Many patches need cleanup for PR and/or upstreaming
Helpful resources
OpenBSD's ports required patching for LibreSSL as well (OpenBSD is currently the only OS that uses LibreSSL as its default SSL library). You can find the patches in OpenBSD CVS.
There's a Gentoo LibreSSL GitHub repository where patches for software are collected.
These resources can be a great starting point for a patch. Note that OpenBSD's patches rigorously remove EGD and compression support rather than guarding it. To get your modification accepted by a ports committer and by the upstream project you'll generally need to make your changes conditional (for example, guarded by the OPENSSL_NO_EGD feature macro or a LIBRESSL_VERSION_NUMBER check) so that builds against OpenSSL are unaffected.
LibreSSL 2.5 - 3.4
OpenSSL 1.1.0
Since OpenSSL released version 1.1.0, many projects have added OPENSSL_VERSION_NUMBER checks that select the 1.1.0 API. LibreSSL reports OPENSSL_VERSION_NUMBER as 0x20000000L while still providing the 1.0.x API, so these checks misfire. The following list documents the fixes that were required. This work is similar to the next chapter on OPENSSL_VERSION_NUMBER.
category/port | Date/Version | Ports Status | Upstream status/Comment
databases/pecl-mongodb | 2017-02-12/1.2.3 | |
dns/yadifa | 2017-02-25/2.2.3 | |
ftp/proftpd | 2017-02-12/1.3.5d | |
net-im/ricochet | 2017-02-25/1.1.4 | |
net-mgmt/zabbix32 | 2017-02-11/3.2.3 | |
security/hitch | 2017-02-12/1.4.4 | |
security/certificate-transparency | 2017-02-11/20161015_7 | |
security/krb5-115 | 2017-02-12/1.15 | |
security/libp11 | 2017-02-11/0.4.4 | |
security/openvpn | 2017-02-16/2.4.0 | |
security/tor | 2017-02-06/0.2.9.9 | |
sysutils/afflib | 2017-02-12/3.7.10 | |
www/squid-devel | 2017-02-12/4.0.17 | |
Removal of OPENSSL_VERSION_NUMBER patch
HardenedBSD is testing replacing OpenSSL with LibreSSL in base. The replacement does not patch OPENSSL_VERSION_NUMBER in openssl/opensslv.h, so this is a test of which ports fail with OPENSSL_VERSION_NUMBER = 0x20000000L (the value LibreSSL reports regardless of its release). This exposes build problems that had not surfaced earlier.
These errors will also appear if you use the security/libressl-devel port as of version 2.4.0.
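The version-number problem described above, together with the "make it conditional" advice under Helpful resources, in working code. This is an added example, not code from the wiki page or from any port's patch. The offline branch uses constructed stand-ins for what LibreSSL's headers define (OPENSSL_VERSION_NUMBER pinned at 0x20000000L, an assumed LIBRESSL_VERSION_NUMBER of 2.5.0, and OPENSSL_NO_EGD set); the HAVE_OPENSSL_HEADERS flag and all function names are names chosen for this example.

```c
/*
 * Added example; not code from the wiki page or from any port it lists.
 * Shows why a bare "OPENSSL_VERSION_NUMBER >= 0x10100000L" guard misfires
 * on LibreSSL, the conventional fix, and a feature-macro guard for EGD.
 *
 *   cc -DHAVE_OPENSSL_HEADERS guard.c   # against real <openssl/opensslv.h>
 *   cc guard.c                          # offline, with the stand-ins below
 */
#include <stdio.h>

#ifdef HAVE_OPENSSL_HEADERS
#include <openssl/opensslv.h>
#include <openssl/opensslconf.h>
#else
/* Constructed stand-ins for what LibreSSL's headers define (assumed values):
 * OPENSSL_VERSION_NUMBER is pinned at 0x20000000L for every release,
 * LIBRESSL_VERSION_NUMBER carries the real version, and OPENSSL_NO_EGD is
 * set because EGD support was removed. */
#define OPENSSL_VERSION_NUMBER  0x20000000L
#define LIBRESSL_VERSION_NUMBER 0x2050000fL
#define OPENSSL_NO_EGD
#endif

/* Naive guard added to many ports after OpenSSL 1.1.0: 0x20000000L passes
 * the >= test, so LibreSSL is sent down the 1.1.0 path and the build fails
 * on symbols it does not have. */
#if OPENSSL_VERSION_NUMBER >= 0x10100000L
#define NAIVE_USES_11_API 1
#else
#define NAIVE_USES_11_API 0
#endif

/* Fixed guard: only LibreSSL defines LIBRESSL_VERSION_NUMBER, so exclude it
 * from the 1.1.0 branch and it keeps using the 1.0.x API it implements. */
#if OPENSSL_VERSION_NUMBER >= 0x10100000L && !defined(LIBRESSL_VERSION_NUMBER)
#define FIXED_USES_11_API 1
#else
#define FIXED_USES_11_API 0
#endif

/* Feature-macro guard, the form ports need for EGD and compression: test the
 * OPENSSL_NO_* macro the library sets rather than guessing from a version. */
#ifdef OPENSSL_NO_EGD
#define HAVE_EGD 0
#else
#define HAVE_EGD 1
#endif

int naive_uses_11_api(void) { return NAIVE_USES_11_API; }
int fixed_uses_11_api(void) { return FIXED_USES_11_API; }
int library_has_egd(void)   { return HAVE_EGD; }

/* Run-time model of the two version guards so several libraries can be
 * tabulated in one build. */
enum api_branch { API_1_0 = 0, API_1_1 = 1 };

enum api_branch naive_branch(unsigned long version_number)
{
    return version_number >= 0x10100000UL ? API_1_1 : API_1_0;
}

enum api_branch fixed_branch(unsigned long version_number, int is_libressl)
{
    if (version_number >= 0x10100000UL && !is_libressl)
        return API_1_1;
    return API_1_0;
}

int main(void)
{
    /* Constructed sample inputs: MNNFFPPS-encoded version numbers. */
    const struct { const char *name; unsigned long num; int libressl; } libs[] = {
        { "OpenSSL 1.0.2k", 0x100020bfUL, 0 },
        { "OpenSSL 1.1.0e", 0x1010005fUL, 0 },
        { "LibreSSL 2.5.x", 0x20000000UL, 1 },
    };
    size_t i;

    printf("%-16s %-10s %-12s %-12s\n", "library", "number", "naive", "fixed");
    for (i = 0; i < sizeof libs / sizeof libs[0]; i++)
        printf("%-16s 0x%08lx %-12s %-12s\n", libs[i].name, libs[i].num,
               naive_branch(libs[i].num) == API_1_1 ? "1.1.0 API" : "1.0.x API",
               fixed_branch(libs[i].num, libs[i].libressl) == API_1_1
                   ? "1.1.0 API" : "1.0.x API");

    printf("\nthis build: naive=%d fixed=%d egd=%d\n",
           naive_uses_11_api(), fixed_uses_11_api(), library_has_egd());
    return 0;
}
```

Against LibreSSL 2.5 the naive guard selects the 1.1.0 API and the fixed guard the 1.0.x API; against OpenSSL 1.1.0 both select the 1.1.0 API, which is why the fix is accepted upstream without changing OpenSSL builds. LibreSSL 2.7 and later implement much of the 1.1.0 API, so newer patches narrow the exclusion to `defined(LIBRESSL_VERSION_NUMBER) && LIBRESSL_VERSION_NUMBER < 0x20700000L`.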
category/port | Problem | Ports Status | Upstream status/Comment
dns/bind910 | OPENSSL_VERSION_NUMBER | fixed upstream |
dns/powerdns | OPENSSL_VERSION_NUMBER | 212016 |
dns/powerdns-recursor | OPENSSL_VERSION_NUMBER | 212016 |
ftp/curl | OPENSSL_VERSION_NUMBER | Fixed upstream |
mail/postfix | OPENSSL_VERSION_NUMBER | 211502 |
mail/postfix | OPENSSL_VERSION_NUMBER | 212223 | In ports for 3.1.2
mail/postfix-current | OPENSSL_VERSION_NUMBER | |
mail/postfix-current | OPENSSL_VERSION_NUMBER | 212223 | In ports for 3.2.0.20160828
mail/rspamd | OPENSSL_VERSION_NUMBER | |
net/asterisk13 | OPENSSL_VERSION_NUMBER | |
net/haproxy-devel | OPENSSL_VERSION_NUMBER | |
security/openconnect | OPENSSL_VERSION_NUMBER | |
security/openvpn | OPENSSL_VERSION_NUMBER | Fixed upstream |
security/strongswan | OPENSSL_VERSION_NUMBER | |
security/stunnel | OPENSSL_VERSION_NUMBER | |
security/wpa_supplicant | OPENSSL_VERSION_NUMBER | 2.6 |
security/xca | OPENSSL_VERSION_NUMBER | |
List only; patches for the problem categories that already exist (EGD, DES, SSLv3) can be found in the regular lists.
category/port | Problem | Ports Status | Upstream status/Comment
benchmarks/postal | SSLv3 | |
databases/mongodb32-tools | SSLv3 | |
databases/mongodb32 | SSLv3 | |
devel/tcl-trf | SHA-0 | |
finance/openhbci | DES_ | |
finance/php-tclink | overlapping methods | |
mail/emailrelay | SSLv3 | |
mail/mixmaster | EGD | |
mail/libesmtp | DES | |
mail/prayer | SSLv3 EGD | |
misc/skutils | SSLv3 | |
multimedia/oscam | SSLv3 | |
net/Sockets | SSLv3 | |
net/l4ip | EGD | |
net/netatalk | DES_ | |
net/netatalk3 | DES_ | |
net/openntpd | LibreSSL Port dep | |
net/qt5-network | SSL_CTRL_SET_CURVES | |
net/ssltunnel-client | DES_ | |
net-mgmt/snmp++ | DES_ | |
net-p2p/shx | EGD | |
security/certificate-transparency | CMS | |
security/distcache | SSLv3 | |
security/openssl | Framework | |
security/openssl-devel | Framework | |
security/rcracki_mt | DES_ | |
www/tomcat-native | SSLv3 | |
Introduction of libressl-devel
category/port | Problem | Ports Status | Upstream status/Comment
net/openbsc | conflict | dep removed |
www/obhttpd | conflict | |
SSLv3 / SHA-0 removal
This has been given its own sub-page of the OpenSSL section, as the fallout is considered equal to that of building OpenSSL with --no-ssl3 --no-ssl3-method.
category/port | Problem | Ports Status | Upstream status/Comment
databases/galera | Boost-libs ssl | | see devel/boost-libs
devel/cargo | "libssl.so.8" not found | |
databases/mysql-connector-c | SSL detection | |
devel/qca-qt5 | SSLv3 SHA-0 | |
devel/tcl-trf | SHA-0 | 2016-09-11 |
games/tinymux | SHA-0 | 2016-09-11 | In ports; patch; build log; mailed upstream <brazilofmux AT gmail DOT com>
lang/pypy | COMP EGD | Fixed upstream |
lang/qore | SHA-0 | 0.8.12 |
net-im/coccinella | libtls conflict | |
net-im/tkabber | libtls conflict | |
net-mgmt/netmagis-database | libtls conflict | |
net-mgmt/netmagis-www | libtls conflict | |
net-mgmt/nsca-ng | PSK | | Patches; hard requires PSK
net-mgmt/nsca-ng-client | PSK | | slave port of net-mgmt/nsca-ng
net-p2p/bitcoin | | | Detected LibreSSL: This is NOT supported
net-p2p/digitalcoin | SSLv3 | | Won't fix, see net-p2p/bitcoin
net-p2p/dogecoin | SSLv3 | | Won't fix, see net-p2p/bitcoin
net-p2p/libtorrent-rasterbar | boost-libs | | Boost libs
net-p2p/litecoin-daemon | SSLv3 | | Won't fix, see net-p2p/bitcoin
net-p2p/litecoin-utils | SSLv3 | | Won't fix, see net-p2p/bitcoin
net-p2p/namecoin | SSLv3 | | Won't fix, see net-p2p/bitcoin
net-p2p/namecoin-daemon | SSLv3 | | Won't fix, see net-p2p/bitcoin
net-p2p/twister | boost-libs | | Boost libs
net-p2p/zetacoin | SSLv3 | | Won't fix, see net-p2p/bitcoin
net-p2p/zetacoin-nox11 | SSLv3 | | Won't fix, see net-p2p/bitcoin
net/qt5-network | SSL_CTRL_SET_CURVES | | Gentoo -> HBSD patch
net/yate | base libs | |
net/x11vnc | SHA-0 | |
science/orthanc | FIPS | Added 2017-02-25 |
security/john | SHA-0 | |
security/nessus-libnasl | SHA-0 | deleted |
security/openscep | ASN1 methods | |
security/openssl_tpm_engine | Engine | Ignore |
security/osiris | SHA-0 | | Patch mailed to project (<tsg AT shmoo DOT com>)
sysutils/osquery | boost-libs | |
security/sguil | libtls conflict | |
PC-BSD 10.1.2 ports build
Legend:
- category/port
- Problem: refers to Types of Failures
- Ports Status
  - PR123456: link to PR with a patch for the port
  - PR123456 (closed): PR closed, fix in ports tree; link to SVN changeset or Phabricator review in Comments section
- Upstream status/Comment
  - Link to upstreamed issue/bug/etc.
  - Link to SVN changeset if PR closed
  - Link to Phabricator review
  - Link to Sp1l's GitHub repo
  - OPEN -> TODO
  - Additional info
category/port | Problem | Ports Status | Upstream status/Comment
tcltls | conflict | Problematic file: /usr/local/include/tls.h |
net-mgmt/nsca-ng | PSK | |
security/krb5-111 | patch | | patch-srcpluginspreauthpkinitpkinit_crypto_openssl.c
category/port | Problem | Ports Status | Upstream status/Comment
comms/kermit | COMP+EGD | In ports; included in 304 |
databases/virtuoso | DES_ | In ports; upstreamed via website |
deskutils/growl-for-linux | DES_ | |
devel/ace | EGD | |
devel/dcmtk | EGD | |
devel/ice | EGD | |
devel/libpdel | DES_ | |
devel/qca | COMP | |
devel/subversion-static | arc4rand | | OPEN
dns/knot | GOST | |
dns/ldns | Cryptodev | |
ftp/curl | SRP | |
ftp/pavuk | DES_ | In ports; upstream dead |
ftp/wget | EGD | |
finance/openhbci | DES_ | 2016-09-11 |
graphics/openimageio | port | In ports; missing OpenSSL dependency |
irc/unreal | EGD | |
irc/charybdis | EGD | |
irc/ircd-hybrid | COMP+EGD | In ports; upstream fixed |
irc/ircd-ratbox | EGD | Mailed upstream <ircd DASH ratbox AT lists DOT ratbox DOT org> |
irc/ircd-ratbox-devel | EGD | non-devel is newer |
irc/znc | COMP | |
lang/pypy-devel | EGD | |
lang/pypy3-devel | EGD | runaway |
lang/python27 | EGD | |
lang/python32 | EGD | |
lang/python33 | EGD | |
lang/python34 | EGD | |
mail/courier | SSLv2 | |
mail/dovecot | COMP | |
mail/dovecot2 | COMP | fixed upstream |
mail/mixmaster | EGD | Broken | HBSD Patch
mail/heirloom-mailx | EGD | |
mail/libesmtp | DES | 2016-09-11 |
mail/opensmtpd-devel | SSL_CTX_use_cert_chain | fixed upstream | Mailed upstream
mail/up-imapproxy | EGD | |
misc/linm | DES_ | |
net/gq | DES_ | |
net/l4ip | EGD | |
net/miniupnpd | linking | |
net/mosquitto | PSK | |
net/mpd5 | DES_ | |
net/netatalk | DES_ | | HBSD Patch
net/netatalk3 | DES_ | 3.1.9 | HBSD Patch
net/openldap24-server | DES_ | |
net/pipsecd | DES_ | In ports; upstream dead |
net/socat | EGD+COMP | In ports; upstream accepted |
net/ssltunnel-client | DES_ | |
net-mgmt/snmp++ | DES_ | |
net-mgmt/ettercap | DES_ | |
net-mgmt/xymon-server | EGD | |
net/zabbix3-client | PSK | |
net-mgmt/send | x509 struct | |
net-p2p/shx | EGD | |
net-p2p/transmission-cli | linking | |
net-p2p/twister | include | |
russian/ircd-hybrid | EGD | |
security/chntpw | DES_ | |
security/dsniff | DES_ | |
security/heimdal | EGD | |
security/hydra | DES_ | |
security/isakmpd | DES_ | In ports; not upstreamed |
security/john | DES_ | |
security/krb5-111 | CMS | |
security/krb5-112 | CMS | |
security/nessus-libraries | SSLv2 | |
security/nessus-libnasl | SSLv2 | nvt | Fixed by nessus/nessus-libraries
security/nessus | SSLv2 | nvt | Fixed by nessus/nessus-libraries
security/opencryptoki | DES_ | |
security/openssl_tpm_engine | include | Ignore |
security/ophcrack | DES_ | In ports; no upstream |
security/p5-Business-PayPal-EWP | OpenSSL string | In ports; GitHub notified; upstream issue |
security/p5-Crypt-SMIME | port | |
security/p5-openxpki | OpenSSL string | |
security/py-cryptography | EGD, COMP, ALPN | |
security/pidentd | DES_ | In ports; mailed upstream |
security/pond | ChaCha20 | Broken | OPEN
security/proxytunnel | MD5_ | |
security/rcracki_mt | DES | |
security/sectok | DES_ | In ports; mailed upstream |
security/softhsm2 | GOST | |
security/sslscan | SSLv2 | |
security/sslwrap | SSLv2 | |
security/stunnel | EGD | In ports; upstream fixed |
security/rcracki_mt | DES_ | | HBSD Patch
security/tlswrap | EGD | |
security/tor-devel | COMP | fixed upstream | Fixed version in ports
sysutils/bacula5-client-static | arc4rand | | OPEN
sysutils/bacula-client-static | arc4rand | | OPEN
sysutils/condor | DES_ | In ports; mailed upstream |
sysutils/ipmitools | linking | |
sysutils/webjob | arc4rand | |
www/apache22 | EGD, SSL_CTX | |
www/apache24 | EGD, SSL_CTX | |
www/elinks | EGD | |
www/links | EGD | |
www/links1 | EGD | |
www/links-hacked | EGD | |
www/mod_spdy | SSL_CTX_use_cert_chain | wontfix | use mod_http2-devel
www/tomcat-native | SSL_CTX_use_cert_chain | |
www/w3m | EGD | |
www/webstone-ssl | SSLv2 | |
Other fixes/PRs
- Fix EC ciphers support in LibreSSL 2.1.0 (fixed by LibreSSL 2.1.1)
- Fix SHLIBVER detection in Mk/bsd.openssl.mk
- Update LibreSSL to 2.1.3
- Update LibreSSL to 2.1.4
- Bump SHLIBVER in Mk/bsd.openssl.mk
- Backport of CVE-2015-0209 & CVE-2015-0288 low rated vulns
- LibreSSL to 2.1.6 fixing vulns
- Backport OPENSSL_NO_EGD to LibreSSL 2.1.6
- Update LibreSSL to 2.2.0
- Update LibreSSL to 2.2.1
- Update LibreSSL to 2.2.2
- Update to 2.2.3
- Fix devel/tcltls conflict on include/libtls.h
- Add next-stable LibreSSL 2.3.1 port (security/libressl-devel)
- Fix memory leak and buffer overflow DoS vulnerability / Update to 2.2.4
- Update to 2.2.5
TODO
Thanks to the EDGE build of PC-BSD we now have a list of the remaining build fallout with LibreSSL.
All ports in the tables on this page that have no PR linked, or are marked OPEN in the comments, still require work. Your assistance would be highly appreciated!