Created attachment 161902: svn diff for security/ftimes

ftimes will not build if OpenSSL was built without SSLv3 (--no-ssl3). LibreSSL 2.3.0 has removed SSLv3 support completely.

- Fix build without SSLv3
Patch being reviewed/tested. Will post an update once that is done.
pass it over to bernhard since he deals with that
Hi klm, Any feedback on the patch yet? Thanks, Bernard.
I was not able to replicate the issue, so some additional feedback is required. More specifically, I would like to know the exact build environment and steps needed to reproduce the build failure. My build environment was a fresh install of FreeBSD 10.2. For the openssl port, I ran 'make config' and disabled SSLv2/3 protocol support. Next, I disabled the base version of openssl by adding 'WITH_OPENSSL_PORT=yes' to /etc/make.conf. Finally, I built ftimes. The result was a successful build. The following output shows that ftimes was linked against the openssl port (as opposed to the base version):

  # /usr/bin/openssl version
  OpenSSL 1.0.1p-freebsd 9 Jul 2015
  # /usr/local/bin/openssl version
  OpenSSL 1.0.2d 9 Jul 2015
  # ftimes -v
  ftimes 3.11.0 64-bit klel(1.1.0),pcre(8.37),perl(5.20.2),ssl(1.0.2d),xmagic
  # ldd /usr/local/bin/ftimes
  /usr/local/bin/ftimes:
          libm.so.5 => /lib/libm.so.5 (0x800866000)
          libklel.so.1 => /usr/local/lib/libklel.so.1 (0x800a8f000)
          libpcre.so.1 => /usr/local/lib/libpcre.so.1 (0x800caa000)
          libthr.so.3 => /lib/libthr.so.3 (0x800f1f000)
          libperl.so.5.20 => /usr/local/lib/perl5/5.20/mach/CORE/libperl.so.5.20 (0x801143000)
          libcrypt.so.5 => /lib/libcrypt.so.5 (0x8014f8000)
          libutil.so.9 => /lib/libutil.so.9 (0x801718000)
          libssl.so.8 => /usr/local/lib/libssl.so.8 (0x80192a000)
          libcrypto.so.8 => /usr/local/lib/libcrypto.so.8 (0x801b94000)
          libc.so.7 => /lib/libc.so.7 (0x801fa0000)
Hi klm,

The default OpenSSL package is still built with SSLv3 support. If you disable that in OPTIONS then you would run into this issue:

  --- ftimes ---
  cc -o ftimes analyze.o cmpmode.o compare.o decode.o decoder.o develop.o dig.o digmode.o error.o fsinfo.o ftimes.o getmode.o http.o madmode.o map.o mapmode.o mask.o md5.o message.o options.o properties.o sha1.o sha256.o socket.o ssl.o support.o time.o url.o version.o -O2 -fno-strict-aliasing -pipe -march=native -fstack-protector -Wall -DUNIX -DHAVE_CONFIG_H -DXMAGIC_PREFIX='"/usr/local"' -lm -L/usr/local/lib -lpcre -L/usr/local/lib -lssl -lcrypto
  ssl.o: In function `SslInitializeCTX':
  ssl.c:(.text+0x469): undefined reference to `SSLv3_client_method'
  cc: error: linker command failed with exit code 1 (use -v to see invocation)
  *** [ftimes] Error code 1

LibreSSL has completely removed the SSLv3_ methods in version 2.3 (security/libressl-devel) and therefore fails as well.
Oops... Just checked this with OpenSSL built with the SSL3 option disabled and it builds correctly. Digging in to see why/what/how.
A commit references this bug:

Author: brnrd
Date: Wed Jan 13 17:29:12 UTC 2016
New revision: 406060
URL: https://svnweb.freebsd.org/changeset/ports/406060

Log:
  security/openssl: Fix No-SSLv3 option

  - This change adds `no-ssl3-method` to config args
  - Bump portrevision

  Testing with security/openssl built with SSL3 option disabled [1] revealed that the openssl binary and the libraries still support SSLv3 connections and methods. With the added no-ssl3-method argument passed to the config script, the binary no longer supports the -ssl3 option and ports requiring SSLv3 methods fail on undefined references to methods.

  PR: 203693 [1]
  Reviewed by: koobs (mentor), feld (mentor, ports-secteam), dinoex (maintainer)
  Approved by: koobs (mentor), feld (mentor, ports-secteam)
  MFH: 2016Q1
  Differential Revision: D4924

Changes:
  head/security/openssl/Makefile
A commit references this bug:

Author: brnrd
Date: Wed Jan 13 17:32:26 UTC 2016
New revision: 406061
URL: https://svnweb.freebsd.org/changeset/ports/406061

Log:
  MFH: r406060

  security/openssl: Fix No-SSLv3 option

  - This change adds `no-ssl3-method` to config args
  - Bump portrevision

  Testing with security/openssl built with SSL3 option disabled [1] revealed that the openssl binary and the libraries still support SSLv3 connections and methods. With the added no-ssl3-method argument passed to the config script, the binary no longer supports the -ssl3 option and ports requiring SSLv3 methods fail on undefined references to methods.

  PR: 203693 [1]
  Reviewed by: koobs (mentor), feld (mentor, ports-secteam), dinoex (maintainer)
  Approved by: koobs (mentor), feld (mentor, ports-secteam)
  Approved by: ports-secteam
  Differential Revision: D4924

Changes:
  _U branches/2016Q1/
  branches/2016Q1/security/openssl/Makefile
Created attachment 165516: Disables flawed SSL protocols; disables the SSL option by default

SSL in FTimes is deprecated, so the SSL option should be disabled by default. The patch for ssl.c disables SSLv2, SSLv3, TLSv1, and TLSv1_1.
Same comment as on #203693. Forgot to mention that this is the proper way of handling SSL methods in OpenSSL and LibreSSL. Beware that the SSLv23 methods will ultimately be replaced by the (currently aliased) TLS_ methods.
Created attachment 165525: Disables flawed SSL protocols; disables the SSL option by default
Comment on attachment 165525 (Disables flawed SSL protocols; disables the SSL option by default):

Don't forget to do the same to the NO_SSL3 and NO_SSL2 options :D
In looking at an old version of FreeBSD (8.0) with OpenSSL 0.9.8k, I see that SSL_OP_NO_SSLv2, SSL_OP_NO_SSLv3, and SSL_OP_NO_TLSv1 are all defined. So where would these guards be needed? LibreSSL? Mind you have only been testing with OpenSSL.
In the previous comment, I meant to say: "Mind you, I have only been testing with OpenSSL."
Created attachment 165530: Disables flawed SSL protocols; disables the SSL option by default
Created attachment 165621: Modified diff

Meant that slightly differently :D Any OpenSSL version supporting the protocol also has the knobs. If the OpenSSL version doesn't have the protocol, the knobs may fail.
I have tested attachment #165530 on a FreeBSD 10.2 system with a recently updated ports tree for the following port versions: openssl-1.0.2_6, libressl-2.2.5, and libressl-devel-2.3.1. In no case did I encounter a build failure. If you are still seeing build failures, please specify your build environment and the port versions involved so that I may replicate the issue. If there is a particular scenario where the provided patch doesn't work, please provide sufficient detail for me to replicate the problem.
A commit references this bug:

Author: brnrd
Date: Sun Jun 12 18:28:19 UTC 2016
New revision: 416819
URL: https://svnweb.freebsd.org/changeset/ports/416819

Log:
  security/ftimes: Fix build without SSLv3 methods

  - Use SSLv23 methods and SSL_OP_NO_SSL3

  PR: 203693
  Sponsored by: BSDCan DevSummit

Changes:
  head/security/ftimes/Makefile
  head/security/ftimes/files/patch-src__ssl.c
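The pattern the thread converges on (comments on the SSLv23 methods, the "knobs" remark, and r416819): pick the version-flexible SSLv23/TLS method and forbid legacy versions with SSL_OP_NO_* flags instead of calling a per-version method such as SSLv3_client_method, which a no-ssl3-method build simply does not export. The example below is added here and is not code from ftimes or the ports patch; it uses Python's ssl module as a thin binding over the same OpenSSL API (PROTOCOL_TLS_CLIENT standing in for the SSLv23/TLS client method, ssl.OP_NO_* for SSL_OP_NO_*), and the function names are its own.

```python
import ssl

# Option flags for the protocols the ftimes patch disables, spelled as Python's
# ssl module exposes OpenSSL's SSL_OP_NO_* knobs (assumption: same semantics).
DISABLED_KNOBS = ("OP_NO_SSLv2", "OP_NO_SSLv3", "OP_NO_TLSv1", "OP_NO_TLSv1_1")


def knob_available(knob):
    """True if this libssl build exports the SSL_OP_NO_* knob named `knob`."""
    return hasattr(ssl, knob)


def version_method_available(version):
    """True if a per-version method constant such as PROTOCOL_SSLv3 exists.

    This mirrors the SSLv3_client_method symbol: a libssl built with
    no-ssl3-method leaves it out, while the OP_NO_SSLv3 knob stays defined.
    """
    return hasattr(ssl, "PROTOCOL_" + version)


def make_client_context():
    """Version-flexible method (the SSLv23/TLS_client_method equivalent)
    plus option flags that forbid the legacy versions, as r416819 does."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    for knob in DISABLED_KNOBS:
        # A knob that is absent (or 0) belongs to a protocol this build can
        # never negotiate, so skipping it is safe; that is why the knobs beat
        # per-version methods, whose absence breaks the link step instead.
        ctx.options |= getattr(ssl, knob, 0)
    # Newer libssl builds express the same floor explicitly; set it too.
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def disabled_versions(ctx):
    """Names of the legacy knobs actually set on ctx, for inspection."""
    return [k for k in DISABLED_KNOBS
            if getattr(ssl, k, 0) and ctx.options & getattr(ssl, k)]


def minimum_version_name(ctx):
    """Lowest protocol version ctx will negotiate, e.g. 'TLSv1_2'."""
    return ctx.minimum_version.name


if __name__ == "__main__":
    c = make_client_context()
    print("per-version SSLv3 method present:", version_method_available("SSLv3"))
    print("disabled via knobs:", disabled_versions(c))
    print("floor:", minimum_version_name(c))
```

On a libssl built with no-ssl3-method the first line prints False while the context still builds, which is exactly the behaviour the per-version call in the original ssl.c lacked.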