Bug 212062 - exp-run with DEFAULT_VERSIONS= ssl=openssl-devel
Summary: exp-run with DEFAULT_VERSIONS= ssl=openssl-devel
Status: Closed Overcome By Events
Alias: None
Product: Ports & Packages
Classification: Unclassified
Component: Ports Framework
Version: Latest
Hardware: Any Any
Importance: --- Affects Only Me
Assignee: Port Management Team
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2016-08-22 18:59 UTC by Bernard Spil
Modified: 2019-05-25 18:52 UTC
CC List: 3 users

See Also:
Description Bernard Spil freebsd_committer freebsd_triage 2016-08-22 18:59:07 UTC
I'd like to request an exp-run with OpenSSL 1.1.0 (currently BETA4 / pre6) which is in ports as security/openssl-devel.

Notable differences in OpenSSL 1.1.0 are
  - Removal of SSLv2
  - Removal of EGD

Thanks!

Bernard.
Comment 1 Antoine Brodin freebsd_committer freebsd_triage 2016-09-10 17:04:39 UTC
What is the rationale for putting some options like MD4 off by default?
For instance, NTLM hashes on Windows are still based on MD4, so this is a poor choice for compatibility in my opinion.
Comment 2 Bernard Spil freebsd_committer freebsd_triage 2016-09-11 08:23:57 UTC
(In reply to Antoine Brodin from comment #1)
The default runtime on FreeBSD should not support unsafe features. Too many software packages will use unsafe features when they are available. To allow scanning or cracking ports (bro, john, ...) to function, I am working on a separate openssl-unsafe port whose includes and libs are not in the default locations.

MD4 is obsolete: https://tools.ietf.org/html/rfc6150
Even Microsoft tells developers not to use it any longer. Link to the MSDN article is dead though.
Comment 3 Antoine Brodin freebsd_committer freebsd_triage 2016-09-11 08:45:43 UTC
So you prefer to break existing software that relies on things like MD4 or RC4?

Those algorithms are enabled by default in OpenSSL upstream and in Linux distributions.
Comment 4 Thierry Thomas freebsd_committer freebsd_triage 2016-09-11 08:55:04 UTC
About a separate openssl-unsafe port: https://github.com/PeterMosmans/openssl seems a good candidate. This is the one advised by testssl.sh
( https://testssl.sh/ ).
Comment 5 Antoine Brodin freebsd_committer freebsd_triage 2016-09-11 18:59:26 UTC
I gave DEFAULT_VERSIONS= ssl=openssl-devel a try, but very early ports like python*, ruby*, postgresql*client or libarchive fail to build.
It doesn't seem ready for an exp-run.
Comment 6 Bernard Spil freebsd_committer freebsd_triage 2016-09-11 19:03:46 UTC
(In reply to Antoine Brodin from comment #5)
Clear!

Let me figure out what requires being enabled!
Comment 7 Bernard Spil freebsd_committer freebsd_triage 2016-09-22 15:04:06 UTC
Just committed 1.1.0a, including enabling MD4, RC2 and RC4 to fix the many failures.
Comment 8 Antoine Brodin freebsd_committer freebsd_triage 2016-09-22 15:12:24 UTC
There were a few errors like: "MD4 is disabled" or "unknown type name 'RC2_INT'", but most errors were more like:

error: incomplete definition of type 'struct x509_store_st'
error: tentative definition has type 'EVP_MD_CTX' (aka 'struct evp_md_ctx_st') that is never completed
error: incomplete definition of type 'struct rsa_st'
error: incomplete definition of type 'struct ssl_ctx_st'
error: incomplete definition of type 'struct bio_st'
error: incomplete definition of type 'struct X509_extension_st'
error: variable has incomplete type 'EVP_MD_CTX' (aka 'struct evp_md_ctx_st')
error: variable has incomplete type 'HMAC_CTX' (aka 'struct hmac_ctx_st')
error: incomplete definition of type 'struct dh_st'
error: incomplete definition of type 'struct dsa_st'
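The errors quoted in comment 8 are the OpenSSL 1.1.0 opaque-struct change: EVP_MD_CTX, HMAC_CTX, RSA, DSA, DH, BIO, X509 and SSL_CTX can no longer be declared on the stack or have their members read directly, and code has to move to EVP_MD_CTX_new()/HMAC_CTX_new() and the get0/get accessors. The following POSIX sh script is an added example, not part of this bug report or of the ports tree: a grep-based heuristic that flags, in a C source tree, the constructs behind the quoted errors plus uses of the features this bug mentions as removed upstream (SSLv2, EGD) or disabled in the openssl-devel port at the time (MD4, RC2, RC4). The pattern list and the sample C file it scans are constructed for illustration; the patterns are an assumption and will both miss cases and over-report (any `ctx->` on an unrelated struct, for instance), so treat the output as a porting worklist rather than a verdict.

```shell
#!/bin/sh
# Added example (not from the bug report or the ports tree): heuristic audit of
# C sources for the OpenSSL 1.1.0 breakage seen in the exp-run.  The pattern
# list is an assumption drawn from the compiler errors quoted in this bug and
# from the removed/disabled features it mentions.

# 1. Contexts that became opaque in 1.1.0: declaring one on the stack
#    ("EVP_MD_CTX ctx;") is the "variable has incomplete type" error.
#    Heap allocation via EVP_MD_CTX_new()/HMAC_CTX_new() is the fix.
PAT_STACK='^[[:space:]]*(EVP_MD_CTX|EVP_CIPHER_CTX|HMAC_CTX)[[:space:]]+[A-Za-z_][A-Za-z0-9_]*[[:space:]]*;'

# 2. Direct member access through a pointer to a now-opaque struct
#    (rsa->n, ctx->digest, x509->cert_info ...): the "incomplete definition
#    of type 'struct rsa_st'" class of error.  Accessors such as
#    RSA_get0_key() replace it.  Variable names are a heuristic.
PAT_MEMBER='(^|[^A-Za-z0-9_])(rsa|dsa|dh|x509|ctx|ssl|ssl_ctx|bio|ext)->[A-Za-z_][A-Za-z0-9_]*'

# 3. Calls into features removed upstream in 1.1.0 (SSLv2, EGD) or disabled
#    in the openssl-devel port when this bug was filed (MD4, RC2, RC4).
PAT_REMOVED='(^|[^A-Za-z0-9_])((MD4|RC2|RC4)(_[A-Za-z0-9_]+)?|SSLv2_(client_|server_)?method|RAND_egd(_bytes)?)\('

# Constructed sample source standing in for a pre-1.1.0 port's code.
make_sample() {
  cat > "$1" <<'EOF'
#include <stddef.h>
#include <openssl/evp.h>
#include <openssl/hmac.h>
#include <openssl/rsa.h>
#include <openssl/rand.h>
#include <openssl/md4.h>

int digest(void)
{
    EVP_MD_CTX ctx;                 /* stack allocation: incomplete type in 1.1.0 */
    HMAC_CTX hctx;                  /* same */
    EVP_MD_CTX_init(&ctx);
    HMAC_CTX_init(&hctx);
    return 0;
}

int keybits(RSA *rsa)
{
    return BN_num_bits(rsa->n);     /* direct member access: struct rsa_st is opaque */
}

int legacy(unsigned char *out, const unsigned char *in, size_t len)
{
    RAND_egd("/var/run/egd-pool");  /* EGD support removed in 1.1.0 */
    MD4(in, len, out);              /* MD4 disabled in the port at the time */
    return 0;
}

int fine(void)
{
    EVP_MD_CTX *ctx = EVP_MD_CTX_new();   /* 1.1.0 style: heap-allocated via API */
    EVP_MD_CTX_free(ctx);
    return 0;
}
EOF
}

# Number of lines in $2 matching ERE $1 (grep -c exits 1 on zero matches).
count_matches() { grep -cE "$1" "$2" 2>/dev/null || true; }
count_stack_ctx()     { count_matches "$PAT_STACK"   "$1"; }
count_member_access() { count_matches "$PAT_MEMBER"  "$1"; }
count_removed()       { count_matches "$PAT_REMOVED" "$1"; }

# Summarise one file and list the offending lines.  Exit status 0 means no
# findings; 1 means the file needs porting work before an openssl-devel build.
scan_openssl11() {
  f="$1"
  stack=$(count_stack_ctx "$f")
  member=$(count_member_access "$f")
  removed=$(count_removed "$f")
  printf '%s: stack_ctx=%s member_access=%s removed=%s\n' \
    "$f" "${stack:-0}" "${member:-0}" "${removed:-0}"
  grep -nE "$PAT_STACK"   "$f" 2>/dev/null | sed 's/^/  stack_ctx:     /'
  grep -nE "$PAT_MEMBER"  "$f" 2>/dev/null | sed 's/^/  member_access: /'
  grep -nE "$PAT_REMOVED" "$f" 2>/dev/null | sed 's/^/  removed:       /'
  [ "$(( ${stack:-0} + ${member:-0} + ${removed:-0} ))" -eq 0 ]
}

# Stand-alone demo: scan the constructed sample (non-zero status = findings).
demo=$(mktemp)
make_sample "$demo"
scan_openssl11 "$demo" || :
rm -f "$demo"
```

To run it over a port's extracted sources, loop `scan_openssl11` over `find work/ -name '*.c'` and treat any exit status of 1 as "this port will fail the exp-run for API reasons, not because of MD4/RC2/RC4 being disabled", which separates the two failure classes Antoine describes in comment 8.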