Update openssl to 1.0.1o

[mhdawson]

List of changes:
https://github.com/openssl/openssl/blob/OpenSSL_1_0_1-stable/CHANGES

Skimming through them the one most likely to affect end users is:

*) Reject DH handshakes with parameters shorter than 768 bits.
[Kurt Roeckx and Emilia Kasper]

There are also some related changes we may want to make at the same time:

From io.js:

nodejs/node#1739

• Is this still needed given the openssl update, possibly as it could provide better error info.

nodejs/node#1831

• Do we still need this one given the limitation in the new version of open ssl
• patch likely applies ok to 0.12.X but 0.10.X would require refactoring

Joyent/node issue

Drop at DH group modp1 from as suggsted in -#25366

Some related docs:

• http://www.internet-computer-security.com/VPN-Guide/Diffie-Hellman.html
• https://weakdh.org/imperfect-forward-secrecy.pdf (From 25366)

[mhdawson]

@shigeki and @indutny comments or suggestions ?

[indutny]

It is not only this, but ECParameters thing too. It mainly affects the clients and node.js has tls.connect() that is vulnerable to this.

Overall, I'm +1 on upgrading it in v0.12

[mhdawson]

I was assuming but probably should have stated that we need to update both 0.10.X and 0.12.X for openssl.

@indutny, any comments on whether we want/need to also try to pull in the changes in the other PR/issues mentioned ?

[mhdawson]

Looking more closely at #25366. This test case using modp1 passes with the openssl fix to limit the size to be >768 (openssl/openssl@6383038) so its seems changing getDiffieHellman() is separate from any impact from openssl changes. This would mean we could chose to do this independently, and if we do in 0.10.X and 0.12X guard with an option to revert to the original behavior.

var crypto = require('crypto');
var alice = crypto.getDiffieHellman('modp1');
var bob = crypto.getDiffieHellman('modp1');
alice.generateKeys();
bob.generateKeys();
var alice_secret = alice.computeSecret(bob.getPublicKey(), null, 'hex');
var bob_secret = bob.computeSecret(alice.getPublicKey(), null, 'hex');
/* alice_secret and bob_secret should be the same */
console.log(alice_secret == bob_secret);

[shigeki]

@mhdawson I will submit a PR to upgrade openssl-1.0.1n today. Please wait for a moment.

[misterdjules]

@joyent/node-tsc @shigeki Moved into the 0.10.39 milestone as the OpenSSL upgrade will need to happen there too.

[sxa]

Hi, I had a play with the upgrade today before I saw @shigeki's comment in https://github.com/sxa555/node/tree/v0.10-ssl101n and https://github.com/sxa555/node/tree/v0.12-ssl101n

I'm getting a TIMEOUT failure in simple/test-tls-dhe which I haven't gone into yet but otherwise it looks ok (I also got a failure in the SSL test 707 on 0.10 but not in 0.12, although that seems reproducible with a plain 0.10.38_101m bulid on the same RHEL machine) I've tested that the branch builds cleanly on Windows too.

@shigeki If you've tried it do you get the same failure on test-tls-dhe?

[sxa]

Actually it may not matter since I've just seen that 1.0.1o has just been released to fix an ABI breakage:
https://twitter.com/mancha140/status/609386942489178112

[shigeki]

@sxa555 You need #25514 for the test-tls-dhe on v0.12. I'm going to work on upgrading to openssl-1.0.1o

[sxa]

@shigeki Cheers - I've got branches for them both at https://github.com/sxa555/node/tree/v0.12-ssl101n and https://github.com/sxa555/node/tree/v0.10-ssl101o but I'm running out of time now so all yours :)