[Pkg-openssl-devel] syncing up openssl dev efforts, DEfO making custom packages for ECH support
Sebastian Andrzej Siewior
sebastian at breakpoint.cc
Wed Aug 30 20:33:58 BST 2023
On 2023-08-30 19:46:59 [+0200], Hans-Christoph Steiner wrote:
>
> Hello, we're part of the DEfO project (https://defo.ie), we are working on
> implementing the TLS Encrypted ClientHello standard in OpenSSL and things
> that depend on OpenSSL. We want to start shipping binary Debian packages of
> our development fork of OpenSSL so that it is easy for people to try ECH.
> We currently follow OpenSSL's main branch pretty closely, so I we will
> probably have to change the Debian packaging to support OpenSSL that (since
> its currently on 3.1.x from what I can tell).
>
> So I'm opening this discussion to figure out how best we can push our work
> upstream to your package, and sync up with your development efforts. I'm a
> DD and have maintained some shared libraries, so I'm familiar with that
> work, but not so skilled at it.
>
> We have received two years of funding from the Open Tech Fund, so we should
> have time to put into this. We would also consider contracting with an
> OpenSSL package maintainer to do this work.
There is OpenSSL 3.1.x in experimental. I can't upload it unstable
because of OpenSSH (https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1035623).
Once that is resolved and nothing else pops up, then the version from
experimental can go to unstable. For your packaging efforts, I would
suggest to take the package from experimental and then rebuild the
current openssh package against it.
Now integrating ECH into the Debian package. This will be tough. I would
need to sync with Kurt on this, too. However, if it is not in upstream
then it is some out-of-tree that asks to be included. Adding just a
cipher would be "easier" since it would be isolated piece of code
without any exported symbols. This however is part of every TLS
handshake and there critical in terms security and or memory leaks and
so on.
Should this be included in the Debian package as of 3.1.x which becomes
part of Trixie and upstream integrated it into 3.2.x or later then there
is the question of maintenance and security fixes. Right now, everything
in the package is from upstream.
Sould this ECH trigger bugs (either on remote servers or somewhere in
between like we have this TLS 1.3 disguised as 1.2) then it would be
nice if people could opt-in for ECH as long as it is not part of an
official upstream release. So there are bug compatible with everyone
else.
So this would be my source of concern.
> .hc
Sebastian
More information about the Pkg-openssl-devel
mailing list