Last active August 29, 2015 14:07
FreeBSD LibreSSL info from frogs
http://pastebin.com/raw.php?i=3J2M0qTU
switching FreeBSD ports from OpenSSL to LibreSSL

* identify which programs and libraries are linked against the base-system OpenSSL
* base-system programs (like OpenSSH) cannot be switched; install the ports equivalent (security/openssh-portable) instead
# ldd everything under /usr/local; keep only the "binary:" header lines and the
# libcrypto lines, then print the header that precedes each hit on the base
# /lib/libcrypto.so.* (the -B1 trick only works because of the egrep filter)
sh -c 'find /usr/local -type f -exec ldd {} + 2> /dev/null | \
    egrep ":|libcrypto.so" | \
    grep -B1 "`ls /lib/libcrypto.so.*`" | \
    grep -v -- --'
* deinstall the packages that own the files printed (pkg which <file> names the package)
in /etc/make.conf:
WITH_OPENSSL_PORT=yes
OPENSSL_PORT=security/libressl
OPENSSL_SHLIBVER=30
* reinstall the programs and libraries you deinstalled; they will now link against LibreSSL
* run the find command above again to check for anything left behind.
  Some ports use OpenSSL but are missing USE_OPENSSL=yes from their Makefile, so they
  ignore the settings above and keep linking the base OpenSSL. That is a port bug and
  should be reported.
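The check in the steps above, as an added example that is not part of the original notes: a small sh script that parses FreeBSD ldd(1) output and prints each binary under /usr/local whose libcrypto or libssl still resolves to the base system (/lib or /usr/lib) instead of the ports LibreSSL in /usr/local/lib. It goes a little beyond the one-liner above in that it also catches base libssl (which lives in /usr/lib, not /lib) and maps the hits to owning packages with pkg which. The ldd output format it assumes, the sample output it embeds and the package-mapping step are assumptions made for the example; owning_packages needs FreeBSD's pkg(8) and is not exercised by the demo.

```shell
#!/bin/sh
# Added example, not from the original notes. Parses FreeBSD ldd(1) output
# and reports binaries that still resolve libcrypto/libssl to the base
# system instead of the ports LibreSSL in /usr/local/lib.
#
# Assumed ldd format (FreeBSD):
#   /usr/local/bin/foo:
#           libcrypto.so.7 => /lib/libcrypto.so.7 (0x800a00000)

# Read ldd output on stdin; print each binary once if its libcrypto or
# libssl resolves under /lib or /usr/lib (i.e. the base OpenSSL).
base_openssl_users() {
    awk '
        /:$/ { bin = substr($0, 1, length($0) - 1); next }
        $2 == "=>" && $1 ~ /^lib(crypto|ssl)\.so/ &&
            $3 ~ /^\/(usr\/)?lib\/lib(crypto|ssl)\.so/ &&
            !seen[bin]++ { print bin }
    '
}

# Map the hit paths to the ports packages that own them.
# Needs FreeBSD pkg(8); assumption for the example, not run in the demo.
owning_packages() {
    base_openssl_users | xargs -n 1 pkg which -q 2>/dev/null | sort -u
}

# Constructed sample ldd output standing in for a real
#   find /usr/local -type f -exec ldd {} + 2>/dev/null
# curl and wget link the base OpenSSL, nginx already uses LibreSSL.
sample_ldd_output() {
    cat <<'EOF'
/usr/local/bin/curl:
        libcurl.so.4 => /usr/local/lib/libcurl.so.4 (0x800a00000)
        libcrypto.so.7 => /lib/libcrypto.so.7 (0x800c00000)
        libssl.so.7 => /usr/lib/libssl.so.7 (0x800e00000)
/usr/local/sbin/nginx:
        libssl.so.30 => /usr/local/lib/libssl.so.30 (0x800a00000)
        libcrypto.so.30 => /usr/local/lib/libcrypto.so.30 (0x800c00000)
/usr/local/bin/wget:
        libcrypto.so.7 => /lib/libcrypto.so.7 (0x800c00000)
EOF
}

# Demo on the sample. On a real host pipe the find|ldd output into
# base_openssl_users (or owning_packages) instead.
sample_ldd_output | base_openssl_users
```

On the sample this prints /usr/local/bin/curl and /usr/local/bin/wget; nginx is left alone because both of its libraries already come from /usr/local/lib. Rerun it after the reinstall step and anything it still prints is a port missing USE_OPENSSL=yes.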
* issues!
works:
inn-2.5.4_2
nginx-1.6.2,2
opensmtpd-5.4.2_4,1
openssh-portable-6.6.p1_3,1
postgresql93-client-9.3.5
postgresql93-server-9.3.5
ssmtp-2.64_1
tor-devel-0.2.5.8.r
unbound-1.4.22_4
some ports do not compile with LibreSSL.

LibreSSL has removed support for EGD (the entropy gathering daemon)
https://en.wikipedia.org/wiki//dev/random#EGD_as_an_alternative
EGD was only needed on commercial UNIX systems that shipped without /dev/random; every
release that needed it has reached end of support, or (HP-UX 11i v2) is about to:
OS       EGD needed until   OS release   End-of-support
IRIX     6.5.19             Feb 2003     Dec 2013
Solaris  2.6                Jul 1997     Jul 2006
AIX      5.2                Oct 2002     Apr 2009
Tru64    5.1B               Sep 2002     Dec 2012
HP-UX    11i v2             Sep 2003     Dec 2015
affected:
python27-2.7.8_5 http://bugs.python.org/issue21356
/work/a/ports/lang/python27/work/Python-2.7.8/Modules/_ssl.c:1613:13: warning: implicit declaration of function 'RAND_egd' is invalid in C99 [-Wimplicit-function-declaration]
    bytes = RAND_egd((((PyStringObject *)(arg))->ob_sval));
            ^
1 warning generated.
*** WARNING: renaming "_ssl" since importing it failed: build/lib.freebsd-9.3-STABLE-amd64-2.7/_ssl.so: Undefined symbol "RAND_egd"
note that the python build itself succeeds: the _ssl module is silently dropped, so you
get a working python with no ssl module at all unless you check for this warning.
wget-1.15_2
openssl.c:91:5: warning: implicit declaration of function 'RAND_egd' is invalid in C99 [-Wimplicit-function-declaration]
    RAND_egd (opt.egd_file);
    ^
1 warning generated.
cc -O2 -pipe -fno-strict-aliasing -L/usr/local/lib -L/usr/local/lib -Wl,-rpath,/usr/local/lib -L/usr/local/lib -o wget cmpt.o connect.o convert.o cookies.o ftp.o css_.o css-url.o ftp-basic.o ftp-ls.o hash.o host.o html-parse.o html-url.o http.o init.o log.o main.o netrc.o progress.o ptimer.o recur.o res.o retr.o spider.o url.o warc.o utils.o exits.o build_info.o iri.o version.o ftp-opie.o openssl.o http-ntlm.o ../lib/libgnu.a /usr/local/lib/libiconv.so -Wl,-rpath -Wl,/usr/local/lib /usr/local/lib/libintl.so -Wl,-rpath -Wl,/usr/local/lib /usr/local/lib/libssl.so /usr/local/lib/libcrypto.so -Wl,-rpath -Wl,/usr/local/lib -lz -lidn
openssl.o: In function `ssl_init':
/ccache/tmp/openssl.tmp.j9-dirty-amd64.31383.i:(.text+0x7d): undefined reference to `RAND_egd'
cc: error: linker command failed with exit code 1 (use -v to see invocation)
LibreSSL has removed support for TLS compression
https://en.wikipedia.org/wiki/Transport_Layer_Security#CRIME_and_BREACH_attacks
TLS-level compression is what the CRIME attack exploits; the next version of TLS (1.3)
removes compression from the protocol entirely.
affected:
socat-1.7.2.4
In file included from xiohelp.c:8:
In file included from ./xioopen.h:15:
./sslcls.h:53:7: error: unknown type name 'COMP_METHOD'
const COMP_METHOD *sycSSL_get_current_compression(SSL *ssl);
      ^
./sslcls.h:54:7: error: unknown type name 'COMP_METHOD'
const COMP_METHOD *sycSSL_get_current_expansion(SSL *ssl);
      ^
./sslcls.h:55:40: error: unknown type name 'COMP_METHOD'
const char *sycSSL_COMP_get_name(const COMP_METHOD *comp);
                                       ^
3 errors generated.
*** [xiohelp.o] Error code 1
tor-0.2.4.24
tor added support for LibreSSL almost immediately, but only in the development branch;
use security/tor-devel until security/tor reaches 0.2.5.
src/common/tortls.c:1350:20: error: no member named 'comp_methods' in 'struct ssl_ctx_st'
  if (result->ctx->comp_methods)
      ~~~~~~~~~~~  ^
src/common/tortls.c:1351:18: error: no member named 'comp_methods' in 'struct ssl_ctx_st'
  result->ctx->comp_methods = ((void *)0);
  ~~~~~~~~~~~  ^
2 errors generated.
gmake[1]: *** [src/common/tortls.o] Error 1
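Both kinds of build failure above (EGD in python27 and wget, compression in socat and tor) can be predicted before spending a build on them by grepping the extracted source for the APIs LibreSSL dropped. The sh script below is an added example, not part of the original notes: it scans a source tree for the symbols named in the errors on this page and reports each hit with its category, returning non-zero if anything was found. The symbol lists are taken from this page and are not exhaustive; the sample tree the script builds is constructed for the demo and only mimics wget's openssl.c and socat's sslcls.h, it is not the real project source.

```shell
#!/bin/sh
# Added example, not from the original notes: pre-flight scan of a port's
# extracted source for OpenSSL APIs that LibreSSL removed, so the EGD and
# compression build failures quoted above can be spotted before building.
# The symbol lists come from the errors on this page and are not exhaustive.

EGD_SYMS='RAND_egd'
COMP_SYMS='COMP_METHOD|SSL_get_current_compression|SSL_get_current_expansion|SSL_COMP_get_name|comp_methods'

# Usage: scan_removed_apis <srcdir>
# Prints "category:file:line:text" per hit; returns 1 if anything was found.
scan_removed_apis() {
    srcdir=$1
    found=0
    for entry in "egd=$EGD_SYMS" "compression=$COMP_SYMS"; do
        category=${entry%%=*}
        syms=${entry#*=}
        # Only C sources and headers. The extra /dev/null argument makes
        # grep print the file name even when handed a single file.
        hits=$(find "$srcdir" -type f \( -name '*.c' -o -name '*.h' \) \
                   -exec grep -nE "$syms" /dev/null {} + 2>/dev/null) || true
        if [ -n "$hits" ]; then
            found=1
            printf '%s\n' "$hits" | sed "s/^/$category:/"
        fi
    done
    return $found
}

# Constructed sample tree mimicking the wget and socat failures above;
# these files are stand-ins for the demo, not the real project sources.
make_sample_tree() {
    d=$(mktemp -d)
    mkdir -p "$d/src"
    printf 'static void ssl_init(void) {\n  RAND_egd (opt.egd_file);\n}\n' > "$d/src/openssl.c"
    printf 'const COMP_METHOD *sycSSL_get_current_compression(SSL *ssl);\n' > "$d/src/sslcls.h"
    printf 'int add(int a, int b) { return a + b; }\n' > "$d/src/clean.c"
    printf 'RAND_egd mentioned in prose only, not scanned\n' > "$d/README"
    printf '%s\n' "$d"
}

# Demo on the sample tree. On a real port, after make extract, run
#   scan_removed_apis <portdir>/work/<distname>
tree=$(make_sample_tree)
scan_removed_apis "$tree" || echo "found APIs that LibreSSL has removed"
rm -rf "$tree"
```

A hit here means the port needs a source patch that compiles the call out (as the upstream fixes for these projects did), not just a rebuild against LibreSSL; a clean scan is no guarantee, since the lists only cover the symbols seen on this page.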
some programs build but do not work correctly with LibreSSL
affected:
squid-3.4.8_1 http://www.squid-cache.org/Doc/code/gadgets_8cc_source.html#l00281
when using ssl_bump, squid attempts to add keyEncipherment to the key usage when it
receives an ECDSA certificate from the remote site. The RSA certificate squid then
generates and serves to the client ends up with a blank key usage, which the client rejects.
It is believed this is because squid converts the extension from DER to the internal
format, sets the bit, and then exports the bits without converting back to DER.