What's new

OpenSSL update coming this Friday

  • SNBForums Code of Conduct

    SNBForums is a community for everyone, no matter what their level of experience.

    Please be tolerant and patient of others, especially newcomers. We are all here to share and learn!

    The rules are simple: Be patient, be nice, be helpful or be gone!

Side question: why is the firmware not using the latest OpenSSL version (1.0.2)?

1.0.0 is still actively maintained just like 1.0.1 and 1.0.2, with the exact same security fixes. So technically, 1.0.0 is just has "latest" as 1.0.2.

I'm sticking to 1.0.0 because that's what Asus is linking their closed-source binaries against, so I can't change it. There is no drawback security-wise.
 
This is a common practice for vendors. Many enterprise vendors are running very old versions of OpenSSL for various reasons. Some of which are stability and no requirement for additional features...which often leads to less stability and more room for vulnerability.

Newest != Most Stable/Most Secure
 
1.0.0 is still actively maintained just like 1.0.1 and 1.0.2, with the exact same security fixes. So technically, 1.0.0 is just has "latest" as 1.0.2.

I'm sticking to 1.0.0 because that's what Asus is linking their closed-source binaries against, so I can't change it. There is no drawback security-wise.
I do hope that by the time OpenVPN 2.4 comes out, ASUS will have upgraded to OpenSSL 1.0.2, since 1.0.0 lacks TLS1.2 and newer EC ciphers (which require much shorter keys, and therefore much less NVRAM space).
 
I do hope that by the time OpenVPN 2.4 comes out, ASUS will have upgraded to OpenSSL 1.0.2, since 1.0.0 lacks TLS1.2 and newer EC ciphers (which require much shorter keys, and therefore much less NVRAM space).

ECDSA is already supported, at least it is n Dropbear. I use an ECDSA key to ssh/scp into my router.

I wouldn't hold my breath on seeing such upgrades happen however. There's a lot of other components in Asuswrt that are far more in need of upgrading, such as miniupnpd or dropbear. Asus tends to limit what they upgrade to only the essential. dnsmasq has been regularly upgraded these last two years mostly as they were after the new IPv6 support that was being developed/debugged these past months.
 
1.0.0 is still actively maintained just like 1.0.1 and 1.0.2, with the exact same security fixes. So technically, 1.0.0 is just has "latest" as 1.0.2.

I'm sticking to 1.0.0 because that's what Asus is linking their closed-source binaries against, so I can't change it. There is no drawback security-wise.

1.0.0 has no TLS 1.1 or 1.2, which is quite a big security drawback, 1.0.0 is now basically a legacy version.

Are asus going to wait for more bad publicised security reports before been pushed?

https://mta.openssl.org/pipermail/openssl-announce/2014-December/000000.html
 
1.0.0 has no TLS 1.1 or 1.2, which is quite a big security drawback, 1.0.0 is now basically a legacy version.

Are asus going to wait for more bad publicised security reports before been pushed?

https://mta.openssl.org/pipermail/openssl-announce/2014-December/000000.html

Lack of TLS 1.1 and 1.2 support isn't that critical, as the router doesn't even host any public website. A recent RFC (published last week) mentioned that TLS 1.0 was considered good enough in the absence of 1.1 or 1.2 support.

BTW, Asuswrt does not support TLS at all. That's something I added to Asuswrt-Merlin last October. Some other router manufacturers out there are still on 0.9.7 and 0.9.8, with SSLv2 and SSLv3 enabled...

I agree that upgrading to 1.0.2 would definitely be a good thing, but it's not an emergency.
 
oh nice. and policy routing becomes more agile. looking forward to it.
 
I see you had time to upgrade openssl to 1.0.2. Thank you !

I was able to do it myself because the OpenSSL devs confirmed that 1.0.2 is backward compatible with binaries linked against 1.0.0. So, no need to wait for Asus to do it (and recompile asuswebstorage against it).

I still need to re-test asuswebstorage against 1.0.2 tho, I didn't have the time yet.
 

Similar threads

Support SNBForums w/ Amazon

If you'd like to support SNBForums, just use this link and buy anything on Amazon. Thanks!

Sign Up For SNBForums Daily Digest

Get an update of what's new every day delivered to your mailbox. Sign up here!
Top