Menu
What's new
By:
Filters Better Search

OpenSSL update coming this Friday

  • SNBForums Code of Conduct

    SNBForums is a community for everyone, no matter what their level of experience.

    Please be tolerant and patient of others, especially newcomers. We are all here to share and learn!

    The rules are simple: Be patient, be nice, be helpful or be gone!

Marc66 said:
Side question: why is the firmware not using the latest OpenSSL version (1.0.2)?
Click to expand...

1.0.0 is still actively maintained just like 1.0.1 and 1.0.2, with the exact same security fixes. So technically, 1.0.0 is just has "latest" as 1.0.2.

I'm sticking to 1.0.0 because that's what Asus is linking their closed-source binaries against, so I can't change it. There is no drawback security-wise.
 
This is a common practice for vendors. Many enterprise vendors are running very old versions of OpenSSL for various reasons. Some of which are stability and no requirement for additional features...which often leads to less stability and more room for vulnerability.

Newest != Most Stable/Most Secure
 
RMerlin said:
1.0.0 is still actively maintained just like 1.0.1 and 1.0.2, with the exact same security fixes. So technically, 1.0.0 is just has "latest" as 1.0.2.

I'm sticking to 1.0.0 because that's what Asus is linking their closed-source binaries against, so I can't change it. There is no drawback security-wise.
Click to expand...
I do hope that by the time OpenVPN 2.4 comes out, ASUS will have upgraded to OpenSSL 1.0.2, since 1.0.0 lacks TLS1.2 and newer EC ciphers (which require much shorter keys, and therefore much less NVRAM space).
 
eak said:
I do hope that by the time OpenVPN 2.4 comes out, ASUS will have upgraded to OpenSSL 1.0.2, since 1.0.0 lacks TLS1.2 and newer EC ciphers (which require much shorter keys, and therefore much less NVRAM space).
Click to expand...

ECDSA is already supported, at least it is n Dropbear. I use an ECDSA key to ssh/scp into my router.

I wouldn't hold my breath on seeing such upgrades happen however. There's a lot of other components in Asuswrt that are far more in need of upgrading, such as miniupnpd or dropbear. Asus tends to limit what they upgrade to only the essential. dnsmasq has been regularly upgraded these last two years mostly as they were after the new IPv6 support that was being developed/debugged these past months.
 
RMerlin said:
1.0.0 is still actively maintained just like 1.0.1 and 1.0.2, with the exact same security fixes. So technically, 1.0.0 is just has "latest" as 1.0.2.

I'm sticking to 1.0.0 because that's what Asus is linking their closed-source binaries against, so I can't change it. There is no drawback security-wise.
Click to expand...

1.0.0 has no TLS 1.1 or 1.2, which is quite a big security drawback, 1.0.0 is now basically a legacy version.

Are asus going to wait for more bad publicised security reports before been pushed?

https://mta.openssl.org/pipermail/openssl-announce/2014-December/000000.html
 
Chrysalis said:
1.0.0 has no TLS 1.1 or 1.2, which is quite a big security drawback, 1.0.0 is now basically a legacy version.

Are asus going to wait for more bad publicised security reports before been pushed?

https://mta.openssl.org/pipermail/openssl-announce/2014-December/000000.html
Click to expand...

Lack of TLS 1.1 and 1.2 support isn't that critical, as the router doesn't even host any public website. A recent RFC (published last week) mentioned that TLS 1.0 was considered good enough in the absence of 1.1 or 1.2 support.

BTW, Asuswrt does not support TLS at all. That's something I added to Asuswrt-Merlin last October. Some other router manufacturers out there are still on 0.9.7 and 0.9.8, with SSLv2 and SSLv3 enabled...

I agree that upgrading to 1.0.2 would definitely be a good thing, but it's not an emergency.
 
oh nice. and policy routing becomes more agile. looking forward to it.
 
Marc66 said:
I see you had time to upgrade openssl to 1.0.2. Thank you !
Click to expand...

I was able to do it myself because the OpenSSL devs confirmed that 1.0.2 is backward compatible with binaries linked against 1.0.0. So, no need to wait for Asus to do it (and recompile asuswebstorage against it).

I still need to re-test asuswebstorage against 1.0.2 tho, I didn't have the time yet.
 
You must log in or register to reply here.

Similar threads

Yota
Plans to migrate to OpenSSL 3.0?
2
Replies
36
Views
4K
bluepoint
bluepoint
octopus
  • Locked
[ 3006.102 alpha Build(s) ] Testing available build(s)
2 3
Replies
43
Views
8K
octopus
octopus
Voxel
Voxel Custom firmware build for Orbi LBR20 v. 9.2.5.2.44SF-HW
Replies
7
Views
834
Voxel
Voxel
Voxel
Voxel Custom firmware build for Orbi RBK50/RBK53 (RBR50, RBS50) v. 9.2.5.2.34SF-HW
2
Replies
27
Views
3K
rocknine
R
RMerlin
  • Locked
Beta Asuswrt-Merlin 3006.102.2 Beta is now available for Wifi 7 devices
2 3 4
Replies
70
Views
11K
RMerlin
RMerlin
Similar threads
Thread starter Title Forum Replies Date
B RT-BE96U unable to update from stock 3.0.0.6.102_37024 Asuswrt-Merlin 9
E Question about DDNS forced update interval RT-AX86U Asuswrt-Merlin 3
U Entware How to update wireguard? Asuswrt-Merlin 3
T 5G Frequency issue on RT-AX86U after update 3004.388.8_2 Asuswrt-Merlin 2
E RT AX88U problem with update 3004 388-8-1 and 2: loss of internet access Asuswrt-Merlin 8
N FW Update Issue from 386.3_2 to latest on ASUS RT-AX88U Asuswrt-Merlin 10
M name.com DDNS update script Asuswrt-Merlin 0
onthego41 FYI: Merlin update 3004.388.8_2 wiped my MAC Asuswrt-Merlin 3
D One Last Unsupported Update? Asuswrt-Merlin 9
M RT-AC86U Errors after latest firmware update (386.14) Asuswrt-Merlin 3

Similar threads

Latest threads

Support SNBForums w/ Amazon

If you'd like to support SNBForums, just use this link and buy anything on Amazon. Thanks!

Sign Up For SNBForums Daily Digest

Get an update of what's new every day delivered to your mailbox. Sign up here!

Members online

Total: 564 (members: 14, guests: 550)
Top