How Kullo uses OpenSSL

Although Kullo uses the crypto library Botan for all its encryption jobs, it still needs OpenSSL. That is because the Open Kullo Protocol is an HTTP-based API that enforces TLS. Since we don’t want to reinvent the wheel and implement HTTPS on our own, we use a library for that. On the desktop platforms that is Qt Network at the moment. An alternative would be cURL, and I am sure there are others. These libraries have in common that they depend on OpenSSL to implement TLS. If there’s a Botan-TLS-based HTTP(S) library for C++ out there, I’d appreciate a hint in the comments.

So OpenSSL is mandatory. But where do we get it from and in which version? That question has to be answered differently for every operating system.

Windows

Windows does not ship OpenSSL. Thus we get it from the OpenSSL download page in the latest version that includes all security fixes. Kullo 0.20.15 for Windows will come with OpenSSL 1.0.1m.

OS X

Apple still ships OpenSSL version 0.9.8x (including security fixes) from the year 2005. This version is not officially supported by Qt anymore and it does not come with TLS 1.1 and TLS 1.2 support. Thus we’re shipping our own copy of OpenSSL on OS X as well, which we take from the Homebrew project. Kullo 0.20.15 for OS X will come with OpenSSL 1.0.1m.

Linux

All our supported Linux distributions have OpenSSL version >= 1.0 available out of the box. Thus we don’t need to ship it and you get updates directly from your Linux maintainer.

OpenSSL version on Ubuntu


In some distributions, the OpenSSL version might appear a bit outdated, which confused our users in the past. On Debian-based systems, such as Ubuntu and its derivatives, you might find version 1.0.1f from January 2014. This is because the package maintainer decided to freeze one OpenSSL version and apply security patches to that version. Thus on a current Ubuntu 14.10 you get 1.0.1f-1ubuntu9.4 (see $ dpkg -s openssl). This basically means: OpenSSL 1.0.1f from early 2014 plus all security fixes since then.

Which OpenSSL version is your Linux providing? Check $ openssl version!
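
To make the difference between the frozen upstream version and the distribution's patch level visible, here is an added example (not Kullo's code) that splits a Debian-style package version into its upstream part and its revision and compares the upstream part with what openssl version prints. The function names and the sample openssl version line are constructed for illustration; the package version is the one quoted above.

```shell
#!/bin/sh
# Added example. Debian/Ubuntu package versions have the form
#   [epoch:]upstream_version[-debian_revision]
# The upstream part stays frozen for the life of a release; backported
# security fixes only bump the revision after the last hyphen.

# Upstream version: drop the optional epoch, then everything after the last hyphen.
deb_upstream() {
    v=${1#*:}
    case $v in
        *-*) printf '%s\n' "${v%-*}" ;;
        *)   printf '%s\n' "$v" ;;
    esac
}

# Distribution revision: text after the last hyphen, empty if there is none.
deb_revision() {
    case $1 in
        *-*) printf '%s\n' "${1##*-}" ;;
    esac
}

# Second word of the `openssl version` output, e.g. "1.0.1f".
openssl_upstream() {
    v=${1#* }
    printf '%s\n' "${v%% *}"
}

# One-line summary: upstream version, patch revision, and whether the
# binary on PATH reports the same upstream version as the package.
describe() {
    up=$(deb_upstream "$1")
    rev=$(deb_revision "$1")
    bin=$(openssl_upstream "$2")
    if [ "$up" = "$bin" ]; then same=yes; else same=no; fi
    printf 'upstream=%s revision=%s binary=%s consistent=%s\n' \
        "$up" "${rev:-none}" "$bin" "$same"
}

# Constructed sample input, used when no arguments are given. On a live system:
#   sh check.sh "$(dpkg-query -W -f='${Version}' openssl)" "$(openssl version)"
pkg=${1:-1.0.1f-1ubuntu9.4}
out=${2:-OpenSSL 1.0.1f 6 Jan 2014}
describe "$pkg" "$out"
```

The revision field is the value to compare against your distribution's security notices; the upstream letter alone says nothing about which fixes are applied.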

2 thoughts on “How Kullo uses OpenSSL”

  1. A hint on using LibreSSL on OSX.

    XCode 7 dropped OpenSSL from its installation.

    When compiling Botan on OSX I gave LibreSSL 2.3.0 a try. The source package downloaded from the web site compiles cleanly with make and works nicely with Botan.

    • Thanks for your hint on this, Matej.

      Starting with Kullo 0.22.0 we switched from Qt Network to cURL as an HTTP library. In this transition we changed the SSL backends on Windows and OS X to the native system SSL implementations Secure Channel and Secure Transport.

      See also the changelog note on 2015-05-27:

      “Switch to cURL HTTPs implementation for syncer using OpenSSL on Linux, Secure Channel on Windows and Secure Transport on OS X”
      https://www.kullo.net/download/changelog/
