Bug 203693 - security/ftimes: Fix build with No-SSLv3
Summary: security/ftimes: Fix build with No-SSLv3
Status: Closed FIXED
Alias: None
Product: Ports & Packages
Classification: Unclassified
Component: Individual Port(s) (show other bugs)
Version: Latest
Hardware: Any Any
: --- Affects Some People
Assignee: Bernard Spil
URL: https://reviews.freebsd.org/D4924
Keywords: easy, needs-qa, patch
Depends on:
Blocks:
 
Reported: 2015-10-11 10:15 UTC by cpbsdmail
Modified: 2016-06-12 18:28 UTC (History)
2 users (show)

See Also:
klm: maintainer-feedback+
koobs: merge-quarterly?


Attachments
svn diff for security/ftimes (681 bytes, patch)
2015-10-11 10:15 UTC, cpbsdmail
no flags Details | Diff
Disables flawed SSL protocols; disables the SSL option by default (1.98 KB, patch)
2016-01-13 17:58 UTC, klm
no flags Details | Diff
Disables flawed SSL protocols; disables the SSL option by default (2.16 KB, patch)
2016-01-13 19:48 UTC, klm
no flags Details | Diff
Disables flawed SSL protocols; disables the SSL option by default (2.28 KB, patch)
2016-01-13 22:31 UTC, klm
no flags Details | Diff
Modified diff (2.28 KB, patch)
2016-01-15 09:07 UTC, Bernard Spil
no flags Details | Diff

Note You need to log in before you can comment on or make changes to this bug.
Description cpbsdmail 2015-10-11 10:15:26 UTC
Created attachment 161902 [details]
svn diff for security/ftimes

ftimes will not build if OpenSSL was built without SSLv3 (--no-ssl3).

LibreSSL 2.3.0 has removed SSLv3 support completely.

- Fix build without SSLv3
Comment 1 klm 2015-12-04 03:27:32 UTC
Patch being reviewed/tested. Will post an update once that is done.
Comment 2 Martin Wilke freebsd_committer 2016-01-10 07:03:39 UTC
pass it over to bernhard since he deals with that
Comment 3 Bernard Spil freebsd_committer 2016-01-10 09:23:54 UTC
Hi klm,

Any feedback on hte patch yet?

Thanks, Bernard.
Comment 4 klm 2016-01-12 21:42:46 UTC
I was not able to replicate the issue, so some additional feedback is required. More specifically, I would like to know the exact build environment and steps needed to reproduce the build failure.

My build environment was a fresh install of FreeBSD 10.2. For the openssl port, I ran 'make config' and disabled SSLv2/3 protocol support. Next, I disabled the base version of openssl by adding 'WITH_OPENSSL_PORT=yes' to /etc/make.conf. Finally, I built ftimes. The result was a successful build. The following output shows that ftimes was linked against the openssl port (as opposed to the base version):

# /usr/bin/openssl version
OpenSSL 1.0.1p-freebsd 9 Jul 2015

# /usr/local/bin/openssl version
OpenSSL 1.0.2d 9 Jul 2015

# ftimes -v
ftimes 3.11.0 64-bit klel(1.1.0),pcre(8.37),perl(5.20.2),ssl(1.0.2d),xmagic

# ldd /usr/local/bin/ftimes
/usr/local/bin/ftimes:
        libm.so.5 => /lib/libm.so.5 (0x800866000)
        libklel.so.1 => /usr/local/lib/libklel.so.1 (0x800a8f000)
        libpcre.so.1 => /usr/local/lib/libpcre.so.1 (0x800caa000)
        libthr.so.3 => /lib/libthr.so.3 (0x800f1f000)
        libperl.so.5.20 => /usr/local/lib/perl5/5.20/mach/CORE/libperl.so.5.20 (0x801143000)
        libcrypt.so.5 => /lib/libcrypt.so.5 (0x8014f8000)
        libutil.so.9 => /lib/libutil.so.9 (0x801718000)
        libssl.so.8 => /usr/local/lib/libssl.so.8 (0x80192a000)
        libcrypto.so.8 => /usr/local/lib/libcrypto.so.8 (0x801b94000)
        libc.so.7 => /lib/libc.so.7 (0x801fa0000)
Comment 5 Bernard Spil freebsd_committer 2016-01-13 12:34:24 UTC
Hi klm,

The default OpenSSL package is still built with SSLv3 support. If you disable that in OPTIONS then you would run into this issue

--- ftimes ---
cc -o ftimes analyze.o cmpmode.o compare.o decode.o decoder.o develop.o dig.o digmode.o error.o fsinfo.o ftimes.o getmode.o http.o madmode.o map.o mapmode.o mask.o md5.o message.o options.o properties.o sha1.o sha256.o socket.o ssl.o support.o time.o url.o version.o -O2 -fno-strict-aliasing -pipe -march=native  -fstack-protector -Wall -DUNIX -DHAVE_CONFIG_H -DXMAGIC_PREFIX='"/usr/local"'   -lm   -L/usr/local/lib -lpcre   -L/usr/local/lib -lssl -lcrypto
ssl.o: In function `SslInitializeCTX':
ssl.c:(.text+0x469): undefined reference to `SSLv3_client_method'
cc: error: linker command failed with exit code 1 (use -v to see invocation)
*** [ftimes] Error code 1

LibreSSL has completely removed the SSLv3_ methods in version 2.3 (security/libressl-devel) and therefor fails as well.
Comment 6 Bernard Spil freebsd_committer 2016-01-13 12:58:01 UTC
Oeps... Just checked this with OpenSSL built with the SSL3 option disabled and it builds correctly.

Digging in to see why/what/how.
Comment 7 commit-hook freebsd_committer 2016-01-13 17:29:23 UTC
A commit references this bug:

Author: brnrd
Date: Wed Jan 13 17:29:12 UTC 2016
New revision: 406060
URL: https://svnweb.freebsd.org/changeset/ports/406060

Log:
  security/openssl: Fix No-SSLv3 option

    - This change adds `no-ssl3-method` to config args
    - Bump portrevision

  Testing with security/openssl buillt with SSL3 option disabled [1]
  revealed that the openssl binary and the libraries still support SSLv3
  connections and methods. With the added no-ssl3-method argument passed
  to the config script, the binary no longer supports the -ssl3 option
  and ports requiring SSLv3 methods fail on undefined references to
  methods.

  PR:		203693 [1]
  Reviewed by:	koobs (mentor), feld (mentor, ports-secteam), dinoex (maintainer)
  Approved by:	koobs (mentor), feld (mentor, ports-secteam
  MFH:		2016Q1
  Differential Revision:	D4924

Changes:
  head/security/openssl/Makefile
Comment 8 commit-hook freebsd_committer 2016-01-13 17:33:27 UTC
A commit references this bug:

Author: brnrd
Date: Wed Jan 13 17:32:26 UTC 2016
New revision: 406061
URL: https://svnweb.freebsd.org/changeset/ports/406061

Log:
  MFH: r406060

  security/openssl: Fix No-SSLv3 option

    - This change adds `no-ssl3-method` to config args
    - Bump portrevision

  Testing with security/openssl buillt with SSL3 option disabled [1]
  revealed that the openssl binary and the libraries still support SSLv3
  connections and methods. With the added no-ssl3-method argument passed
  to the config script, the binary no longer supports the -ssl3 option
  and ports requiring SSLv3 methods fail on undefined references to
  methods.

  PR:		203693 [1]
  Reviewed by:	koobs (mentor), feld (mentor, ports-secteam), dinoex (maintainer)
  Approved by:	koobs (mentor), feld (mentor, ports-secteam)
  Approved by:	ports-secteam
  Differential Revision:	D4924

Changes:
_U  branches/2016Q1/
  branches/2016Q1/security/openssl/Makefile
Comment 9 klm 2016-01-13 17:58:50 UTC
Created attachment 165516 [details]
Disables flawed SSL protocols; disables the SSL option by default

SSL in FTimes is deprecated, so the SSL option should be disabled by default. The patch for ssl.c disables SSLv2, SSLv3, TLSv1, and TLSv1_1.
Comment 10 Bernard Spil freebsd_committer 2016-01-13 19:23:02 UTC
Same comment as on #203693

Forgot to mention that this is the proper way of handling SSL methods in OpenSSL and LibreSSL. Beware that the SSLv23 methods will ultimately replaced by the (currently aliased) TLS_ methods.
Comment 11 klm 2016-01-13 19:48:56 UTC
Created attachment 165525 [details]
Disables flawed SSL protocols; disables the SSL option by default
Comment 12 Bernard Spil freebsd_committer 2016-01-13 19:53:36 UTC
Comment on attachment 165525 [details]
Disables flawed SSL protocols; disables the SSL option by default

Don't forget to do the same to the NO_SSL3 and NO_SSL2 options :D
Comment 13 klm 2016-01-13 20:06:02 UTC
In looking at an old version of FreeBSD (8.0) with OpenSSL 0.9.8k, I see that SSL_OP_NO_SSLv2, SSL_OP_NO_SSLv3, and SSL_OP_NO_TLSv1 are all defined. So where would these guards be needed? LibreSSL? Mind you have only been testing with OpenSSL.
Comment 14 klm 2016-01-13 20:08:15 UTC
In the previous comment, I meant to say: "Mind you, I have only been testing with OpenSSL."
Comment 15 klm 2016-01-13 22:31:10 UTC
Created attachment 165530 [details]
Disables flawed SSL protocols; disables the SSL option by default
Comment 16 Bernard Spil freebsd_committer 2016-01-15 09:07:55 UTC
Created attachment 165621 [details]
Modified diff

Meant that slightly differently :D

Any OpenSSL version supporting the protocol also has the knobs. If the OpenSSL version doesn't have the protocol, the knobs may fail.
Comment 17 klm 2016-01-15 16:07:36 UTC
I have tested attachment #165530 [details] on a FreeBSD 10.2 system with a recently updated ports tree for the following port versions: openssl-1.0.2_6, libressl-2.2.5, and libressl-devel-2.3.1. In no case did I encounter a build failure.

If you are still seeing build failures, please specify your build environment and the port versions involved so that I may replicate the issue. If there is a particular scenario where the provided patch doesn't work, please provide sufficient detail for me to replicate the problem.
Comment 18 commit-hook freebsd_committer 2016-06-12 18:28:25 UTC
A commit references this bug:

Author: brnrd
Date: Sun Jun 12 18:28:19 UTC 2016
New revision: 416819
URL: https://svnweb.freebsd.org/changeset/ports/416819

Log:
  security/ftimes: Fix build without SSLv3 methods

    - Use SSLv23 methods and SSL_OP_NO_SSL3

  PR:		203693
  Sponsored by:	BSDCan DevSummit

Changes:
  head/security/ftimes/Makefile
  head/security/ftimes/files/patch-src__ssl.c