OpenSSL 1.1 EoL
Added by Mark Travis about 1 month ago
I just had to reinstall OpenSSL 1.1 on both of my Linux machines and it looks like it got removed from macOS Sequoia as well. All of my compiles blow up after not finding crypt. Evidently sudo apt upgrade gets rid of it on Linux, and I'm sure the last fixpack on Sequoia got rid of it.
I get a message now (post 1.1 re-install) when I start my Wt app that I didn't before: "Auth.HashFunction: ASVS recommends using BCrypt with at least 10 iterations."
I see an open ticket for something that might be closely related in the issues section.
I'm currently using compute() and verify() from the Wt::Auth::HashFunction.
Do we need to reinstall OpenSSL 1.1 until OpenSSL 3 gets implemented on the background? Or can we reconfigure to use OpenSSL 3 now?
And I may be completely misinformed, so feel free to set me straight.
Replies (3)
RE: OpenSSL 1.1 EoL - Added by Mark Travis about 1 month ago
I also had to re-install bootstrap 1.86 from scratch on both Linux machines. I'm starting to think the two might be related, but maybe not.
RE: OpenSSL 1.1 EoL - Added by Mark Travis about 1 month ago
I got rid of a #ifdef HAVE_CRIPT statement that has been in the code forever. Once I removed that and removed "crypt" from my CMakeLists.txt, no more errors. So, maybe I can delete OpenSSL 1.1 and not worry about it.
I don't currently have https turned on as it's in a very secure environment, but maybe it would be good to know from the Wt team if 1.1 is still needed for anything in the 4.11+ environment.
RE: OpenSSL 1.1 EoL - Added by Matthias Van Ceulebroeck 1 day ago
Hey Mark,
sorry about losing track of this. The new log ("ASVS recommends using BCrypt with at least 10 iterations.") isn't related to OpenSSL itself, but to a default that was present in Wt. The default has been increased to comply with the recommendations, but the log is produced if BCrypt is run with less than 10 rounds.
Likely some developers will have a custom config of their Wt::Auth::PasswordService. Where the Wt::Auth::PasswordVerifier can be set, and the hash function can be specified. When using BCrypt, the generic warning can be triggered if rounds < 10.
I believe OpenSSL 3 should be a near drop-in replacement. But I haven't looked at it more closely yet. So if you are building Wt yourself, you should be able to SSL_PREFIX to the right path, and Wt will likely build with minimal errors (although that's not a guarantee by me).
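The reply above explains that the "at least 10 iterations" log fires when the BCrypt hash function on the Wt::Auth::PasswordVerifier is configured with fewer than 10 rounds. Raising the rounds only affects hashes computed from then on: bcrypt embeds its cost factor in every hash string, so existing users keep their old, weaker hashes until they are re-hashed. The following is an added example, not code from the Wt project or from anyone in this thread: a small C++ audit that parses the cost out of stored bcrypt strings and reports which ones fall below the ASVS minimum of 10. It assumes hashes are stored in the standard bcrypt modular-crypt format ($2a$/$2b$/$2x$/$2y$ prefix, 60 characters); the function names and the sample hashes are mine.

```cpp
// Added example (not Wt project code): audit bcrypt hashes for a cost factor
// below the ASVS-recommended minimum of 10, the same threshold behind the
// "ASVS recommends using BCrypt with at least 10 iterations." log line.
#include <cctype>
#include <cstddef>
#include <iostream>
#include <optional>
#include <string>
#include <vector>

// Minimum bcrypt cost (log2 of the round count) recommended by ASVS.
constexpr int kMinBcryptCost = 10;

// Parse the cost field from a bcrypt modular-crypt-format string:
//   $2a$12$<22-char salt><31-char digest>   (variant may be 2a, 2b, 2x or 2y)
// Returns std::nullopt when the string is not a well-formed bcrypt hash.
std::optional<int> bcryptCost(const std::string& hash) {
    // A complete bcrypt hash is exactly 60 characters long.
    if (hash.size() != 60) return std::nullopt;
    if (hash[0] != '$' || hash[1] != '2') return std::nullopt;
    const char variant = hash[2];
    if (variant != 'a' && variant != 'b' && variant != 'x' && variant != 'y')
        return std::nullopt;
    if (hash[3] != '$' || hash[6] != '$') return std::nullopt;
    // The cost is two decimal digits between the second and third '$'.
    if (!std::isdigit(static_cast<unsigned char>(hash[4])) ||
        !std::isdigit(static_cast<unsigned char>(hash[5])))
        return std::nullopt;
    const int cost = (hash[4] - '0') * 10 + (hash[5] - '0');
    // bcrypt only defines costs 4..31; anything outside that range is malformed.
    if (cost < 4 || cost > 31) return std::nullopt;
    return cost;
}

// True when the hash is a valid bcrypt string whose cost meets the ASVS minimum.
bool meetsAsvsMinimum(const std::string& hash) {
    const auto cost = bcryptCost(hash);
    return cost.has_value() && *cost >= kMinBcryptCost;
}

// Scan stored hashes and return the indices that are either too weak or not
// bcrypt at all; both groups should be re-hashed at the user's next login.
std::vector<std::size_t> findWeakHashes(const std::vector<std::string>& hashes) {
    std::vector<std::size_t> weak;
    for (std::size_t i = 0; i < hashes.size(); ++i)
        if (!meetsAsvsMinimum(hashes[i])) weak.push_back(i);
    return weak;
}

int main() {
    // Constructed sample hashes: the salt/digest part is dummy filler; only the
    // prefix and the cost field matter for this audit.
    const std::string filler(53, 'A');
    const std::vector<std::string> stored = {
        "$2a$07$" + filler,          // cost 7: below the minimum, flagged
        "$2b$12$" + filler,          // cost 12: fine
        "$2y$10$" + filler,          // exactly the minimum: fine
        "not-a-bcrypt-hash",         // unknown scheme: flagged
    };
    for (std::size_t i : findWeakHashes(stored))
        std::cout << "entry " << i << " needs re-hash: " << stored[i] << '\n';
    return 0;
}
```

Run this over the password column of your user store after raising the round count on the verifier; every index it prints is an account whose hash was produced under the old setting and will keep triggering the weak-cost condition until it is re-hashed with the new rounds.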