Created attachment 177209 [details] Patch to fix openssl 1.1. compatibilty Log: commit ad11101cf67116cb94538525ace901addf24e02b Author: Melvyn Sopacua Date: Sun Nov 20 14:17:00 2016 +0100 net/qt4-network: OpenSSL 1.1 compat Phase 3 - Final compatibility fixes for QSslContext [1] - Remove cipher->valid check as per OpenSSL wiki [2] Obtained from: https://github.com/richmoore/qtbase/commit/9ad38be [1] https://wiki.openssl.org/index.php/1.1_API_Changes [2] commit b0dc4f412b36d6cc02c9030e701f40a154ac1dcf Author: Melvyn Sopacua Date: Sun Nov 20 01:58:23 2016 +0100 net/qt4-network: OpenSSL 1.1 compat Phase 2 - Port qsslkey: use D/RSA_bits for now opaque type Based on: https://github.com/richmoore/qtbase/commit/4e90ef8 commit 7de0f059c47ff7649dae1448f73f27ad21516ffe Author: Melvyn Sopacua Date: Sat Nov 19 15:39:51 2016 +0100 net/qt4-network: OpenSSL 1.1 compat Phase 1 Hand-merge upstream 320a9b and keep earlier version compatibility. Obtained from: https://github.com/richmoore/qtbase/commit/320a91b
Created attachment 177210 [details] Patch to fix openssl 1.1. compatibilty Updated patch: Author: Melvyn Sopacua Date: Sun Nov 20 16:10:05 2016 +0100 net/qt4-network: OpenSSL 1.1 compat Phase 4 - Avoid two undefined symbols by using the get0 version directly and properly defining them. Exposed by: devel/qt4-designer
Any yes/no/maybe on this anyone?
No interest from kde@.
During BSDCan 2018 the intention to update OpenSSL in base to 1.1.x branch was documented. Intention is to update 12-STABLE to current 1.1.0 and subsequently update it to 1.1.1 when that is released. Melvyn, thanks for the patch! I'll throw that into my bulk-builder to test.
Created attachment 194302 [details] svn diff for net/qt4-network The patch that was attached (git patch) applied OK but the resulting patches were misformatted. This new patch (generated with makepatch) builds OK for me.
Oh, gosh, patches via Rich Moore. While this has been stewing for *ages*, I think the right thing to do is trust brnrd@ and emaste@ (and exp-run this, I guess).
Recent failure log: http://package18.nyi.freebsd.org/data/headamd64PR231931-default/2018-10-04_07h49m12s/logs/errors/qt4-network-4.8.7_3.log
(In reply to Bernard Spil from comment #5) Since the code changes, there should be a PORTREVISION bump.
A commit references this bug: Author: adridg Date: Sun Oct 7 20:39:13 UTC 2018 New revision: 481493 URL: https://svnweb.freebsd.org/changeset/ports/481493 Log: Fix build of legacy Qt4-network port with OpenSSL 1.1.1 for future changes in base. (Tested in a 12-CURRENT VM with ^/projects/openssl111 worls, and in an 11-STABLE VM with the old situation). Thanks to brnrd@ for chasing this for a long time, and the original submitter. Specific credits for obtained-from are in the PR. PR: 214691 Submitted by: Melvyn Sopacua Reviewed by: brnrd Obtained from: richmoore Changes: head/net/qt4-network/Makefile head/net/qt4-network/files/patch-src_network_ssl_qsslcertificate.cpp head/net/qt4-network/files/patch-src_network_ssl_qsslkey.cpp head/net/qt4-network/files/patch-src_network_ssl_qsslsocket__openssl.cpp head/net/qt4-network/files/patch-src_network_ssl_qsslsocket__openssl__symbols__p.h
(finally) committed, thanks!
I think the patch is incomplete, it misses some DEFINEFUNC / RESOLVEFUNC for new things like X509_get_serialNumber and X509_get_version
A commit references this bug: Author: adridg Date: Sun Oct 7 21:29:02 UTC 2018 New revision: 481494 URL: https://svnweb.freebsd.org/changeset/ports/481494 Log: Revert 481493, net/qt4-network update to OpenSSL 1.1.1 "Something's wrong. Perhaps you forgot to build and run ports that depend on the one you just patched." PR: 214691 Reported by: antoine Changes: head/net/qt4-network/Makefile head/net/qt4-network/files/patch-src_network_ssl_qsslcertificate.cpp head/net/qt4-network/files/patch-src_network_ssl_qsslkey.cpp head/net/qt4-network/files/patch-src_network_ssl_qsslsocket__openssl.cpp head/net/qt4-network/files/patch-src_network_ssl_qsslsocket__openssl__symbols__p.h
Looking at qt5-network, - they used X509_getm_notBefore and X509_getm_notAfter, not X509_get0_notBefore and X509_get0_notAfter - this has to be added to src/network/ssl/qsslsocket_openssl_symbols.cpp , with the right #if directives: DEFINEFUNC(int, EVP_PKEY_base_id, EVP_PKEY *a, a, return NID_undef, return) DEFINEFUNC(int, RSA_bits, RSA *a, a, return 0, return) DEFINEFUNC(int, DSA_bits, DSA *a, a, return 0, return) DEFINEFUNC2(unsigned long, SSL_CTX_set_options, SSL_CTX *ctx, ctx, unsigned long op, op, return 0, return) DEFINEFUNC(ASN1_TIME *, X509_getm_notBefore, X509 *a, a, return 0, return) DEFINEFUNC(ASN1_TIME *, X509_getm_notAfter, X509 *a, a, return 0, return) DEFINEFUNC(long, X509_get_version, X509 *a, a, return -1, return) DEFINEFUNC(EVP_PKEY *, X509_get_pubkey, X509 *a, a, return 0, return) DEFINEFUNC(const EVP_MD *, EVP_sha1, DUMMYARG, DUMMYARG, return 0, return) DEFINEFUNC2(int, SSL_CIPHER_get_bits, const SSL_CIPHER *a, a, int *b, b, return 0, return) DEFINEFUNC(X509_STORE *, SSL_CTX_get_cert_store, const SSL_CTX *a, a, return 0, return) DEFINEFUNC4(int, X509_digest, const X509 *x509, x509, const EVP_MD *type, type, unsigned char *md, md, unsigned int *len, len, return -1, return) DEFINEFUNC(ASN1_INTEGER *, X509_get_serialNumber, X509 *a, a, return 0, return) RESOLVEFUNC(EVP_PKEY_base_id) RESOLVEFUNC(RSA_bits) RESOLVEFUNC(SSL_CTX_set_options) RESOLVEFUNC(X509_getm_notBefore) RESOLVEFUNC(X509_getm_notAfter) RESOLVEFUNC(X509_get_version) RESOLVEFUNC(X509_get_pubkey) RESOLVEFUNC(DSA_bits) RESOLVEFUNC(EVP_sha1) RESOLVEFUNC(SSL_CIPHER_get_bits) RESOLVEFUNC(SSL_CTX_get_cert_store) RESOLVEFUNC(X509_digest) RESOLVEFUNC(X509_get_serialNumber)
Let's continue the conversation in the review (easier to update) on Phab. Summary is, though, that there's a lot more work to be done on this patch to fix net/qt4-network for OpenSSL 1.1.1 than predicted: - SSL_library_init is renamed, not handled - Call to q_SSL_CTX_get_cert_store is used by the patch, not available on 11.1
*** Bug 233076 has been marked as a duplicate of this bug. ***
Created attachment 199093 [details] Debian patches for OpenSSL 1.1 Debian has more thorough patchset. https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=828522 https://salsa.debian.org/qt-kde-team/qt/qt4-x11/blob/master/debian/patches/openssl_1.1.patch
I've the same issue with qt4-network and OpenSSL 1.1.1a on 12-STABLE r340772. The patch fixed the issue. Please commit it.
- With patch applied, still builds on 11.2 with openssl 1.0.2. - Doesn't build against openssl 1.1.1 port (presumably it should)
A commit references this bug: Author: adridg Date: Mon Nov 26 08:16:46 UTC 2018 New revision: 485927 URL: https://svnweb.freebsd.org/changeset/ports/485927 Log: Another stab at fixing net/qt4-network with modern OpenSSL. - tested on 11.2 with openssl 1.0.2 (old situation) - tested on 11.2 with openssl 1.1.1 (modern) - PR comments claim to have tested on 12- Test consists of running quiterss and adding a https feed. PR: 214691 Submitted by: jkim Reported by: Melvyn Sopacua Obtained from: Debian Differential Revision: https://reviews.freebsd.org/D17470 Changes: head/net/qt4-network/Makefile head/net/qt4-network/files/patch-src_network_ssl_qsslcertificate.cpp head/net/qt4-network/files/patch-src_network_ssl_qsslkey.cpp head/net/qt4-network/files/patch-src_network_ssl_qsslsocket__openssl.cpp head/net/qt4-network/files/patch-src_network_ssl_qsslsocket__openssl__p.h head/net/qt4-network/files/patch-src_network_ssl_qsslsocket__openssl__symbols.cpp head/net/qt4-network/files/patch-src_network_ssl_qsslsocket__openssl__symbols__p.h
Created attachment 199589 [details] Fix build with OpenSSL 1.1 This version fixed a link-time issue with OpenSSL 1.0.x.
Patch breaks build with libressl.
Sorry, is ok. Seems my first try, applied not cleanly.
jkim@, thank you for repeatedly chasing this. I have finally set up poudriere sets to test this adequately across the five (six if you count "unset") different builds for 11.2 (I'm not touching 12- at present, but trusting reports in this PR ). Runtime tests in an 11.2-R VM, based on starting up quiterss (Qt4 option) and then updating the feed and clicking a few (https) links: - ssl=openssl OK - ssl=openssl111 OK - ssl=libressl builds, but doesn't seem to work (links are not followed, neither http nor https) - ssl=libressldevel builds, but doesn't seem to work (links are not followed) - ssl=base OK - (unset, same as ssl=openssl) I'm going to spend a little time on libressl to see if something is obviously wrong, but mostly that's way outside the support envelope.
A commit references this bug: Author: adridg Date: Sat Dec 8 20:43:55 UTC 2018 New revision: 486987 URL: https://svnweb.freebsd.org/changeset/ports/486987 Log: Once more into the breach for net/qt4-network. This time it was build and run-tested in six configuration variants of 11.2 (all the valid settings for ssl= in DEFAULT_VERSIONS). Not tested by me in 12 though, others say it does work. With libressl it still doesn't *function*, but it builds. As far as I'm concerned for EOL software, that's so far outside the support envelope as to be ignored. PR: 214691 Submitted by: jkim Obtained from: Debian Changes: head/net/qt4-network/Makefile head/net/qt4-network/files/patch-src_network_ssl_qsslcertificate.cpp head/net/qt4-network/files/patch-src_network_ssl_qsslkey.cpp head/net/qt4-network/files/patch-src_network_ssl_qsslsocket__openssl.cpp head/net/qt4-network/files/patch-src_network_ssl_qsslsocket__openssl__p.h head/net/qt4-network/files/patch-src_network_ssl_qsslsocket__openssl__symbols.cpp head/net/qt4-network/files/patch-src_network_ssl_qsslsocket__openssl__symbols__p.h