@Sp1l
Last active August 29, 2015 14:07
FreeBSD LibreSSL info from frogs
http://pastebin.com/raw.php?i=3J2M0qTU
switching freebsd ports from openssl to libressl
* identify which programs and libraries are linked against the base system's openssl
* for base programs (like openssh) you will need to switch to the ports equivalent
  (e.g. security/openssh-portable); base binaries cannot be relinked against the port
* the command below prints each file under /usr/local whose libcrypto resolves to the base
  copy (the "path:" line is the ldd header naming the file, the line after it is the library it resolved to)
sh -c 'find /usr/local -type f -exec ldd {} + 2> /dev/null | \
egrep ":|libcrypto.so" | \
grep -B1 "`ls /lib/libcrypto.so.*`" | \
grep -v -- --'
* deinstall the programs and libraries that own the files printed ("pkg which <file>" tells you which package that is)
* in /etc/make.conf add:
WITH_OPENSSL_PORT=yes
OPENSSL_PORT=security/libressl
OPENSSL_SHLIBVER=30
* install the programs and libraries you previously deinstalled, they will now use libressl
* run the find command above again to check for any programs left behind
some programs use openssl but are missing USE_OPENSSL=yes from their port
Makefile, so they silently keep linking against the base libcrypto. this is a bug and should be reported.
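the same check, as an added script that is not part of the original notes: it wraps the ldd pipeline above in a function that reads ldd output and prints the objects still resolving libcrypto to the base copy, then maps each one to its owning package with pkg which. the base libcrypto path is an assumption (FreeBSD 10.x ships /lib/libcrypto.so.7; override BASE_LIBCRYPTO for other releases).

```shell
#!/bin/sh
# Added example, not from the original notes: find objects under /usr/local
# that still resolve libcrypto to the base system's copy and show which
# package owns each, so you know exactly what to deinstall and rebuild.
# Assumption: the base libcrypto is /lib/libcrypto.so.7 (FreeBSD 10.x);
# set BASE_LIBCRYPTO in the environment for other releases.
BASE_LIBCRYPTO="${BASE_LIBCRYPTO:-/lib/libcrypto.so.7}"

# Read ldd(1) output on stdin and print each object whose libcrypto resolved
# to $BASE_LIBCRYPTO. ldd prints a "path:" header per file, followed by one
# line per dependency: "\tlibcrypto.so.7 => /lib/libcrypto.so.7 (0x...)".
base_linked_files() {
    awk -v base="$BASE_LIBCRYPTO" '
        /:$/ { file = substr($0, 1, length($0) - 1); next }
        $1 ~ /^libcrypto\.so/ && $3 == base { print file }
    '
}

# Scan /usr/local and print "<object><TAB><owning package>" for every hit.
# Objects no package owns (e.g. something built by hand) are flagged.
scan_usr_local() {
    find /usr/local -type f -exec ldd {} + 2>/dev/null | base_linked_files |
    while IFS= read -r obj; do
        owner=$(pkg which -q "$obj" 2>/dev/null || true)
        [ -n "$owner" ] || owner='(not owned by a package)'
        printf '%s\t%s\n' "$obj" "$owner"
    done
}

# Only run the scan when invoked as "sh check-libcrypto.sh --scan", so the
# functions can also be sourced from another script.
if [ "${1:-}" = "--scan" ]; then
    scan_usr_local
fi
```

run it once before editing /etc/make.conf to get the deinstall list, and again after reinstalling: any object it still prints either belongs to a base program (switch to the ports equivalent) or to a port missing USE_OPENSSL=yes.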
* issues!
works:
inn-2.5.4_2
nginx-1.6.2,2
opensmtpd-5.4.2_4,1
openssh-portable-6.6.p1_3,1
postgresql93-client-9.3.5
postgresql93-server-9.3.5
ssmtp-2.64_1
tor-devel-0.2.5.8.r
unbound-1.4.22_4
some ports do not compile with libressl.
libressl has removed support for EGD (the entropy gathering daemon), so RAND_egd is no longer in the library
https://en.wikipedia.org/wiki//dev/random#EGD_as_an_alternative
EGD was only necessary on some commercial UNIX systems that lacked a kernel /dev/random; every release
that needed it is end-of-life (the last, HP-UX 11i v2, left support in Dec 2015).
EGD needed until    OS release   End-of-support
IRIX 6.5.19         Feb 2003     Dec 2013
Solaris 2.6         Jul 1997     Jul 2006
AIX 5.2             Oct 2002     Apr 2009
Tru64 5.1B          Sep 2002     Dec 2012
HP-UX 11i v2        Sep 2003     Dec 2015
affected:
python27-2.7.8_5 http://bugs.python.org/issue21356
/work/a/ports/lang/python27/work/Python-2.7.8/Modules/_ssl.c:1613:13: warning: implicit declaration of function 'RAND_egd' is invalid in C99 [-Wimplicit-function-declaration]
bytes = RAND_egd((((PyStringObject *)(arg))->ob_sval));
^
1 warning generated.
*** WARNING: renaming "_ssl" since importing it failed: build/lib.freebsd-9.3-STABLE-amd64-2.7/_ssl.so: Undefined symbol "RAND_egd"
wget-1.15_2
openssl.c:91:5: warning: implicit declaration of function 'RAND_egd' is invalid in C99 [-Wimplicit-function-declaration]
RAND_egd (opt.egd_file);
^
1 warning generated.
cc -O2 -pipe -fno-strict-aliasing -L/usr/local/lib -L/usr/local/lib -Wl,-rpath,/usr/local/lib -L/usr/local/lib -o wget cmpt.o connect.o convert.o cookies.o ftp.o css_.o css-url.o ftp-basic.o ftp-ls.o hash.o host.o html-parse.o html-url.o http.o init.o log.o main.o netrc.o progress.o ptimer.o recur.o res.o retr.o spider.o url.o warc.o utils.o exits.o build_info.o iri.o version.o ftp-opie.o openssl.o http-ntlm.o ../lib/libgnu.a /usr/local/lib/libiconv.so -Wl,-rpath -Wl,/usr/local/lib /usr/local/lib/libintl.so -Wl,-rpath -Wl,/usr/local/lib /usr/local/lib/libssl.so /usr/local/lib/libcrypto.so -Wl,-rpath -Wl,/usr/local/lib -lz -lidn
openssl.o: In function `ssl_init':
/ccache/tmp/openssl.tmp.j9-dirty-amd64.31383.i:(.text+0x7d): undefined reference to `RAND_egd'
cc: error: linker command failed with exit code 1 (use -v to see invocation)
libressl has removed support for TLS compression: the COMP_METHOD type, the SSL_get_current_compression/expansion functions and the comp_methods field of SSL_CTX are gone.
https://en.wikipedia.org/wiki/Transport_Layer_Security#CRIME_and_BREACH_attacks
TLS-level compression is what the CRIME attack exploits (BREACH is the same leak via HTTP compression), and the next version of TLS (1.3) removes compression from the protocol entirely.
affected:
socat-1.7.2.4
In file included from xiohelp.c:8:
In file included from ./xioopen.h:15:
./sslcls.h:53:7: error: unknown type name 'COMP_METHOD'
const COMP_METHOD *sycSSL_get_current_compression(SSL *ssl);
^
./sslcls.h:54:7: error: unknown type name 'COMP_METHOD'
const COMP_METHOD *sycSSL_get_current_expansion(SSL *ssl);
^
./sslcls.h:55:40: error: unknown type name 'COMP_METHOD'
const char *sycSSL_COMP_get_name(const COMP_METHOD *comp);
^
3 errors generated.
*** [xiohelp.o] Error code 1
tor-0.2.4.24
tor added support for libressl almost immediately, but only in the development branch. use
security/tor-devel instead until security/tor reaches 0.2.5
src/common/tortls.c:1350:20: error: no member named 'comp_methods' in 'struct ssl_ctx_st'
if (result->ctx->comp_methods)
~~~~~~~~~~~ ^
src/common/tortls.c:1351:18: error: no member named 'comp_methods' in 'struct ssl_ctx_st'
result->ctx->comp_methods = ((void *)0);
~~~~~~~~~~~ ^
2 errors generated.
gmake[1]: *** [src/common/tortls.o] Error 1
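both failure classes above (the missing RAND_egd and the missing COMP_METHOD/comp_methods) show up as undefined symbols or unknown types halfway through a build. the script below is an added example, not part of the original notes: it greps a port's extracted source for the identifiers this page records as removed, so the affected files are known before building. the identifier list is only what this page records; the scan_port wrapper assumes the standard /usr/ports layout and uses "make -V WRKSRC" to locate the work directory.

```shell
#!/bin/sh
# Added example, not from the original notes: scan a source tree for the
# OpenSSL APIs that libressl removed, as recorded on this page (EGD and TLS
# compression). Whole-word matching, so e.g. RAND_egd_unrelated is not a hit.
REMOVED_APIS='RAND_egd|COMP_METHOD|SSL_get_current_compression|SSL_get_current_expansion|SSL_COMP_get_name|comp_methods'

# Print "file:line:source line" for every C/C++ source or header under $1
# that references a removed identifier. The extra /dev/null argument forces
# grep to prefix each hit with its file name even when it gets one file.
scan_tree() {
    find "$1" -type f \( -name '*.c' -o -name '*.cc' -o -name '*.h' \) \
        -exec grep -nwE "$REMOVED_APIS" /dev/null {} + 2>/dev/null | sort
}

# Unique list of files that will need patching before the port builds.
affected_files() {
    scan_tree "$1" | cut -d: -f1 | sort -u
}

# Wrapper for a port, e.g. "scan_port ftp/wget": extract it, then scan its
# work directory. Assumes ports live under /usr/ports; "make -V WRKSRC" is the
# ports framework's way of printing the extracted source directory.
scan_port() {
    portdir="/usr/ports/$1"
    make -C "$portdir" extract >/dev/null
    affected_files "$(make -C "$portdir" -V WRKSRC)"
}

# Only run when invoked as "sh scan-removed-apis.sh <category/port>".
if [ -n "${1:-}" ]; then
    scan_port "$1"
fi
```

a hit does not always mean a failed build (the code may already be under an #ifdef), but the ports that fail on this page would all have been flagged: wget's openssl.c and python's _ssl.c on RAND_egd, socat's sslcls.h on COMP_METHOD, tor's tortls.c on comp_methods.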
some programs do not work correctly with libressl
affected:
squid-3.4.8_1 http://www.squid-cache.org/Doc/code/gadgets_8cc_source.html#l00281
when using ssl_bump, squid attempts to add keyEncipherment to the key usage when it
receives an ECDSA certificate from the remote site. the generated RSA certificate squid
then serves to the client has a blank key usage extension, which the client rejects.
it is believed this is due to converting the extension from DER to the internal format,
setting the bit, then exporting the bits without converting back to DER.