Created attachment 169967
Fix SSLv[23] checks
Recent versions of libressl dropped support for SSLv2 and 3 and defined SSL_OP_NO_SSLv2 and SSL_OP_NO_SSLv3 as zero. The current checks in lighttpd will always fail under these conditions since they assume the values are nonzero. This results in lighttpd failing to start when built against libressl. The attached patch should fix this. I also submitted it upstream.
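
The failure mode described in the comment above, as an added illustration (not lighttpd's code and not the attached patch). `fake_ctx`, `fake_set_options`, the two check functions and the flag value `0x4` are hypothetical stand-ins; the only assumption carried over from a real TLS library is that setting options returns the resulting option bitmask.

```c
#include <stdio.h>

/* Hypothetical stand-in for a TLS context, so this builds without a TLS library. */
typedef struct { unsigned long options, supported; } fake_ctx;

/* Mimics the SSL_CTX_set_options() contract: OR in the bits, return the new mask.
 * Bits outside `supported` are silently dropped (constructed behaviour). */
static unsigned long fake_set_options(fake_ctx *ctx, unsigned long op) {
    ctx->options |= (op & ctx->supported);
    return ctx->options;
}

/* Startup check that assumes the flag is non-zero: "did the bit stick?" */
static int check_assumes_nonzero(fake_ctx *ctx, unsigned long flag) {
    return (flag & fake_set_options(ctx, flag)) ? 0 : -1;
}

/* Startup check that compares against the flag itself, so a flag of 0 passes. */
static int check_compares_flag(fake_ctx *ctx, unsigned long flag) {
    return ((flag & fake_set_options(ctx, flag)) == flag) ? 0 : -1;
}

typedef int (*check_fn)(fake_ctx *, unsigned long);

/* Runs one check on a fresh context; 0 = server starts, -1 = refuses to start. */
static int run_check(check_fn check, unsigned long flag, unsigned long supported) {
    fake_ctx ctx = { 0UL, supported };
    return check(&ctx, flag);
}

int main(void) {
    const unsigned long FLAG = 0x4UL; /* constructed non-zero flag value */

    printf("non-zero flag, honoured: assumes_nonzero=%d compares_flag=%d\n",
           run_check(check_assumes_nonzero, FLAG, FLAG),
           run_check(check_compares_flag, FLAG, FLAG));
    printf("non-zero flag, dropped:  assumes_nonzero=%d compares_flag=%d\n",
           run_check(check_assumes_nonzero, FLAG, 0UL),
           run_check(check_compares_flag, FLAG, 0UL));
    /* Flag defined as zero, as the report describes for recent LibreSSL. */
    printf("flag defined as 0:       assumes_nonzero=%d compares_flag=%d\n",
           run_check(check_assumes_nonzero, 0UL, FLAG),
           run_check(check_compares_flag, 0UL, FLAG));
    return 0;
}
```

Both checks still refuse to start when a non-zero flag is not honoured; only the comparison against the flag lets a zero-valued flag through.
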
Maintainer informed via mail
I've tested this patch on 10.3-RELEASE with and without LibreSSL. It compiles fine using both configs.
(In reply to Piotr Kubaj from comment #2) And since LibreSSL 2.3.4 is supposed to be merged to quarterly, this is also a candidate for MHF.
Created attachment 170189
svn diff for www/lighttpd
Created a diff that does not affect users of base or ports' OpenSSL. Please test and report back in this bug. Maintainer: Please review patch and let me know if you're OK to commit this.
(In reply to Bernard Spil from comment #4) Forgot to mention that this has been reported upstream as well http://redmine.lighttpd.net/issues/2729
(In reply to Piotr Kubaj from comment #3) 2016Q2 will get 2.2.7 not 2.3.4. Patch is currently in review with ports-secteam. Just checked the tarball and that does not define the deprecated feature flags to 0x0.
Upstream seems to have committed Christian's fix: https://redmine.lighttpd.net/projects/lighttpd/repository/revisions/1ca52fdce3b87f7748dd5db6f59d738ed7a9efe1/diff Since it compiles fine with LibreSSL and base OpenSSL (FreeBSD 10.3-RELEASE), I'd rather use this approach.
Created attachment 170202
svn diff for www/lighttpd
Hi Piotr, Sorry for that. Was chatting with someone on IRC and thought he was the reporter... You're absolutely right, let's import that upstream change by Christian! Please let me know if the svn diff I attached is OK and I can commit it.
> www/lighttpd: Fix run-time issue with LibreSSL 2.3
>
> - Add upstream fix for SSL_OP_NO_SSLv2/v3 [1]
>
> [1] https://redmine.lighttpd.net/projects/lighttpd/repository/revisions/1ca52fdce3b87f7748dd5db6f59d738ed7a9efe1/diff
>
> PR: 209266
> Submitted by: Christian Heckendorf <heckendorfc@gmail.com>
> Reviewed by: Piotr Kubaj <pkubaj@anongoth.pl> (maintainer)
(In reply to Bernard Spil from comment #8) Yes, it's perfectly fine to commit it. I've tested lighttpd with this patch at run time and it works.
A commit references this bug:
Author: brnrd
Date: Wed May 11 14:33:34 UTC 2016
New revision: 414996
URL: https://svnweb.freebsd.org/changeset/ports/414996
Log:
  www/lighttpd: Fix run-time issue with LibreSSL 2.3
  - Add upstream fix for SSL_OP_NO_SSLv2/v3 [1]
  [1] https://redmine.lighttpd.net/projects/lighttpd/repository/revisions/1ca52fdce3b87f7748dd5db6f59d738ed7a9efe1/diff
  PR: 209266
  Submitted by: Christian Heckendorf <heckendorfc@gmail.com>
  Approved by: Piotr Kubaj <pkubaj@anongoth.pl> (maintainer)
Changes:
  head/www/lighttpd/files/patch-src_network.c