal Ernster (hardfalcon) - Sunday, 19 February 2017, 23:38 GMT
Last edited by Jan de Groot (JGC) - Saturday, 25 February 2017, 22:39 GMT
Task Type Feature Request
Category Packages: Testing
Status Closed
Assigned To Pierre Schmitz (Pierre)
Architecture All
Severity Very Low
Priority Normal
Reported Version
Due in Version Undecided
Due Date Undecided
Percent Complete 100%
Votes 0
Private No

Details

The current openssl-1.0 package in the staging repository lacks the openssl binary. Please add this binary (with some version suffix) because both versions support different sets of cipher suites, and use cipher suites with different ordering/priorities. For example, version 1.0 simply orders them by the strength of the symmetric cipher used, whilst version 1.1 also considers things like perfect forward secrecy. Also, version 1.0 prioritizes RSA over ECDSA whilst version 1.1 prioritizes ECDSA over RSA.

To enable users to properly evaluate the implications of a certain "ciphers" string when configuring software that uses OpenSSL 1.0, the corresponding "/usr/bin/openssl" binary is required.

Closed by Jan de Groot (JGC)
Saturday, 25 February 2017, 22:39 GMT
Reason for closing: Implemented
Additional comments about closing: implemented in -2.
Comment by Jan de Groot (JGC) - Monday, 20 February 2017, 12:53 GMT
Looking at Debian, they don't provide the openssl binary either:
https://packages.debian.org/source/sid/openssl1.0

The openssl-1.0 package is only meant to provide compatibility for binary applications that haven't been recompiled against OpenSSL 1.1.x, so I see no reason to have the openssl tool for those.
Comment by Pascal Ernster (hardfalcon) - Wednesday, 22 February 2017, 21:54 GMT
As I have written above: if people are using software (in my case prosody, which relies on lua51-sec) that still requires openssl-1.0, chances are that they might want to configure (select and reorder) TLS ciphersuites for that software. The only way to reliably tell which ciphersuites, in which order, a certain "ciphersuite selection string" will produce is to use the "openssl" executable for that version/branch of OpenSSL.

The very same "ciphers" string will yield quite different results/behaviour for different versions of OpenSSL, which is why you can't use the OpenSSL 1.1 version of the binary if you want to configure software using OpenSSL 1.0. Just compare the output of "openssl ciphers AESGCM" for both OpenSSL versions - you'll note quite a bunch of differences.

To be honest, I don't see a reason why that executable should *not* be shipped. Not shipping it does not save anybody any work, it only creates more work for those who need the binary. The only thing it would cost is about 600KB disk space or 200KB in compressed package size.
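The comparison the reporter suggests ("openssl ciphers AESGCM" on both binaries) can be scripted. The following is an added example, not code from the bug report or from the Arch package: it reads the `openssl ciphers -v` listing (one suite per line: name, protocol, `Kx=`, `Au=`, `Enc=`, `Mac=`), reports where the first suite without forward secrecy and the first ECDSA-authenticated suite appear in the offered order, and runs that summary against whichever binaries are installed. The two embedded sample listings are constructed to mirror the ordering differences described above (1.0 ordering by symmetric strength with RSA first, 1.1 putting PFS and ECDSA first), not captured output; the binary name `openssl-1.0` is an assumption, since the page only says "some version suffix". TLS 1.3 suites (`Kx=any`) are treated as forward-secret.

```shell
#!/bin/sh
# Added example: evaluate a cipher string with a specific openssl binary.
# `openssl ciphers -v STRING` prints, in offer order:
#   NAME  PROTOCOL  Kx=<key exchange>  Au=<authentication>  Enc=<cipher>  Mac=<mac>

# Print only the suite names, in the order the library would offer them.
suite_names() {
    awk 'NF >= 6 { print $1 }'
}

# 1-based position of the first suite whose key exchange is not ephemeral
# (Kx neither ECDH, DH nor the TLS 1.3 "any"); 0 if every suite has PFS.
first_non_pfs() {
    awk 'NF >= 6 { n++; if (!hit && $3 != "Kx=ECDH" && $3 != "Kx=DH" && $3 != "Kx=any") hit = n }
         END { print hit + 0 }'
}

# 1-based position of the first line whose field COL equals VALUE; 0 if none.
# Example: first_match 4 Au=ECDSA  -> first ECDSA-authenticated suite.
first_match() {
    awk -v col="$1" -v want="$2" 'NF >= 6 { n++; if (!hit && $col == want) hit = n }
                                  END { print hit + 0 }'
}

# One-line summary of a `ciphers -v` listing read from stdin.
report() {
    tmp=$(mktemp) || return 1
    cat > "$tmp"
    printf 'suites=%s first_non_pfs=%s first_ecdsa=%s first=%s\n' \
        "$(suite_names < "$tmp" | wc -l | tr -d ' ')" \
        "$(first_non_pfs < "$tmp")" \
        "$(first_match 4 Au=ECDSA < "$tmp")" \
        "$(suite_names < "$tmp" | head -n 1)"
    rm -f "$tmp"
}

# Constructed sample listings (not real output): 1.0-style ordering by
# symmetric strength with RSA before ECDSA, and 1.1-style ordering with
# forward-secret suites first and ECDSA before RSA.
sample_10() {
cat <<'EOF'
ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH Au=RSA Enc=AESGCM(256) Mac=AEAD
ECDHE-ECDSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH Au=ECDSA Enc=AESGCM(256) Mac=AEAD
AES256-GCM-SHA384 TLSv1.2 Kx=RSA Au=RSA Enc=AESGCM(256) Mac=AEAD
ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH Au=RSA Enc=AESGCM(128) Mac=AEAD
EOF
}
sample_11() {
cat <<'EOF'
ECDHE-ECDSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH Au=ECDSA Enc=AESGCM(256) Mac=AEAD
ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH Au=RSA Enc=AESGCM(256) Mac=AEAD
ECDHE-ECDSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH Au=ECDSA Enc=AESGCM(128) Mac=AEAD
ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH Au=RSA Enc=AESGCM(128) Mac=AEAD
AES256-GCM-SHA384 TLSv1.2 Kx=RSA Au=RSA Enc=AESGCM(256) Mac=AEAD
EOF
}

# Stand-alone run: summarise the samples, then every installed binary
# (the name openssl-1.0 is assumed; adjust to whatever suffix the package uses).
printf 'sample 1.0-style: '; sample_10 | report
printf 'sample 1.1-style: '; sample_11 | report
for bin in openssl openssl-1.0; do
    if command -v "$bin" >/dev/null 2>&1; then
        printf '%s AESGCM: ' "$bin"; "$bin" ciphers -v 'AESGCM' | report
    fi
done
```

Reading the summary line: `first_non_pfs=3` means the third suite a 1.0-style build would offer has no forward secrecy, which is exactly what a string like `AESGCM` hides unless it is expanded by the matching binary; the same string on a 1.1-style build pushes that suite to the end. For a real decision, diff `"$bin" ciphers -v STRING | suite_names` across the two binaries rather than relying on the samples.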
