Created attachment 154953: svn diff for security/stunnel

security/stunnel unconditionally relies on RAND_egd, which makes building fail with LibreSSL, which has removed EGD. FreeBSD does not require EGD at all; /dev/random has been available since FreeBSD 4.2. This patch checks for the existence of RAND_egd in libcrypto and disables the code using EGD.
Created attachment 154954: Poudriere build log for security/stunnel
Feedback from upstream:

Hi Bernard,

Perhaps I'm misunderstanding what the issue is. You probably already guessed that the issue is political and not technical. LibreSSL decided to drop features that are essential to me (CAPI, FIPS) for no real technical reason. To be clear: I don't consider a feature being an "insecure" one a technical reason for removal as long as this "insecure" feature is not automatically selected by default.

For example, compression only introduces a vulnerability if the attacker can perform plaintext injection. Disabling compression by default is a good idea. Stunnel has done so since version 4.51 (09 Jan 2012). Removing compression is a bad idea, as it is useful in many practical applications.

Another example: MD5 is vulnerable to collision attacks, thus it is a good idea to prevent accepting digital signatures based on MD5. On the other hand, weak collision resistance does not imply any problems with preimage or second-preimage properties. Removing HMAC-MD5 is a bad idea.

For the aforementioned reasons, I'm going to refrain from any actions that could potentially benefit LibreSSL.

Best regards,
Mike
I'm going to defer to upstream at this point in time. If you'd like to reach back out to them with your proposed patch and they accept it, then I will include it in the port.
Rejecting and closing until upstream accepts these changes (or some variation).
*** Bug 202920 has been marked as a duplicate of this bug. ***
Created attachment 160778: svn diff for security/stunnel

- Update patch to use OPENSSL_NO_EGD
- Remove the configure modifications
- Honour distribution restriction
Response from upstream on the src/ssl.c patch:

Hi Bernard,

This is a very nice and clean patch indeed. I would use it if I ever decided to support LibreSSL.

Best regards,
Mike

On 31.05.2015 18:55, Bernard Spil wrote:
> Hi Mike,
>
> Meanwhile, LibreSSL updated the includes and now has a define OPENSSL_NO_EGD. I've refactored the patch to use this instead, making it a very minimal change. As this is now in line with the naming scheme of disabled features in OpenSSL (e.g. OPENSSL_NO_COMP), I'm hoping you'll find it non-intrusive enough to include in stunnel; the added patch is all that's left.
>
> Thanks, Bernard Spil.
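The two ways of detecting a libcrypto without EGD that this thread goes through (the first patch's link test for RAND_egd, then the OPENSSL_NO_EGD header define that upstream accepted), as an added shell example that is neither the port's patch nor stunnel's own code; it assumes the default opensslconf.h location and a C compiler reachable as $CC or cc:

```shell
#!/bin/sh
# Added example: decide whether EGD code may be compiled against the
# installed libcrypto. Prints "-DOPENSSL_NO_EGD" when the EGD paths must
# be disabled, and nothing when RAND_egd is available.
# Usage: egd_cflags [path-to-opensslconf.h]  (the default path is an assumption)

egd_cflags() {
    conf="${1:-/usr/include/openssl/opensslconf.h}"

    # Step 1 (the approach upstream accepted): LibreSSL, and OpenSSL built
    # with no-egd, announce the missing feature in the header itself.
    if [ -r "$conf" ] && \
       grep -Eq '^[[:space:]]*#[[:space:]]*define[[:space:]]+OPENSSL_NO_EGD' "$conf"; then
        echo "-DOPENSSL_NO_EGD"
        return 0
    fi

    # Step 2 (the first patch's approach): no verdict from the header, so
    # try to link a program that references RAND_egd against libcrypto.
    tmp=$(mktemp -d) || return 1
    cat > "$tmp/egd_test.c" <<'EOF'
/* prototype only, so the probe does not depend on OpenSSL headers */
int RAND_egd(const char *path);
int main(void) { return RAND_egd("/var/run/egd-pool") < 0; }
EOF
    if ${CC:-cc} -o "$tmp/egd_test" "$tmp/egd_test.c" -lcrypto >/dev/null 2>&1; then
        :   # RAND_egd resolved: leave the EGD code enabled
    else
        echo "-DOPENSSL_NO_EGD"   # symbol missing (or no libcrypto at all)
    fi
    rm -rf "$tmp"
}
```

The output is meant to be appended to CFLAGS so that `#ifndef OPENSSL_NO_EGD` guards in the source take effect even on an OpenSSL whose headers predate the define.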
This has now been included in the upcoming 5.24: https://www.stunnel.org/sdf_ChangeLog.html

* New features
  * Added OPENSSL_NO_EGD support
Excellent, this will be merged into the port when the new code is released. (stunnel doesn't have a public SCM)
Nice!
A commit references this bug:

Author: brnrd
Date: Thu Oct 8 19:38:53 UTC 2015
New revision: 398889
URL: https://svnweb.freebsd.org/changeset/ports/398889

Log:
  security/stunnel: Update to 5.24

  - Supports building without EGD
  - Order options alphabetical

  Reviewed by: koobs (mentor), zi (maintainer)
  Approved by: zi (maintainer)
  PR: 198997
  Differential Revision: https://reviews.freebsd.org/D2694

Changes:
  head/security/stunnel/Makefile
  head/security/stunnel/distinfo
(In reply to commit-hook from comment #11) Based on the commit, can the status of the bug be correctly reflected?