Skip to content

Wired Client 2.5-50
Compare
Choose a tag to compare
@nark nark released this 21 Apr 22:01
· 49 commits to master since this release
2.5-50
afb5fab

Moving from old OpenSSL

Some part of libwired relies on OpenSSL when running on other OS than macOS. OpenSSL library evolved a lot these last years to provide patches and improve overall security. This also comes with downsides where it is very hard to keep old OpenSSL versions compliant with recent OpenSSL versions.

Regarding libwired, the following issues has been addressed:

  • The RSA Public Key is now 2048 bits as recommended (instead of 1024)
  • RSA initialisation now uses RSA_new()
  • Cipher context initialisation updated to use EVP_CIPHER_CTX_new
  • 2048 Public Key allow usage of bigger digest as SHA256 and SHA512

This Release of Wired Client already implements all these changes and it is highly recommended to update to this new version:

Broken Releases

Some of us already run the latest version of the server with latest OpenSSL on Linux, but the official macOS version is not yet released, because I mainly want more users to migrate to the latest version of the client.

In the process of updating to this new version, some existing Wired Client versions has been identified as « broken » and sometimes cannot connect or transfer data with Wired Server running latest OpenSSL versions. Those versions are the following:

  • Wired Client 2.1.1 (310) [cannot connect]
  • Wired Client 2.4 (363) [cannot connect]
  • Wired Client 2.5 (46) [transfer issue]

But maybe other versions in between are also affected. Again to be sure to not experience this issue, it is highly recommended to update to thes new client versions listed above.

NB: If you are using an old macOS version (< 10.10), I recommend you to use the version 2.1 (309) available here.

About SHA1/256/512

Wired 2.0 and upper currently uses SHA1 digest as default algorithm for 3 main purposes:

  • binary data checksum: integrity of each chunk of data transferred is validated using a SHA1 checksum
  • password of the AES private key: when handshaking, server and client exchange a secret key pair hashed with SHA1
  • user account password: user password are blind checked using SHA1 hash at login and stored as it in the database

SHA1 has been proven weak since some time now, so it was required to modernise the protocol.
The both first items of the list above are completely covered by the following update.

Wired protocol now provides SHA256 and SHA256 digests, and that introduces the 10 new following encryption schemes:

  • RSA - AES/128 - SHA256
  • RSA - AES/192 - SHA256
  • RSA - AES/256 - SHA256
  • RSA - BF/128 - SHA256
  • RSA - 3DES/192 - SHA256
  • RSA - AES/128 - SHA512
  • RSA - AES/192 - SHA512
  • RSA - AES/256 - SHA512
  • RSA - BF/128 - SHA512
  • RSA - 3DES/192 - SHA512

Wired Client default encryption scheme is RSA - AES/256 - SHA1 when creating new connection. These encryption cipher and digest will continue to work as default for both client and server. However, Wired Server now supports all the previously listed scheme, as Wired Client, that can enforce it in the Edit Bookmark panel.

If the requested encryption scheme is not supported by the server, the connection will fallback to RSA - AES/128 - SHA1, first of the list. If you want to use SHA256/512, be sure to configure it for servers that support it, otherwise it will weaken your encryption cipher.

About the user account password, this version of Wired will continue to use SHA1 for now, but I hope moving to bcrypt someday, which is now the recommended algorithm for password hashing and database storage. And it is a much sensitive affair.

To summarise, nothing change and everything should be totally transparent for you, as you update the client, nor the server, or nothing at all.

Assets 4
Loading