Bug 231980 - dns/bind912 does not build with OpenSSL 1.1.1
Summary: dns/bind912 does not build with OpenSSL 1.1.1
Status: Closed FIXED
Alias: None
Product: Ports & Packages
Classification: Unclassified
Component: Individual Port(s) (show other bugs)
Version: Latest
Hardware: Any Any
: --- Affects Only Me
Assignee: Mathieu Arnold
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2018-10-05 13:49 UTC by Matthias Fechner
Modified: 2018-11-02 15:58 UTC (History)
1 user (show)

See Also:
bugzilla: maintainer-feedback? (mat)


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Matthias Fechner freebsd_committer 2018-10-05 13:49:46 UTC
Make sure you have the following set:
DEFAULT_VERSIONS=ssl=openssl111

It fails to build with error (for more details see here: http://pkg.fechner.net/data/112amd64-default/2018-10-05_15h32m09s/logs/errors/bind912-9.12.2P2.log):
checking for OpenSSL ECDSA support... yes
checking for OpenSSL GOST support... no
configure: error: gost not supported
===>  Script "configure" failed unexpectedly.
Please report the problem to mat@FreeBSD.org [maintainer] and attach the
"/wrkdirs/usr/ports/dns/bind912/work/bind-9.12.2-P2/config.log" including the
output of the failure of your make command. Also, it might be a good idea to
provide an overview of all packages installed on your system (e.g. a
/usr/local/sbin/pkg-static info -g -Ea).
*** Error code 1

GOST support is enabled for security/openssl111:
# This file is auto-generated by 'make config'.
# Options for openssl111-1.1.1_1
_OPTIONS_READ=openssl111-1.1.1_1
_FILE_COMPLETE_OPTIONS_LIST=ASYNC CT MAN3 RFC3779 SHARED ZLIB ARIA DES GOST IDEA SM2 SM3 SM4 RC2 RC4 RC5 MD2 MD4 MDC2 RMD160 ASM SSE2 THREADS EC NEXTPROTONEG SCTP SSL3 TLS1 TLS1_1 TLS1_2
OPTIONS_FILE_SET+=ASYNC
OPTIONS_FILE_SET+=CT
OPTIONS_FILE_SET+=MAN3
OPTIONS_FILE_UNSET+=RFC3779
OPTIONS_FILE_SET+=SHARED
OPTIONS_FILE_UNSET+=ZLIB
OPTIONS_FILE_UNSET+=ARIA
OPTIONS_FILE_SET+=DES
OPTIONS_FILE_SET+=GOST
OPTIONS_FILE_SET+=IDEA
OPTIONS_FILE_UNSET+=SM2
OPTIONS_FILE_UNSET+=SM3
OPTIONS_FILE_UNSET+=SM4
OPTIONS_FILE_SET+=RC2
OPTIONS_FILE_SET+=RC4
OPTIONS_FILE_UNSET+=RC5
OPTIONS_FILE_UNSET+=MD2
OPTIONS_FILE_SET+=MD4
OPTIONS_FILE_UNSET+=MDC2
OPTIONS_FILE_SET+=RMD160
OPTIONS_FILE_SET+=ASM
OPTIONS_FILE_SET+=SSE2
OPTIONS_FILE_SET+=THREADS
OPTIONS_FILE_SET+=EC
OPTIONS_FILE_SET+=NEXTPROTONEG
OPTIONS_FILE_SET+=SCTP
OPTIONS_FILE_UNSET+=SSL3
OPTIONS_FILE_SET+=TLS1
OPTIONS_FILE_SET+=TLS1_1
OPTIONS_FILE_SET+=TLS1_2

I'm not sure if the problem is related to OpenSSL or bind.
Exactly same problem with dns/bind911.
The port dns/bind913 builds fine.
Comment 1 candrews 2018-10-26 17:08:17 UTC
FWIW, gost is not supported in OpenSSL 1.1, from https://www.openssl.org/news/cl110.txt
---
  *) The GOST engine was out of date and therefore it has been removed. An up
     to date GOST engine is now being maintained in an external repository.
     See: https://wiki.openssl.org/index.php/Binaries. Libssl still retains
     support for GOST ciphersuites (these are only activated if a GOST engine
     is present).
     [Matt Caswell]
---
Comment 2 Matthias Fechner freebsd_committer 2018-10-26 18:27:19 UTC
(In reply to candrews from comment #1)
Thanks a lot for this tip, removing GOST fixes the problem.
I hope that does not break DNSSEC.

Should be maybe disable this option for openssl111?
Comment 3 Mathieu Arnold freebsd_committer 2018-11-02 10:07:20 UTC
GOST was never widely used in DNSSEC, I think it is mostly there because it was an algorithm developped by Russia.
GOST support has been removed after 9.12 anyway.  I think I will remove it from previous versions too.
Comment 4 commit-hook freebsd_committer 2018-11-02 10:13:46 UTC
A commit references this bug:

Author: mat
Date: Fri Nov  2 10:13:15 UTC 2018
New revision: 483798
URL: https://svnweb.freebsd.org/changeset/ports/483798

Log:
  Remove GOST support from BIND9 9.11 and 9.12.

  It was never (widely|really) used, and support for it has been dropped
  in OpenSSL starting at 1.1, and BIND9 starting at 9.13.

  PR:		231980
  Reported by:	mfechner

Changes:
  head/dns/bind911/Makefile
  head/dns/bind912/Makefile
Comment 5 Matthias Fechner freebsd_committer 2018-11-02 15:58:58 UTC
Thanks a lot!