SWORD 1.8.0RC3

16 messages

SWORD 1.8.0RC3

Troy A. Griffitts
Again, thank you to all the testers and reporters of problems for the
previous RC and those who contributed fixes.  Hopefully, this will stand
any scrutiny and become 1.8.0.  Please let me know if you have any feedback.

http://crosswire.org/sword/alpha/alpha/sword-1.7.903.tar.gz


Included since last RC:

------------------------------------------------------------------------
r3482 | scribe | 2017-06-25 07:36:23 -0700 (Sun, 25 Jun 2017) | 2 lines

Reworked strongs and lemma filters to better support any combo of toggle
Added osisxhtml lemma type= support for other than Greek, Hebrew strongs
------------------------------------------------------------------------
r3481 | scribe | 2017-06-25 04:45:04 -0700 (Sun, 25 Jun 2017) | 3 lines

moved examples/simple.cpp to examples/tasks/simpleverselookup.cpp

also updated CMakeList.txt to build new examples
------------------------------------------------------------------------
r3480 | scribe | 2017-06-25 04:44:29 -0700 (Sun, 25 Jun 2017) | 1 line

added listbiblebooknames example
------------------------------------------------------------------------
r3479 | scribe | 2017-06-25 04:44:01 -0700 (Sun, 25 Jun 2017) | 1 line

added flatapi installmgr example
------------------------------------------------------------------------
r3478 | refdoc | 2017-06-10 15:28:11 -0700 (Sat, 10 Jun 2017) | 2 lines

added Belarussian locale file

------------------------------------------------------------------------
r3477 | domcox | 2017-06-04 11:18:34 -0700 (Sun, 04 Jun 2017) | 1 line

French translation update (Contrib. from Cyrille)
------------------------------------------------------------------------


_______________________________________________
sword-devel mailing list: [hidden email]
http://www.crosswire.org/mailman/listinfo/sword-devel
Instructions to unsubscribe/change your settings at above page
Reply | Threaded
Open this post in threaded view
|  
Report Content as Inappropriate

Re: SWORD 1.8.0RC3

Jaak Ristioja-2
Hi Troy!

It seems that no fixes from Sword++ were considered for inclusion in SVN
trunk, not even the two I explicitly proposed on this list in response
to the RC2 announcement: one fixing hangs in front ends and the other
fixing a pure security negligence which rendered SSL/TLS susceptible to
MitM attacks.

?!?!

J

On 25.06.2017 18:51, Troy A. Griffitts wrote:

Re: SWORD 1.8.0RC3

Troy A. Griffitts
Hi Jaak,

We have included some of your patches in the past (thank you again), but not these. The first is intentional. We want to work with self signed certs if necessary. None of our content is private, only the fact that a user might access our server and for this, we ask all our frontends to warn against this for persecuted countries. The second goes against our policy in the library that all threading should be handled by the client, not the library. The client should instantiate an InstallMgr in its own thread and register threads are callbacks, if they wish to install in the background. If we start trying to handle threading in the library itself, it is a huge switch from current policy and depends on support for threading in all our compilers. Easy enough to just instantiate separate SWMgr instances per thread. But thank you for offering.
Troy

On June 25, 2017 8:33:53 PM GMT+02:00, Jaak Ristioja <[hidden email]> wrote:

--
Sent from my Android device with K-9 Mail. Please excuse my brevity.

Re: SWORD 1.8.0RC3

Jaak Ristioja-2
Regarding TLS, I think the choice of whether to trust a self-signed
certificate should explicitly be left to the user at run-time (e.g. like
browsers do), rather than blindly accepting any (even expired?)
certificates.

Regarding the other fix, frontends can (and already do) handle threading
by themselves, but afaik even for a single-threaded process the
callbacks accepted by Sword have no direct means to terminate the
installation process (e.g. by return value, or via another callback
provided to the callback). So it seems that you're either saying that

1) Sword users have no means to terminate potentially long-running
processes (and there's no plan to add such means), or
2) RemoteTransport::terminate() should never be called separately, but
exclusively only from inside callbacks invoked by Sword.

In the latter case, this should be made clear in the documentation.

Blessings,
J

On 25.06.2017 21:53, Troy A. Griffitts wrote:


Re: SWORD 1.8.0RC3

Greg Hellings
Jaak,

Can you provide a version of that patch for 1.7 (and 1.8, if there is a difference)? Or point me to where it lives? I will definitely wrap that into the packaging for Fedora and SuSE as it is absolutely inappropriate to have SSL checking skipped at the library level without it being a very explicit step for users.

If Troy won't fix this glaring security hole, it can at least be fixed by the packagers. I would encourage any Debian and/or Ubuntu users to file bugs against Sword packaging in their environments (if their maintainer isn't here) and the same for any other distribution users.

--Greg

On Sun, Jun 25, 2017 at 6:56 PM, Jaak Ristioja <[hidden email]> wrote:

Re: SWORD 1.8.0RC3

Greg Hellings


On Sun, Jun 25, 2017 at 8:10 PM, Greg Hellings <[hidden email]> wrote:
Jaak,

Can you provide a version of that patch for 1.7 (and 1.8, if there is a difference)? Or point me to where it lives? I will definitely wrap that into the packaging for Fedora and SuSE as it is absolutely inappropriate to have SSL checking skipped at the library level without it being a very explicit step for users.

If Troy won't fix this glaring security hole, it can at least be fixed by the packagers. I would encourage any Debian and/or Ubuntu users to file bugs against Sword packaging in their environments (if their maintainer isn't here) and the same for any other distribution users.

With apologies to Troy, this paragraph carried an implication that I did not intend. The state of this code in the library is intentionally set. However, these known and documented security weaknesses are intended to be closed up by package maintainers of libraries in most distributions (e.g. SSL/TLS libraries that include weak ciphers that get disabled by package maintainers, bundlers, etc).  This is one reason that packagers are encouraged to be and remain close to the development of upstream, as much as possible, so they can provide reasonably secure defaults in the package build even if those are not the default setting for upstream for whatever reason.

I did not mean to impugn Troy or cause him offense.

That said, perhaps a compile-time switch could be added to enable more security conscious options in the transport code? That way the task of packagers could be made easier by enabling a more security-conscious option at build time instead of patching the library.

--Greg



Re: SWORD 1.8.0RC3

Jaak Ristioja-2
Sure! Verifying TLS certificates is explicitly disabled in the file

  src/mgr/curlhttpt.cpp

by the lines:

  /* Disable checking host certificate */
  curl_easy_setopt(session, CURLOPT_SSL_VERIFYPEER, false);

I've attached a patch for Sword SVN trunk which removed these lines. For
the Sword++ commit, see
https://github.com/swordxx/swordxx/commit/49de93ca35f61601376fab0ac8689f48a76dd4d6

J


On 26.06.2017 04:10, Greg Hellings wrote:

> Jaak,
>
> Can you provide a version of that patch for 1.7 (and 1.8, if there is a
> difference)? Or point me to where it lives? I will definitely wrap that
> into the packaging for Fedora and SuSE as it is absolutely inappropriate
> to have SSL checking skipped at the library level without it being a
> very explicit step for users.
>
> If Troy won't fix this glaring security hole, it can at least be fixed
> by the packagers. I would encourage any Debian and/or Ubuntu users to
> file bugs against Sword packaging in their environments (if their
> maintainer isn't here) and the same for any other distribution users.
>
> --Greg
>
> On Sun, Jun 25, 2017 at 6:56 PM, Jaak Ristioja <[hidden email]
> <mailto:[hidden email]>> wrote:
>
>     Regarding TLS, I think the choice of whether to trust a self-signed
>     certificate should explicitly be left to the user at run-time (e.g like
>     browsers do), rather than blindly accepting any (even expired?)
>     certificates.
>
>     Regarding the other fix, frontends can (and already do) handle threading
>     by themselves, but afaik even for a single-threaded process the
>     callbacks accepted by Sword have no direct means to terminate the
>     installation process (e.g. by return value, or via a another callback
>     provided to the callback). So it seems that you're either saying that
>
>     1) Sword users have no means to terminate potentially long-running
>     processes (and there's no plan to add such means), or
>     2) RemoteTransport::terminate() should never be called separately, but
>     exclusively only from inside callbacks invoked by Sword.
>
>     In the latter case, this should be made clear in the documentation.
>
>     Blessings,
>     J
>
>     On 25.06.2017 21 <tel:25.06.2017%2021>:53, Troy A. Griffitts wrote:
>     > We have included some of your patches in the past (thank you
>     again), but
>     > not these. The first is intentional. We want to work with self signed
>     > certs if necessary. Non of our content is private, only the fact
>     that a
>     > user might access our server and for this, we ask all our frontends to
>     > warn against this for persecuted countries. The second goes
>     against our
>     > policy in the library that all threading should be handled by the
>     > client, not the library. The client should instantiate an
>     InstallMgr in
>     > its own thread and register threads are callbacks, if they wish to
>     > install in the background. If we start trying to handle threading
>     in the
>     > library itself, it is a huge switch from current policy and depends on
>     > support for threading in all our compilers. Easy enough to just
>     > instantiate separate SWMgr instances per thread. But thank you for
>     offering.
>     > Troy
>     >
>     > On June 25, 2017 8:33:53 PM GMT+02:00, Jaak Ristioja
>     <[hidden email] <mailto:[hidden email]>>
>     > wrote:
>     >
>     >     Hi Troy!
>     >
>     >     It seems that no fixes from Sword++ were considered for
>     inclusion in SVN
>     >     trunk, not even the two I explicitly proposed on this list in
>     response
>     >     to the RC2 announcement: one fixing hangs in front ends and
>     the other
>     >     fixing a pure security negligence which rendered SSL/TLS
>     susceptible to
>     >     MitM attacks.
>     >
>     >     ?!?!
>     >
>     >     J
>     >

Attachment: sword-fix-tls.diff (774 bytes)

Re: SWORD 1.8.0RC3

Peter von Kaehne
In reply to this post by Greg Hellings
As a user I would want to be able to override this, does this patch make this impossible?

Sent from my mobile. Please forgive shortness, typos and weird autocorrects.


-------- Original Message --------
Subject: Re: [sword-devel] SWORD 1.8.0RC3
From: Jaak Ristioja
To: [hidden email]
CC:


Sure! Verifying TLS certificates is explicitly disabled in the file

src/mgr/curlhttpt.cpp

by the lines:

/* Disable checking host certificate */
curl_easy_setopt(session, CURLOPT_SSL_VERIFYPEER, false);

I've attached a patch for Sword SVN trunk which removed these lines. For
the Sword++ commit, see
https://github.com/swordxx/swordxx/commit/49de93ca35f61601376fab0ac8689f48a76dd4d6

J


On 26.06.2017 04:10, Greg Hellings wrote:
> Jaak,
>
> Can you provide a version of that patch for 1.7 (and 1.8, if there is a
> difference)? Or point me to where it lives? I will definitely wrap that
> into the packaging for Fedora and SuSE as it is absolutely inappropriate
> to have SSL checking skipped at the library level without it being a
> very explicit step for users.
>
> If Troy won't fix this glaring security hole, it can at least be fixed
> by the packagers. I would encourage any Debian and/or Ubuntu users to
> file bugs against Sword packaging in their environments (if their
> maintainer isn't here) and the same for any other distribution users.
>
> --Greg
>
> On Sun, Jun 25, 2017 at 6:56 PM, Jaak Ristioja wrote:
>
> Regarding TLS, I think the choice of whether to trust a self-signed
> certificate should explicitly be left to the user at run-time (e.g like
> browsers do), rather than blindly accepting any (even expired?)
> certificates.
>
> Regarding the other fix, frontends can (and already do) handle threading
> by themselves, but afaik even for a single-threaded process the
> callbacks accepted by Sword have no direct means to terminate the
> installation process (e.g. by return value, or via a another callback
> provided to the callback). So it seems that you're either saying that
>
> 1) Sword users have no means to terminate potentially long-running
> processes (and there's no plan to add such means), or
> 2) RemoteTransport::terminate() should never be called separately, but
> exclusively only from inside callbacks invoked by Sword.
>
> In the latter case, this should be made clear in the documentation.
>
> Blessings,
> J
>
> On 25.06.2017 21:53, Troy A. Griffitts wrote:
> > We have included some of your patches in the past (thank you
> again), but
> > not these. The first is intentional. We want to work with self signed
> > certs if necessary. None of our content is private, only the fact
> that a
> > user might access our server and for this, we ask all our frontends to
> > warn against this for persecuted countries. The second goes
> against our
> > policy in the library that all threading should be handled by the
> > client, not the library. The client should instantiate an
> InstallMgr in
> > its own thread and register threads are callbacks, if they wish to
> > install in the background. If we start trying to handle threading
> in the
> > library itself, it is a huge switch from current policy and depends on
> > support for threading in all our compilers. Easy enough to just
> > instantiate separate SWMgr instances per thread. But thank you for
> offering.
> > Troy
> >
> > On June 25, 2017 8:33:53 PM GMT+02:00, Jaak Ristioja
> >
> > wrote:
> >
> > Hi Troy!
> >
> > It seems that no fixes from Sword++ were considered for
> inclusion in SVN
> > trunk, not even the two I explicitly proposed on this list in
> response
> > to the RC2 announcement: one fixing hangs in front ends and
> the other
> > fixing a pure security negligence which rendered SSL/TLS
> susceptible to
> > MitM attacks.
> >
> > ?!?!
> >
> > J
> >

Re: SWORD 1.8.0RC3

Jaak Ristioja-2
Overriding this setting was never possible with Sword in the first place.

On 26.06.2017 11:05, [hidden email] wrote:

> As a user I would want to be able to override this, does this patch make
> this impossible?
>
> Sent from my mobile. Please forgive shortness, typos and weird autocorrects.

Re: SWORD 1.8.0RC3

Peter von Kaehne
In reply to this post by Peter von Kaehne
Fair point, but a change from one to the other may be preferable for philosophical reasons, but practically I - and others - need to be able as users to make a determination what we want to accept and what not, instead of being forced into one direction. And, as tool writer and user (not frontend writer) I need to be able to override such things mechanically, i.e. without further user interaction.  

> Sent: Monday, 26 June 2017 at 10:04
> From: "Jaak Ristioja" <[hidden email]>
> To: [hidden email]
> Subject: Re: [sword-devel] SWORD 1.8.0RC3
>
> Overriding this setting was never possible with Sword in the first place.
>
> On 26.06.2017 11:05, [hidden email] wrote:
> > As a user I would want to be able to override this, does this patch make
> > this impossible?

Re: SWORD 1.8.0RC3

Jaak Ristioja-2
I think we need to make a distinction between developers and end users
here. IMHO it would be best if the end user were presented with a choice
about whether to trust self-signed, unverified or invalid
certificates, and perhaps also given a means to trust the presented
certificate permanently.

PS: I haven't tested it, but adding the self-signed certificates to the
root CA store might be a valid workaround for development purposes.

On 26.06.2017 12:15, Peter Von Kaehne wrote:

> Fair point, but a change from one to the other may be preferable for philosophical reasons, but practically I - and others - need to be able as users to make a determination what we want to accept and what not, instead of being forced into one direction. And, as tool writer and user (not frontend writer) I need to be able to override such things mechanically, i.e. without further user interaction.  

Self signed certs during module install [was: SWORD 1.8.0RC3]

Troy A. Griffitts
In reply to this post by Peter von Kaehne
So, the background and original thinking with this: It was originally
turned on because it wasn't too long ago that CrossWire used self-signed
certificates.

My thinking was that the primary security concerns are twofold: 1) It's not like
a browser where a user is sending data; we're not enabling user data
transmission, but instead just Bible downloads. 2) Persecuted countries:
the destination isn't masked by using https, only which Bible. If
someone is monitoring the download from our site, an authenticated host
connection won't hide that, and if they are monitoring the content, then
it is only the Scriptures.

I'm certainly willing to add a compile flag to enable/disable
self-signed certs.  I'm also willing to make this a runtime option for
the client of the library.

Troy


Re: Self signed certs during module install [was: SWORD 1.8.0RC3]

DM Smith-5
Prior to LetsEncrypt, there was no real free opportunity for certs except self-signed. Other free certs ended the chain (root CA) in something that clients would not recognize without configuration. Practically it appears the same as a self-signed cert. It is unreasonable to have end-users configure for a new root CA. (It is easy enough for an end user to do.)

Ultimately a root CA is a self-signed certificate. The difference is that the public key is installed into the root CA store on the user’s computer or into the user’s “browser’s” store. Then certs signed by that CA are not self-signed. This is essentially what many companies do for internal communication. The DoD likewise.

At CrossWire, we are using LetsEncrypt to provide signed certs. I presume that if a front-end uses the patch in SWORD, that it will work, properly verifying the cert.

IMHO:
The front-end and/or end-user should have the choice to use SSL or not. If SSL, the front-end and/or end-user should be notified whether the cert:
a) doesn’t match the endpoint.
b) is expired.
c) is self-signed.
d) is signed by an unknown CA.

I don’t think it should be a hard fail in the SWORD engine.

Regarding a), I’ve noticed that proxies often do MiTM, substituting their own valid certs but not for the endpoint. In the past, this was not checked by clients. Some clients, e.g. Firefox, now do. (Example: in many airports https://google.com in Firefox won’t work.)

In Him,
DM

On Jun 26, 2017, at 5:38 AM, Troy A. Griffitts <[hidden email]> wrote:

So, the background and original thinking with this: It was originally
turned on because it wasn't too long ago that CrossWire used self-signed
certificates.

My thinking was, primary security concern are twofold: 1) It's not like
a browser where a user is sending data; we're not enabling user data
transmission, but instead just Bible downloads. 2) persecuted countries;
the destination isn't masked by using https, only which Bible. If
someone is monitoring the download from our site, an authenticated host
connection won't hide that, and if they are monitoring the content, then
it is only the Scriptures.

I'm certainly willing to add a compile flag to enable/disable
self-signed certs.  I'm also willing to make this a runtime option for
the client of the library.

Troy


On 06/26/2017 11:26 AM, Jaak Ristioja wrote:
I think we need to make a distinction between developers and end users
here. IMHO it were best if the end user were presented with a choice
about whether to trust the self-signed, unverified or invalid
certificates, and perhaps also provide means to trust the presented
certificate permanently.

PS: I haven't tested it, but adding the self-signed certificates to the
root CA store might be a valid workaround for development purposes.

On 26.06.2017 12:15, Peter Von Kaehne wrote:
Fair point, but a change from one to the other may be preferable for philosophical reasons, but practically I - and others - need to be able as users to make a determination what we want to accept and what not, instead of being forced into one direction. And, as tool writer and user (not frontend writer) I need to be able to override such things mechanically, i.e. without further user interaction.  

Gesendet: Montag, 26. Juni 2017 um 10:04 Uhr
Von: "Jaak Ristioja" <[hidden email]>
An: [hidden email]
Betreff: Re: [sword-devel] SWORD 1.8.0RC3

Overriding this setting was never possible with Sword in the first place.

On 26.06.2017 11:05, [hidden email] wrote:
As a user I would want to be able to override this, does this patch make
this impossible?

Sent from my mobile. Please forgive shortness, typos and weird autocorrects.


-------- Original Message --------
Subject: Re: [sword-devel] SWORD 1.8.0RC3
From: Jaak Ristioja
To: [hidden email]
CC:


   Sure! Verifying TLS certificates is explicitly disabled the file

   src/mgr/curlhttpt.cpp

   by the lines:

   /* Disable checking host certificate */
   curl_easy_setopt(session, CURLOPT_SSL_VERIFYPEER, false);

   I've attached a patch for Sword SVN trunk which removed these lines. For
   the Sword++ commit, see
   https://github.com/swordxx/swordxx/commit/49de93ca35f61601376fab0ac8689f48a76dd4d6

   J


   On 26.06.2017 04:10, Greg Hellings wrote:
Jaak,

Can you provide a version of that patch for 1.7 (and 1.8, if there
   is a
difference)? Or point me to where it lives? I will definitely wrap
   that
into the packaging for Fedora and SuSE as it is absolutely
   inappropriate
to have SSL checking skipped at the library level without it being a
very explicit step for users.

If Troy won't fix this glaring security hole, it can at least be fixed
by the packagers. I would encourage any Debian and/or Ubuntu users to
file bugs against Sword packaging in their environments (if their
maintainer isn't here) and the same for any other distribution users.

--Greg

On Sun, Jun 25, 2017 at 6:56 PM, Jaak Ristioja > > wrote:

Regarding TLS, I think the choice of whether to trust a self-signed
certificate should explicitly be left to the user at run-time (e.g
   like
browsers do), rather than blindly accepting any (even expired?)
certificates.

Regarding the other fix, frontends can (and already do) handle
   threading
by themselves, but afaik even for a single-threaded process the
callbacks accepted by Sword have no direct means to terminate the
installation process (e.g. by return value, or via a another callback
provided to the callback). So it seems that you're either saying that

1) Sword users have no means to terminate potentially long-running
processes (and there's no plan to add such means), or
2) RemoteTransport::terminate() should never be called separately, but
exclusively only from inside callbacks invoked by Sword.

In the latter case, this should be made clear in the documentation.

Blessings,
J

On 25.06.2017 21 :53, Troy A. Griffitts wrote:
We have included some of your patches in the past (thank you
again), but
not these. The first is intentional. We want to work with self
   signed
certs if necessary. Non of our content is private, only the fact
that a
user might access our server and for this, we ask all our
   frontends to
warn against this for persecuted countries. The second goes
against our
policy in the library that all threading should be handled by the
client, not the library. The client should instantiate an
InstallMgr in
its own thread and register threads are callbacks, if they wish to
install in the background. If we start trying to handle threading
in the
library itself, it is a huge switch from current policy and
   depends on
support for threading in all our compilers. Easy enough to just
instantiate separate SWMgr instances per thread. But thank you for
offering.
Troy

On June 25, 2017 8:33:53 PM GMT+02:00, Jaak Ristioja

wrote:

Hi Troy!

It seems that no fixes from Sword++ were considered for
inclusion in SVN
trunk, not even the two I explicitly proposed on this list in
response
to the RC2 announcement: one fixing hangs in front ends and
the other
fixing a pure security negligence which rendered SSL/TLS
susceptible to
MitM attacks.

?!?!

J

On 25.06.2017 18 :51, Troy A. Griffitts
wrote:

--
Sent from my Android device with K-9 Mail. Please excuse my brevity.



Re: Self signed certs during module install [was: SWORD 1.8.0RC3]

Peter von Kaehne
Von: "DM Smith" <[hidden email]>

> Ultimately a root CA is a self-signed certificate. The difference is that the public key is installed into the root CA store on the user's computer or into the user's "browser's" store. Then certs signed by that CA are not self-signed. This is essentially what many companies do for internal communication. The DoD likewise.

Which makes me think whether we could avoid the trouble we have annually or so with certs to now expand into module distribution by distributing our own cert/signature within the library?

Peter


Re: Self signed certs during module install [was: SWORD 1.8.0RC3]

DM Smith-5

> On Jun 26, 2017, at 8:24 AM, Peter Von Kaehne wrote:
>
> Von: "DM Smith"
>> Ultimately a root CA is a self-signed certificate. The difference is that the public key is installed into the root CA store on the user's computer or into the user's "browser's" store. Then certs signed by that CA are not self-signed. This is essentially what many companies do for internal communication. The DoD likewise.
>
> Which makes me think whether we could avoid the trouble we have annually or so with certs to now expand into module distribution by distributing our own cert/signature within the library?

I don’t think this is a reasonable solution. I’ve installed such on my computers and it isn’t a simple mechanism. The mechanism differs by OS and by client program (e.g. browser). I’ve not figured out how to do it on a tablet or a phone. Companies that use such often control the connected computing devices.

LetsEncrypt is a better root CA as it is recognized by all modern OSes without user intervention. I.e. it is authoritative.

The problems we’ve had with renewing the cert is a solvable problem that I’m able to fix. BTW, I get emails from LetsEncrypt in advance of the cert expiring. If it expires, it is my fault for waiting. A couple of days before it expires, if I’m still getting emails I know that the automation has failed and needs my intervention.

In Him,
        DM



Re: Self signed certs during module install [was: SWORD 1.8.0RC3]

Jaak Ristioja-2
In reply to this post by Troy A. Griffitts
On 26.06.2017 12:38, Troy A. Griffitts wrote:
> I'm certainly willing to add a compile flag to enable/disable
> self-signed certs.  I'm also willing to make this a runtime option for
> the client of the library.

Beware that the user prompt you added to utilities/installmgr.cpp in SVN
3485 ("Added configurable parameter in InstallMgr.conf,
UnverifiedPeerAllowed=true|false") is rather insecure:

    cout << "Would you like to allow unverified peers? [yes] ";

    char prompt[10];
    fgets(prompt, 9, stdin);
    allowed = (strcmp(prompt, "no\n"));
    cout << "\n";

If the user types "No", "NO" or " no" or "no " the variable allowed gets
set to true. I'd use something like !strcmp(prompt, "YES\n") instead to
be on the safer side. To be even more safe, only "YES" or "NO" should be
allowed as valid inputs, and if the user enters something else, the
prompt should be retried instead.

Additionally, if the user enters a long string, only part of it is
consumed by fgets and the rest is left in the input buffer (to be
consumed by some next fgets call?).

Best regards,
J


PS: I think you can pass size 10 instead of 9 to fgets.
PPS: Please consider using an enum instead of a bool for such variables.
They usually have the same size anyway, because enums usually have
sizeof(int) and so do bools on most platforms. As opposed to
createBasicBuffer(ENABLE_REMOTE, CROSSWIRE_REMOTE,
ALLOW_UNVERIFIED_TLS_PEERS); stuff like createBasicConfig(true, false,
false); is really cryptic, and the reader must jump through an extra
hoop to understand the exact semantics of such function calls.
PPPS: I'm not going to merge that into Sword++.

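A safer version of the yes/no prompt discussed in the message above, added here as an illustration; it is not code from SWORD's utilities/installmgr.cpp or from Sword++. The names parseYesNo, readLine, promptUnverifiedPeers and answerFromInput are chosen for this example, and it assumes nothing about the library's InstallMgr API. It accepts only "yes" or "no" (relaxed from the exact "YES"/"NO" suggested in the post to case-insensitive with surrounding whitespace ignored, a deliberate design choice), re-prompts on anything else, reads the whole line so that an over-long answer cannot linger in the input buffer for a later read, and fails closed, leaving certificate verification enabled, on EOF or after repeated invalid answers. The three-state Answer enum follows the post's suggestion to avoid bare bools at call sites.

```cpp
#include <cctype>
#include <iostream>
#include <sstream>
#include <string>

// Three-state answer instead of a bare bool, as the post suggests: call
// sites read as Answer::Yes / Answer::No rather than an opaque true/false.
enum class Answer { Yes, No, Invalid };

// Map one line of user input to an answer. Only "yes" or "no" (any case,
// surrounding whitespace ignored) are accepted; everything else is Invalid.
// Contrast with the original allowed = strcmp(prompt, "no\n"), where "No",
// " no", "no " or a typo all silently enable unverified peers.
Answer parseYesNo(const std::string& line) {
    std::string s;
    for (unsigned char c : line) {
        if (!std::isspace(c)) s.push_back(static_cast<char>(std::tolower(c)));
    }
    if (s == "yes") return Answer::Yes;
    if (s == "no")  return Answer::No;
    return Answer::Invalid;
}

// Read a whole line. std::getline consumes through the newline, so an
// over-long answer is never left behind for the next prompt to misread
// (the leftover-input problem the post describes with fgets(prompt, 9, stdin)).
// Returns false on EOF or read error.
bool readLine(std::istream& in, std::string& line) {
    return static_cast<bool>(std::getline(in, line));
}

// Ask whether unverified TLS peers should be allowed. Re-prompts on invalid
// input and fails closed (returns false) on EOF or after maxTries attempts,
// so a security-relevant option is never enabled by an ambiguous answer.
bool promptUnverifiedPeers(std::istream& in, std::ostream& out, int maxTries = 3) {
    std::string line;
    for (int attempt = 0; attempt < maxTries; ++attempt) {
        out << "Allow unverified TLS peers (no certificate check)? [yes/no] ";
        if (!readLine(in, line)) {
            out << "\nNo input; keeping certificate verification enabled.\n";
            return false;
        }
        switch (parseYesNo(line)) {
            case Answer::Yes: return true;
            case Answer::No:  return false;
            case Answer::Invalid:
                out << "Please answer exactly \"yes\" or \"no\".\n";
        }
    }
    out << "Too many invalid answers; keeping certificate verification enabled.\n";
    return false;
}

// Run the prompt over a canned input string (constructed input, used for
// demonstration and testing rather than a live terminal).
bool answerFromInput(const std::string& input) {
    std::istringstream in(input);
    std::ostringstream sink;  // discard prompt text
    return promptUnverifiedPeers(in, sink);
}

int main() {
    // Interactive use: read the real answer from stdin.
    bool allowed = promptUnverifiedPeers(std::cin, std::cout);
    std::cout << "UnverifiedPeerAllowed=" << (allowed ? "true" : "false") << "\n";
    return 0;
}
```

The fail-closed default matters more than the parsing detail: for a flag that turns off peer verification, every path that is not an explicit "yes" should leave verification on.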