[Ach] Killing openssl cruft compile time

L. Aaron Kaplan kaplan at cert.at
Wed Apr 23 13:08:44 CEST 2014


On Apr 23, 2014, at 12:48 PM, Hanno Böck <hanno at hboeck.de> wrote:

> Hi,
> 
> I'm currently trying to build a stripped-down openssl. The basic idea
> is obvious: Everything that isn't supported by my libs won't be used
> and won't provide any attack surface.

I believe this is a really good idea.
It reminds me of this excellent talk: 
http://synaptic-labs.com/resources/security-bibliography/87-biographies/191-bio-brian-snow.html
"Our Cyber Security Status is Grim (and the way ahead will be hard)"  ICT Gozo Malta Nov 2011.


> 
> I'm on Gentoo so replacing openssl with a self-compiled version is a bit
> easier than on other distros.
> 
> What seems to work reasonably well so far:
> * Disable heartbeat
> * Disable zlib-support / compression
> * Disable SSL3
> * Disable IDEA, RC2, RC5, MD2, MD4, CAST, SEED, GOST algs
> 
> What causes trouble:
> * Disabling MD5 (openssl won't compile)
> * Disabling DSS or RC4 (openssl will compile, but openssh won't compile
>  against an openssl without these algs)
> 
> I already disabled heartbeat on my servers. If I don't see issues
> popping up I'll probably deploy the other changes to my servers soon.
> 
> Any others with experience with this? Any other things you'd disable?
> 
> If you want to test, Gentoo ebuild here:
> https://svn.hboeck.de/overlay/dev-libs/openssl
> 
> cu,
> -- 
> Hanno Böck
> http://hboeck.de/
> 
> mail/jabber: hanno at hboeck.de
> GPG: BBB51E42
> _______________________________________________
> Ach mailing list
> Ach at lists.cert.at
> http://lists.cert.at/cgi-bin/mailman/listinfo/ach

--- 
// L. Aaron Kaplan <kaplan at cert.at> - T: +43 1 5056416 78
// CERT Austria - http://www.cert.at/
// Eine Initiative der nic.at GmbH - http://www.nic.at/
// Firmenbuchnummer 172568b, LG Salzburg
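An added example, not code from either message above: a POSIX sh script that turns the feature list Hanno gives into OpenSSL Configure switches and, after the build, reads the algorithm listings of the resulting binary to confirm that nothing meant to be stripped is still compiled in. Assumptions (not stated in the thread): the switch names no-heartbeats, no-zlib, no-ssl3, no-idea, no-rc2, no-rc5, no-md2, no-md4, no-cast, no-seed and no-gost are the OpenSSL 1.0.x Configure spellings; OPENSSL_SRC, if set, points at an unpacked source tree whose build leaves the binary at apps/openssl; the listing in the else branch is a constructed sample so the script also runs where no source tree is present.

```shell
#!/bin/sh
# Added example, not from the mailing-list thread.
# Build a stripped-down OpenSSL and verify the stripped algorithms are absent.
# Assumed: the no-* names below are OpenSSL 1.0.x Configure switches;
#          OPENSSL_SRC (if set) is an unpacked source tree, binary at apps/openssl.

# Features to drop, as Configure switch suffixes. gost is an engine in 1.0.x,
# so no-gost keeps the engine out of the build as well.
DISABLED_FEATURES="heartbeats zlib ssl3 idea rc2 rc5 md2 md4 cast seed gost"

# Emit "no-heartbeats no-zlib ..." for ./config
configure_flags() {
    flags=""
    for f in $DISABLED_FEATURES; do
        flags="$flags no-$f"
    done
    printf '%s\n' "${flags# }"
}

# Read the combined output of
#   openssl list-cipher-algorithms ; openssl list-message-digest-algorithms
# on stdin. Print every line that still names a disabled algorithm.
# Returns 0 when nothing leaked through, 1 otherwise.
check_stripped() {
    leaked=0
    while IFS= read -r line; do
        lower=$(printf '%s' "$line" | tr 'A-Z' 'a-z')   # IDEA-CBC -> idea-cbc
        for f in $DISABLED_FEATURES; do
            case "$f" in
                heartbeats|zlib|ssl3) continue ;;       # not algorithm names
            esac
            case "$lower" in
                *"$f"*) printf 'still present: %s\n' "$line"; leaked=1 ;;
            esac
        done
    done
    return $leaked
}

if [ -n "${OPENSSL_SRC:-}" ]; then
    # Real build: configure with the switches, build, then inspect the binary.
    ( cd "$OPENSSL_SRC" && ./config $(configure_flags) && make ) || exit 1
    { "$OPENSSL_SRC/apps/openssl" list-cipher-algorithms
      "$OPENSSL_SRC/apps/openssl" list-message-digest-algorithms
    } | check_stripped
else
    # Constructed sample of what a correctly stripped build should list.
    # MD5 and RC4 are kept on purpose: the thread notes they cannot be dropped.
    printf 'AES-128-CBC\nAES-256-GCM\nCAMELLIA-128-CBC\nRC4\nSHA256\nMD5\n' \
        | check_stripped
fi
```

Run it once with OPENSSL_SRC pointing at the source tree; any "still present:" line means a switch was misspelled or the algorithm is pulled in by something else and the stripping is not what you assumed. The substring match is deliberately coarse (cast also catches CAST5-CBC, gost also catches md_gost94), which errs on the side of flagging too much rather than too little.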



