#7 (2015-12-28, 23:00):
TLS 1.0 is still quite secure; please do not drop it, as many servers will need it.
#8 (2015-12-28, 23:51, Ruhrgebiet, Germany):
NIST (and PCI-SSC) certainly disagree with that statement.
http://nvlpubs.nist.gov/nistpubs/Spe...P.800-52r1.pdf
#10 (2015-12-29, 00:46):
1. Get the latest OpenSSL (or LibreSSL) building and working properly on Fremantle (including all the newest algorithms, features and protocols, as well as correct Debian packaging, optimization flags etc. for Fremantle).
2. Examine the OpenSSL 0.9.8n source code for Maemo (in the SDK repos) and identify any local patches vs. upstream 0.9.8n; if those patches are actually necessary, forward-port them to the new OpenSSL version from #1 (or otherwise deal with them).
3. Put this new OpenSSL version into CSSU as "openssl", "libsslx.y.z", "libssl-dev" and "libsslx.y.z-dbg" (depending on the exact version we are porting, or whatever).
4. Ensure that the root certificates in https://github.com/community-ssu/maemo-security-certman are up-to-date and match what they should be for best security.
5. Recompile / port to the new OpenSSL version / put into CSSU: maemo-security-certman, maemo-security-certman-applet, xorg-server, clinkc, loudmouth, microb-eal, sofia-sip, qt4-x11 and curl (as well as anything else using OpenSSL that is FOSS and isn't present on a stock root filesystem). If bringing in a newer (but still ABI-compatible) curl is easier, do that.
6. Update any security defaults or other things chosen by libcurl and libqt4-network so that they only use things considered secure (e.g. dropping SSL2/SSL3/TLS1.0).
7. Identify any cases in the APIs where it's possible for a user of libcurl or libqt4-network to specify security settings, so we can audit for users of those functions and make sure nothing (especially closed-source things) is doing anything insecure that should be updated.
8. Remove the obsolete packages nokiamessaging and sharing-service-ovi (they are now useless and they use OpenSSL).
9. Audit the use of OpenSSL by as-daemon-0, tablet-browser-ui, osso-wlan-security, connui-iapsettings, adobe-flashplayer, location-proxy, osso-backup, ota-settings and signond0, figure out which uses are a potential security risk, and figure out what to do about those cases (e.g. cloning things).

This should cover all the things we need to do if we want the newest OpenSSL on Maemo Fremantle (and we want software to be using that new version).
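One way to do the patch inventory in step 2 of the plan above, as an added example that is not code from the thread or from CSSU: diff the Maemo-packaged OpenSSL source tree against the pristine upstream tarball of the same version and list, per changed file, how many hunks the local patches touch, so each one can be reviewed before forward-porting. It assumes both trees are already unpacked; the directory names and output path are placeholders supplied by the caller.

```shell
#!/bin/sh
# Added example (not from the thread or from CSSU): compare a Debian-packaged
# OpenSSL source tree (e.g. the SDK's 0.9.8n) against the pristine upstream
# tarball of the same version, so every local patch can be reviewed before it
# is forward-ported. Both trees are assumed to be unpacked already; directory
# names and the output path are placeholders chosen by the caller.

# list_local_patches UPSTREAM_DIR PACKAGED_DIR OUT_DIFF
# Writes a unified diff to OUT_DIFF, skipping the debian/ packaging directory
# (packaging metadata, not a source patch) and build leftovers, then prints
# one "<hunk count> <relative path>" line per changed file, heaviest first.
list_local_patches() {
    upstream="$1"; packaged="$2"; out="$3"
    # -r recurse, -u unified hunks, -N diff added/removed files against empty.
    # diff exits 1 when the trees differ, which is the expected case here;
    # only exit status 2 (trouble reading the trees) is treated as an error.
    diff -ruN -x debian -x '*.o' -x '*.a' "$upstream" "$packaged" > "$out" \
        || [ "$?" -eq 1 ] || return 2
    # "+++ <path>" opens each file section, "@@" opens each hunk inside it.
    # The path is made relative to PACKAGED_DIR so the report is readable.
    awk -v pkg="$packaged" '
        /^\+\+\+ / { file = substr($2, length(pkg) + 2); next }
        /^@@ /     { hunks[file]++ }
        END        { for (f in hunks) print hunks[f], f }
    ' "$out" | sort -rn
}
```

The resulting OUT_DIFF is the set of local changes to re-apply (or drop) on the new OpenSSL tree, and the hunk counts show which files deserve the closest look.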