[CentOS] Can we trust RedHat encryption tools?

Mon Jan 6 16:28:15 UTC 2014
James B. Byrne <byrnejb at harte-lyne.ca>

Recently I have been deeply troubled by evidence revealing the degree to which
U.S. based corporations (well actually all resident in any of the so-called
5-eyes countries) appear to have rolled over and assumed the position with
respect to NSA inspired pressure to cripple public key encryption and
facilitate intrusions into their software products.  This has engendered in me
a significant degree of doubt surrounding the integrity of RHEL; and therefore
of CentOS since it claims to be a bug for bug, and therefore an exploit for
exploit, copy of RHEL.

Reinforcing my doubt is the tale surrounding the long outstanding bug report
respecting OpenSSL (https://bugzilla.redhat.com/show_bug.cgi?id=319901) opened
in October of 2007. This problem was only recently addressed and then only
after a good deal of pointed public questioning by numerous security
commentators.  RedHat's reference to 'patent' issues surrounding this 'bug'
is unsubstantiated by any documented evidence.  The only response justifying
RedHat's lack of movement is some hand-waving about corporate legal opinion.
Despite suggestive language by some RH employees
(https://bugzilla.redhat.com/show_bug.cgi?id=612265#c3) the exact nature of
the patent legal problem was never specifically laid out for public comment.
Equally troubling to me is the complete lack of any information on what patent
issue was finally resolved and how it was resolved so that the related bugs
could be fixed.

As patents (with very, very few exceptions) are by their very nature not secret
one wonders if the so-called legal problem was of a fundamentally different
nature, no less real but somewhat less savoury from a PR standpoint.

In consequence, after a good deal of agonizing over what was within my means
to do, I have spent the weekend rebuilding Apache httpd from Apache sources to
obtain TLSv1.2.  While I still do not have a working copy (yet) I did learn a
great deal of how RH back-porting patch policy appears to work.  But in the
process of researching how to get this package built I ran across a number of
discussions respecting OpenSSL, which is the fundamental layer upon which pki
rests, and RedHat
(http://www.linuxadvocates.com/2013/09/is-openssls-cryptography-broken.html).
None of them were very comforting.

Where this discourse is leading to is the question of whether or not CentOS
should provide OpenSSL built from clean sources as an extra or plus package
and perhaps httpd, sshd and ssh-client and related PKI based/reliant packages
as well. Similarly, should CentOS.org provide tested spec files that will
provide individual system admins a simple method of building these packages
from source?

I think that CentOS.org probably should provide this but I am afraid that I
cannot make a strong public case.  Suffice it to say that my belief is informed
by personal previous experience with federal agencies' investigative techniques
and the all too frequent willingness of commercial interests to take the road
of least resistance when pressured.  Particularly where the spectres of
expensive litigation and targeted regulatory enforcement loom in the
background.

I believe that the issue is of pressing interest to the entire community and I
would like to read what others have to say on the matter.


-- 
***          E-Mail is NOT a SECURE channel          ***
James B. Byrne                mailto:ByrneJB at Harte-Lyne.ca
Harte & Lyne Limited          http://www.harte-lyne.ca
9 Brockley Drive              vox: +1 905 561 1241
Hamilton, Ontario             fax: +1 905 561 0757
Canada  L8E 3C3