Created attachment 154953 [details]
svn diff for security/stunnel
security/stunnel unconditionally relies on RAND_egd, which makes building fail with LibreSSL, which has removed EGD. FreeBSD does not require EGD at all; /dev/random has been available since FreeBSD 4.2.
This patch checks for the existence of RAND_egd in libcrypto and disables the code using EGD.
Created attachment 154954 [details]
Poudriere build log for security/stunnel
Feedback from upstream
Perhaps I'm misunderstanding what the issue is.
You probably already guessed that the issue is political and not technical.
LibreSSL decided to drop features that are essential to me (CAPI,
FIPS) for no real technical reason. To be clear: I don't consider a
feature being an "insecure" one a technical reason for removal as long
as this "insecure" feature is not automatically selected by default.
For example, compression only introduces vulnerability if the attacker
can perform plaintext injection. Disabling compression by default is
a good idea. Stunnel does it since version 4.51 (09 Jan 2012).
Removing compression is a bad idea, as it is useful in many practical
Another example: MD5 is vulnerable to collision attacks, thus it is a
good idea to prevent accepting digital signatures based on MD5.
On the other hand weak collision resistance does not imply any
problems with preimage or second-preimage properties. Removing
HMAC-MD5 is a bad idea.
For the aforementioned reasons, I'm going to refrain from any actions
that could potentially benefit LibreSSL.
I'm going to defer to upstream at this point in time. If you'd like to reach back out to them with your proposed patch and they accept it, then I will include it in the port.
Rejecting and closing until upstream accepts these changes (or some variation).
*** Bug 202920 has been marked as a duplicate of this bug. ***
Created attachment 160778 [details]
svn diff for security/stunnel
- Update patch to use OPENSSL_NO_EGD
- Remove the configure modifications
- Honour distribution restriction
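The two patches above take the same approach: the code that seeds libcrypto from an EGD socket is compiled only when the TLS library still provides it, and everything else relies on the kernel device. The following is an added example, not stunnel's src/ssl.c nor the attached patch: it shows the OPENSSL_NO_EGD guard in the style of OpenSSL's other OPENSSL_NO_* feature macros (e.g. OPENSSL_NO_COMP). To keep it compilable without libcrypto it does not call RAND_egd(); instead it speaks the EGD "blocking read" command (0x02 followed by a one-byte count) directly, with the same return convention (bytes obtained, or -1). The device path and the socket path are assumptions for the example.

```c
/* Added example (not stunnel code): OPENSSL_NO_EGD guard around EGD seeding,
 * with the kernel RNG as the path FreeBSD actually needs. */
#include <stddef.h>
#include <string.h>
#include <fcntl.h>
#include <unistd.h>
#include <sys/socket.h>
#include <sys/un.h>

/* Assumption: /dev/urandom on Linux; /dev/random is the equivalent on FreeBSD. */
#define RNG_DEVICE "/dev/urandom"

/* Read exactly len bytes or fail. */
static int read_full(int fd, unsigned char *buf, size_t len) {
    size_t got = 0;
    while (got < len) {
        ssize_t n = read(fd, buf + got, len - got);
        if (n <= 0) return -1;
        got += (size_t)n;
    }
    return 0;
}

/* Seed from the kernel device: available on FreeBSD since 4.2, no daemon needed.
 * Returns the number of bytes obtained, or -1. */
int seed_from_device(unsigned char *out, size_t len) {
    int fd = open(RNG_DEVICE, O_RDONLY);
    if (fd < 0) return -1;
    int rc = read_full(fd, out, len);
    close(fd);
    return rc == 0 ? (int)len : -1;
}

#ifndef OPENSSL_NO_EGD
/* EGD client, compiled out when the TLS library (LibreSSL) defines
 * OPENSSL_NO_EGD.  Protocol: send 0x02 and a one-byte count; the daemon
 * answers with exactly that many bytes.  Mirrors RAND_egd(): bytes or -1. */
int seed_from_egd(const char *path, unsigned char *out, size_t len) {
    if (len == 0 || len > 255) return -1;          /* count is a single byte */
    struct sockaddr_un sa;
    memset(&sa, 0, sizeof sa);
    sa.sun_family = AF_UNIX;
    if (strlen(path) >= sizeof sa.sun_path) return -1;
    memcpy(sa.sun_path, path, strlen(path) + 1);

    int fd = socket(AF_UNIX, SOCK_STREAM, 0);
    if (fd < 0) return -1;
    if (connect(fd, (struct sockaddr *)&sa, sizeof sa) < 0) {
        close(fd);
        return -1;
    }
    unsigned char cmd[2] = { 0x02, (unsigned char)len };
    int rc = -1;
    if (write(fd, cmd, sizeof cmd) == (ssize_t)sizeof cmd && read_full(fd, out, len) == 0)
        rc = (int)len;
    close(fd);
    return rc;
}
#endif /* OPENSSL_NO_EGD */

/* Seed the RNG: try the configured EGD socket (if compiled in and given),
 * then fall back to the kernel device.  Returns bytes obtained, or -1. */
int seed_rng(const char *egd_path, unsigned char *out, size_t len) {
#ifndef OPENSSL_NO_EGD
    if (egd_path != NULL && seed_from_egd(egd_path, out, len) == (int)len)
        return (int)len;
#else
    (void)egd_path;   /* EGD support compiled out; the option is ignored */
#endif
    return seed_from_device(out, len);
}

/* Reports whether this build still carries the EGD code path. */
int egd_supported(void) {
#ifdef OPENSSL_NO_EGD
    return 0;
#else
    return 1;
#endif
}
```

Building with `-DOPENSSL_NO_EGD` (or against LibreSSL headers that define it) drops seed_from_egd() and the EGD branch in seed_rng() entirely, which is the "minimal change" the refactored patch makes: no configure-time probing, just the same macro the library already exports for other removed features.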
Response from upstream on the src/ssl.c patch
This is a very nice and clean patch indeed.
I would use it if I ever decided to support LibreSSL.
On 31.05.2015 18:55, Bernard Spil wrote:
Meanwhile, LibreSSL updated the includes and now has a define
I've refactored the patch to use this instead, making it a very
minimal change. As this is now in line with the naming-scheme of
disabled features in OpenSSL (e.g. OPENSSL_NO_COMP) I'm hoping
you'll find it non-intrusive enough to include in stunnel; the added
patch is all that's left.
This has now been included in the upcoming 5.24
* New features
* Added OPENSSL_NO_EGD support
Excellent, this will be merged into the port when the new code is released. (stunnel doesn't have a public SCM)
A commit references this bug:
Date: Thu Oct 8 19:38:53 UTC 2015
New revision: 398889
security/stunnel: Update to 5.24
- Supports building without EGD
- Order options alphabetically
Reviewed by: koobs (mentor), zi (maintainer)
Approved by: zi (maintainer)
Differential Revision: https://reviews.freebsd.org/D2694
(In reply to commit-hook from comment #11)
Based on the commit, can the status of the bug be correctly reflected?