TLS 1.2 support


mitche...@gmail.com

Apr 2, 2015, 10:07:59 AM
to msy...@googlegroups.com
Hi folks,

I am wondering if there is any plan to update mingw OpenSSL to something beyond 0.98, for example 1.0.1 in the near future? 

Given the security vulnerabilities associated with TLS 1.0, 1.1, I would like to use TLS 1.2 to talk to a GIT server but the TLS 1.2 support is not available until OpenSSL 1.0.1.

Thanks,
Mitchell 

Johannes Schindelin

Apr 2, 2015, 11:06:49 AM
to mitche...@gmail.com, msy...@googlegroups.com
Hi Mitchell,
We are currently switching to MSys2 which already updated to OpenSSL
1.0.2. If you want to have a sneak peek, feel free to download and run
the Git SDK installer (which installs MSys2 core, all MSys2 packages
required to build Git, and then builds Git and installs it into the
MSys2 fakeroot): https://git-for-windows.github.io/#download-sdk

Ciao,
Johannes

Mitchell Lee

Apr 8, 2015, 5:18:44 PM
to msy...@googlegroups.com, mitche...@gmail.com
Hi Johannes,

Thank you for the information and great work on the distribution.

I notice the latest git-for-windows build is still labelled as not for production use. Are there any major issues or missing features that prevent it from reaching the state like in MSYSGIT? 

By the way, is there a road map for the git-for-windows releases available?

Cheers,
Mitchell

Johannes Schindelin

Apr 9, 2015, 1:49:24 AM
to Mitchell Lee, msy...@googlegroups.com
Hi Mitchell,

On 2015-04-08 23:18, Mitchell Lee wrote:

> Thank you for the information and great work on the distribution.

You're welcome.

> I notice the latest git-for-windows build is still labelled as not for
> production use. Are there any major issues or missing features that
> prevent
> it from reaching the state like in MSYSGIT?

Oh, I just expect a couple of bugs lurking still undiscovered. As far as
I am concerned, the current pre-release might be good enough for daily
use, but please keep in mind that I am one of those lucky bastards who
can fix a bug when they are bitten by it... ;-)

So if you have coding skills, feel free to give it a try
(https://git-for-windows.github.io/#download). And if you encounter a
bug, you should be very easy – I worked very hard on that, at least – to
install the Git SDK (https://git-for-windows.github.io/#download-sdk)
and give it a try to fix the bug.

> By the way, is there a road map for the git-for-windows releases
> available?

"Road map" as in "project management"? Well, we have a milestone:
https://github.com/git-for-windows/git/milestones. But no definitive
time yet. I am at the Git Merge right now and I really hoped to be able
to release the new, shiny Git for Windows 2.x here, but I'll have to
discuss that with a couple of good people who happen to be here.

I could imagine that we just release it the same way we released the Git
for Windows 1.x versions: as "preview" until the time when I can be
reasonably certain that it is reasonably bug-free.

Ciao,
Johannes

Thomas Braun

Apr 9, 2015, 4:43:50 AM
to mitche...@gmail.com, msy...@googlegroups.com
On 02.04.2015 at 15:46, mitche...@gmail.com wrote:
> Hi folks,
>
> I am wondering if there is any plan to update mingw OpenSSL to something
> beyond 0.98, for example 1.0.1 in the near future?

I'm the one preparing the latest release 1.9.5.msysgit.1.

As Johannes pointed out the MSYS 1->2 switch is in progress.
So we have no concrete plans on upgrading openssl from 0.9.8 to
something more recent. At least until we either have a solid MSYS2 based
solution or the end of 2015 is reached (security support for 0.9.8 is
ending 12/31/2015).

In case someone wants to tackle that I'm open for accepting a pull
request. In this case please stick to version 1.0.2x, and have a look at
[1] for some patches as basis.

In the msysgit tree (master branch) /usr/src/openssl/release.sh is the
starting point.

[1]:
https://github.com/sschuberth/gfw-msys1-packages/tree/master/mingw32-openssl
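
Added example, not code from this thread or from the msysgit project: a small Python helper that parses OpenSSL 0.9.x/1.0.x version strings (as printed by `openssl version`) and reports the two things this thread turns on, namely whether a build can negotiate TLS 1.2 (OpenSSL 1.0.1 or later, per Mitchell's opening message) and whether its branch has passed end of security support (0.9.8 on 31 Dec 2015, per Thomas above). The letter-suffix version scheme, the sample strings and the one-entry EOL table are assumptions limited to what the thread states.

```python
"""Parse OpenSSL 0.9.x/1.0.x version strings and report TLS 1.2 / support status.

Added example for the msysgit thread; not project code. Facts used:
TLS 1.2 first shipped in OpenSSL 1.0.1, and security support for the
0.9.8 branch ended on 2015-12-31 (both stated in the thread).
"""
import re
from datetime import date

TLS12_MIN_VERSION = (1, 0, 1)
# Assumption: only the branch the thread names; other branches are "unknown".
BRANCH_EOL = {(0, 9, 8): date(2015, 12, 31)}

# OpenSSL 0.9.x/1.0.x releases look like major.minor.fix plus optional
# lowercase letters (0.9.8zh, 1.0.1m, 1.0.2a). Assumption: this scheme only.
_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)([a-z]*)")


def parse_openssl_version(text):
    """Extract (major, minor, fix, letters) from a bare version string or from
    the output of `openssl version`, e.g. 'OpenSSL 1.0.1m 19 Mar 2015'."""
    match = _VERSION_RE.search(text)
    if match is None:
        raise ValueError("no OpenSSL version number found in %r" % (text,))
    major, minor, fix, letters = match.groups()
    # Letters sort the way OpenSSL releases them: '' < 'a' < ... < 'z' < 'za'.
    return (int(major), int(minor), int(fix), letters)


def is_newer_or_equal(version, other):
    """Compare two releases, patch letters included."""
    return parse_openssl_version(version) >= parse_openssl_version(other)


def branch(version):
    """The maintenance branch a release belongs to, e.g. (0, 9, 8) for 0.9.8zh."""
    return parse_openssl_version(version)[:3]


def supports_tls12(version):
    """True when the release can negotiate TLS 1.2 (OpenSSL >= 1.0.1)."""
    return branch(version) >= TLS12_MIN_VERSION


def out_of_support(version, today):
    """True/False when the branch's EOL date is known, None when it is not."""
    eol = BRANCH_EOL.get(branch(version))
    if eol is None:
        return None
    return today > eol


def assess(version, today):
    """Summarise what an OpenSSL build offers and whether it still gets fixes."""
    parsed = parse_openssl_version(version)
    return {
        "version": "%d.%d.%d%s" % parsed,
        "tls12": supports_tls12(version),
        "out_of_support": out_of_support(version, today),
    }


if __name__ == "__main__":
    # Constructed sample: the builds mentioned in the thread, checked on the
    # day after the 0.9.8 branch left security support.
    for sample in ("OpenSSL 0.9.8zh 3 Dec 2015", "1.0.1m", "1.0.2a"):
        print(assess(sample, date(2016, 1, 1)))
```

Feed it the first line of `openssl version` from the build under test; a result with `tls12` False or `out_of_support` True is the signal that the bundled library needs the upgrade this thread is about.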

Mitchell Lee

Apr 10, 2015, 7:34:32 PM
to msy...@googlegroups.com, mitche...@gmail.com
Hi Thomas,

I am able to recompile the OpenSSL shared libraries (1.0.1m and 1.0.2a) for the MinGW MSYS environment.  However, the DLLs that are generated are named libeay32.dll and ssleay32.dll, rather than libcrypto.dll and libssl.dll that you have generated for the last portable GIT release. Is there something that I have missed during my compilation process? 

Thanks,
Mitchell

Thomas Braun

Apr 11, 2015, 6:05:39 AM
to Mitchell Lee, msy...@googlegroups.com

On Sat, 11.04.2015, 01:34, Mitchell Lee wrote:
> Hi Thomas,
>
> I am able to recompile the OpenSSL shared libraries (1.0.1m and 1.0.2a)
> for
> the MinGW MSYS environment. However, the DLLs that are generated are
> named
> libeay32.dll and ssleay32.dll, rather than libcrypto.dll and libssl.dll
> that you have generated for the last portable GIT release. Is there
> something that I have missed during my compilation process?

Hi Mitchell,

that's excellent news!

In what environment are you compiling MSYS or MINGW? In msysgit this is
determined by the checked out branch, master = mingw, msys = msys.

The dll renaming is hidden in
https://github.com/msysgit/msysgit/blob/master/src/openssl/patches/0004-openssl-build-DLL-directly.patch.
I guess that most of the other patches are also still required.

Thomas

Mitchell Lee

Apr 13, 2015, 2:16:23 PM
to Thomas Braun, msy...@googlegroups.com
Hi Thomas,

I am working with the MASTER (mingw) branch.

Does your config command look something similar to this?
perl config shared no-ssl2 no-ssl3

BTW, I did apply all of the existing patches (except 0002 and 0007 as they do not seem to be needed anymore).

Cheers,
Mitchell

Thomas Braun

Apr 14, 2015, 4:18:17 AM
to Mitchell Lee, msy...@googlegroups.com
On 13.04.2015 at 20:16, Mitchell Lee wrote:
> Hi Thomas,
>
> I am working with the MASTER (mingw) branch.
>
> Does your config command look something similar to this?
> perl config shared no-ssl2 no-ssl3
>
> BTW, I did apply all of the existing patches (except 0002 and 0007 as
> they do not seem to be needed anymore).

Hi Mitchell,

I'm using the release.sh script in src/openssl which just executes
ms\mingw32.bat.

Can you share your current state?

Thomas

Thomas Braun

Apr 15, 2015, 4:42:15 AM
to Mitchell Lee, msysGit
On 15.04.2015 at 00:03, Mitchell Lee wrote:
> Hi Thomas,
>
> I have pushed my current state to:
>
> https://github.com/mitchell8888/msysgit/tree/leem/upgrade_openssl_1.0.1m
>
> When I just run the release.sh command like you suggested, I will see
> the following error messages:
>
> perl crypto\x86cpuid.pl -DL_ENDIAN -DDSO_WIN32
> -fomit-frame-pointer -O3 -mcpu=i
> 486 -Wall -DBN_ASM -DMD5_ASM -DSHA1_ASM -DOPENSSL_BN_ASM_PART_WORDS
> -DOPENSSL_NO
> _RC5 -DOPENSSL_NO_MD2 -DOPENSSL_NO_KRB5 -DOPENSSL_NO_JPAKE
> -DOPENSSL_NO_DYNAMIC_
> ENGINE >tmp\x86cpuid.asm
> Pick one target type from
> elf - Linux, FreeBSD, Solaris x86, etc.
> a.out - DJGPP, elder OpenBSD, etc.
> coff - GAS/COFF such as Win32 targets
> win32n - Windows 95/Windows NT NASM format
> nw-nasm - NetWare NASM format
> macosx - Mac OS X
> mingw32-make: *** [tmp\x86cpuid.asm] Error 1
>
> For me to continue, I run the following commands:
>
> perl config shared no-ssl2 no-ssl3
> make depend
> make
>
> I wonder if the difference is I am not compiling assembly code using the
> perl config script.
>
> Thank you for looking into this!

Hi Mitchell,

(please keep the list in CC)

it turns out the old method of compilation is discouraged [1].
I've applied a quick and dirty hack and now it at least compiles.

See https://github.com/t-b/msysgit/tree/leem/upgrade_openssl_1.0.1m.

I'll pass the stick back to you here :)

Thomas

[1]:
http://openssl.6102.n7.nabble.com/PATCH-for-compiling-OpenSSL-1-0-0-3-29-10-using-MinGW-td38343.html

Thomas Braun

Apr 15, 2015, 4:43:37 AM
to msy...@googlegroups.com, mitche...@gmail.com
One more thing.

Why stop at openssl 1.0.1 and not just upgrade to openssl 1.0.2?

Mitchell Lee

Apr 15, 2015, 6:46:16 PM
to msy...@googlegroups.com, mitche...@gmail.com
Initially I was trying to make minimal changes to support TLS 1.2 so that is why I picked the 1.0.1 stream and expect it will be more stable than 1.0.2. Having said that, I have also tried patching 1.0.2 and I believe the patches that I have made could still apply.

By the way, I am able to rebuild curl and openssl with release.sh script only. However, the OpenSSL dlls are now generated with the names ssleay32.dll and libeay32.dll. Is that OK? I do see that these names are common for mingw builds and the new Git for Windows distribution is using these names as well. 

Mitchell

Thomas Braun

Apr 16, 2015, 4:40:10 AM
to Mitchell Lee, msy...@googlegroups.com
On 16.04.2015 at 00:46, Mitchell Lee wrote:
> Initially I was trying to make minimal changes to support TLS 1.2 so
> that is why I pick the 1.0.1 stream and expect it will be more stable
> than 1.0.2. Having said that, I have also tried patching 1.0.2 and I
> believe the patches that I have made could still apply.
>
> By the way, I am able to rebuild curl and openssl with release.sh script
> only. However, the OpenSSL dlls are now generated with the names
> ssleay32.dll and libeay32.dll. Is that OK? I do see that these names are
> common for mingw builds and the new Git for Windows distribution is
> using these names as well.

Nice progress!

I would prefer the old dll names, in order to keep the changes to a minimum.

Thomas