From bryan@stansell.org Thu Oct 10 14:04:34 2002
Received: from underdog.stansell.org (localhost [127.0.0.1]) by underdog.stansell.org (8.12.6/8.12.6) with ESMTP id g9AL4YKW003659; Thu, 10 Oct 2002 14:04:34 -0700 (PDT)
Received: (from bryan@localhost) by underdog.stansell.org (8.12.6/8.12.6/Submit) id g9AL4Y2b003658; Thu, 10 Oct 2002 14:04:34 -0700 (PDT)
Date: Thu, 10 Oct 2002 14:04:34 -0700
From: Bryan Stansell
To: users@conserver.com, announce@conserver.com
Subject: beta OpenSSL patches available
Message-ID: <20021010210434.GE13658@underdog.stansell.org>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.4i
Sender: announce-admin@conserver.com
Errors-To: announce-admin@conserver.com
X-BeenThere: announce@conserver.com
X-Mailman-Version: 2.0.13
Precedence: bulk
List-Id: Conserver Announcements

The second round of patches for OpenSSL support within conserver is available. There are still some changes that will be necessary before they're all official, but it's a pretty strong set of code (at least on my boxes). The support for certificates may or may not actually work (I tried quickly one night with self-signed certificates and the OpenSSL library kept complaining about them - I'm pretty sure I created them wrong), and the encryption only currently happens when you connect to a console (not when you're doing a 'console -i', for example). But, without the certificates and the 100% encryption, I've been very successful in hiding the client/server traffic from tcpdump. ;-)

You can find them at ftp://ftp.conserver.com/conserver/openssl-patches/ or http://www.conserver.com/openssl-patches/ in the file 7.2.3-to-7.2.4-beta1.patch.

I'm hoping that either one or two more rounds of changes will result in the final 7.2.4. I'm not expecting to get everything related to OpenSSL fully functional and stabilized, but it should be close.

If you're able to spend a little time just doing a compile test on a system (especially HP-UX, AIX, or other "troublemakers"), I'd love to know if you run into issues (like the whole shadow password build bug in 7.2.3).

And now, the complete list of changes...

version 7.2.4 ():
- added --with-openssl for client/server encryption
- added -E option to client and server to allow for non-encrypted connections (encryption is the default if compiled in)
- added -c option so credentials (certificate and key) can be exchanged between client and server
- expanded -V output to show what optional bits actually got compiled into the code (libwrap, regex, etc)
- compilation errors on non-shadow file systems without using --with-pam - reported by Jesper Frank Nemholt
- client now prefers $LOGNAME, then $USER, then the current uid for its -l default - suggested by Dave Stuit
- putting back socklen_t usage - it's the right thing to do, so tell me where it breaks things

Bryan

From bryan@stansell.org Mon Oct 14 14:20:33 2002
Received: from underdog.stansell.org (localhost [127.0.0.1]) by underdog.stansell.org (8.12.6/8.12.6) with ESMTP id g9ELKXKW014249; Mon, 14 Oct 2002 14:20:33 -0700 (PDT)
Received: (from bryan@localhost) by underdog.stansell.org (8.12.6/8.12.6/Submit) id g9ELKXlZ014248; Mon, 14 Oct 2002 14:20:33 -0700 (PDT)
Date: Mon, 14 Oct 2002 14:20:33 -0700
From: Bryan Stansell
To: announce@conserver.com, users@conserver.com
Subject: conserver 7.2.4 is available
Message-ID: <20021014212033.GD29063@underdog.stansell.org>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.4i
Sender: announce-admin@conserver.com
Errors-To: announce-admin@conserver.com
X-BeenThere: announce@conserver.com
X-Mailman-Version: 2.0.13
Precedence: bulk
List-Id: Conserver Announcements

I've decided to go ahead and release 7.2.4 as it stands (there have been a couple changes since the 7.2.4-beta1 patch). There are a couple of reasons for this. First, the build issues with regard to shadow password support just made my stomach turn - I really goofed there and getting a working version out makes me much calmer. Second, there are some major changes necessary for the OpenSSL code to really work like I would want. 7.2.4 gives you basic console encryption without breaking any backwards-compatibility with older clients and servers (assuming you use the -E flag). It doesn't, however, encrypt things like 'console -w' output, and, even worse, 'console -q' (which could send the root password). To fix these things, I'm going to have to change the client-server protocol to such an extent that it will break backwards-compatibility and I figured I'd take conserver from 7.2.4 to 7.3.0 when doing so.

The good news, however, is that encryption and certificates do work (for me, at least). I've provided my script (contrib/maketestcerts) to show how I created and tested things. Even without certificates, the encryption will be negotiated and things will look like garbage on the wire. Check the man pages for details on the new features.

If anyone finds any problems, please let me know. I'm sure there will be some compatibility issues with platforms like HP-UX/64-bit and AIX (there always are), but I'd love to work through them with you and find a solid fix.

And, for the official record, all the changes in this release...

version 7.2.4 (Oct 14, 2002):
- added --with-openssl for some client/server encryption
- added -E option to client and server to allow for non-encrypted connections (encryption is the default if compiled in)
- added -c option so credentials (certificate and key) can be exchanged between client and server
- expanded -V output to show what optional bits actually got compiled into the code (libwrap, regex, etc)
- compilation errors on non-shadow file systems without using --with-pam - reported by Jesper Frank Nemholt
- client now prefers $LOGNAME, then $USER, then the current uid for its -l default - suggested by Dave Stuit
- putting back socklen_t usage - it's the right thing to do, so tell me where it breaks things
- configure options --with-cffile and --with-pwdfile now recognize fully-qualified pathnames - suggested by Kjell Andresen

Bryan Stansell