OpenSSL with Elliptic Curve

Jeff Mendoza jeffmendoza at live.com
Fri Jun 14 07:37:08 CEST 2013


Hi Hans & All,

> Date: Sun, 12 May 2013 11:21:10 +0200
> From: j.w.r.degoede at gmail.com
> To: rpmfusion-developers at lists.rpmfusion.org
> Subject: Re: OpenSSL with Elliptic Curve
> CC: jeffmendoza at live.com
> 
> Hi,
> 
> On 05/12/2013 08:46 AM, Jeff Mendoza wrote:
>> Hi,
>>
>> I have worked a bit on:
>>
>> Request: OpenSSL with Elliptic Curve, IDEA, MDC-2, RC5 crypto algorithms
>> Summary: The OpenSSL toolkit provides support for secure communications between machines.
>> URL: http://www.openssl.org/
>> Why not in Fedora: Because of the problem with software patents: https://bugzilla.redhat.com/show_bug.cgi?id=319901
>> Notes: OpenSSL is included in Fedora but with Elliptic Curve, IDEA, MDC-2, RC5 crypto algorithms disabled.
>>
>> from the http://rpmfusion.org/Wishlist.
>>
>> I have a building and working rpm, but I don't know what the name/version should be. Is there a standard for packages that replace one in Fedora? I thought of calling it openssl-ec, and having it conflict with openssl, but you can't use yum to replace it without removing openssl and all its dependent packages. Using 'rpm -e --nodeps' and then installing the replacement works fine.
> 
> Hmm, I didn't know we had this on our wish list, I must say that given the security implications,
> I'm not really enthusiastic about having a replacement for openssl in rpmfusion.
> 
> We do sometimes use conflicts for -freeworld versions of applications which are built with extra
> features.
> 
> But for libraries we should never use Conflicts, as they may change soname and then things will break
> hard. The usual approach is instead to install the rpmfusion version of the lib into a subdir
> of %{_libdir} and then drop in a .conf file into /etc/ld.so.conf.d/ adding that dir to the search path
> (such a dir will then be searched before %{_libdir}).
> 
> Given the special nature of openssl and its tendency to change soname every other release, the only
> acceptable solution to me would be to:
> 1) Not Conflict
> 2) Put the openssl so file in a subdir of %{_libdir}
> 3) Provide an example file for /etc/ld.so.conf.d/ as %doc
> 4) Add a README.rpmfusion explaining that the example file needs to be copied by the admin to
> /etc/ld.so.conf.d/ and containing a big fat warning that rpmfusion cannot guarantee timely
> security updates to its openssl package, and that the admin may need to disable it, falling back
> to the rpmfusion version, when a security update to openssl is needed.
> 
> Note that this means that a simple "yum install openssl-freeworld" will do nothing but eat some
> disk-space. This is by design, so that people doing "yum install openssl*" or
> "yum install *-freeworld" don't accidentally start depending on our openssl. The move to rpmfusion
> ssl REALLY needs to be a conscious decision, not a side effect of a badly constructed yum command.
> 
> Regards,
> 
> Hans

I have worked on an openssl-freeworld-libs that satisfies the 4 requirements. It can be installed next to openssl-libs, and not interfere. I had to rename the conf file (and patch the code), but the configuration directory is the same, so all your certs will be there when you switch over.

I elected to have openssl-freeworld and openssl-freeworld-devel conflict with the regular packages. openssl-freeworld has the binary openssl; this is not really needed, as the change is in the lib, and the regular openssl binary will work with openssl-freeworld-libs. openssl-freeworld-devel will conflict by installing the header files in the usual place. I had to modify the pkg-config files in the devel package to point to the new lib location.

If all this sounds good, I will follow the procedure to submit it for a review.

Thanks,
Jeff 		 	   		  
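
Added example, not part of the original thread or of any rpmfusion package: a bash audit that lists libraries in directories enabled through /etc/ld.so.conf.d/ which shadow a same-named file in the default library directory, so an admin can see whether an override such as the one discussed above is active. The directory, conf file name and library file names in the sample tree are constructed assumptions, and only plain directory lines are parsed (`include` lines are skipped).

```bash
#!/usr/bin/env bash
# find_shadowed_libs ROOT LIBDIR
#   ROOT   - filesystem root to inspect ("/" on a live system)
#   LIBDIR - default library directory, e.g. /usr/lib64
# Prints one line per shadowing library: "<conf file> <override path>"
find_shadowed_libs() {
    local root="${1%/}" libdir="$2" conf dir lib
    for conf in "$root"/etc/ld.so.conf.d/*.conf; do
        [ -f "$conf" ] || continue
        while IFS= read -r dir; do
            # Skip blank lines, comments, include directives and LIBDIR itself
            case "$dir" in ''|'#'*|'include '*) continue ;; esac
            if [ "$dir" = "$libdir" ]; then continue; fi
            for lib in "$root$dir"/*.so*; do
                [ -e "$lib" ] || continue
                # Same file name in the default directory means it is shadowed
                if [ -e "$root$libdir/${lib##*/}" ]; then
                    printf '%s %s\n' "${conf##*/}" "$dir/${lib##*/}"
                fi
            done
        done < "$conf"
    done
}

# Build a constructed sample tree (hypothetical names) and print its path.
make_sample_root() {
    local root
    root="$(mktemp -d)"
    mkdir -p "$root/etc/ld.so.conf.d" "$root/usr/lib64/openssl-freeworld"
    touch "$root/usr/lib64/libssl.so.10" "$root/usr/lib64/libcrypto.so.10" \
          "$root/usr/lib64/libz.so.1" \
          "$root/usr/lib64/openssl-freeworld/libssl.so.10" \
          "$root/usr/lib64/openssl-freeworld/libcrypto.so.10"
    printf '# constructed sample\n/usr/lib64/openssl-freeworld\n' \
        > "$root/etc/ld.so.conf.d/openssl-freeworld.conf"
    printf '%s\n' "$root"
}

# On a live system: find_shadowed_libs / /usr/lib64
```

Removing or renaming the reported conf file and running `ldconfig` returns resolution to the default directory.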

