This GitHub bug report with the same message https://github.com/trueos/trueos-core/issues/341 claims that this TrueOS patch fixes the problem:
This patch is not in FreeBSD's ports.
I also got "cannot resolve SSL_CTX_set1_groups" on one other new port.
(In reply to Yuri Victorovich from comment #0)
There is a similar but different patch in FreeBSD ports. Which SSL port do you have installed, openssl, openssl-devel, libressl, or libressl-devel? All were build verified but Qt does its own dynamic loading of OpenSSL-type libraries so there is a possibility of a runtime problem, especially if Qt was compiled with a different SSL port than what is currently installed. Are you using official packages or building from ports?
I have openssl-1.0.2k_1,1 installed.
(In reply to Matthew Rezny from comment #1)
Everything was installed from packages.
It actually tries to use the base OpenSSL /usr/lib/libssl.so library, and fails.
FreeBSD xxx 11.0-STABLE FreeBSD 11.0-STABLE #0 r308114M: Mon Oct 31 09:52:01 PDT 2016 xxx:/usr/obj/usr/src/sys/GENERIC amd64
(In reply to Yuri Victorovich from comment #4)
It appears there is no SSL_CTX_set1_groups or SSL_CTX_set1_curves exported from /usr/lib/libssl.so even though it is OpenSSL 1.0.2 in base so one of those should be present.
Unfortunately, the SSL library situation is a bit complicated. Ports can be compiled to use OpenSSL from base or from a port via the default versions mechanism. If nothing is specified, then the default depends on the system state at build time; ssl from ports will be used if an ssl port is installed, otherwise base is used. Ergo, official FreeBSD packages will be compiled to use OpenSSL from base because those builds are with defaults and there will not be any openssl port found in the poudriere build jail so the default is ssl=base. I believe TrueOS is using one of the LibreSSL ports for their package builds.
Merely having the security/openssl port installed will not cause it to be used by ports that were already built with base OpenSSL. Try building the qt5-network port so it will be using OpenSSL from ports (it should be picked up automatically but to be sure you should set DEFAULT_VERSIONS+= ssl=openssl in make.conf) and see if that resolves the issue.
I also got this error.
I tried to install security/openssl (via pkg), add DEFAULT_VERSIONS+= ssl=openssl in make.conf and build network/qt5-network without success.
Is there any work on this or any prospective solution?
It seems that the requirement for SSL_CTX_set1_groups comes from FreeBSD patches of net/qt5-network. patch-src_network_ssl_qsslcontext__openssl.cpp has an explanation for it:
* Instead of using the SSL_CTRL_SET_CURVES macros which only exists in OpenSSL,
* call the SSL_CTX_set1_groups function, which exists in LibreSSL as well as in
* OpenSSL and is what would be called through the macro.
But I am not sure if that explanation is correct.
I cannot find SSL_CTX_set1_groups anywhere in the FreeBSD source code,
I only see SSL_CTX_set1_param.
# nm -D /usr/local/lib/libssl.so.9| fgrep SSL_CTX_set1
0000000000049470 T SSL_CTX_set1_param
# pkg which /usr/local/lib/libssl.so.9
/usr/local/lib/libssl.so.9 was installed by package openssl-1.0.2n,1
So, that symbol does not appear to be in the port / package OpenSSL either.
It looks like the patches make qt5-network work with libressl but break openssl?
Another data point: https://www.openssl.org/docs/manmaster/man3/SSL_CTX_set1_groups.html
The curve functions were first added to OpenSSL 1.0.2. The equivalent group functions were first added to OpenSSL 1.1.1.
Note the version for *group* functions.
I don't think we have OpenSSL 1.1.x yet.
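The nm check from the comments above, turned into a small script that reports which "groups" entry point a given libssl actually exports (an added example, not part of the original thread or of the FreeBSD ports tree). The function names and sample lines are assumptions made for illustration; only the SSL_CTX_set1_param line is taken from the thread.

```shell
#!/bin/sh
# Added example: classify which elliptic-curve "groups" API a libssl build
# exports, from `nm -D` output. Function names here are illustrative.

# Read `nm -D` output on stdin; print one of:
#   function  - SSL_CTX_set1_groups is an exported symbol (direct call resolves)
#   ctrl-only - only SSL_CTX_ctrl is exported; in OpenSSL 1.0.2 curves are set
#               through the SSL_CTX_set1_curves macro, which expands to it
#   none      - neither symbol is exported
classify_groups_api() {
    awk '
        # Defined dynamic symbols look like: <address> <type> <name>
        NF == 3 && $2 ~ /^[TtWw]$/ {
            name = $3
            sub(/@.*/, "", name)          # drop ELF version suffix, if any
            if (name == "SSL_CTX_set1_groups") groups = 1
            if (name == "SSL_CTX_ctrl")        ctrl = 1
        }
        END {
            if (groups)    print "function"
            else if (ctrl) print "ctrl-only"
            else           print "none"
        }'
}

# Run the classifier over every libssl the runtime loader might pick up.
check_libssl() {
    for lib in "$@"; do
        [ -r "$lib" ] || { printf '%s: not present\n' "$lib"; continue; }
        printf '%s: %s\n' "$lib" "$(nm -D "$lib" 2>/dev/null | classify_groups_api)"
    done
}

# Constructed sample inputs. The SSL_CTX_set1_param line is the one quoted in
# the thread; the other lines and addresses are made up for illustration.
SAMPLE_OPENSSL_102='0000000000049470 T SSL_CTX_set1_param
0000000000048f10 T SSL_CTX_ctrl
                 U malloc'
SAMPLE_WITH_GROUPS='0000000000049470 T SSL_CTX_set1_param
0000000000048f10 T SSL_CTX_ctrl
000000000004a2b0 T SSL_CTX_set1_groups'

# Base and ports library paths as they appear in the thread.
check_libssl /usr/lib/libssl.so /usr/local/lib/libssl.so.9
```

A result of "ctrl-only" for the library Qt loads at run time corresponds to the "cannot resolve SSL_CTX_set1_groups" message: the call site has to go through the macro form instead.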
I have the same problem with telegram-desktop
It crashes with qt.network.ssl: QSslSocket: cannot resolve SSL_CTX_set1_groups
Latest STABLE, ports compiled against base.
Created attachment 191358
use the openssl code when building against openssl
Let's try this: as the "fix" for using libreoffice resulted in function calls which are simply not there even in our ports tree openssl, we could just ifdef the code so we call SSL_CTX_set1_groups() when building with libressl, but just have the old code when building with openssl.
Before you ask: yes, it's ugly as heck, and the comment needs a little polish.
But: it allows qmapshack to connect to https online maps, which I consider a success.
Putting this up here for comments. I'm totally willing to commit this, unless someone protests :)
A commit references this bug:
Date: Sun Apr 1 22:38:07 UTC 2018
New revision: 466188
restore ssl functionality with openssl
The "libressl compatibility" unfortunately added a dependency on the
SSL_CTX_set1_groups() function, which is neither available in base (for
released versions of FreeBSD) nor ports openssl (it's only in openssl-devel
and libressl). This broke SSL (most importantly HTTPS) functionality
in many Qt5-ports.
This adds some #ifdefs around the SSL_CTX_set1_groups() calling sites
and restores the old code in cases where libressl has not been detected.
Reported by: yuri
Approved by: maintainer-timeout
committed ports r466188 - "works for me" and no one protested...