[Replicant] [PATCHES] SSL related issues

Wolfgang Wiedmeyer wreg at wiedmeyer.de
Sat Dec 12 14:56:16 UTC 2015


>>> - no OCSP stapling
>
> Probably this could help a bit?
> https://github.com/CyanogenMod/android_external_chromium_org_third_party_boringssl_src/commit/6c7aed048ca0a335e02dfee10976c5dc8620783e
> But I fear this could be a lot of porting work, because the link is for 
> boringssl and chromium...

I think the OpenSSL version in Replicant already supports OCSP
stapling. But we would have to integrate it in core libraries, likely
also webview, and then we would have to make sure that at least the
browser provides the user with some useful feedback if a certificate is
revoked. So yes, this would be a lot of work.
Corresponding Android bug:
https://code.google.com/p/android/issues/detail?id=68643
Interesting read linked in the bug report with reasons against implementing
it: https://www.imperialviolet.org/2014/04/19/revchecking.html

> Thanks for reading until here :)

You're welcome :)

I already included two OpenSSL patches in the patchset, but this is of
course only the tip of the iceberg as the OpenSSL version is so old. I
did some additional work and merged the cm-11.0 branch. Only one commit
had to be reverted to make it work with Replicant 4.2:
https://code.fossencdi.org/replicant_openssl.git/commit/?id=716b36c2b1f66c939826a9437c70cf2f3b9116ff
The nice thing is that the version from the cm-11.0 branch is the exact
same as in Debian Wheezy. So all that I had to do to patch this version
was a simple git am <debian-security-patch>.
The work is not complete as there are some patches left, but you can
find the current status here:
https://code.fossencdi.org/replicant_openssl.git/

-- 
OpenPGP: 0F30 D1A0 2F73 F70A 6FEE  048E 5816 A24C 1075 7FC4
download: https://wiedmeyer.de/keys/ww.asc

