merge topic/jsiwek/openssl-1.1

Description

The topic/jsiwek/openssl-1.1 branch in bro and cmake repos adds OpenSSL 1.1 support. There were some oddities, but the commit messages may explain those well enough.

can be closed if these changes get merged.

Environment

None

Activity

Johanna Amann
July 31, 2018, 8:34 PM

@robin - you put your comment into the wrong ticket.

I took a look at this - and this looks pretty great, thanks a lot Jon. It also looks like it was a pain to get to work correctly.

I will get this merged either today or tomorrow.

Johanna Amann
July 31, 2018, 8:57 PM

So - one thing that I wonder about:

If I understand everything correctly, this will make us unable to correctly parse the certificates from RDP connections.

Which from my point of view is sad - but not the hugest loss - and potentially also a bit hard to avoid. The old way of fixing this was a bit hacky.

Should we warn people about this somehow?

Johanna Amann
July 31, 2018, 8:57 PM

Ah, but it is only the key material that does not work. So - less of a problem probably...

Johanna Amann
July 31, 2018, 8:58 PM

I guess we could add this in a "known issues" field in the NEWS, depending on how everyone feels about it.

Jon Siwek
August 1, 2018, 1:10 AM

A "known issues" field may be fine – it was indeed just a problem w/ OpenSSL 1.1 and extracting key info from RDP certs.

Underlying issue seems to be that Microsoft sets the wrong algorithm in the cert, and the trickery of manually overwriting it no longer works. Not sure if there's some other way to update that hack; here was maybe one reference to code that looked a bit different and was intended for OpenSSL 1.1 compatibility, but it still didn't work for me:

https://github.com/vanhauser-thc/thc-hydra/blob/7f4d8fc6e9be3ff7024acbfa80cd3a8c8242a84d/hydra-rdp.c#L921-L933

Merged

Assignee

Johanna Amann

Reporter

Jon Siwek

Labels

None

External issue ID

None

Priority

Normal