**** BEGIN LOGGING AT Mon Mar 28 02:59:58 2016
Mar 28 08:46:38 hmm, I have a weird bug with openssl, when connecting to tls1 only server, if I don't explicitly state which cipher to be used, the sll negotiation fails
Mar 28 08:46:54 *ssl negotiation
Mar 28 08:46:59 kerio: ^^^ any clue?
Mar 28 08:47:01 freemangordon: with s_client?
Mar 28 08:47:07 yes
Mar 28 08:47:32 hmm, maybe s_client uses the sslv2/3 functions only by default
Mar 28 08:47:33 bencoh: the same for curl
Mar 28 08:47:37 well, our version
Mar 28 08:47:49 yeah, curl does use the "wrong" function
Mar 28 08:48:07 bencoh: well, I pass "-tls1 -no_ssl3"
Mar 28 08:48:20 bencoh: I built the latest curl, no change
Mar 28 08:48:32 7.44-DEV1 :)
Mar 28 08:48:39 freemangordon: and it still doesn't work with s_client -tls1 -no_ssl3?
Mar 28 08:48:44 yep
Mar 28 08:48:51 strange, now that's something else
Mar 28 08:49:34 I have to "--ciphers ECDHE-RSA-AES256-SHA" for curl or "-cipher ECDHE-RSA-AES256-SHA" for s_client, then everything is fine
Mar 28 08:49:50 hmm
Mar 28 08:50:04 maybe we need to disable deprecated ciphers (?)
Mar 28 08:50:19 which one does it try to use by default?
Mar 28 08:50:21 but why, isn't it supposed to match what is supported?
Mar 28 08:50:37 no idea
Mar 28 08:51:08 or, hmm, maybe openssl does not report all the supported ciphers, lemme tcpdup
Mar 28 08:51:12 *tcpdump
Mar 28 08:51:44 maybe
Mar 28 08:53:00 bencoh: any idea how to capture wlan0?
Mar 28 08:53:11 tcpdump -i wlan0?
Mar 28 08:53:20 oh, stupid me :)
Mar 28 08:53:38 I was doing "ifconfig -i wlan0 -o tcp.pcap" :D
Mar 28 08:53:42 :D
Mar 28 08:56:46 bencoh: yes, ECDHE_xxx ciphers are not offered :(
Mar 28 08:57:37 bencoh: and openssl ciphers does not list them, even though they are supported. WTF?
Mar 28 09:43:55 freemangordon: openssl 0.9.8 doesn't do ECC
Mar 28 09:44:18 kerio: hmm?
Mar 28 09:44:39 how's that related to all ECDH(E) ciphers not being listed?
Mar 28 09:48:25 kerio: bencoh: well, there is such a note "/* Don't include ECC in ALL because these ciphers are not yet official. */"
Mar 28 09:48:35 oh lmao
Mar 28 09:49:13 krkrkr
Mar 28 09:50:45 https://github.com/openssl/openssl/blob/OpenSSL_0_9_8fg-stable/ssl/ssl_ciph.c#L169
Mar 28 09:51:21 "authored on 9 Aug 2002"
Mar 28 09:51:23 :D
Mar 28 09:51:48 I guess it should be safe to fix that
Mar 28 09:52:01 hmm yeah, and "lol" sounds appropriate
Mar 28 09:52:08 freemangordon: what about latest 0.9.8?
Mar 28 09:52:19 see github ^^^
Mar 28 09:52:31 ah, zh
Mar 28 09:52:34 lemme check
Mar 28 09:52:35 yeah, zh
Mar 28 09:52:41 can't change ALL like that
Mar 28 09:52:45 it would break backwards compatibility
Mar 28 09:52:53 why?
Mar 28 09:53:07 kerio: they do it all the time afaict
Mar 28 09:53:27 yeah but when they HAVE to
Mar 28 09:53:47 I think we have to as well ;)
Mar 28 09:55:50 :nod:
Mar 28 09:55:59 also, see https://github.com/openssl/openssl/commit/c85c1e08ce4148b64a80497525fa5e5efc87d13a
Mar 28 09:56:39 * freemangordon wonders what is left after that commit :)
Mar 28 09:57:08 :))
Mar 28 09:57:31 not much, that's why you're having this issue ;)
Mar 28 09:57:44 bencoh: we don't have that in cssu, yet
Mar 28 09:58:36 no I mean, remote servers dropped support for pretty much everything as well
Mar 28 09:58:52 yeah
Mar 28 09:59:22 * freemangordon is going to enable ACC ciphers in ALL and test
Mar 28 09:59:26 *ECC
Mar 28 10:04:29 * Don't include ECC in ALL because these ciphers are not yet official.
Mar 28 10:04:31 in zh
Mar 28 10:23:36 bencoh: yeah, it is like that eince 2002
Mar 28 10:23:39 *since
Mar 28 10:24:32 the other option is to add ECC ciphers to DEFAULT
Mar 28 10:25:59 instead of ALL?
Mar 28 10:26:13 have you cecked 1.x?
Mar 28 10:26:14 yes
Mar 28 10:26:17 checked*
Mar 28 10:26:26 Pali: look at the backscroll
Mar 28 10:26:34 bencoh: no
Mar 28 10:27:52 ecc ciphers?
Mar 28 10:28:46 yep
Mar 28 10:29:19 Pali: like ECDHE-RSA-AES256-SHA
Mar 28 10:29:31 enable it
Mar 28 10:29:42 :nod:
Mar 28 10:30:05 building openssl atm
Mar 28 10:46:32 hmm, it is way better with those ciphers enabled :D
Mar 28 10:46:55 modest connection to exchange server started to work again
Mar 28 10:47:41 Pali: now, what we're going to do with cssu releases? merlin1991 is nowhere to be seen
Mar 28 10:48:32 freemangordon: do you have ssh keys and steps how to release new version and put packages to r.m.o?
Mar 28 10:48:38 no
Mar 28 10:48:58 then need to ask maemo admins for it
Mar 28 10:49:15 not to say I don't have time (and will) to maintain yet another thing
Mar 28 11:06:07 not sure about time&will but I'd be glad to help if possible
Mar 28 11:08:17 * freemangordon builds 0.9.8zh
Mar 28 11:08:59 bencoh: seems like we need a maintainer, but anyway, let's see what merlin1991 has to say about it
Mar 28 11:09:15 freemangordon: what are our ALL and DEFAULT right now?
Mar 28 11:13:08 kerio: see github link, roughly
Mar 28 11:13:20 but he said that he added stuff
Mar 28 11:13:26 kerio: ah
Mar 28 11:13:53 kerio: before or after my change?
Mar 28 11:13:53 freemangordon: hmm yeah ... and I'd still need a second phone anyway
Mar 28 11:14:01 freemangordon: yes
Mar 28 11:14:11 yes what?
Mar 28 11:14:19 :D
Mar 28 11:14:21 before and after
Mar 28 11:14:25 "true" :]
Mar 28 11:17:35 kerio: http://pastebin.com/zHYrS2tv
Mar 28 11:17:46 kerio: for 'before' check on your device
Mar 28 11:18:05 hold on is ALL supposed to have aNULL ciphers
Mar 28 11:18:11 no
Mar 28 11:18:25 hm, apparently yes
Mar 28 11:18:32 ALL is everything except eNULL
Mar 28 11:18:47 freemangordon: can we disable rc4
Mar 28 11:18:48 ah, yes
Mar 28 11:18:53 it's disabled in 1.1.0
Mar 28 11:18:53 kerio: no idea
Mar 28 11:18:58 no like, at compile time
Mar 28 11:19:02 but why should we?
Mar 28 11:19:27 it's icky ;<
Mar 28 11:19:40 but yeah there's much worse stuff
Mar 28 16:10:32 in the meanwhile http://talk.maemo.org/showpost.php?p=1502308&postcount=498
Mar 28 16:11:43 lol i'm asked to port sailfish to a random phone as a task to see if i suck
Mar 28 16:15:10 You need to waste time to get the answer?!?
Mar 28 16:25:04 L29Ah: wtf? :D
Mar 28 16:25:18 sailfish/porter chan I guess?
Mar 28 16:41:14 freemangordon: yep i do :]
Mar 28 16:42:00 $2200/month net for a mostly FOSS embedded job is quite attractive there
Mar 28 16:43:14 where is "there"?
Mar 28 16:46:56 .ru
Mar 28 17:41:02 Pali: where did you get those sre patches from?
Mar 28 17:41:17 from sre repo on git.kernel.org
Mar 28 17:41:46 ok
Mar 28 22:25:35 Where's my phoneeeee. Hurry up postman, it's already 8:25am!
**** ENDING LOGGING AT Tue Mar 29 02:59:58 2016