Bug 218421 - net/qt5-network: securesocketclient example is broken: qt.network.ssl: QSslSocket: cannot resolve SSL_CTX_set1_groups
Status: Closed FIXED
Alias: None
Product: Ports & Packages
Classification: Unclassified
Component: Individual Port(s)
Version: Latest
Hardware: Any Any
Importance: --- Affects Some People
Assignee: Christoph Moench-Tegeder
Reported: 2017-04-06 06:33 UTC by Yuri Victorovich
Modified: 2018-04-02 05:20 UTC
bugzilla: maintainer-feedback? (kde)


Attachments
use the openssl code when building against openssl (8.99 KB, patch)
2018-03-09 22:09 UTC, Christoph Moench-Tegeder

Description Yuri Victorovich freebsd_committer 2017-04-06 06:33:02 UTC
This github bug report with the same message https://github.com/trueos/trueos-core/issues/341 claims that this TrueOS patch fixes the problem:

https://github.com/trueos/freebsd-ports/commit/0f08085f2fb7731e28ec406d3202b28d2058dd76

This patch is not in FreeBSD's ports.

I also got "cannot resolve SSL_CTX_set1_groups" on one other new port.
Comment 1 Matthew Rezny freebsd_committer 2017-04-06 09:52:20 UTC
(In reply to Yuri Victorovich from comment #0)

There is a similar but different patch in FreeBSD ports. Which SSL port do you have installed, openssl, openssl-devel, libressl, or libressl-devel? All were build verified but Qt does its own dynamic loading of OpenSSL-type libraries so there is a possibility of a runtime problem, especially if Qt was compiled with a different SSL port than what is currently installed. Are you using official packages or building from ports?
Comment 2 Yuri Victorovich freebsd_committer 2017-04-06 14:17:34 UTC
I have openssl-1.0.2k_1,1 installed.
Comment 3 Yuri Victorovich freebsd_committer 2017-04-06 14:19:00 UTC
(In reply to Matthew Rezny from comment #1)

Everything was installed from packages.
Comment 4 Yuri Victorovich freebsd_committer 2017-04-06 14:43:30 UTC
It actually tries to use the base OpenSSL /usr/lib/libssl.so library, and fails.

FreeBSD xxx 11.0-STABLE FreeBSD 11.0-STABLE #0 r308114M: Mon Oct 31 09:52:01 PDT 2016     xxx:/usr/obj/usr/src/sys/GENERIC  amd64
Comment 5 Matthew Rezny freebsd_committer 2017-04-12 05:57:33 UTC
(In reply to Yuri Victorovich from comment #4)

It appears there is no SSL_CTX_set1_groups or SSL_CTX_set1_curves exported from /usr/lib/libssl.so even though it is OpenSSL 1.0.2 in base so one of those should be present.

Unfortunately, the SSL library situation is a bit complicated. Ports can be compiled to use OpenSSL from base or from a port via the default versions mechanism. If nothing is specified, then the default depends on the system state at build time; ssl from ports will be used if an ssl port is installed, otherwise base is used. Ergo, official FreeBSD packages will be compiled to use OpenSSL from base because those builds are with defaults and there will not be any openssl port found in the poudriere build jail so the default is ssl=base. I believe TrueOS is using one of the LibreSSL ports for their package builds.

Merely having the security/openssl port installed will not cause it to be used by ports that were already built with base OpenSSL. Try building the qt5-network port so it will be using OpenSSL from ports (it should be picked up automatically but to be sure you should set DEFAULT_VERSIONS+= ssl=openssl in make.conf) and see if that resolves the issue.
Comment 6 Loïc Bartoletti freebsd_committer 2018-01-17 06:42:31 UTC
I also got this error.

I tried to install security/openssl (via pkg), add DEFAULT_VERSIONS+= ssl=openssl in make.conf and build network/qt5-network without success.
Comment 7 Andriy Gapon freebsd_committer 2018-01-18 08:47:39 UTC
Is there any work on this or any prospective solution?
Comment 8 Andriy Gapon freebsd_committer 2018-01-18 09:12:56 UTC
It seems that the requirement for SSL_CTX_set1_groups comes from FreeBSD patches of net/qt5-network.  patch-src_network_ssl_qsslcontext__openssl.cpp has an explanation for it:

* Instead of using the SSL_CTRL_SET_CURVES macros which only exists in OpenSSL,
* call the SSL_CTX_set1_groups function, which exists in LibreSSL as well as in
* OpenSSL and is what would be called through the macro.

But I am not sure if that explanation is correct.
I cannot find SSL_CTX_set1_groups anywhere in the FreeBSD source code,
I only see SSL_CTX_set1_param.
Also:
# nm -D /usr/local/lib/libssl.so.9| fgrep SSL_CTX_set1
0000000000049470 T SSL_CTX_set1_param
# pkg which /usr/local/lib/libssl.so.9
/usr/local/lib/libssl.so.9 was installed by package openssl-1.0.2n,1

So, that symbol does not appear to be in the port / package OpenSSL either.

It looks like the patches make qt5-network work with libressl but break openssl?
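
The symbol check from comment 8, generalised into a small classifier (an added example, not part of the bug report or the port): it reads `nm -D` output and reports whether `SSL_CTX_set1_groups` is an exported function or whether only `SSL_CTX_ctrl`, which the OpenSSL curve macros go through, can be resolved. The function names and the sample symbol listings are constructed for illustration; only the `SSL_CTX_set1_param` line comes from the thread.

```shell
#!/bin/sh
# Added example: classify a libssl by the curve/group setup entry point that
# a dlsym()-style resolver (as Qt uses at runtime) could actually find.

# Reads `nm -D` output on stdin and prints one of:
#   groups-function  SSL_CTX_set1_groups is exported as a real function
#   ctrl-only        only SSL_CTX_ctrl is exported (macro-based curve API)
#   none             neither symbol is defined by this library
classify_exports() {
    awk '
        # Defined symbols have three fields (address, type, name);
        # undefined imports ("U name") have two and are ignored.
        NF == 3 && $2 ~ /^[TW]$/ {
            name = $3
            sub(/@.*/, "", name)     # strip @@VERSION suffixes
            if (name == "SSL_CTX_set1_groups") groups = 1
            if (name == "SSL_CTX_ctrl") ctrl = 1
        }
        END {
            if (groups) print "groups-function"
            else if (ctrl) print "ctrl-only"
            else print "none"
        }'
}

# Runs the classifier against a library file on disk.
check_lib() {
    [ -r "$1" ] || { echo "cannot read $1" >&2; return 2; }
    nm -D "$1" | classify_exports
}

# Constructed listings. Only the SSL_CTX_set1_param line is from the thread.
SAMPLE_OPENSSL_102='0000000000049470 T SSL_CTX_set1_param
0000000000041230 T SSL_CTX_ctrl
                 U memcpy'
SAMPLE_WITH_GROUPS='000000000003a100 T SSL_CTX_ctrl
000000000003b2c0 T SSL_CTX_set1_groups
000000000003b400 T SSL_CTX_set1_groups_list'

if [ $# -gt 0 ]; then
    check_lib "$1"
else
    printf '%s\n' "$SAMPLE_OPENSSL_102" | classify_exports
    printf '%s\n' "$SAMPLE_WITH_GROUPS" | classify_exports
fi
```

Run with a library path as the only argument, for example the /usr/local/lib/libssl.so.9 examined in comment 8, to classify an installed library instead of the samples.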
Comment 9 Andriy Gapon freebsd_committer 2018-01-18 09:18:41 UTC
Another data point: https://www.openssl.org/docs/manmaster/man3/SSL_CTX_set1_groups.html

HISTORY
The curve functions were first added to OpenSSL 1.0.2. The equivalent group functions were first added to OpenSSL 1.1.1.

Note the version for *group* functions.
I don't think we have OpenSSL 1.1.x yet.
Comment 10 Ivan 2018-03-03 08:17:43 UTC
I have the same problem with telegram-desktop
It crashes with qt.network.ssl: QSslSocket: cannot resolve SSL_CTX_set1_groups
Latest STABLE, ports compiled against base.
Comment 11 Christoph Moench-Tegeder freebsd_committer 2018-03-09 22:09:48 UTC
Created attachment 191358 [details]
use the openssl code when building against openssl

Let's try this: as the "fix" for using libreoffice resulted in function calls which are simply not there even in our ports tree openssl, we could just ifdef the code so we call SSL_CTX_set1_groups() when building with libressl, but just have the old code when building with openssl.
Before you ask: yes, it's ugly as heck, and the comment needs a little polish.
But: it allows qmapshack to connect to https online maps, which I consider a success.
Putting this up here for comments. I'm totally willing to commit this, unless someone protests :)
Comment 12 commit-hook freebsd_committer 2018-04-01 22:39:05 UTC
A commit references this bug:

Author: cmt
Date: Sun Apr  1 22:38:07 UTC 2018
New revision: 466188
URL: https://svnweb.freebsd.org/changeset/ports/466188

Log:
  restore ssl functionality with openssl

  The "libressl compatibility" unfortunately added a dependency on the
  SSL_CTX_set1_groups() function, which is neither available in base (for
  released versions of FreeBSD) nor ports openssl (it's only in openssl-devel
  and libressl). This broke SSL (most importantly HTTPS) functionality
  in many Qt5-ports.

  This adds some #ifdefs around the SSL_CTX_set1_groups() calling sites
  and restores the old code in cases where libressl has not been detected.

  PR:		218421
  Reported by:	yuri
  Approved by:	maintainer-timeout

Changes:
  head/net/qt5-network/Makefile
  head/net/qt5-network/files/patch-src_network_ssl_qsslcontext__openssl.cpp
  head/net/qt5-network/files/patch-src_network_ssl_qsslsocket__openssl__symbols.cpp
  head/net/qt5-network/files/patch-src_network_ssl_qsslsocket__openssl__symbols__p.h
Comment 13 Christoph Moench-Tegeder freebsd_committer 2018-04-01 22:39:59 UTC
committed ports r466188 - "works for me" and no one protested...
Comment 14 Tobias C. Berner freebsd_committer 2018-04-02 05:20:47 UTC
Thanks.