Security LibreSSL February 2017: LibreSSL 2.4.5 stable & 2.5.1 dev Releases

eva2000 · Feb 2, 2017

Centmin Mod + LibreSSL 2.4.5

LibreSSL 2.4.5 is now latest stable release https://ftp.openbsd.org/pub/OpenBSD/LibreSSL/libressl-2.4.5-relnotes.txt. Also LibreSSL 2.5.1 development release is out too https://ftp.openbsd.org/pub/OpenBSD/LibreSSL/libressl-2.5.1-relnotes.txt

LibreSSL 2.4.5

We have released LibreSSL 2.4.5, which will be arriving in the
LibreSSL directory of your local OpenBSD mirror soon. It includes the following
changes:

* Avoid a side-channel cache-timing attack that can leak the ECDSA
private keys when signing. This is due to BN_mod_inverse() being
used without the constant time flag being set.

This issue was reported by Cesar Pereida Garcia and Billy Brumley
(Tampere University of Technology). The fix was developed by Cesar
Pereida Garcia.

* iOS and MacOS compatibility updates from Simone Basso and Jacob
Berkman.

The LibreSSL project continues improvement of the codebase to reflect modern,
safe programming practices. We welcome feedback and improvements from the
broader community. Thanks to all of the contributors who helped make this
release possible.
Click to expand...

LibreSSL 2.5.1

We have released LibreSSL 2.5.1, which will be arriving in the
LibreSSL directory of your local OpenBSD mirror soon. It includes the following
changes:

* X509_cmp_time() now passes a malformed GeneralizedTime field as an
error. Reported by Theofilos Petsios.

* Detect zero-length encrypted session data early, instead of when
malloc(0) fails or the HMAC check fails. Noted independently by
jsing@ and Kurt Cancemi.

* Check for and handle failure of HMAC_{Update,Final} or
EVP_DecryptUpdate().

* Massive update and normalization of manpages, conversion to
mandoc format. Many pages were rewritten for clarity and accuracy.
Portable doc links are up-to-date with a new conversion tool.

* Curve25519 Key Exchange support.

* Support for alternate chains for certificate verification.

* Code cleanups, CBB conversions, further unification of DTLS/SSL
handshake code, further ASN1 macro expansion and removal.

* Private symbol are now hidden in libssl and libcryto.

* Friendly certificate verification error messages in libtls, peer
verification is now always enabled.

* Added OCSP stapling support to libtls and netcat.

* Added ocspcheck utility to validate a certificate against its OCSP
responder and save the reply for stapling

* Enhanced regression tests and error handling for libtls.

* Added explicit constant and non-constant time BN functions,
defaulting to constant time wherever possible.

* Moved many leaked implementation details in public structs behind
opaque pointers.

* Added ticket support to libtls.

* Added support for setting the supported EC curves via
SSL{_CTX}_set1_groups{_list}() - also provide defines for the previous
SSL{_CTX}_set1_curves{_list} names. This also changes the default
list of curves to be X25519, P-256 and P-384. All other curves must
be manually enabled.

* Added -groups option to openssl(1) s_client for specifying the curves
to be used in a colon-separated list.

* Merged client/server version negotiation code paths into one,
reducing much duplicate code.

* Removed error function codes from libssl and libcrypto.

* Fixed an issue where a truncated packet could crash via an OOB read.

* Added SSL_OP_NO_CLIENT_RENEGOTIATION option that disallows
client-initiated renegotiation. This is the default for libtls
servers.

* Avoid a side-channel cache-timing attack that can leak the ECDSA
private keys when signing. This is due to BN_mod_inverse() being
used without the constant time flag being set. Reported by Cesar
Pereida Garcia and Billy Brumley (Tampere University of Technology).
The fix was developed by Cesar Pereida Garcia.

* iOS and MacOS compatibility updates from Simone Basso and Jacob
Berkman.

The LibreSSL project continues improvement of the codebase to reflect modern,
safe programming practices. We welcome feedback and improvements from the
broader community. Thanks to all of the contributors who helped make this
release possible.
Click to expand...

Centmin Mod 123.08stable and 123.09beta01 Github branches corresponding to Centmin Mod 1.2.3-eva2000.08 stable and Centmin Mod 1.2.3-eva2000.09 beta01 have been updated to default to LibreSSL 2.4.5 for new fresh installs. For existing folks, follow below update instructions.

Centmin Mod Nginx Update LibreSSL

For Centmin Mod 1.2.3-eva2000.08 beta03, .08 stable and higher you can update to LibreSSL 2.4.5 via 2 steps.

Step 1. Updating centmin.sh LIBRESSL_VERSION variable to 2.4.5. Best way is to use centmin.sh menu option 23 submenu option 2 for auto updating Centmin Mod code as outlined at centminmod.com/upgrade.html and at https://community.centminmod.com/threads/new-08-beta-menu-option-updating-centmin-mod-via-git.3084/. That will auto update centmin.sh to latest version which already has LIBRESSL_VERSION='2.4.5' set.

Check your updated Centmin Mod centmin.sh to see if LIBRESSL_VERSION='2.4.5' is set. If not set and you do not have centmin.sh menu option 23 submenu option 1 for git environment setup, then you need to manually update and edit in your persistent config file (create it if it doesn't exist) at /etc/centminmod/custom_config.inc and add to it:
Code (Text):
# LibreSSL
LIBRESSL_SWITCH='y'        # if set to 'y' it overrides OpenSSL as the default static compiled option for Nginx server
LIBRESSL_VERSION='2.4.5'   # Use this version of LibreSSL http://www.libressl.org/
Step 2. Then select centmin.sh menu option #4 to upgrade/downgrade Nginx recompile Nginx and specify latest Nginx version i.e. 1.11.5+ or newer.

For example after recompile Nginx version output will show built with LibreSSL 2.4.5

for 123.09 beta01 with NGINXMODULE_ALTORDER=y enabled

Use command to verify update
Code (Text):
nginx -V
nginx -V
nginx version: nginx/1.11.9
built by clang 3.4.2 (tags/RELEASE_34/dot2-final)
built with LibreSSL 2.4.5
TLS SNI support enabled
configure arguments: --with-ld-opt='-lrt -ljemalloc -Wl,-z,relro -Wl,-rpath,/usr/local/lib' --with-cc-opt='-m64 -mtune=native -mfpmath=sse -g -O3 -fstack-protector -fuse-ld=gold --param=ssp-buffer-size=4 -Wformat -Werror=format-security -Wp,-D_FORTIFY_SOURCE=2 -Wno-sign-compare -Wno-string-plus-int -Wno-deprecated-declarations -Wno-unused-parameter -Wno-unused-const-variable -Wno-conditional-uninitialized -Wno-mismatched-tags -Wno-sometimes-uninitialized -Wno-parentheses-equality -Wno-tautological-compare -Wno-self-assign -Wno-deprecated-register -Wno-deprecated -Wno-invalid-source-encoding -Wno-pointer-sign -Wno-parentheses -Wno-enum-conversion -Wno-c++11-compat-deprecated-writable-strings -Wno-write-strings -gsplit-dwarf' --sbin-path=/usr/local/sbin/nginx --conf-path=/usr/local/nginx/conf/nginx.conf --with-http_stub_status_module --with-http_secure_link_module --add-module=../nginx-module-vts --with-libatomic --with-http_gzip_static_module --with-http_sub_module --with-http_addition_module --with-http_image_filter_module=dynamic --with-http_geoip_module --with-stream_geoip_module --with-stream_realip_module --with-stream_ssl_preread_module --with-threads --with-stream=dynamic --with-stream_ssl_module --with-http_realip_module --add-dynamic-module=../ngx-fancyindex-0.4.0 --add-module=../ngx_cache_purge-2.3 --add-module=../ngx_devel_kit-0.3.0 --add-module=../set-misc-nginx-module-0.31 --add-module=../echo-nginx-module-0.60 --add-module=../redis2-nginx-module-0.13 --add-module=../ngx_http_redis-0.3.7 --add-module=../memc-nginx-module-0.17 --add-module=../srcache-nginx-module-0.31 --add-module=../headers-more-nginx-module-0.32 --with-pcre=../pcre-8.40 --with-pcre-jit --with-http_ssl_module --with-http_v2_module --with-openssl=../libressl-2.4.5
Click to expand...

LibreSSL 2.4.5

You'll find latest LibreSSL 2.4.5 on official site.

eva2000 · Feb 2, 2017

If you want LibreSSL 2.5.1 instead of LibreSSL 2.4.5. Set in persistent config file /etc/centminmod/custom_config.inc the variable
Code (Text):
LIBRESSL_VERSION='2.5.1' 
This will override the centmin.sh set LIBRESSL_VERSION='2.4.5' when you run centmin.sh menu option 4 to recompile Nginx

end result

nginx -V
nginx version: nginx/1.11.9
built by clang 3.4.2 (tags/RELEASE_34/dot2-final)
built with LibreSSL 2.5.1
TLS SNI support enabled
configure arguments: --with-ld-opt='-lrt -ljemalloc -Wl,-z,relro -Wl,-rpath,/usr/local/lib' --with-cc-opt='-m64 -mtune=native -mfpmath=sse -g -O3 -fstack-protector -fuse-ld=gold --param=ssp-buffer-size=4 -Wformat -Werror=format-security -Wp,-D_FORTIFY_SOURCE=2 -Wno-sign-compare -Wno-string-plus-int -Wno-deprecated-declarations -Wno-unused-parameter -Wno-unused-const-variable -Wno-conditional-uninitialized -Wno-mismatched-tags -Wno-sometimes-uninitialized -Wno-parentheses-equality -Wno-tautological-compare -Wno-self-assign -Wno-deprecated-register -Wno-deprecated -Wno-invalid-source-encoding -Wno-pointer-sign -Wno-parentheses -Wno-enum-conversion -Wno-c++11-compat-deprecated-writable-strings -Wno-write-strings -gsplit-dwarf' --sbin-path=/usr/local/sbin/nginx --conf-path=/usr/local/nginx/conf/nginx.conf --with-http_stub_status_module --with-http_secure_link_module --add-module=../nginx-module-vts --with-libatomic --with-http_gzip_static_module --with-http_sub_module --with-http_addition_module --with-http_image_filter_module=dynamic --with-http_geoip_module --with-stream_geoip_module --with-stream_realip_module --with-stream_ssl_preread_module --with-threads --with-stream=dynamic --with-stream_ssl_module --with-http_realip_module --add-dynamic-module=../ngx-fancyindex-0.4.0 --add-module=../ngx_cache_purge-2.3 --add-module=../ngx_devel_kit-0.3.0 --add-module=../set-misc-nginx-module-0.31 --add-module=../echo-nginx-module-0.60 --add-module=../redis2-nginx-module-0.13 --add-module=../ngx_http_redis-0.3.7 --add-module=../memc-nginx-module-0.17 --add-module=../srcache-nginx-module-0.31 --add-module=../headers-more-nginx-module-0.32 --with-pcre=../pcre-8.40 --with-pcre-jit --with-http_ssl_module --with-http_v2_module --with-openssl=../libressl-2.5.1
Click to expand...

SFLC · Feb 2, 2017

After the update can
Code:
# LibreSSL
LIBRESSL_SWITCH='y'        # if set to 'y' it overrides OpenSSL as the default static compiled option for Nginx server
LIBRESSL_VERSION='2.4.5'   # Use this version of LibreSSL http://www.libressl.org/
be removed from the custom config file or does it have to stay there.

I'm assuming if it's removed, it won't auto downgrade on subsequent updates

eva2000 · Feb 3, 2017

you don't need those set in /etc/centminmod/custom_config.inc if they are already set as such in centmin.sh which is updated by me. Only time you set them is if new LibreSSL version is out but i have yet to update them in centmin.sh

Sunka · Feb 3, 2017

eva2000 said: ↑
If you want LibreSSL 2.5.1 instead of LibreSSL 2.4.5. Set in persistent config file /etc/centminmod/custom_config.inc the variable
Code (Text):
LIBRESSL_VERSION='2.5.1'
This will override the centmin.sh set LIBRESSL_VERSION='2.4.5' when you run centmin.sh menu option 4 to recompile Nginx

end result
Click to expand...
Why is centmin on 2.4.5 verison?
Some incompatible stuff or...?

eva2000 · Feb 3, 2017

LibreSSL stable release is 2.4.5. LibreSSL 2.5.1 is development release.

Log in / Register

Forums

Discover Centmin Mod today

Security LibreSSL February 2017: LibreSSL 2.4.5 stable & 2.5.1 dev Releases

eva2000 Administrator Staff Member

Centmin Mod + LibreSSL 2.4.5

Centmin Mod Nginx Update LibreSSL

LibreSSL 2.4.5

eva2000 Administrator Staff Member

SFLC Active Member

eva2000 Administrator Staff Member

Sunka Well-Known Member

eva2000 Administrator Staff Member

.

Log in / Register

Useful Searches

Discover Centmin Mod today

Security LibreSSL February 2017: LibreSSL 2.4.5 stable & 2.5.1 dev Releases

eva2000 Administrator Staff Member

Centmin Mod + LibreSSL 2.4.5

Centmin Mod Nginx Update LibreSSL

LibreSSL 2.4.5

eva2000 Administrator Staff Member

SFLC Active Member

eva2000 Administrator Staff Member

Sunka Well-Known Member

eva2000 Administrator Staff Member

.