Bug 256433

Summary: net/openldap24-client 2.4.59 fails to build
Product: Ports & Packages
Reporter: lysfjord.daniel
Component: Individual Port(s)
Assignee: Xin LI <delphij>
Status: Closed FIXED
Severity: Affects Only Me
CC: cam, jakub_lach, vishwin
Priority: ---
Flags: bugzilla: maintainer-feedback? (delphij)
Version: Latest
Hardware: Any
OS: Any
See Also: https://bugs.openldap.org/show_bug.cgi?id=7978
https://bugs.openldap.org/show_bug.cgi?id=9572
Attachments:
poudriere build log for net/openldap-client-2.4.59 (flags: none)
v1 (flags: delphij: maintainer-approval+)

Description lysfjord.daniel 2021-06-06 00:32:13 UTC
Created attachment 225584 [details]
poudriere build log for net/openldap-client-2.4.59

net/openldap24-client 2.4.59 fails to build with the following errors from ld:
ld: error: ./.libs/libldap.so: undefined reference to SSL_CTX_set_ciphersuites
ld: error: ./.libs/libldap.so: undefined reference to SSL_set_ciphersuites

Probably caused by DEFAULT_VERSIONS+= ssl=libressl

Build log attached.
Comment 1 jakub_lach 2021-06-06 18:39:10 UTC
Same here, libressl also.
Comment 2 commit-hook freebsd_committer freebsd_triage 2021-06-06 22:20:13 UTC
A commit in branch main references this bug:

URL: https://cgit.FreeBSD.org/ports/commit/?id=960d4878c57fe52012d565f5c88b9451c7d14723

commit 960d4878c57fe52012d565f5c88b9451c7d14723
Author:     Xin LI <delphij@FreeBSD.org>
AuthorDate: 2021-06-06 22:17:11 +0000
Commit:     Xin LI <delphij@FreeBSD.org>
CommitDate: 2021-06-06 22:17:11 +0000

    net/openldap24-server: Mark IGNORE when libressl is chosen for now.

    The current release of libressl does not yet provide OpenSSL style
    TLSv1.3 API which is required by OpenLDAP cd3567d75 (ITS#9521).

    PR:             256433

 net/openldap24-server/Makefile | 4 ++++
 1 file changed, 4 insertions(+)
Comment 3 Charlie Li freebsd_committer freebsd_triage 2021-06-06 22:24:44 UTC
Caused by https://git.openldap.org/openldap/openldap/-/commit/a48267c234031742fb99367f9245770b9f3288ea

Just change the preprocessor guards to also have !defined(LIBRESSL_VERSION_NUMBER) because OPENSSL_VERSION_NUMBER will always be greater than 1.1.1 in LibreSSL case. The build then succeeds, and we won't need to IGNORE.
Comment 4 Charlie Li freebsd_committer freebsd_triage 2021-06-06 22:27:55 UTC
See also: undecided if upstream will officially support LibreSSL, which factors into whether we should carry our own patches. (upstream ITS reported by brnrd@)
Comment 5 Xin LI freebsd_committer freebsd_triage 2021-06-06 23:01:34 UTC
(In reply to Charlie Li from comment #3)
No, please don't do that.

Instead, I think a more elegant solution would be to test OPENSSL_NO_TLS1_3, e.g.:

#if OPENSSL_VERSION_NUMBER >= 0x10101000 && !defined(OPENSSL_NO_TLS1_3)

because it appears that the libressl developers might implement the OpenSSL style TLSv1.3 APIs in the future.

I've filed a separate bug at upstream as well.
Comment 6 Charlie Li freebsd_committer freebsd_triage 2021-06-07 00:05:07 UTC
(In reply to Xin LI from comment #5)
True, they have implemented some, but not all, of the TLSv1.3 API, and every release with some TLSv1.3 has a note to that effect. For this issue specifically, SSL_CTX_set_ciphersuites(3) and SSL_set_ciphersuites(3) do not currently exist at all in LibreSSL.

As for the upstream comment:
> Note that the changes for ITS#9521 are specifically #ifdef'd for
> OpenSSL version 1.1.1 or greater. If LibreSSL isn't working here
> it's because it's lying about its OpenSSL version. Tell them to
> fix their stuff.
Not happening, because OPENSSL_VERSION_NUMBER being the same as LIBRESSL_VERSION_NUMBER is correct, there is no lie.
Comment 7 Charlie Li freebsd_committer freebsd_triage 2021-06-07 00:38:05 UTC
Created attachment 225616 [details]
v1

OPENSSL_NO_TLS1_3 builds successfully.
Comment 8 Xin LI freebsd_committer freebsd_triage 2021-06-07 04:24:00 UTC
Comment on attachment 225616 [details]
v1

LGTM.
Comment 9 Xin LI freebsd_committer freebsd_triage 2021-06-07 05:10:50 UTC
(In reply to Charlie Li from comment #6)
> Not happening, because OPENSSL_VERSION_NUMBER being the same as
> LIBRESSL_VERSION_NUMBER is correct, there is no lie.

Claiming itself to be OpenSSL 2.0 is indeed a lie, or at least a choice with poor taste.

It's generally accepted for software that tries to provide compatibility with a competitor to claim to be that competitor at a version in the past.  For example, almost all browsers claim themselves to be Mozilla/5.0; clang claims to be GNU C 4.2, etc.; the FreeBSD C runtime library claims to be from FreeBSD 7.0, etc.  In all these cases, compatibility is taken seriously, and even if it's not necessarily possible to provide 100% compatibility, code written for the competing software is highly likely to work with the new software without any modifications.

By claiming to be OpenSSL 2.0, libressl might have created an incentive for software writers to add more special-case #if's to be compatible with libressl, and yet not having to do these #if's for legacy software is actually one of the things they were doing in the first round of code cleanup of the OpenSSL codebase.  They should instead either define OPENSSL_VERSION_NUMBER to be the last OpenSSL version that they can actually support, or stop claiming they are OpenSSL.
Comment 10 commit-hook freebsd_committer freebsd_triage 2021-06-07 06:27:32 UTC
A commit in branch main references this bug:

URL: https://cgit.FreeBSD.org/ports/commit/?id=77073df27bfadfbc3ca2e5d9cee7f3ca293fca37

commit 77073df27bfadfbc3ca2e5d9cee7f3ca293fca37
Author:     Charlie Li <vishwin@FreeBSD.org>
AuthorDate: 2021-06-07 00:32:16 +0000
Commit:     Xin LI <delphij@FreeBSD.org>
CommitDate: 2021-06-07 06:26:04 +0000

    net/openldap24-server: fix build with LibreSSL

    Modify the OpenSSL 1.1.1 preprocessor guards to also account for
    LibreSSL missing certain functions, particularly
    SSL_CTX_set_ciphersuites(3) and SSL_set_ciphersuites(3). While here,
    un-IGNORE for ${SSL_DEFAULT:Mlibressl*}.

    PORTREVISION intentionally not bumped as this is a build fix.

    PR: 256433

 net/openldap24-server/Makefile                       |  4 ----
 .../files/patch-libraries_libldap_tls__o.c (new)     | 20 ++++++++++++++++++++
 2 files changed, 20 insertions(+), 4 deletions(-)
Comment 11 lysfjord.daniel 2021-06-07 16:12:48 UTC
They're technically not missing, LibreSSL just didn't add specific ones for TLS1.3, so they have the same names as the <TLS1.3 functions (unless I've misunderstood something):
https://man.openbsd.org/SSL_CTX_set_cipher_list.3
Comment 12 Cameron 2021-06-07 21:52:32 UTC
I'm encountering the same issue with libressl and openldap24-sasl-client.