[squeak-dev] https

Phil B pbpublist at gmail.com
Wed Feb 7 01:40:10 UTC 2018


Ron,

I appreciate the arguments pro and con of static vs dynamic linking.
Unfortunately, the reality on Linux (due to that bazaar nature of distros
and their library versions) is that it doesn't tend to work out all that
well for out-of-distro/non-local builds.  Re: the legal situation, is there
any recent (i.e. last 10 years) legal advice indicating that this is still
an issue?

Anyway, seeing how I am yet again having library problems with bintray
builds, I would disagree with the whole simplifies deployment argument...

(Sorry to be so grumpy on this issue but my experience on Linux with out of
distro / non-local builds tells me over the course of decades that the
'shared libraries for everything' mantra for separately distributed builds
is wrong)

Phil

On Feb 6, 2018 7:24 PM, "Ron Teitelbaum" <ron at usmedrec.com> wrote:

Hi Phil,

There are a few downsides to statically linked.  First, crypto errors can't
be patched by OS providers.  Statically linking crypto modules could be
disastrous for users WHEN crypto bugs are found and can't be easily or
quickly patched. Also, there are a number of regulations in the USA that
prevent software from exporting crypto.  By leaving the crypto to the OS
provider and only looking up crypto modules or dynamically linking you are
not exporting crypto.  One cannot overstress how much this simplifies
deployment.  Having a few issues on deployment is a small price to pay for
the benefits we gain.

All the best,

Ron Teitelbaum

On Tue, Feb 6, 2018 at 7:14 PM, Phil B <pbpublist at gmail.com> wrote:

> I'll give it a shot.  Really, I'm not at all surprised to be having an SSL
> issue on Debian as I previously went over a year not being able to use the
> builds specifically due to an Ubuntu/Debian SSL lib version incompatibility
> (I *really* wish the Linux VM builds were statically linked as out of
> distro shared lib builds are just begging to break.  Been dealing with this
> sort of thing since the early 90s on Linux)
>
> On Feb 6, 2018 7:00 PM, "Tobias Pape" <Das.Linux at gmx.de> wrote:
>
>> Hi Phil,
>>
>> > On 07.02.2018, at 00:50, Phil B <pbpublist at gmail.com> wrote:
>> >
>> > /usr/lib/i386-linux-gnu/libssl.so.1.0.0
>> > /usr/lib/i386-linux-gnu/libssl.so.1.0.2
>> > /usr/lib/i386-linux-gnu/libssl.so.1.1
>> > /usr/lib/i386-linux-gnu/i586/libssl.so.1.0.0
>> > /usr/lib/i386-linux-gnu/i686/cmov/libssl.so.1.0.0
>>
>> Good!
>> Or not, I'm puzzled ;)
>> Could you please compile/run a debug-vm? It has some output, maybe it
>> helps :)
>>
>> Best regards
>>         -Tobias
>>
>>
>> >
>> >
>> > On Feb 6, 2018 5:56 PM, "Tobias Pape" <Das.Linux at gmx.de> wrote:
>> >
>> > Hi Phil,
>> >
>> > > On 06.02.2018, at 23:49, Phil B <pbpublist at gmail.com> wrote:
>> > >
>> > > It never gets that far (i.e. to log anything): the error occurs in
>> #primitiveSSLCreate and there is no log output.  I've confirmed that the
>> plugin exists in the 20180206 VM (and the image appears to be otherwise
>> working).  When I switch back to the 20171214 build with the same image, no
>> error loading the plugin (other than the issue we're discussing re: some
>> urls failing with -5)
>> >
>> > can you give me the output of "locate libssl.so"?
>> >
>> > Best regards
>> >         -Tobias
>> >
>> > >
>> > > On Feb 6, 2018 4:43 PM, "Tobias Pape" <Das.Linux at gmx.de> wrote:
>> > > Hi Phil
>> > > > On 06.02.2018, at 22:26, Phil B <pbpublist at gmail.com> wrote:
>> > > >
>> > > > Tobias,
>> > > >
>> > > > I tried the 32-bit 20180206 build and got Error: primitiveSSLCreate
>> failed.  (I'd expect the same result on 64-bit but will give it a shot)
>> This is using Cuis on Debian 9 stable.  Assuming there are no image-side
>> changes needed, this is probably a shared library issue as I've seen
>> this in the past when the VM is built on/for Ubuntu which was using a
>> different SSL lib version than Debian stable.  I'll try building a VM and
>> report back the results (it will probably be late this week before I'll
>> have time to get into it)
>> > >
>> > > I have recently changed the SqueakSSL plugin. As long as you have
>> libssl:i386 installed, everything should work.
>> > > Can you give me the console output with logLevel:1 again?
>> > >
>> > > Best regards
>> > >         -Tobias
>> > >
>> > > >
>> > > > Thanks,
>> > > > Phil
>> > > >
>> > > > On Feb 1, 2018 1:51 PM, "Tobias Pape" <Das.Linux at gmx.de> wrote:
>> > > > Hi Phil,
>> > > >
>> > > >
>> > > > > On 22.12.2017, at 21:29, Phil B <pbpublist at gmail.com> wrote:
>> > > > >
>> > > > > Tobias,
>> > > > >
>> > > > > I saw there was a recent change to the VM related to this issue
>> so I downloaded a recent build from bintray (specifically the
>> cogspurlinuxht 32- and 64-bit builds dated 201712142058) and tried them out
>> on Debian 9. Unfortunately, this didn't seem to change very much for me
>> (the majority of pages I was getting -5 on, I still do)
>> > > > >
>> > > > > Here are a few sample urls I was having problems with:
>> > > > > https://blog.jessfraz.com/post/containers-zones-jails-vms
>> > > > > https://blog.keras.io/the-future-of-deep-learning.html
>> > > > > https://danluu.com/cpu-bugs
>> > > > >
>> > > >
>> > > > Can you try with one of the latest vms?
>> > > >
>> > > > https://bintray.com/opensmalltalk/vm/cog/
>> > > >
>> > > > Best regards
>> > > >         -Tobias
>> > > >
>> > > > > Thanks,
>> > > > > Phil
>> > > > >
>> > > > > On Aug 29, 2017 5:49 AM, "Tobias Pape" <Das.Linux at gmx.de> wrote:
>> > > > > Hi Phil
>> > > > >
>> > > > > > On 24.08.2017, at 22:30, Phil B <pbpublist at gmail.com> wrote:
>> > > > > >
>> > > > > > Also, if you ignore the name checking of the cert (i.e. just
>> blindly accept it... dangerous to do with anything important) I've found
>> that you'll often either get a connection timeout or -5 error from the
>> plugin.  Not sure if this is specifically related to SAN support (i.e. is
>> there additional negotiation that needs to be done?) or if there are some
>> newer https features that need to be added...
>> > > > >
>> > > > > can you tell me your platform and the plugin version you are
>> using? I'd really like to get rid of those -5's :)
>> > > > >
>> > > > > Best regards
>> > > > >         -tobias
>> > > > >
>> > > > >
>> > > > > >
>> > > > > > On Aug 23, 2017 2:37 AM, "Marcel Taeumel" <
>> marcel.taeumel at hpi.de> wrote:
>> > > > > > Note that due to incomplete or missing SAN support on some
>> platforms, using alternative names can still raise a
>> SqueakSSLCertificateError:
>> > > > > >
>> > > > > > WebClient httpGet: 'https://google.com'
>> > > > > >
>> > > > > > Best,
>> > > > > > Marcel
>> > > > > >> Am 22.08.2017 22:14:38 schrieb Ron Teitelbaum <
>> ron at usmedrec.com>:
>> > > > > >>
>> > > > > >> SqueakSSL
>> > > > > >>
>> > > > > >> WebClient httpGet: 'https://www.google.com'
>> > > > > >>
>> > > > > >> Ron
>> > > > > >>
>> > > > > >> On Tue, Aug 22, 2017 at 3:09 PM, Eliot Miranda <
>> eliot.miranda at gmail.com> wrote:
>> > > > > >> Hi All,
>> > > > > >>
>> > > > > >>    what are people using for https support?
>> > > > > >>
>> > > > > >> _,,,^..^,,,_
>> > > > > >> best, Eliot
>> > > > > >>
>
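
The runtime lookup Ron describes ("only looking up crypto modules") combined with the "locate libssl.so" check from the thread, as an added example that is not SqueakSSL plugin code or anything posted by the participants: it tries the sonames from Phil's listing with dlopen() and reports which one actually loads in the current process and which OpenSSL series it is, which is what decides whether an OS security update reaches the application. The probe order and the function names are assumptions made for this example.

```c
#include <dlfcn.h>
#include <stdio.h>

/* Sonames from the "locate libssl.so" output in the thread, newest first. */
static const char *const SSL_SONAMES[] = {
    "libssl.so.1.1", "libssl.so.1.0.2", "libssl.so.1.0.0", NULL
};

/* Major/minor fields of an OPENSSL_VERSION_NUMBER-style value. */
unsigned ssl_major(unsigned long v) { return (unsigned)((v >> 28) & 0xf); }
unsigned ssl_minor(unsigned long v) { return (unsigned)((v >> 20) & 0xff); }

/* dlopen() each name in order. Returns the index of the first library that
 * loads and reports a version, or -1 if none does; *version is only written
 * on success. */
int probe_libssl(const char *const *names, unsigned long *version)
{
    for (int i = 0; names[i] != NULL; i++) {
        void *h = dlopen(names[i], RTLD_NOW | RTLD_LOCAL);
        if (h == NULL)
            continue;   /* not installed, or wrong architecture */
        /* 1.1 exports OpenSSL_version_num(), 1.0.x exports SSLeay(); both
         * live in libcrypto, which dlsym() reaches as a libssl dependency. */
        unsigned long (*vfn)(void) =
            (unsigned long (*)(void))dlsym(h, "OpenSSL_version_num");
        if (vfn == NULL)
            vfn = (unsigned long (*)(void))dlsym(h, "SSLeay");
        int found = (vfn != NULL);
        if (found)
            *version = vfn();
        dlclose(h);
        if (found)
            return i;
    }
    return -1;
}

int main(void)
{
    unsigned long v = 0;
    int i = probe_libssl(SSL_SONAMES, &v);
    if (i < 0) {
        fprintf(stderr, "no usable libssl for this architecture\n");
        return 1;
    }
    printf("%s -> OpenSSL %u.%u (0x%08lx)\n", SSL_SONAMES[i],
           ssl_major(v), ssl_minor(v), v);
    return 0;
}
```

Build it for the same architecture as the VM being debugged (the failing build in the thread is 32-bit), since a library installed only for the other architecture will not load; older glibc versions need -ldl at link time.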