FreeBSD has not needed the Perl Entropy Gathering Daemon (EGD) since FreeBSD 4.2, and no operating system that is still supported by a vendor needs it any longer. EGD was only necessary for some commercial UNIX systems, and the versions that needed it have all reached end of life.


| EGD needed until | OS released |          |
|                  | Feb 2003    | Dec 2013 |
|                  | Jul 1997    | Jul 2006 |
|                  | Oct 2002    | Apr 2009 |
|                  | Sep 2002    | Dec 2012 |
| 11i v2           | Sep 2003    | Dec 2015 |

TODO: Properly format this info

As I recall, SunOS dlopen() is broken and is unsuitable for use in UnrealIRCd as well due to failing to properly handle dependency resolution. So that removes SunOS from the list.

So, basically:

  IRIX, AIX, Tru64 - doesn't build with either available GCC or standard compiler, NO dlopen()
  Solaris 2.x/SunOS - nothing resembling even gcc 2.95 is available, dlopen() is broken and unsuitable for use in the ircd
  HP-UX - no shl_load() support in unrealircd, no build system support for HP's compiler

Observed as

Usually noticed as

undefined reference to 'RAND_egd'

in the compile output


Remove the offending part

As of LibreSSL 2.2.0, LibreSSL added a define to make patching easier:

# define OPENSSL_NO_EGD

"Guard" the code calling RAND_egd


Deprecated des_ methods

OpenSSL deprecated a large number of des_ methods and types on 24 October 2001 and released this change on 30 December 2002 with OpenSSL 0.9.7.

LibreSSL removed des_old completely, and the next release of OpenSSL (1.0.3) has also removed these compatibility macros.

Observed as

use of undeclared identifier 'des_cblock'; did you mean 'DES_cblock'?


  1. Rename the des_ method or type to DES_ (don't forget to change C_Block -> DES_cblock)

  2. Adapt the variables passed to the method (DES_ structs need to be passed as pointers, prefix the variable with &)

The old compatibility macros can be found here


des_key_schedule ks1;
des_cblock iv1;

des_ncbc_encrypt(src, dst, len, ks1, iv1, DES_DECRYPT);


DES_key_schedule ks1;
DES_cblock iv1;

DES_ncbc_encrypt(src, dst, len, &ks1, &iv1, DES_DECRYPT);

Uses removed Compression

LibreSSL disabled compression by default because of the number of attacks that use compression (CRIME, BREACH, BEAST). LibreSSL does not include openssl/comp.h from openssl/ssl.h (and ssl3.h), leading to build failures.
TLS v1.3 no longer supports compression (so just compress before encryption).

Observed as

unknown type name 'COMP_METHOD' or SSL_get_current_compression


Missing comp.h

First of all try and add

#include <openssl/comp.h>

to the code or header. There's no risk of re-defining methods/types, because the header is protected by an include guard:

#ifndef HEADER_COMP_H


If the OpenSSL library has been compiled without support for compression it defines OPENSSL_NO_COMP, yet LibreSSL defines SSL_NO_COMP in opensslfeatures.h.

Remove/disable offending code

Remove the offending code, preferably by using macros so that the port will still work with OpenSSL libraries that do support compression.

Example 1: Take care of defines

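If the software has been created with care, this will likely make the port just work when added in the right location:

#include <openssl/opensslfeatures.h>
#include <openssl/comp.h>
/* LibreSSL signals missing compression with SSL_NO_COMP; map it to the OpenSSL name */
#ifdef SSL_NO_COMP
# define OPENSSL_NO_COMP
#endif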

Example 2: Disable code

If the software unconditionally relies on the existence of SSL compression you will need to add blocks of

#ifndef OPENSSL_NO_COMP
   /* Offending code */
#endif

SSLv2/SSLv3 method failures

Check the SSLv2 disabled exp-run results in the Bugs database; they contain interesting examples of fixes as well!

Observed as

Usually noticed as

ssl.c:73:30: warning: implicit declaration of function 'SSLv3_server_method' is invalid in C99 [-Wimplicit-function-declaration]
        ctx = SSL_CTX_new (server ? SSLv3_server_method() : SSLv3_client_method ());

in the build output. There's more than just these 2 SSLv3 methods.


Sometimes you will find an example for OPENSSL_NO_SSL2 in the code; do something similar for SSLv3. This tends to use #ifdef guards around the SSLv2 or SSLv3 code.

Example SSLv3_server_method code

ctx = SSL_CTX_new (server ? SSLv3_server_method() : SSLv3_client_method ());


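/* Original call: SSLv3_*_method() is not available in LibreSSL */
ctx = SSL_CTX_new (server ? SSLv3_server_method() : SSLv3_client_method ());
/* Replacement: version-flexible method, restricted through options */
ctx = SSL_CTX_new (server ? SSLv23_server_method() : SSLv23_client_method ());
SSL_CTX_set_options(ctx, SSL_OP_NO_TLSv1|SSL_OP_NO_SSLv2);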

This retains compatibility with OpenSSL 0.9.8, 1.0.0 and 1.0.1.

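You can use the SSLv23 methods; these have been retained in LibreSSL but negotiate TLSv1, TLSv1.1 or TLSv1.2. What is negotiated is controlled using SSL_CTX_set_options. The options in the example disable TLSv1 and SSLv2 but not SSLv3, so an OpenSSL build that still provides SSLv3 can negotiate it; add SSL_OP_NO_SSLv3 where SSLv3 should be refused. You will actually improve ports that you modify!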

GOST engine

LibreSSL removed the GOST engine completely due to a potentially problematic license. Later a partial reimplementation was added that does not

Observed as

Usually noticed as

undefined reference to 'ENGINE_load_gost()'

in the compile output


Remove the offending part

Since OpenSSL comes with an OPENSSL_NO_GOST knob, ports seem to check for the availability of GOST. LibreSSL can also be compiled with NO_GOST so you need a different way of disabling GOST.

LIBRESSL_VERSION_NUMBER should be available, included from <openssl/opensslv.h>
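
A triage helper for the source-level breakages covered so far (RAND_egd, des_ names, the compression API, SSLv3 methods, ENGINE_load_gost), added here as an example and not part of the original page or of any port: it scans C source for those identifiers and reports the uses that are not enclosed in a preprocessor conditional mentioning the guard macro this page names. OPENSSL_NO_SSL3 as the SSLv3 guard and the sample source are assumptions, and the check is textual: it does not evaluate the condition.

```python
import re

# Removed identifier -> guard macros this page names. Assumptions: OPENSSL_NO_SSL3
# (page only says to mirror OPENSSL_NO_SSL2); des_* has no guard, the fix is a rename.
REMOVED = [
    (re.compile(r"\bRAND_egd\b"), ("OPENSSL_NO_EGD",)),
    (re.compile(r"\b(?:COMP_METHOD|SSL_get_current_compression)\b"),
     ("OPENSSL_NO_COMP", "SSL_NO_COMP")),
    (re.compile(r"\bSSLv3_(?:server_|client_)?method\b"), ("OPENSSL_NO_SSL3",)),
    (re.compile(r"\bENGINE_load_gost\b"), ("OPENSSL_NO_GOST", "LIBRESSL_VERSION_NUMBER")),
    (re.compile(r"\bdes_\w+"), ()),
]
DIRECTIVE = re.compile(r"^\s*#\s*(ifndef|ifdef|if|endif)\b(.*)")

def scan(source):
    """Return (line_no, identifier, guarded) for every removed-API use."""
    stack, findings = [], []  # stack: conditions of the enclosing #if blocks
    for no, line in enumerate(source.splitlines(), 1):
        m = DIRECTIVE.match(line)
        if m:
            kind, expr = m.groups()
            if kind in ("ifndef", "ifdef", "if"):
                stack.append(expr)
            elif kind == "endif" and stack:
                stack.pop()
            continue
        for pattern, guards in REMOVED:
            for hit in pattern.finditer(line):
                guarded = any(g in c for c in stack for g in guards)
                findings.append((no, hit.group(0), guarded))
    return findings

def unguarded(source):
    return [(no, name) for no, name, ok in scan(source) if not ok]

# Constructed sample, not taken from any real port.
SAMPLE = """\
#ifndef OPENSSL_NO_EGD
    RAND_egd(path);
#endif
    des_cblock iv1;
    ctx = SSL_CTX_new(SSLv3_client_method());
#if !defined(OPENSSL_NO_COMP) && !defined(SSL_NO_COMP)
    const COMP_METHOD *c = SSL_get_current_compression(ssl);
#endif
"""

if __name__ == "__main__":
    print(unguarded(SAMPLE))
```

Running it over a port's extracted sources before the first build attempt gives the list of lines that will need one of the fixes described above.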



Some ports require SHA-0 (EVP_sha)

Observed as

work/qca-2.1.0/plugins/qca-ossl/qca-ossl.cpp:7139:35: error: use of undeclared identifier 'EVP_sha'; did you mean 'EVP_sha1'?
    return new opensslHashContext( EVP_sha(), this, type);
/usr/local/include/openssl/evp.h:658:15: note: 'EVP_sha1' declared here
const EVP_MD *EVP_sha1(void);


"Guard" the offending code with an #ifndef block

    return new opensslHashContext( EVP_sha(), this, type);


Some ports don't properly link against ports' libcrypto

Observed as

# readelf -d work/stage/usr/local/bin/ipmitool
 0x0000000000000001 (NEEDED)             Shared library: []


Add the following to the port's Makefile


Conditionally when OpenSSL support is conditional

Check that it works with readelf again

# readelf -d work/stage/usr/local/bin/ipmitool
 0x0000000000000001 (NEEDED)             Shared library: []

LibreSSL/PatchingPorts (last edited 2015-10-25 12:20:50 by BernardSpil)