Yota

The current firmware is using OpenSSL 1.1.1, which already reached end of support in September 2023. This means that it has no longer been possible to get public security updates since last month. I still remember that it took about a year to migrate from OpenSSL 1.0.2 to 1.1.1 in 2019. I know there's so much to test out there, but luckily we got there in time, and now that we're out of time, does Asus have a plan for us to move forward?

Can some services used in Asuswrt-Merlin (such as OpenVPN) be linked to OpenSSL 3.0 for the transition, like it was done in 384.10?

Don't get me wrong, I really appreciate what RMerlin and Asus are doing to improve router security, I just want to know if there are plans for the future, in fact in 3004.388.4 and 386.12, RMerlin once again brings us to the latest version of OpenSSL (1.1.1u), so thank you very much.
 
Having two separate versions of OpenSSL in parallel is very problematic, so I'd rather avoid that. Migration to OpenSSL 3.x will have to be done by Asus due to the large amount of closed source components also linking against it.

I already discussed it with Asus last spring, so they were aware that OpenSSL 1.1.1's EOL was coming this fall. I don't have anything else to share about their plans at this time. It will probably take them some time, some of their current components (like OpenVPN 2.4.x) are not compatible with it, so they will need to also update these other components first.

The move to OpenSSL 3.0 will be more complicated than moving to 1.1.1, as 3.0 is stricter. For instance, it will break a lot of existing OpenVPN configurations as 3.0 will reject older/weaker SHA signatures that are probably present on a lot of routers' OpenVPN configurations that were done using these older hashes. Migrating to 3.0 will require all of these persons to reconfigure their OpenVPN servers, and deploy updated config files to all of their clients. So, it's not something trivial.
 
> Having two separate versions of OpenSSL in parallel is very problematic, so I'd rather avoid that. Migration to OpenSSL 3.x will have to be done by Asus due to the large amount of closed source components also linking against it.

> I already discussed it with Asus last spring, so they were aware that OpenSSL 1.1.1's EOL was coming this fall. I don't have anything else to share about their plans at this time. It will probably take them some time, some of their current components (like OpenVPN 2.4.x) are not compatible with it, so they will need to also update these other components first.

> The move to OpenSSL 3.0 will be more complicated than moving to 1.1.1, as 3.0 is stricter. For instance, it will break a lot of existing OpenVPN configurations as 3.0 will reject older/weaker SHA signatures that are probably present on a lot of routers' OpenVPN configurations that were done using these older hashes. Migrating to 3.0 will require all of these persons to reconfigure their OpenVPN servers, and deploy updated config files to all of their clients. So, it's not something trivial.
Thanks for the info, I have a feeling we won't see OpenSSL 3.0 for a long time. Maybe this is the end?
 
> Having two separate versions of OpenSSL in parallel is very problematic, so I'd rather avoid that. Migration to OpenSSL 3.x will have to be done by Asus due to the large amount of closed source components also linking against it.

> I already discussed it with Asus last spring, so they were aware that OpenSSL 1.1.1's EOL was coming this fall. I don't have anything else to share about their plans at this time. It will probably take them some time, some of their current components (like OpenVPN 2.4.x) are not compatible with it, so they will need to also update these other components first.

> The move to OpenSSL 3.0 will be more complicated than moving to 1.1.1, as 3.0 is stricter. For instance, it will break a lot of existing OpenVPN configurations as 3.0 will reject older/weaker SHA signatures that are probably present on a lot of routers' OpenVPN configurations that were done using these older hashes. Migrating to 3.0 will require all of these persons to reconfigure their OpenVPN servers, and deploy updated config files to all of their clients. So, it's not something trivial.
The iOS OpenVPN Connect app version 3.4.0 was recently updated to use OpenSSL 3.0.8. Will it still be compatible with RMerlin's 388.4 OpenVPN server? I know I can test it myself when I get back, but for now just wondering. Based on your post above, my guess is it won't?
 
> The iOS OpenVPN Connect app version 3.4.0 was recently updated to use OpenSSL 3.0.8. Will it still be compatible with RMerlin's 388.4 OpenVPN server? I know I can test it myself when I get back, but for now just wondering.
I'm afraid you'll have to test it yourself, RMerlin's phone is not an iPhone.
 
> I'm afraid you'll have to test it yourself, RMerlin's phone is not an iPhone.
Very true, but OpenVPN usually updates all their platforms to the same level, so I assume Android, Windows, etc. will follow if not there.
 
> The iOS OpenVPN Connect app version 3.4.0 was recently updated to use OpenSSL 3.0.8. Will it still be compatible with RMerlin's 388.4 OpenVPN server? I know I can test it myself when I get back, but for now just wondering. Based on your post above, my guess is it won't?
If you configured your OpenVPN server with 3004.388.4 then it will be perfectly compatible. The issue is if you configured the OpenVPN server 4-5 years ago, in which case you will just need to re-generate new certificates, because you need certificates with a SHA256 signature instead of SHA1.
 
> Why? Asus will definitely upgrade OpenSSL at some point.
Sorry, I meant there are multiple branches of Asuswrt currently and I'm pessimistic about some branches getting updates.

What do you think are the chances of getting OpenSSL 3.0 for those firmware branches that can't be updated to 3006?
 
> Sorry, I meant there are multiple branches of Asuswrt currently and I'm pessimistic about some branches getting updates.

> What do you think are the chances of getting OpenSSL 3.0 for those firmware branches that can't be updated to 3006?
Hard to tell for sure. I'm fairly certain that 388 will get 3.0 since they have a lot of current products on that branch. Unsure about 386. But that's just my personal speculations.
 
> Hard to tell for sure. I'm fairly certain that 388 will get 3.0 since they have a lot of current products on that branch. Unsure about 386. But that's just my personal speculations.
OK, thank you for sharing your thoughts. I think wifi 5 is not far from going into the trash can. :(
 
> I think wifi 5 is not far from going into the trash can. :(
That's a bit of a stretch - Wifi 4 (wireless N) and Wifi 3 (g/n) are still used and useful
 
> I think wifi 5 is not far from going into the trash can. :(

It will be used for many more years. Did Wi-Fi 4 go into the trash can?
 
> That's a bit of a stretch - Wifi 4 (wireless N) and Wifi 3 (g/n) are still used and useful

> It will be used for many more years.

Sorry for not making my point clear.

No one is talking about RT-N66U on this forum (Asuswrt-Merlin) today, I am not talking about wifi 5 technology, but wifi 5 routers, or to be precise Asus' RT-AC routers, to be more and more precise those routers that cannot get 388 :rolleyes:
 
> the latest version of OpenSSL (1.1.1u)

One of my Raspberry Pis is still on Raspbian OS 11 (Bullseye); today it updated OpenSSL to 1.1.1w (from 11 Sep 2023), so "u" is no longer the latest?

I upgraded another Pi to Raspbian OS 12 (Bookworm) yesterday; they now use OpenSSL 3.0.11 (from 19 Sep 2023) by default.

I hope Asus will indeed migrate to OpenSSL 3 in the 388 firmware (and even more that we get an Asuswrt-Merlin firmware based on that).
 
> but wifi 5 routers

Wi-Fi 5 routers will be killed for marketing purposes. Users have to upgrade to get further support.
 
> One of my Raspberry Pis is still on Raspbian OS 11 (Bullseye); today it updated OpenSSL to 1.1.1w (from 11 Sep 2023), so "u" is no longer the latest?

> I upgraded another Pi to Raspbian OS 12 (Bookworm) yesterday; they now use OpenSSL 3.0.11 (from 19 Sep 2023) by default.

> I hope Asus will indeed migrate to OpenSSL 3 in the 388 firmware (and even more that we get an Asuswrt-Merlin firmware based on that).

One thing to clarify there: when I say latest version, I'm talking about the latest available OpenSSL at the time of the firmware release. 3004.388.4 was released two months ago, and 386.12 is also a month old. When RMerlin released these firmwares, 1.1.1u was the latest version; after that, OpenSSL was updated to the final version 1.1.1w on September 11. That day is the day of EOL 🪦

> Wi-Fi 5 routers will be killed for marketing purposes. Users have to upgrade to get further support.

That's what I'm talking about and worrying about.




Edit:
Why is the headstone emoji on this forum with a bird on it? It looks like it is commemorating Twitter.
[Attached image: Headstone.png]
 
> That's what I'm talking about and worrying about.

This is how it works on the consumer market. Disposable hardware. Nothing to worry about. Upgrade.
 
> The iOS OpenVPN Connect app version 3.4.0 was recently updated to use OpenSSL 3.0.8. Will it still be compatible with RMerlin's 388.4 OpenVPN server? I know I can test it myself when I get back, but for now just wondering. Based on your post above, my guess is it won't?

Update
With the new OpenVPN Connect app V3.4.0 and the security level set to "preferred", I got this.
[Attached image: IMG_0295.png]

I have to choose "Legacy" to successfully connect to the server.

[Attached image: IMG_0294.jpg]


It's less secure for now, but it's fine until Asus updates to OpenSSL 3.
 