Bug 243724 - www/pound: Use -dsaparam for openssl dhparam to cut build time
Summary: www/pound: Use -dsaparam for openssl dhparam to cut build time
Status: Closed FIXED
Alias: None
Product: Ports & Packages
Classification: Unclassified
Component: Individual Port(s) (show other bugs)
Version: Latest
Hardware: Any Any
: --- Affects Some People
Assignee: freebsd-ports-bugs mailing list
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2020-01-30 11:15 UTC by Eirik Oeverby
Modified: 2020-02-18 11:12 UTC (History)
3 users (show)

See Also:
zeus: maintainer-feedback+


Attachments
Patch for files/patch-Makefile.in (774 bytes, text/plain)
2020-01-30 11:15 UTC, Eirik Oeverby
no flags Details
(fixed) Use dhparam -dsaparam and don't specify generator (640 bytes, patch)
2020-01-30 11:41 UTC, Eirik Oeverby
no flags Details | Diff
OPTION to pass -dsaparam (700 bytes, patch)
2020-02-17 15:34 UTC, Alexey Dokuchaev
no flags Details | Diff

Note You need to log in before you can comment on or make changes to this bug.
Description Eirik Oeverby 2020-01-30 11:15:38 UTC
Created attachment 211188 [details]
Patch for files/patch-Makefile.in

Building pound takes a long time due to openssl dhaparam being run during the build phase. Suggest speeding this up (for long keys) by using -dsaparam option.
Comment 1 Eirik Oeverby 2020-01-30 11:31:11 UTC
Comment on attachment 211188 [details]
Patch for files/patch-Makefile.in

Whitespace broken by copy/paste, will upload new patch.
Comment 2 Eirik Oeverby 2020-01-30 11:41:12 UTC
Created attachment 211190 [details]
(fixed) Use dhparam -dsaparam and don't specify generator
Comment 3 Zeus Panchenko 2020-02-03 12:21:50 UTC
(In reply to Eirik Oeverby from comment #2)

Obvious cryptography weakening just to speed up port building doesn't sound reasonable ...

`-dsaparam` stays, according to the manual, for `Read or generate DSA parameters, convert to DH`. So, to use weak DSA is not a good idea as well as switching generator off.

Why not use pkg if the speed is the main concern?
Comment 4 Eirik Oeverby 2020-02-03 12:34:53 UTC
(In reply to Zeus Panchenko from comment #3)

It's not terribly obvious (in fact it might be outright wrong), and anyone relying on params generated at compile time on the FreeBSD build cluster are not going to care anyway. We build our packages in-house and pound tends to get rebuilt quite often due to other dependencies.

See https://security.stackexchange.com/questions/42415/openvpn-dhparam for an excellent discussion about this - usual caveats about trusting stackexchange obviously apply; I'm referring to it because it's easily-digestable information.

Basic takeaways:
 - Not using -dsaparam offers no meaningful security benefit
 - Using -dsaparam has no appreciable negative side effects (performance is mentioned, but that's mostly theoretical)
 - Using different primes (dhparam) than the rest of the world is a good thing

All I'm asking for is a dramatic reduction in compile time (especially with system defaults of large primes) in exchange for zero reduction in security. :)
Comment 5 Alexey Dokuchaev freebsd_committer 2020-02-17 15:34:02 UTC
Created attachment 211719 [details]
OPTION to pass -dsaparam
Comment 6 Alexey Dokuchaev freebsd_committer 2020-02-17 15:44:54 UTC
(In reply to Eirik Oeverby from comment #4)
> All I'm asking for is a dramatic reduction in compile time
> (especially with system defaults of large primes) in exchange
> for zero reduction in security.
Would an option (off by default) be sufficient for your needs?
Comment 7 Eirik Oeverby 2020-02-17 15:53:40 UTC
(In reply to Alexey Dokuchaev from comment #6)

Thank you very much for your effort! This will do just fine.

Given the uselessness of the curret mode of operation, I'd prefer it to default to the "fast" mode - but I suspect that discussion will take until the end of time. :)
Comment 8 commit-hook freebsd_committer 2020-02-18 11:11:00 UTC
A commit references this bug:

Author: danfe
Date: Tue Feb 18 11:09:59 UTC 2020
New revision: 526452
URL: https://svnweb.freebsd.org/changeset/ports/526452

Log:
  Allow to cut the package build times by generating DH parameters without
  using "safe" primes.

  PR:		243724
  Submitted by:	Eirik Oeverby
  Approved by:	maintainer

Changes:
  head/www/pound/Makefile
Comment 9 Alexey Dokuchaev freebsd_committer 2020-02-18 11:12:56 UTC
Committed as ports r526452.