Summary: net/qt4-network: OpenSSL 1.1 compatibility
Product: Ports & Packages
Reporter: Melvyn Sopacua <m.r.sopacua>
Component: Individual Port(s)
Assignee: freebsd-kde (Team) <kde>
Severity: Affects Some People
CC: adridg, brnrd, cy, dch, emaste, fixer, grahamperrin, iron.udjin, jkim, pi, swills, w.schwarzenfeld
Bug Depends on:
Bug Blocks: 228865, 231931
Description Melvyn Sopacua 2016-11-20 13:44:09 UTC
Created attachment 177209
Patch to fix openssl 1.1. compatibility

Log:

commit ad11101cf67116cb94538525ace901addf24e02b
Author: Melvyn Sopacua
Date: Sun Nov 20 14:17:00 2016 +0100

    net/qt4-network: OpenSSL 1.1 compat Phase 3

    - Final compatibility fixes for QSslContext
    - Remove cipher->valid check as per OpenSSL wiki

    Obtained from: https://github.com/richmoore/qtbase/commit/9ad38be
                   https://wiki.openssl.org/index.php/1.1_API_Changes

commit b0dc4f412b36d6cc02c9030e701f40a154ac1dcf
Author: Melvyn Sopacua
Date: Sun Nov 20 01:58:23 2016 +0100

    net/qt4-network: OpenSSL 1.1 compat Phase 2

    - Port qsslkey: use D/RSA_bits for now opaque type

    Based on: https://github.com/richmoore/qtbase/commit/4e90ef8

commit 7de0f059c47ff7649dae1448f73f27ad21516ffe
Author: Melvyn Sopacua
Date: Sat Nov 19 15:39:51 2016 +0100

    net/qt4-network: OpenSSL 1.1 compat Phase 1

    Hand-merge upstream 320a9b and keep earlier version compatibility.

    Obtained from: https://github.com/richmoore/qtbase/commit/320a91b
Comment 1 Melvyn Sopacua 2016-11-20 15:14:28 UTC
Created attachment 177210
Patch to fix openssl 1.1. compatibility

Updated patch:

Author: Melvyn Sopacua
Date: Sun Nov 20 16:10:05 2016 +0100

    net/qt4-network: OpenSSL 1.1 compat Phase 4

    - Avoid two undefined symbols by using the get0 version directly and properly defining them.

    Exposed by: devel/qt4-designer
Comment 2 Melvyn Sopacua 2016-12-07 15:12:44 UTC
Any yes/no/maybe on this anyone?
Comment 3 Melvyn Sopacua 2016-12-26 00:15:52 UTC
No interest from kde@.
Comment 4 Bernard Spil 2018-06-11 19:03:56 UTC
During BSDCan 2018 the intention to update OpenSSL in base to 1.1.x branch was documented. Intention is to update 12-STABLE to current 1.1.0 and subsequently update it to 1.1.1 when that is released. Melvyn, thanks for the patch! I'll throw that into my bulk-builder to test.
Comment 5 Bernard Spil 2018-06-16 10:05:20 UTC
Created attachment 194302
svn diff for net/qt4-network

The patch that was attached (git patch) applied OK but the resulting patches were misformatted. This new patch (generated with makepatch) builds OK for me.
Comment 6 Adriaan de Groot 2018-10-04 11:32:23 UTC
Oh, gosh, patches via Rich Moore. While this has been stewing for *ages*, I think the right thing to do is trust brnrd@ and emaste@ (and exp-run this, I guess).
Comment 7 Antoine Brodin 2018-10-04 13:20:40 UTC
Comment 8 Antoine Brodin 2018-10-05 21:50:19 UTC
(In reply to Bernard Spil from comment #5) Since the code changes, there should be a PORTREVISION bump.
Comment 9 commit-hook 2018-10-07 20:39:53 UTC
A commit references this bug:

Author: adridg
Date: Sun Oct 7 20:39:13 UTC 2018
New revision: 481493
URL: https://svnweb.freebsd.org/changeset/ports/481493

Log:
  Fix build of legacy Qt4-network port with OpenSSL 1.1.1 for future changes in base.

  (Tested in a 12-CURRENT VM with ^/projects/openssl111 world, and in an 11-STABLE VM with the old situation).

  Thanks to brnrd@ for chasing this for a long time, and the original submitter. Specific credits for obtained-from are in the PR.

  PR: 214691
  Submitted by: Melvyn Sopacua
  Reviewed by: brnrd
  Obtained from: richmoore

Changes:
  head/net/qt4-network/Makefile
  head/net/qt4-network/files/patch-src_network_ssl_qsslcertificate.cpp
  head/net/qt4-network/files/patch-src_network_ssl_qsslkey.cpp
  head/net/qt4-network/files/patch-src_network_ssl_qsslsocket__openssl.cpp
  head/net/qt4-network/files/patch-src_network_ssl_qsslsocket__openssl__symbols__p.h
Comment 10 Adriaan de Groot 2018-10-07 20:44:05 UTC
(finally) committed, thanks!
Comment 11 Antoine Brodin 2018-10-07 21:05:23 UTC
I think the patch is incomplete, it misses some DEFINEFUNC / RESOLVEFUNC for new things like X509_get_serialNumber and X509_get_version
Comment 12 commit-hook 2018-10-07 21:29:31 UTC
A commit references this bug:

Author: adridg
Date: Sun Oct 7 21:29:02 UTC 2018
New revision: 481494
URL: https://svnweb.freebsd.org/changeset/ports/481494

Log:
  Revert 481493, net/qt4-network update to OpenSSL 1.1.1

  "Something's wrong. Perhaps you forgot to build and run ports that depend on the one you just patched."

  PR: 214691
  Reported by: antoine

Changes:
  head/net/qt4-network/Makefile
  head/net/qt4-network/files/patch-src_network_ssl_qsslcertificate.cpp
  head/net/qt4-network/files/patch-src_network_ssl_qsslkey.cpp
  head/net/qt4-network/files/patch-src_network_ssl_qsslsocket__openssl.cpp
  head/net/qt4-network/files/patch-src_network_ssl_qsslsocket__openssl__symbols__p.h
Comment 13 Antoine Brodin 2018-10-07 22:10:45 UTC
Looking at qt5-network,
- they used X509_getm_notBefore and X509_getm_notAfter, not X509_get0_notBefore and X509_get0_notAfter
- this has to be added to src/network/ssl/qsslsocket_openssl_symbols.cpp, with the right #if directives:

DEFINEFUNC(int, EVP_PKEY_base_id, EVP_PKEY *a, a, return NID_undef, return)
DEFINEFUNC(int, RSA_bits, RSA *a, a, return 0, return)
DEFINEFUNC(int, DSA_bits, DSA *a, a, return 0, return)
DEFINEFUNC2(unsigned long, SSL_CTX_set_options, SSL_CTX *ctx, ctx, unsigned long op, op, return 0, return)
DEFINEFUNC(ASN1_TIME *, X509_getm_notBefore, X509 *a, a, return 0, return)
DEFINEFUNC(ASN1_TIME *, X509_getm_notAfter, X509 *a, a, return 0, return)
DEFINEFUNC(long, X509_get_version, X509 *a, a, return -1, return)
DEFINEFUNC(EVP_PKEY *, X509_get_pubkey, X509 *a, a, return 0, return)
DEFINEFUNC(const EVP_MD *, EVP_sha1, DUMMYARG, DUMMYARG, return 0, return)
DEFINEFUNC2(int, SSL_CIPHER_get_bits, const SSL_CIPHER *a, a, int *b, b, return 0, return)
DEFINEFUNC(X509_STORE *, SSL_CTX_get_cert_store, const SSL_CTX *a, a, return 0, return)
DEFINEFUNC4(int, X509_digest, const X509 *x509, x509, const EVP_MD *type, type, unsigned char *md, md, unsigned int *len, len, return -1, return)
DEFINEFUNC(ASN1_INTEGER *, X509_get_serialNumber, X509 *a, a, return 0, return)

RESOLVEFUNC(EVP_PKEY_base_id)
RESOLVEFUNC(RSA_bits)
RESOLVEFUNC(SSL_CTX_set_options)
RESOLVEFUNC(X509_getm_notBefore)
RESOLVEFUNC(X509_getm_notAfter)
RESOLVEFUNC(X509_get_version)
RESOLVEFUNC(X509_get_pubkey)
RESOLVEFUNC(DSA_bits)
RESOLVEFUNC(EVP_sha1)
RESOLVEFUNC(SSL_CIPHER_get_bits)
RESOLVEFUNC(SSL_CTX_get_cert_store)
RESOLVEFUNC(X509_digest)
RESOLVEFUNC(X509_get_serialNumber)
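An added example, not part of the thread or of the port: a coarse pre-commit check for the gap reported in comments 11 and 13, listing wrappers that the patched sources call but that have no matching DEFINEFUNC or RESOLVEFUNC entry. It assumes call sites use the `q_` prefix seen in `q_SSL_CTX_get_cert_store`; the sample inputs and the `audit` helper are constructed for illustration.

```python
import re

# Macro shapes as quoted in comment 13: return type first, then the symbol name.
DEFINE_RE = re.compile(r"\bDEFINEFUNC\d*\s*\(\s*[^,]+,\s*(\w+)\s*,")
RESOLVE_RE = re.compile(r"\bRESOLVEFUNC\d*\s*\(\s*(\w+)\s*\)")
# Assumption: call sites use the q_ prefix, as in q_SSL_CTX_get_cert_store.
USE_RE = re.compile(r"\bq_(\w+)\s*\(")


def audit(symbols_cpp, callers):
    """Report q_ wrappers that callers use but symbols_cpp does not provide.

    Preprocessor conditions (#if) are ignored, so this is a coarse check.
    """
    defined = set(DEFINE_RE.findall(symbols_cpp))
    resolved = set(RESOLVE_RE.findall(symbols_cpp))
    used = set()
    for text in callers:
        used.update(USE_RE.findall(text))
    return {
        # Called somewhere, but never declared with DEFINEFUNC.
        "undefined": sorted(used - defined),
        # Declared, but never bound to the library with RESOLVEFUNC.
        "unresolved": sorted((used & defined) - resolved),
    }


# Constructed sample: a symbols file missing one DEFINEFUNC and one RESOLVEFUNC.
SYMBOLS_CPP = """
DEFINEFUNC(long, X509_get_version, X509 *a, a, return -1, return)
DEFINEFUNC(int, RSA_bits, RSA *a, a, return 0, return)
DEFINEFUNC2(int, SSL_CIPHER_get_bits, const SSL_CIPHER *a, a, int *b, b, return 0, return)
RESOLVEFUNC(X509_get_version)
RESOLVEFUNC(SSL_CIPHER_get_bits)
"""

# Constructed sample: call sites as a patched source file might contain them.
CALLER_CPP = """
long v = q_X509_get_version(x509);
int bits = q_RSA_bits(rsa);
ASN1_INTEGER *sn = q_X509_get_serialNumber(x509);
int n = q_SSL_CIPHER_get_bits(cipher, &alg);
"""

if __name__ == "__main__":
    for kind, names in audit(SYMBOLS_CPP, [CALLER_CPP]).items():
        print(kind, names)
```

A wrapper that is provided as a preprocessor macro rather than through DEFINEFUNC will show up as "undefined" here and needs a manual look.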
Comment 14 Adriaan de Groot 2018-10-11 12:21:16 UTC
Let's continue the conversation in the review (easier to update) on Phab. Summary is, though, that there's a lot more work to be done on this patch to fix net/qt4-network for OpenSSL 1.1.1 than predicted:
- SSL_library_init is renamed, not handled
- Call to q_SSL_CTX_get_cert_store is used by the patch, not available on 11.1
Comment 15 Walter Schwarzenfeld 2018-11-08 22:01:10 UTC
*** Bug 233076 has been marked as a duplicate of this bug. ***
Comment 16 Jung-uk Kim 2018-11-09 16:57:14 UTC
Created attachment 199093
Debian patches for OpenSSL 1.1

Debian has a more thorough patchset.
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=828522
https://salsa.debian.org/qt-kde-team/qt/qt4-x11/blob/master/debian/patches/openssl_1.1.patch
Comment 17 iron.udjin 2018-11-22 19:19:10 UTC
I've the same issue with qt4-network and OpenSSL 1.1.1a on 12-STABLE r340772. The patch fixed the issue. Please commit it.
Comment 18 Adriaan de Groot 2018-11-22 23:10:41 UTC
- With patch applied, still builds on 11.2 with openssl 1.0.2.
- Doesn't build against openssl 1.1.1 port (presumably it should)
Comment 19 commit-hook 2018-11-26 08:17:25 UTC
A commit references this bug:

Author: adridg
Date: Mon Nov 26 08:16:46 UTC 2018
New revision: 485927
URL: https://svnweb.freebsd.org/changeset/ports/485927

Log:
  Another stab at fixing net/qt4-network with modern OpenSSL.

  - tested on 11.2 with openssl 1.0.2 (old situation)
  - tested on 11.2 with openssl 1.1.1 (modern)
  - PR comments claim to have tested on 12-

  Test consists of running quiterss and adding a https feed.

  PR: 214691
  Submitted by: jkim
  Reported by: Melvyn Sopacua
  Obtained from: Debian
  Differential Revision: https://reviews.freebsd.org/D17470

Changes:
  head/net/qt4-network/Makefile
  head/net/qt4-network/files/patch-src_network_ssl_qsslcertificate.cpp
  head/net/qt4-network/files/patch-src_network_ssl_qsslkey.cpp
  head/net/qt4-network/files/patch-src_network_ssl_qsslsocket__openssl.cpp
  head/net/qt4-network/files/patch-src_network_ssl_qsslsocket__openssl__p.h
  head/net/qt4-network/files/patch-src_network_ssl_qsslsocket__openssl__symbols.cpp
  head/net/qt4-network/files/patch-src_network_ssl_qsslsocket__openssl__symbols__p.h
Comment 20 Jung-uk Kim 2018-11-27 01:46:13 UTC
Created attachment 199589
Fix build with OpenSSL 1.1

This version fixed a link-time issue with OpenSSL 1.0.x.
Comment 21 Walter Schwarzenfeld 2018-11-27 02:24:00 UTC
Patch breaks build with libressl.
Comment 22 Walter Schwarzenfeld 2018-11-27 02:45:45 UTC
Sorry, it is OK. It seems my first try did not apply cleanly.
Comment 23 Adriaan de Groot 2018-11-29 09:00:10 UTC
jkim@, thank you for repeatedly chasing this. I have finally set up poudriere sets to test this adequately across the five (six if you count "unset") different builds for 11.2 (I'm not touching 12- at present, but trusting reports in this PR).

Runtime tests in an 11.2-R VM, based on starting up quiterss (Qt4 option) and then updating the feed and clicking a few (https) links:
- ssl=openssl OK
- ssl=openssl111 OK
- ssl=libressl builds, but doesn't seem to work (links are not followed, neither http nor https)
- ssl=libressldevel builds, but doesn't seem to work (links are not followed)
- ssl=base OK
- (unset, same as ssl=openssl)

I'm going to spend a little time on libressl to see if something is obviously wrong, but mostly that's way outside the support envelope.
Comment 24 commit-hook 2018-12-08 20:44:54 UTC
A commit references this bug:

Author: adridg
Date: Sat Dec 8 20:43:55 UTC 2018
New revision: 486987
URL: https://svnweb.freebsd.org/changeset/ports/486987

Log:
  Once more into the breach for net/qt4-network.

  This time it was build and run-tested in six configuration variants of 11.2 (all the valid settings for ssl= in DEFAULT_VERSIONS). Not tested by me in 12 though, others say it does work.

  With libressl it still doesn't *function*, but it builds. As far as I'm concerned for EOL software, that's so far outside the support envelope as to be ignored.

  PR: 214691
  Submitted by: jkim
  Obtained from: Debian

Changes:
  head/net/qt4-network/Makefile
  head/net/qt4-network/files/patch-src_network_ssl_qsslcertificate.cpp
  head/net/qt4-network/files/patch-src_network_ssl_qsslkey.cpp
  head/net/qt4-network/files/patch-src_network_ssl_qsslsocket__openssl.cpp
  head/net/qt4-network/files/patch-src_network_ssl_qsslsocket__openssl__p.h
  head/net/qt4-network/files/patch-src_network_ssl_qsslsocket__openssl__symbols.cpp
  head/net/qt4-network/files/patch-src_network_ssl_qsslsocket__openssl__symbols__p.h