Many patches need cleanup for PR and/or upstreaming

Helpful resources

OpenBSD's ports required patching for LibreSSL as well (it is currently the only OS that uses LibreSSL as its default SSL library). You can find patches in OpenBSD CVS.

There's a Gentoo LibreSSL GitHub repository where patches for software are collected.

These resources can be a great starting point for a patch. Note that OpenBSD will rigorously remove EGD and Compression support. To get your modification accepted by a ports committer and by the upstream project you'll generally need to make your changes conditional.

LibreSSL 2.7

Migrated to LibreSSL/2.7

LibreSSL 2.6

Migrated to LibreSSL/2.6

LibreSSL 2.5

Migrated to LibreSSL/2.5

OpenSSL 1.1.0

When OpenSSL released version 1.1.0, a lot of OPENSSL_VERSION_NUMBER checks were added in projects. The following list documents the ports where these checks had to be fixed. This work is similar to the next chapter on OPENSSL_VERSION_NUMBER.

category/port

Date/Version

Ports Status

Upstream status/Comment

databases/pecl-mongodb

2017-02-12/1.2.3

PR217028

In ports

dns/yadifa

2017-02-25/2.2.3

PR217349

Upstream issue

ftp/proftpd

2017-02-12/1.3.5d

PR217023

net-im/ricochet

2017-02-25/1.1.4

PR217350

Upstream issue

net-mgmt/zabbix32

2017-02-11/3.2.3

PR217035

Upstream issue

security/hitch

2017-02-12/1.4.4

PR217029

In ports Upstream

security/certificate-transparency

2017-02-11/20161015_7

PR217013

security/krb5-115

2017-02-12/1.15

PR217027

Upstream issue

security/libp11

2017-02-11/0.4.4

PR217006

security/openvpn

2017-02-16/2.4.0

PR217140

Upstream

security/tor

2017-02-06/0.2.9.9

PR216845

sysutils/afflib

2017-02-12/3.7.10

PR217045

In ports Upstream

www/squid-devel

2017-02-12/4.0.17

PR217045

In ports

Removal of OPENSSL_VERSION_NUMBER patch

HardenedBSD is testing replacing OpenSSL with LibreSSL in base. The replacement does not patch the OPENSSL_VERSION_NUMBER in openssl/opensslv.h, so this is a test to see which ports fail with OPENSSL_VERSION_NUMBER = 0x20000000L. This shows build problems that had not surfaced earlier.

These errors will also appear if you use the security/libressl-devel port as of version 2.4.0.

category/port

Problem

Ports Status

Upstream status/Comment

dns/bind910

OPENSSL_VERSION_NUMBER

fixed upstream

Patch

dns/powerdns

OPENSSL_VERSION_NUMBER

212016

In ports Patch

dns/powerdns-recursor

OPENSSL_VERSION_NUMBER

212016

In ports Patch

ftp/curl

OPENSSL_VERSION_NUMBER

Fixed upstream

Patch

mail/postfix

OPENSSL_VERSION_NUMBER

211502

In ports Patch

mail/postfix

OPENSSL_VERSION_NUMBER

211502

In ports Patch

mail/postfix

OPENSSL_VERSION_NUMBER

212223

In ports for 3.1.2

mail/postfix-current

OPENSSL_VERSION_NUMBER

In ports Patch

mail/postfix-current

OPENSSL_VERSION_NUMBER

212223

In ports for 3.2.0.20160828

mail/rspamd

OPENSSL_VERSION_NUMBER

Upstream

net/asterisk13

OPENSSL_VERSION_NUMBER

PR211707

In ports OpenBSD patch

net/haproxy-devel

OPENSSL_VERSION_NUMBER

Patch

security/openconnect

OPENSSL_VERSION_NUMBER

PR212254

In ports Patch

security/openvpn

OPENSSL_VERSION_NUMBER

Fixed upstream

Patch

security/strongswan

OPENSSL_VERSION_NUMBER

212149

Patch

security/stunnel

OPENSSL_VERSION_NUMBER

Patch

security/wpa_supplicant

OPENSSL_VERSION_NUMBER

2.6

In ports Patch Fixed upstream

security/xca

OPENSSL_VERSION_NUMBER

In ports Patch

List only; patches for already existing problem categories (EGD, DES, SSLv3) can be found in the regular lists!

category/port

Problem

Ports Status

Upstream status/Comment

benchmarks/postal

SSLv3

databases/mongodb32-tools

SSLv3

databases/mongodb32

SSLv3

devel/tcl-trf

SHA-0

finance/openhbci

DES_

finance/php-tclink

overlapping methods

In ports Patch

mail/emailrelay

SSLv3

mail/mixmaster

EGD

mail/libesmtp

DES

mail/prayer

SSLv3 EGD

misc/skutils

SSLv3

multimedia/oscam

SSLv3

net/Sockets

SSLv3

net/l4ip

EGD

net/netatalk

DES_

net/netatalk3

DES_

net/openntpd

LibreSSL Port dep

Patch

net/qt5-network

SSL_CTRL_SET_CURVES

net/ssltunnel-client

DES_

net-mgmt/snmp++

DES_

net-p2p/shx

EGD

security/certificate-transparency

CMS

security/distcache

SSLv3

security/openssl

Framework

Patch

security/openssl-devel

Framework

Patch

security/rcracki_mt

DES_

www/tomcat-native

SSLv3

Introduction of libressl-devel

category/port

Problem

Ports Status

Upstream status/Comment

net/openbsc

conflict

dep removed

In ports

www/obhttpd

conflict

SSLv3 / SHA-0 removal

This has been given its own sub-page of the OpenSSL section as the fallout is considered to be equal to --no-ssl3 --no-ssl3-method

category/port

Problem

Ports Status

Upstream status/Comment

databases/galera

Boost-libs ssl

see devel/boost-libs

devel/cargo

"libssl.so.8" not found

databases/mysql-connector-c

SSL detection

In ports Patch

devel/qca-qt5

SSLv3 SHA-0

In ports Patch

devel/tcl-trf

SHA-0

2016-09-11

In ports Patch

games/tinymux

SHA-0

2016-09-11

In ports Patch Build log Mailed upstream

lang/pypy

COMP EGD

204743

Fixed upstream

lang/qore

SHA-0

0.8.12

Patch Build log Upstream patched

net-im/coccinella

libtls conflict

In ports Patch review

net-im/tkabber

libtls conflict

In ports Patch review

net-mgmt/netmagis-database

libtls conflict

In ports Patch review

net-mgmt/netmagis-www

libtls conflict

In ports Patch review

net-mgmt/nsca-ng

PSK

Patches Hard requires PSK

net-mgmt/nsca-ng-client

PSK

slave port of net-mgmt/nsca-ng

net-p2p/bitcoin

Detected LibreSSL: This is NOT supported

net-p2p/digitalcoin

SSLv3

Won't fix, see net-p2p/bitcoin

net-p2p/dogecoin

SSLv3

Won't fix, see net-p2p/bitcoin

net-p2p/libtorrent-rasterbar

boost-libs

Boost libs

net-p2p/litecoin-daemon

SSLv3

Won't fix, see net-p2p/bitcoin

net-p2p/litecoin-utils

SSLv3

Won't fix, see net-p2p/bitcoin

net-p2p/namecoin

SSLv3

Won't fix, see net-p2p/bitcoin

net-p2p/namecoin-daemon

SSLv3

Won't fix, see net-p2p/bitcoin

net-p2p/twister

boost-libs

Boost libs

net-p2p/zetacoin

SSLv3

Won't fix, see net-p2p/bitcoin

net-p2p/zetacoin-nox11

SSLv3

Won't fix, see net-p2p/bitcoin

net/qt5-network

SSL_CTRL_SET_CURVES

Gentoo -> HBSD patch

net/yate

base libs

D4706

In ports PR205170

net/x11vnc

SHA-0

In ports Patch Upstream mailed

science/orthanc

FIPS

PR217352

Added 2017-02-25

security/john

SHA-0

Build log

security/nessus-libnasl

SHA-0

deleted

In ports Patches

security/openscep

ASN1 methods

security/openssl_tpm_engine

Engine

Ignore

In ports Patch

security/osiris

SHA-0

Patch Mailed project

sysutils/osquery

boost-libs

security/sguil

libtls conflict

In ports Patch review

PC-BSD 10.1.2 ports build

Legend:

  1. category/port
  2. Problem : refers to Types of Failures

  3. Ports Status
    • PR123456 : Link to PR with a patch for the port
    • PR123456 : PR closed, fix in ports tree, link to SVN changeset or Phabricator review in Comments section

  4. Upstream status/Comment
    • Link to upstreamed issue/bug/etc.
    • Link to SVN changeset if PR closed
    • Link to Phabricator review
    • Link to Sp1l's GitHub repo

    • OPEN -> TODO

    • Additional info

category/port

Problem

Ports Status

Upstream status/Comment

tcltls

conflict

PR202676

Problematic file: /usr/local/include/tls.h

net-mgmt/nsca-ng

PSK

Build log

security/krb5-111

patch

patch-srcpluginspreauthpkinitpkinit_crypto_openssl.c

category/port

Problem

Ports Status

Upstream status/Comment

comms/kermit

COMP+EGD

PR198980

In ports Included in 304

databases/virtuoso

DES_

PR198368

In ports Upstreamed via website

deskutils/growl-for-linux

DES_

PR198243

In ports upstreamed imported

devel/ace

EGD

PR198776

In ports

devel/dcmtk

EGD

PR198780

In ports

devel/ice

EGD

PR198781

In ports GitHub

devel/libpdel

DES_

PR196748

In ports

devel/qca

COMP

PR199134

In ports In ports

devel/subversion-static

arc4rand

OPEN

dns/knot

GOST

PR198981

In ports Fixed in 1.6.3

dns/ldns

Cryptodev

PR191853

In ports

ftp/curl

SRP

PR198397

In ports

ftp/pavuk

DES_

PR198333

In ports Upstream dead

ftp/wget

EGD

PR191988

In ports Upstream fixed in 1.6.3

finance/openhbci

DES_

2016-09-11

In ports Patch

graphics/openimageio

port

PR191988

In ports Missing OpenSSL dependency

irc/unreal

EGD

PR198491

In ports GitHub Merged

irc/charybdis

EGD

PR198504

In ports Upstream fixed

irc/ircd-hybrid

COMP+EGD

PR198505

In ports Upstream fixed

irc/ircd-ratbox

EGD

PR198506

Mailed upstream

irc/ircd-ratbox-devel

EGD

PR198507

non-devel is newer

irc/znc

COMP

PR198387

In ports Imported upstream

lang/pypy-devel

EGD

deleted

GitHub

lang/pypy3-devel

EGD

runaway

GitHub

lang/python27

EGD

PR192511

In ports fixed upstream

lang/python32

EGD

PR195513

In ports fixed upstream

lang/python33

EGD

PR195511

In ports fixed upstream

lang/python34

EGD

PR195508

In ports upstream

mail/courier

SSLv2

PR198399

In ports

mail/dovecot

COMP

PR198386

In ports

mail/dovecot2

COMP

fixed upstream

mail/mixmaster

EGD

Broken

HBSD Patch

mail/heirloom-mailx

EGD

PR205540

In ports Build log

mail/libesmtp

DES

2016-09-11

In ports Patch

mail/opensmtpd-devel

SSL_CTX_use_cert_chain

fixed upstream

Mailed upstream

mail/up-imapproxy

EGD

PR200237

In ports Upstreamed

misc/linm

DES_

PR198984

In ports

net/gq

DES_

PR198340

In ports Upstreamed

net/l4ip

EGD

In ports Patch

net/miniupnpd

linking

PR199390

In ports

net/mosquitto

PSK

PR198988

In ports Upstream bug

net/mpd5

DES_

PR196800

In ports

net/netatalk

DES_

HBSD Patch

net/netatalk3

DES_

3.1.9

HBSD Patch

net/openldap24-server

DES_

PR194841

In ports

net/pipsecd

DES_

PR198345

In ports Upstream dead

net/socat

EGD+COMP

PR197192

In ports Upstream accepted

net/ssltunnel-client

DES_

In ports Patch

net-mgmt/snmp++

DES_

In ports HBSD Patch

net-mgmt/ettercap

DES_

PR198184

In ports

net-mgmt/xymon-server

EGD

PR198522

In ports Upstream fixed

net/zabbix3-client

PSK

net-mgmt/send

x509 struct

In ports Patch

net-p2p/shx

EGD

In ports Patch

net-p2p/transmission-cli

linking

PR186978

In ports

net-p2p/twister

include

PR199006

In ports Upstream imported

russian/ircd-hybrid

EGD

PR198771

In ports

security/chntpw

DES_

PR198346

In ports

security/dsniff

DES_

D7054

In ports Patch

security/heimdal

EGD

PR198527

In ports Upstream pull request

security/hydra

DES_

PR198533

In ports

security/isakmpd

DES_

PR198535

In ports Not upstreamed

security/john

DES_

PR198348

In ports Upstream

security/krb5-111

CMS

PR198749

In ports

security/krb5-112

CMS

PR198750

In ports

security/nessus-libraries

SSLv2

PR198992

In ports GitHub

security/nessus-libnasl

SSLv2

nvt

Fixed by nessus/nessus-libraries

security/nessus

SSLv2

nvt

Fixed by nessus/nessus-libraries

security/opencryptoki

DES_

PR198351

In ports Upstream patch

security/openssl_tpm_engine

include

Ignore

Patch

security/ophcrack

DES_

PR198352

In ports No upstream

security/p5-Business-PayPal-EWP

OpenSSL string

PR199176

In ports GitHub Notified Upstream issue

security/p5-Crypt-SMIME

port

PR198111

In ports

security/p5-openxpki

OpenSSL string

PR199179

In ports Upstream imported

security/py-cryptography

EGD, COMP, ALPN

PR197049

In ports Fixed upstream

security/pidentd

DES_

PR198364

In ports Mailed upstream

security/pond

ChaCha20

Broken

OPEN

security/proxytunnel

MD5_

PR198754

In ports

security/rcracki_mt

DES

In ports

security/sectok

DES_

PR198366

In ports Mailed upstream

security/softhsm2

GOST

PR199008

In ports GitHub

security/sslscan

SSLv2

PR198401

In ports

security/sslwrap

SSLv2

PR198400

In ports

security/stunnel

EGD

PR198997

In ports Upstream fixed

security/rcracki_mt

DES_

HBSD Patch

security/tlswrap

EGD

PR198767

In ports GitHub

security/tor-devel

COMP

fixed upstream

Fixed version in ports

sysutils/bacula5-client-static

arc4rand

OPEN

sysutils/bacula-client-static

arc4rand

OPEN

sysutils/condor

DES_

PR198370

In ports Mailed upstream

sysutils/ipmitools

linking

PR199389

In ports

sysutils/webjob

arc4rand

PR203701

In ports

www/apache22

EGD, SSL_CTX

PR196256

In ports

www/apache24

EGD, SSL_CTX

PR196139

In ports

www/elinks

EGD

PR198764

In ports GitHub

www/links

EGD

PR198765

In ports GitHub

www/links1

EGD

PR210727

In ports

www/links-hacked

EGD

PR198766

In ports GitHub

www/mod_spdy

SSL_CTX_use_cert_chain

wontfix

use mod_http2-devel

www/tomcat-native

SSL_CTX_use_cert_chain

PR215196

GitHub

www/w3m

EGD

PR191956

In ports

www/webstone-ssl

SSLv2

PR199019

In ports GitHub

Other fixes/PRs

PR194400

Fix EC ciphers support in LibreSSL 2.1.0 (fixed by LibreSSL 2.1.1)

PR196445

Fix SHLIBVER detection in Mk/bsd.openssl.mk

PR197005

Update LibreSSL to 2.1.3

PR198269

Update LibreSSL to 2.1.4

PR198270

Bump SHLIBVER in Mk/bsd.openssl.mk

PR198651

LibreSSL to 2.1.5

PR198681

Backport of CVE-2015-0209 & CVE-2015-0288 low rated vulns

PR198651

LibreSSL to 2.1.6 fixing vulns

D2654

Backport OPENSSL_NO_EGD to LibreSSL 2.1.6

D2770

Update LibreSSL to 2.2.0

D2963

Update LibreSSL to 2.2.1

D2963

Update LibreSSL to 2.2.2

D3537

Update to 2.2.3

PR200894

Fix AESNI support

D3695

Fix devel/tcltls conflict on include/libtls.h

D3585

Add next-stable LibreSSL 2.3.1 port (security/libressl-devel)

D3916

Fix memory leak and buffer overflow DoS vulnerability / Update to 2.2.4

D4393

Update to 2.2.5

TODO

Thanks to the EDGE build of PC-BSD we now have a list of the remaining build fall-out with LibreSSL.

All ports that don't have a PR linked and OPEN in comments in table below require work. Your assistance would be highly appreciated!

LibreSSL/Ports (last edited 2018-03-23 08:30:28 by BernardSpil)