We need to switch to openssl 1.0.2 on jessie in support of multiple certs for ECDSA in the short term, and regardless of that we're going to need it by later this year to start trying out HTTP/2 + ALPN.
It's currently [[ https://packages.debian.org/stretch/openssl | available in Stretch ]], and I've installed the stretch binary packages straight onto a jessie test host without issue, but we'd want to rebuild for any real deployment.
Aside from the basic re-build on jessie, I think there's one extra patch we should consider, and one security non-issue that should at least be mentioned here:
- **Patch** - We could patch in [[ https://github.com/cloudflare/sslconfig/blob/master/patches/openssl__chacha20_poly1305_cf.patch | a high-perf implementation of chacha20poly1305 from Cloudflare ]]. Supposedly this is a secure option for reducing mobile CPU usage (and thus slowness) and is supported by at least some Android 5 devices. Deciding whether to include this patch would be separate from actually turning on support for it in our cipher list, but I think we may as well add the patch to give ourselves the option and then we can make the ciphersuite decision afterwards. Cloudflare's general blog post on the topic: https://blog.cloudflare.com/do-the-chacha-better-mobile-performance-with-cryptography/
- **Sec Non-Issue** - According to [[ https://security-tracker.debian.org/tracker/source-package/openssl | Debian's Security Tracker ]], the Stretch 1.0.2c-1 package lacks fixes for [[ https://security-tracker.debian.org/tracker/CVE-2015-4000 | CVE-2015-4000 / Logjam ]] which our jessie 1.0.1 package already has. I bring this up mostly because if I didn't, someone else probably would, but I don't think we need to patch for this:
  1. we're not enabling DHE or export-grade ciphers in our server configs, so we're not generally vulnerable to this in the first place due to our configuration, regardless of the code-level issue.
  2. openssl-1.0.2 already limits the attack further by setting minimum key sizes for DHE and EC. Even if we did for some unfathomable reason turn DHE_EXPORT ciphers on, the downgrade would be limited to 768-bit rather than the 512-bit possible with unpatched 1.0.1.
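
One way to verify point 1 above, that a server cipher string enables no DHE or export-grade suites. This is an added example, not part of the original task or of any deployed configuration. It expands the string with whatever OpenSSL is linked into Python; the function names and the sample cipher strings are constructed for illustration.

```python
import ssl

def classify(name, kea=""):
    """Return the reasons an OpenSSL suite name is unwanted: 'DHE', 'EXPORT'."""
    reasons = []
    # Finite-field DH key exchange: Python reports 'kx-dhe' (or 'kx-dhe-psk');
    # the name checks cover suites for which no kea field is available.
    if kea.startswith("kx-dhe") or name.startswith(("DHE-", "EDH-", "ADH-")) \
            or "-EDH-" in name or "-ADH-" in name:
        reasons.append("DHE")
    # Export-grade suites carry the EXP- prefix in OpenSSL naming.
    if name.startswith("EXP-"):
        reasons.append("EXPORT")
    return reasons

def audit_cipher_string(cipher_string):
    """Expand cipher_string with the linked OpenSSL; map flagged suite -> reasons."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.set_ciphers(cipher_string)  # raises ssl.SSLError if no suite matches
    flagged = {}
    for c in ctx.get_ciphers():
        reasons = classify(c["name"], c.get("kea") or "")
        if reasons:
            flagged[c["name"]] = reasons
    return flagged

# Constructed sample strings, not the configuration discussed in the task.
ECDHE_ONLY = "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256"
WITH_DHE = ECDHE_ONLY + ":DHE-RSA-AES128-GCM-SHA256"

if __name__ == "__main__":
    for label, s in (("ECDHE only", ECDHE_ONLY), ("with DHE", WITH_DHE)):
        print(label, audit_cipher_string(s) or "clean")
```

Current OpenSSL builds no longer ship export suites, so on a modern host the `EXPORT` check only fires when `classify` is given a suite name directly, for example one taken from the output of an older build.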