Created attachment 225584 [details] poudriere build log for net/openldap-client-2.4.59 net/openldap24-client 2.4.59 fails to build with the following errors from ld: ld: error: ./.libs/libldap.so: undefined reference to SSL_CTX_set_ciphersuites ld: error: ./.libs/libldap.so: undefined reference to SSL_set_ciphersuites Probably caused by DEFAULT_VERSIONS+= ssl=libressl Build log attached
Same here, libressl also.
A commit in branch main references this bug: URL: https://cgit.FreeBSD.org/ports/commit/?id=960d4878c57fe52012d565f5c88b9451c7d14723 commit 960d4878c57fe52012d565f5c88b9451c7d14723 Author: Xin LI <delphij@FreeBSD.org> AuthorDate: 2021-06-06 22:17:11 +0000 Commit: Xin LI <delphij@FreeBSD.org> CommitDate: 2021-06-06 22:17:11 +0000 net/openldap24-server: Mark IGNORE when libressl is chosen for now. The current release of libressl does not yet provide OpenSSL style TLSv1.3 API which is required by OpenLDAP cd3567d75 (ITS#9521). PR: 256433 net/openldap24-server/Makefile | 4 ++++ 1 file changed, 4 insertions(+)
Caused by https://git.openldap.org/openldap/openldap/-/commit/a48267c234031742fb99367f9245770b9f3288ea Just change the preprocessor guards to also have !defined(LIBRESSL_VERSION_NUMBER) because OPENSSL_VERSION_NUMBER will always be greater than 1.1.1 in LibreSSL case. The build then succeeds, and we won't need to IGNORE.
See also: undecided if upstream will officially support LibreSSL, which factors into whether we should carry our own patches. (upstream ITS reported by brnrd@)
(In reply to Charlie Li from comment #3) No, please don't do that. Instead, I think a more elegant solution would be to test OPENSSL_NO_TLS1_3, e.g.: #if OPENSSL_VERSION_NUMBER >= 0x10101000 && !defined(OPENSSL_NO_TLS1_3) because it appears that the libressl developers might implement the OpenSSL style TLSv1.3 APIs in the future. I've filed a separate bug at upstream as well.
(In reply to Xin LI from comment #5) True, they have implemented some, but not all, of the TLSv1.3 API, and every release with some TLSv1.3 has a note to that effect. For this issue specifically, SSL_CTX_set_ciphersuites(3) and SSL_set_ciphersuites(3) do not currently exist at all in LibreSSL. As for the upstream comment > Note that the changes for ITS#9521 are specifically #ifdef'd for > OpenSSL version 1.1.1 or greater. If LibreSSL isn't working here > it's because it's lying about its OpenSSL version. Tell them to > fix their stuff. Not happening, because OPENSSL_VERSION_NUMBER being the same as LIBRESSL_VERSION_NUMBER is correct, there is no lie.
Created attachment 225616 [details] v1 OPENSSL_NO_TLS1_3 builds successfully.
Comment on attachment 225616 [details] v1 LGTM.
(In reply to Charlie Li from comment #6) > Not happening, because OPENSSL_VERSION_NUMBER being the same as > LIBRESSL_VERSION_NUMBER is correct, there is no lie. Claiming itself to be OpenSSL 2.0 is indeed a lie, or at least a choice with poor taste. It's generally accepted that software that tries to provide compatibility to a competitor to claim to be that competitor of a version in the past. For example, almost all browsers claim themselves be Mozilla/5.0; clang claims to be GNU C 4.2, etc, FreeBSD C runtime library claims to be from FreeBSD 7.0, etc. In all these cases, compatibility is taken seriously and even if it's not necessarily possible to provide 100% compatibility, code written for the competing software is highly likely to work with the new software without any modifications. By claiming to be OpenSSL 2.0, libressl might have created an incentive for software writers to add more special case #if's and be compatible with libressl, and yet, not having to do these #if's for legacy software is actually one thing that they were doing the first round of code cleanup of OpenSSL codebase. They should instead either define OPENSSL_VERSION_NUMBER be the last OpenSSL version that they can actually support, or stop claiming they were OpenSSL.
A commit in branch main references this bug: URL: https://cgit.FreeBSD.org/ports/commit/?id=77073df27bfadfbc3ca2e5d9cee7f3ca293fca37 commit 77073df27bfadfbc3ca2e5d9cee7f3ca293fca37 Author: Charlie Li <vishwin@FreeBSD.org> AuthorDate: 2021-06-07 00:32:16 +0000 Commit: Xin LI <delphij@FreeBSD.org> CommitDate: 2021-06-07 06:26:04 +0000 net/openldap24-server: fix build with LibreSSL Modify the OpenSSL 1.1.1 preprocessor guards to also account for LibreSSL missing certain functions, particularly SSL_CTX_set_ciphersuites(3) and SSL_set_ciphersuites(3). While here, un-IGNORE for ${SSL_DEFAULT:Mlibressl*}. PORTREVISION intentionally not bumped as this is a build fix. PR: 256433 net/openldap24-server/Makefile | 4 ---- .../files/patch-libraries_libldap_tls__o.c (new) | 20 ++++++++++++++++++++ 2 files changed, 20 insertions(+), 4 deletions(-)
They're technically not missing, LibreSSL just didn't add specific ones for TLS1.3, so they have the same names as the <TLS1.3 functions (unless I've misunderstood something): https://man.openbsd.org/SSL_CTX_set_cipher_list.3
I'm encountering the same issue with libressl and openldap24-sasl-client.