openssl: update to version 1.1.1h

[th0ma7]

Motivation: Our version of OpenSSL is just way to old and needs to be updated. Suggesting to either update at same API level for now (e.g. 1.0.2) or to move to next version of openssl (e.g. 1.1.1g) and keep previous version for legacy purposes.
Linked issues: #3629, #3560 and possibly #3666, closes #4185

Checklist

• Build rule all-supported completed successfully

Package updates

• boxbackup-client 0.12-2
• fossil-scm 2.12.1-2
• git 2.28.0-16
• haproxy 1.8.26-21
• links 2.21-2
• synocli-file 1.2-4 (update midnight commander to 4.8.25)

Packages with new revision due to openssl update

• borgbackup
• deluge
• domoticz
• homeassistant
• icecast
• irssi
• itools
• lidarr
• mosquitto (ppc853x-5.2 is not supported anymore)
• mtproxy
• mutt
• ntopng
• nzbdrone (sonarr)
• python3
• python
• radarr
• synocli-disk
• synocli-monitor
• synocli-net
• transmission
• tvheadend
• umurmur
• znc

Dependent packages not updated due to WIP or failing build

• ejabberd
• ffsync
• monit
• rutorrent
• shairport-sync

Packages depending on python (2 or 3) - need only python update

• duplicity
• mercurial
• octoprint
• rdiff-backup
• sabnzbd
• vim

[th0ma7]

By the look of things only packages known to fail already on master have failed from the github-action. As such looking good for a merge unless I'm missing something.

[ymartin59]

As far as I remember, it is not so obvious because all most all applications depends on openssl and some (old) libraries have not received updates to support recent openssl api. May you please confirm @m4tt075 @hgy59

[th0ma7]

Its the reason why I've kept it to 1.0.2 API for now.
github-action output looked real good besides packages known to fail already.

[Safihre]

@ymartin59 as long as we stick with the 1.0.2 branch even the old ones should compile. Indeed the OpenSSL 1.1.0 is much different.
I imagine we will need 2 OpenSSL packages, since many up to date applications benefit from the stuff in OpenSSL 1.1.

[th0ma7]

Thnx @Safihre it's what I thought as well.

I imagine we will need 2 OpenSSL packages, since many up to date applications benefit from the stuff in OpenSSL 1.1.

An idea could be, with the upcoming arrival of DSM-7 (if ever), move current openssl 1.0.2 as openssl-legacy and create a new default openssl using latest version available (e.g. 2.x). Any application that do not build correctly gets adjusted to use openssl-legacy, and all that works continue using openssl. That could even be done before then I guess but could be a huge undertaking as github-actions won't provide in-depth build-testing on every platforms.

[publicarray]

FYI There is a new 🦝 "Raccoon" Attack (CVE-2020-1968) with a Severity: Low

https://www.openssl.org/news/secadv/20200909.txt

https://www.openssl.org/news/vulnerabilities.html

[th0ma7]

FYI There is a new raccoon "Raccoon" Attack (CVE-2020-1968) with a Severity: Low

Interesting although fixed in version 1.0.2w which is only available with premium support. Alghough this might lead into making version 1.0.2v publicly available.

OpenSSL 1.0.2f and above will only reuse a DH secret if a "static" DH
ciphersuite is used. These static "DH" ciphersuites are ones that start with the
text "DH-" (for example "DH-RSA-AES256-SHA"). The standard IANA names for these
ciphersuites all start with "TLS_DH_" but excludes those that start with
"TLS_DH_anon_".

[th0ma7]

BTW, with this update we address the following low security issues:

• CVE-2019-1551
• CVE-2019-1563
• CVE-2019-1559
• CVE-2018-5407

Anyone see blockers to this or does it sound reasonable?

[publicarray]

I quickly looked at the build logs and I'm a bit confused why the synocli-file package failed, It builds ok on master. I can spend some time looking at it once my power is back on ⚡ ...

[th0ma7]

I quickly looked at the build logs and I'm a bit confused why the synocli-file package failed, It builds ok on master. I can spend some time looking at it once my power is back on zap ...

May well be due to not being rebased against master where a fix might already be?

[th0ma7]

WARNING: This is a test for considerations, easy to roll-back to previous commit.

I wanted to have both a) an overview of the impact of migrating to openssl 1.1.1 branch and b) check the feasibility of telling openssl to use /etc/ssl by default for it's configurations, thus /etc/ssl/certs for its certificates.

As such, I've moved existing openssl to openssl-legacy and upgraded default openssl to 1.1.1 branch. This allow pointing incompatible application to older version of openssl.

Thoughts on this welcomed (while it gives it a try at compiling the entire stack) :-)

[Safihre]

Unless you want to manually try every single package (just making it compile isn't enough), I would suggest the opposite approach: create a openssl-11 package that maintainers of the SPK packages can include when they do an update. Makes it lot less of a big bang approach.

[publicarray]

I agree with @Safihre (mostly because that is how other package managers have handled the same condition) but I also do see the value of getting a one time report on what compiles with the new API. Which I think was your intent here anyway

[th0ma7]

Thnx @Safihre and @publicarray for your feedbacks. The good news is that the build output difference seems to be around a handful of packages (fossil-scm, haproxy, links, memcached, monit, python, tmux, transmission).

There are two aspects to this proposal if we're intersted at moving this further (let me know if I've missed something obvious):

1) Method:
a) Enforce usage of the new openssl with expectation that new builds will be fixed/tested by package maintainers and move back to older version of openssl as needed.
b) Keep the old, unsupported and insecure openssl as default and expect package maintainers to gradually migrate to the new version.

2) Naming:
a) What ever the default version is, keep it as cross/openssl
b) Use version schema: cross/openssl-1.0 and cross/openssl-1.1
c) Use default naming and -legacy

Personally I would use a conjunction of 1a) + mix of 2a) + 2b) where default is always openssl and other releases gets tagged with a version (e.g. cross/openssl-1.0).

[ymartin59]

@th0ma7 I agree with the method. My preference is 1a) with cross/openssl for latest and keep cross/openssl-1.0.

[th0ma7]

I've renamed openssl-legacy as openssl-1.0 and kept latest version as openssl + rebased to master.

By the look of things, and please let me know if I'm mistaking, looks like there is interest to this from multiple people.

@ymartin59, @Safihre, @publicarray, @BenjV, @hgy59 : Would there be someone able to try it out with one or a few package(s) that heavily depends on openssl to see how it behave with both version 1.1 and using default system-wide /etc/ssl ?

[BenjV]

If someone can build a python version with Openssl 1.1.1 for Armada38X I wil be happy to test it on my test Nas (DS116)

[th0ma7]

@BenjV I was able to build a python3 package set that I made available at:

• https://github.com/th0ma7/synology/tree/master/packages/openssl-1.1

python2 refuses to build. After investigating it seems M2Crypto requires to be updated to a newer version along with passing --openssl=$(STAGING_INSTALL_PREFIX) option at build time or something close to that. I guess other synocommunity developpoers more into python may have a better understanding on where the issue really is.

[ymartin59]

@th0ma7 Thanks for Python 3 testing. I really think we should not bother with Python 2.7 any longer.

[Safihre]

Agreed, Python 2.7 is end-of-life and I can tell from experience that it doesn't handle OpenSSL 1.1.1 well.
@th0ma7 So I would suggest to keep Python 2.7 on the openssl-1.0 package.

[th0ma7]

@hgy59 @th0ma7 OK so my fears are confirmed... I will have to re-publish in a bunch a large number of packages... the same as previous python 2.7.18 update. I hope not to miss one in the check list...

I've created an issue for your consideration @hgy59 and @ymartin59 in order to track publishing of all updated packages at #4211 . The intent is to be able to share the load for publishing and ensure we track of things as we move along.

Is this PR good for merge? I think both myself and @hgy59 tends to agree on that (again, awsome work!). But considering the scale of the PR I want to make sure you are OK with that @ymartin59 before merging.

[ymartin59]

Large amount of work. Looks good to me.
I still propose some minor improvements.

[ymartin59]

This looks look like standard default "make install" target. May you please confirm by discarding its replacement?

[hgy59]

@ymartin59 disagree, the small difference is prefix vs PREFIX

[ymartin59]

I think it would make sense to move this tool in synocli-net

[hgy59]

@ymartin59 agree, this should be done in #4195, I updated #4211 accordingly.

[hgy59]

rebased @ master

[hgy59]

Large amount of work.

@ymartin59 I could take some tasks (only today, afterwards I am off my development environment for two weeks).

My preferences:

1. synocli-net (merge Update synocli net #4195, build, test and publish)
2. synocli-file (build, test and publish)
3. ntopng (build, test and publish)

[hgy59]

Unfortunately arch-ppc853x fails to build libwebsockets and dependent mosquitto since update to openssl 1.1.