depends: bump openssl to 1.0.2o #13444

pull zhiyuan-lin wants to merge 1 commits into bitcoin:master from zhiyuan-lin:patch-1 changing 1 files +3 −3
  1. zhiyuan-lin commented at 6:01 AM on June 12, 2018: none

    Also fixed broken build scripts. `make depend` should be executed before `make` when you customize OpenSSL; it works unintended in earlier versions, but the newer version requires it. Source: https://github.com/openssl/openssl/issues/492

  2. fanquake added the label Build system on Jun 12, 2018
  3. zhiyuan-lin commented at 7:44 AM on June 12, 2018: none

    Build for Mac on Travis failed with `clang: Command not found` when building target `cryptlib.o`.

    I might need some assistance: is the build script for Mac broken on current master, or does my change to OpenSSL break it?

  4. in depends/packages/openssl.mk:71 in a48651b919 outdated
      66 | @@ -67,6 +67,7 @@ define $(package)_config_cmds
      67 |  endef
      68 |  
      69 |  define $(package)_build_cmds
      70 | +  $(MAKE) depend && \
      71 |    $(MAKE) -j1 build_libs libcrypto.pc libssl.pc openssl.pc
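    Review bot: the added `$(MAKE) depend && \` line runs the `depend` target without the `-j1` that the following `$(MAKE) -j1 build_libs libcrypto.pc libssl.pc openssl.pc` line pins, and a recursive `$(MAKE)` inherits the parent's job slots, so `depend` may run in parallel while the library build is deliberately serial. If the serial build is there because the OpenSSL 1.0.x makefiles are not parallel-safe, pass the same `-j1` to `depend` (`$(MAKE) -j1 depend && \`), or state in the commit message why the two steps differ.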
    


    ken2812221 commented at 9:46 AM on June 12, 2018:

    Putting `depend` in front of `build_libs` would fix the Travis errors.

  5. MarcoFalke commented at 12:01 PM on June 12, 2018: member
  6. MarcoFalke requested review from fanquake on Jun 12, 2018
  7. MarcoFalke requested review from theuni on Jun 12, 2018
  8. depends: bump openssl to 1.0.2o
    Also fixed broken build scripts.
    `make depend` should be executed before `make` when you customize OpenSSL, it works unintended in earlier version, but the newer version requires it.
    Source: https://github.com/openssl/openssl/issues/492
    
    Move `depend` in front of `build_libs`.
    
    Thanks @ken2812221 for suggestion.
    9741984342
  9. fanquake commented at 12:57 PM on June 12, 2018: member

    @edsgerlin What's the motivation for bumping OpenSSL?

    How did you review the diff between 1.0.1k and 1.0.2o (last time an OpenSSL bump was proposed the diff was >500k lines IIRC)?

    I'm pretty NACK on this as it's seemingly all risk/opportunity for breakage, for as far as I'm aware, not much gain?

  10. laanwj commented at 1:12 PM on June 12, 2018: member

    Is there any known security issue, that affects our use, fixed between the current version and 1.0.2o that motivates this?

    OpenSSL is only used for two things:

    • as a randomness source
    • in the GUI, to fetch payment requests
  11. zhiyuan-lin commented at 1:16 PM on June 12, 2018: none

    @fanquake The gain is, this fixes all known CVEs since 2015 (currently 36).

    https://www.cvedetails.com/vulnerability-list/vendor_id-217/product_id-383/version_id-180645/Openssl-Openssl-1.0.1k.html

    The difference between 1.0.1 and 1.0.2 is mostly the removal of weak ciphers e.g. RC4 and support for SSLv2 according to the release notes. https://www.openssl.org/news/openssl-1.0.2-notes.html

    There shouldn't be any breakage API-wise. There certainly are other risks in the upgrade, but depending on an unmaintained OpenSSL version might have other risks too (i.e. enabling DoS attacks using OpenSSL vulnerabilities).

    The older version bumps of OpenSSL were done by @theuni; could you give some advice?

    Anyway, you guys are the maintainers of the project, your decision matters. I am merely giving a suggestion.

  12. theuni commented at 8:40 PM on June 12, 2018: member

    Agree with @fanquake. I'm pretty sure that our use of 1.0.1 rather than 1.0.2 has saved us in the past at some point, though the details are fuzzy now.

  13. zhiyuan-lin closed this on Jun 13, 2018

  14. MarcoFalke locked this on Sep 8, 2021

github-metadata-mirror

This is a metadata mirror of the GitHub repository bitcoin/bitcoin. This site is not affiliated with GitHub. Content is generated from a GitHub metadata backup.
generated: 2026-05-01 15:15 UTC
