
OpenSSL 3 support #904

Open

kalos opened this issue Jun 16, 2022 · 12 comments

kalos (Contributor) commented Jun 16, 2022

Hello,

Is there any plan to support for openssl 3 in burp?

The Burp Debian package is marked for autoremoval from Debian testing due to lack of OpenSSL 3 support.

Bug report: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1011540

Thanks!

grke (Owner) commented Jun 16, 2022

Hello,
Thank you for letting me know, I will look into it.

vanElden commented

FYI: burp has stopped working on Fedora 36 for this reason, too. Other distributions will likely follow, so let's hope this isn't too difficult...

grke (Owner) commented Jun 19, 2022

It shouldn't be too hard, I just have to

  1. update the Windows cross-tools/depkgs to download and build the latest openssl package
  2. update burp to use the non-deprecated functions
  3. fix any issues with my build / test pipeline using older openssl packages and not liking the use of the non-deprecated functions
  4. release and wait for any bug reports, and fix them too

(1) was quite annoying, but I'm currently at (2) now.

grke (Owner) commented Jun 21, 2022

I did (2) but I found that (3) is very annoying.
I think I have to go back to (2) and make burp support both old and new functions.

grke (Owner) commented Jul 10, 2022

Still on (3). Windows is playing up.

grke (Owner) commented Jul 10, 2022

Was not Windows - rather, openssl3 has deprecated blowfish.

grke (Owner) commented Jul 21, 2022

I've tried very hard to get openssl3 to load the "legacy provider" on Windows, but I'm not getting anywhere.
I think I will probably have to update burp to use a different kind of encryption other than blowfish if you are using openssl3.

grke (Owner) commented Aug 14, 2022

RE: deprecated blowfish file encryption

There is now a change in burp master that will make it encrypt new files with AES-CBC-256, but will still be able to decrypt files encrypted with blowfish as long as your openssl library supports it.
This is one step closer to openssl3 support.

grke (Owner) commented Aug 31, 2022

Git master now supports openssl3, ready for the next release, which I will try to do today:

Blowfish has been deprecated by openssl.
Burp will now encrypt new files with AES-CBC-256, but will still be able to decrypt files encrypted with blowfish as long as your openssl library supports it.
The Windows installer will continue to come with openssl-1.1 for a few months, to allow time for people to switch from blowfish.

vt-alt (Contributor) commented Jul 17, 2023

@grke In ALT Linux we upgraded to openssl-3 and the encryption_password functionality is broken (including the utest/protocol1/test_handy.c unit test, which calls enc_setup). (Your unit tests helped to detect that at build time.) This looks to me like a potentially major failure, because for backups using encryption:

  1. old backups become inaccessible;
  2. new backups would stop being performed (and there is a chance the user doesn't notice it).

Of course the user can fix this by editing openssl.cnf and enabling the legacy provider there (which would require googling). But burp's error message is not explanatory in that regard (EVP_CipherInit_ex failed). By comparison, the raw openssl error message (if printed) mentions that BF-CBC is unsupported: 404731913C7F0000:error:0308010C:digital envelope routines:inner_evp_generic_fetch:unsupported:crypto/evp/evp_fetch.c:341:Global default library context, Algorithm (BF-CBC : 14), Properties (). (And then the user can google that it's obsoleted but still usable if the legacy provider is enabled.)

You can additionally help users by enabling the legacy provider on openssl 3 as described here: https://wiki.openssl.org/index.php/OpenSSL_3.0#Providers. That would be two calls somewhere in main before starting to use openssl (I think):

#include <openssl/provider.h>
OSSL_PROVIDER_load(NULL, "legacy");
OSSL_PROVIDER_load(NULL, "default");

> I've tried very hard to get openssl3 to load the "legacy provider" on Windows, but I'm not getting anywhere.

In the absence of details, I would say it should just load the legacy DLL from the appropriate location (depending on where openssl is installed). This location is also printed in the openssl error message, which you would see in the output of ERR_print_errors_fp.

I hope this helps.

vt-alt (Contributor) commented Jul 17, 2023

BTW, for backward compatibility, even if openssl does not provide BF-CBC (this is possible if the legacy provider is not built/installed), you could use it directly (by including the source in burp); there is an MIT-licensed implementation: https://github.com/tombonner/blowfish-api

grke (Owner) commented Jul 18, 2023

Hello,

Like I mentioned, I've tried very hard to get openssl3 to load the "legacy provider" on Windows.
I don't think that is a valid way forward.

However, your other idea of just adding the code directly sounds interesting!

So, I will re-open this issue, and I will look at doing that.

grke reopened this Jul 18, 2023