OpenSSL 1.1.x / 12.x

During BSDCan 2018 the intention to update OpenSSL in base to the 1.1.x branch was documented.

The intention is to update 12-STABLE to the current 1.1.0 and subsequently update it to 1.1.1 when that is released. The intent to update OpenSSL to 1.1 in 12 has now officially been documented in Bug #228912.

Team (Provisional):

Who

FreeBSD account

Gordon Tetlow

gordon@

Jung-uk Kim

jkim@

Bernard Spil

brnrd@

OpenSSL options

Default options of the port and features enabled in base (LibreSSL as a reference)

Feature

1.0.2 / 11

1.1.x / 12

Base

Ports

Base

Ports

1.1.0h

LibreSSL

Comment

NPN

X

X

X

X

SCTP

X

X

O

-

SSLv2

X

O

O

-

SSLv3

X

O

O

-

TLSv1

X

X

X

X

TLSv1.1

X

X

X

X

TLSv1.2

X

X

X

X

TLSv1.3

-

-

X

-

-

CAMELLIA

X

X

CAST5

-

ChaCha20

X

X

X

DES

X

X

X

X

X

X

Required for TLSv1 compat?

GOST

-

X

IDEA

O

X

-

J-Pake

O

-

-

RC2

X

X

X

-

RC4

X

X

X

X

Required for TLSv1 compat?

RC5

O

O

O

O

-

MD2

O

X

O

O

-

MD4

X

X

MD5

X

X

X

X

MDC2

O

O

X

-

RMD160

X

X

SEED

X

-

X

ASM

X

X

X

SSE2

X

Threads

X

EGD

O

O

-

EC

X

X

X

zlib

O

O

-

X

enabled

O

disabled

-

feature not available

not yet determined

Relevant PRs and Reviews

PR

Summary

PR228865

security/openssl-devel: Multiple ports fail with OpenSSL 1.1

PR228912

OpenSSL 1.1 in the base system

PR228911

FreeBSD 12.0 Release action items

Issues in base with OpenSSL 1.1.1

libfetch

===> lib/libfetch (all)
cc -target x86_64-unknown-freebsd12.0 --sysroot=/usr/obj/usr/src/amd64.amd64/tmp -B/usr/obj/usr/src/amd64.amd64/tmp/usr/bin -fpic -DPIC  -O2 -pipe   -I. -DINET6 -DWITH_SSL -DFTP_COMBINE_CWDS -g -MD  -MF.depend.common.pico -MTcommon.pico -std=iso9899:1999 -fstack-protector-strong -Wsystem-headers -Werror -Wall -Wno-format-y2k -W -Wno-unused-parameter -Wstrict-prototypes -Wmissing-prototypes -Wpointer-arith -Wreturn-type -Wcast-qual -Wwrite-strings -Wswitch -Wshadow -Wunused-parameter -Wcast-align -Wchar-subscripts -Winline -Wnested-externs -Wredundant-decls -Wold-style-definition -Wno-pointer-sign -Wmissing-variable-declarations -Wthread-safety -Wno-empty-body -Wno-string-plus-int -Wno-unused-const-variable  -Qunused-arguments  -c /usr/src/lib/libfetch/common.c -o common.pico
/usr/src/lib/libfetch/common.c:677:22: error: 'ASN1_STRING_data' is deprecated [-Werror,-Wdeprecated-declarations]
                ns = (const char *)ASN1_STRING_data(name->d.ia5);
                                   ^
/usr/obj/usr/src/amd64.amd64/tmp/usr/include/openssl/asn1.h:554:1: note: 'ASN1_STRING_data' has been explicitly marked deprecated here
DEPRECATEDIN_1_1_0(unsigned char *ASN1_STRING_data(ASN1_STRING *x))
^
/usr/obj/usr/src/amd64.amd64/tmp/usr/include/openssl/opensslconf.h:121:34: note: expanded from macro 'DEPRECATEDIN_1_1_0'
# define DEPRECATEDIN_1_1_0(f)   DECLARE_DEPRECATED(f)
                                 ^
/usr/obj/usr/src/amd64.amd64/tmp/usr/include/openssl/opensslconf.h:90:53: note: expanded from macro 'DECLARE_DEPRECATED'
# define DECLARE_DEPRECATED(f)    f __attribute__ ((deprecated));
                                                    ^
1 error generated.

Patch based on information from the OpenSSL wiki:

Index: lib/libfetch/common.c
===================================================================
--- lib/libfetch/common.c       (revision 335478)
+++ lib/libfetch/common.c       (working copy)
@@ -648,6 +648,7 @@
        return (ret);
 }

+#if OPENSSL_VERSION_NUMBER < 0x10100000L
 /*
  * Verify server certificate by subjectAltName.
  */
@@ -755,6 +756,7 @@
                GENERAL_NAMES_free(altnames);
        return (ret);
 }
+#endif /* OPENSSL_VERSION_NUMBER < 0x10100000L */

 /*
  * Configure transport security layer based on environment.
@@ -965,7 +967,12 @@
        if (getenv("SSL_NO_VERIFY_HOSTNAME") == NULL) {
                if (verbose)
                        fetch_info("Verify hostname");
+#if OPENSSL_VERSION_NUMBER < 0x10100000L
                if (!fetch_ssl_verify_hname(conn->ssl_cert, URL->host)) {
+#else
+               SSL_set_hostflags(ssl, X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS);
+               if (!SSL_set1_host(ssl, URL->host)) {
+#endif
                        fprintf(stderr,
                            "SSL certificate subject doesn't match host %s\n",
                            URL->host);
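Review bot: `SSL_set1_host()` only records the expected hostname for the X509 check that runs during the handshake; it performs no comparison itself, so if this branch is reached after `SSL_connect()` — which the surrounding use of `conn->ssl_cert` suggests — the call is too late to take effect and a certificate for the wrong host would pass. The hostname and `SSL_set_hostflags()` need to be applied to the `SSL` object before the handshake, with `SSL_VERIFY_PEER` enabled, and the result read afterwards via `SSL_get_verify_result()`. A zero return from `SSL_set1_host()` signals that the call itself failed, not a subject mismatch, so the error message on the following lines is misleading for that branch; the post-handshake check could instead be `if (SSL_get_verify_result(ssl) != X509_V_OK) {`. The enclosing function starts before this hunk, and whether `ssl` names the same object as `conn->ssl_cert`'s connection cannot be seen here.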

OpenSSH

When building the port with OpenSSL 1.1.1, it fails in the configure stage:

checking OpenSSL header version... 10101007 (OpenSSL 1.1.1-pre7 (beta) 29 May 2018)
checking OpenSSL library version... configure: error: OpenSSL >= 1.1.0 is not yet supported (have "10101007 (OpenSSL 1.1.1-pre7 (beta) 29 May 2018)")
===>  Script "configure" failed unexpectedly.

There is work in progress on supporting OpenSSL 1.1.0, with a patch in OpenSSH's GitHub repository.

libradius

===> lib/libradius (obj,all,install)
cc -target x86_64-unknown-freebsd12.0 --sysroot=/usr/obj/usr/src/amd64.amd64/tmp -B/usr/obj/usr/src/amd64.amd64/tmp/usr/bin -fpic -DPIC  -O
2 -pipe   -Wall -DWITH_SSL -g -MD  -MF.depend.radlib.pico -MTradlib.pico -std=gnu99 -fstack-protector-strong -Wsystem-headers -Werror -Wall
 -Wno-format-y2k -W -Wno-unused-parameter -Wstrict-prototypes -Wmissing-prototypes -Wpointer-arith -Wno-uninitialized -Wno-pointer-sign -Wn
o-empty-body -Wno-string-plus-int -Wno-unused-const-variable -Wno-tautological-compare -Wno-unused-value -Wno-parentheses-equality -Wno-unu
sed-function -Wno-enum-conversion -Wno-unused-local-typedef -Wno-address-of-packed-member  -Qunused-arguments  -c /usr/src/lib/libradius/ra
dlib.c -o radlib.pico
/usr/src/lib/libradius/radlib.c:159:11: error: variable has incomplete type 'HMAC_CTX' (aka 'struct hmac_ctx_st')
        HMAC_CTX ctx;
                 ^
/usr/obj/usr/src/amd64.amd64/tmp/usr/include/openssl/ossl_typ.h:102:16: note: forward declaration of 'struct hmac_ctx_st'
typedef struct hmac_ctx_st HMAC_CTX;
               ^
...

heimdal

===> kerberos5/lib/libhx509 (obj,all,install)
cc -target x86_64-unknown-freebsd12.0 --sysroot=/usr/obj/usr/src/amd64.amd64/tmp -B/usr/obj/usr/src/amd64.amd64/tmp/usr/bin -fpic -DPIC  -O
2 -pipe -I/usr/src/crypto/heimdal/lib/hx509 -I/usr/src/crypto/heimdal/lib/hx509/ref -I/usr/src/crypto/heimdal/lib/asn1 -I/usr/src/crypto/he
imdal/lib/wind -I/usr/src/crypto/heimdal/lib/roken -I.   -DHAVE_CONFIG_H -I/usr/src/kerberos5/include -g -MD  -MF.depend.crypto.pico -MTcry
pto.pico -std=gnu99 -fstack-protector-strong    -Qunused-arguments  -c /usr/src/crypto/heimdal/lib/hx509/crypto.c -o crypto.pico
/usr/src/crypto/heimdal/lib/hx509/crypto.c:229:5: error: incomplete definition of type 'struct bignum_st'
    BN_set_negative(bn, i->negative);
    ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
/usr/src/kerberos5/include/crypto-headers.h:22:40: note: expanded from macro 'BN_set_negative'
#define BN_set_negative(bn, flag) ((bn)->neg=(flag)?1:0)
                                   ~~~~^
/usr/obj/usr/src/amd64.amd64/tmp/usr/include/openssl/ossl_typ.h:80:16: note: forward declaration of 'struct bignum_st'
typedef struct bignum_st BIGNUM;
               ^
...

The heimdal 7.5 port builds with OpenSSL 1.1.1; base currently has 1.5.2.

ldns

After refreshing config.h for OpenSSL 1.1.1, the build fails with:

===> lib/libldns (obj,all,install)
cc -target x86_64-unknown-freebsd12.0 --sysroot=/usr/obj/usr/src/amd64.amd64/tmp -B/usr/obj/usr/src/amd64.amd64/tmp/usr/bin -fpic -DPIC  -O
2 -pipe -I/usr/src/contrib/ldns   -g -MD  -MF.depend.dnssec.pico -MTdnssec.pico -std=gnu99 -fstack-protector-strong -Wsystem-headers -Werro
r -Wall -Wno-format-y2k -W -Wno-unused-parameter -Wstrict-prototypes -Wmissing-prototypes -Wpointer-arith -Wno-uninitialized -Wno-pointer-s
ign -Wno-empty-body -Wno-string-plus-int -Wno-unused-const-variable -Wno-tautological-compare -Wno-unused-value -Wno-parentheses-equality -
Wno-unused-function -Wno-enum-conversion -Wno-unused-local-typedef -Wno-address-of-packed-member  -Qunused-arguments  -c /usr/src/contrib/l
dns/dnssec.c -o dnssec.pico
/usr/src/contrib/ldns/dnssec.c:1761:12: error: incomplete definition of type 'struct DSA_SIG_st'
        R = dsasig->r;
            ~~~~~~^
/usr/obj/usr/src/amd64.amd64/tmp/usr/include/openssl/dsa.h:65:16: note: forward declaration of 'struct DSA_SIG_st'
typedef struct DSA_SIG_st DSA_SIG;
               ^
...

The ldns port builds OK with OpenSSL 1.1.1.

libssh

===> secure/lib/libssh (obj,all,install)
rm -f .depend
echo libprivatessh.so.5.full: /usr/obj/usr/src/amd64.amd64/tmp/usr/lib/libcrypto.a /usr/obj/usr/src/amd64.amd64/tmp/usr/lib/libcrypt.a /us$
/obj/usr/src/amd64.amd64/tmp/usr/lib/libz.a >> .depend
cc -target x86_64-unknown-freebsd12.0 --sysroot=/usr/obj/usr/src/amd64.amd64/tmp -B/usr/obj/usr/src/amd64.amd64/tmp/usr/bin -fpic -DPIC  -$
2 -pipe   -I/usr/src/crypto/openssh -include ssh_namespace.h -g -MD  -MF.depend.sshkey.pico -MTsshkey.pico -std=gnu99 -fstack-protector-st$
ong -Wno-pointer-sign -Wno-empty-body -Wno-string-plus-int -Wno-unused-const-variable -Wno-tautological-compare -Wno-unused-value -Wno-par$
ntheses-equality -Wno-unused-function -Wno-enum-conversion -Wno-unused-local-typedef -Wno-address-of-packed-member -Wno-switch -Wno-switch$
enum -Wno-knr-promoted-parameter -Wno-parentheses  -Qunused-arguments  -c /usr/src/crypto/openssh/sshkey.c -o sshkey.pico
/usr/src/crypto/openssh/sshkey.c:74:2: warning: OPENSSL_VERSION_NUMBER ${OPENSSL_VERSION_NUMBER} [-W#warnings]
#warning OPENSSL_VERSION_NUMBER ${OPENSSL_VERSION_NUMBER}
 ^
/usr/src/crypto/openssh/sshkey.c:279:28: error: incomplete definition of type 'struct rsa_st'
                return BN_num_bits(k->rsa->n);
                                   ~~~~~~^
/usr/obj/usr/src/amd64.amd64/tmp/usr/include/openssl/ossl_typ.h:110:16: note: forward declaration of 'struct rsa_st'
typedef struct rsa_st RSA;
               ^

Currently the port fails to build with OpenSSL 1.1.1 as well.

libbsnmp

cc -target x86_64-unknown-freebsd12.0 --sysroot=/usr/obj/usr/src/amd64.amd64/tmp -B/usr/obj/usr/src/amd64.amd64/tmp/usr/bin -fpic -DPIC  -O2 -pipe   -I/usr/src/contrib/bsnmp/lib -DHAVE_ERR_H -DHAVE_GETADDRINFO -DHAVE_STRLCPY -DHAVE_STDINT_H -DHAVE_INTTYPES_H -DQUADFMT='"llu"' -
DQUADXFMT='"llx"' -DHAVE_LIBCRYPTO -g -MD  -MF.depend.snmpcrypto.pico -MTsnmpcrypto.pico -std=gnu99 -fstack-protector-strong -Wsystem-heade
rs -Werror -Wall -Wno-format-y2k -W -Wno-unused-parameter -Wstrict-prototypes -Wmissing-prototypes -Wpointer-arith -Wreturn-type -Wcast-qua
l -Wwrite-strings -Wswitch -Wshadow -Wunused-parameter -Wcast-align -Wchar-subscripts -Winline -Wnested-externs -Wredundant-decls -Wold-style-definition -Wno-pointer-sign -Wmissing-variable-declarations -Wthread-safety -Wno-empty-body -Wno-string-plus-int -Wno-unused-const-vari
able  -Qunused-arguments  -c /usr/src/contrib/bsnmp/lib/snmpcrypto.c -o snmpcrypto.pico
/usr/src/contrib/bsnmp/lib/snmpcrypto.c:97:13: error: variable has incomplete type 'EVP_MD_CTX' (aka 'struct evp_md_ctx_st')
        EVP_MD_CTX ctx;
                   ^
/usr/obj/usr/src/amd64.amd64/tmp/usr/include/openssl/ossl_typ.h:92:16: note: forward declaration of 'struct evp_md_ctx_st'
typedef struct evp_md_ctx_st EVP_MD_CTX;
               ^
/usr/src/contrib/bsnmp/lib/snmpcrypto.c:127:3: error: implicit declaration of function 'EVP_MD_CTX_cleanup' is invalid in C99 [-Werror,-Wim
plicit-function-declaration]
                EVP_MD_CTX_cleanup(&ctx);
                ^
/usr/src/contrib/bsnmp/lib/snmpcrypto.c:127:3: error: this function declaration is not a prototype [-Werror,-Wstrict-prototypes]
...

libtelnet

I believe I already have an open PR for this one.

--- all_subdir_lib/libtelnet ---
--- enc_des.o ---
/usr/src/contrib/telnet/libtelnet/enc_des.c:69:2: error: unknown type name 'des_key_schedule'; did you mean 'DES_key_schedule'?
        Schedule krbdes_sched;
        ^~~~~~~~
        DES_key_schedule

Using the patch from the PR, libtelnet builds OK.

libexec/dma

cc -target x86_64-unknown-freebsd12.0 --sysroot=/usr/obj/usr/src/amd64.amd64/tmp -B/usr/obj/usr/src/amd64.amd64/tmp/usr/bin  -O2 -pipe   -I
/usr/src/contrib/dma  -DHAVE_REALLOCF -DHAVE_STRLCPY -DHAVE_GETPROGNAME  -DCONF_PATH='"/etc/dma"'  -DLIBEXEC_PATH='"/usr/libexec"' -DDMA_VE
RSION='"v0.11+"'  -DDMA_ROOT_USER='"mailnull"'  -DDMA_GROUP='"mail"' -g -MD  -MF.depend.crypto.o -MTcrypto.o -std=gnu99 -fstack-protector-s
trong -Wsystem-headers -Werror -Wall -Wno-format-y2k -W -Wno-unused-parameter -Wstrict-prototypes -Wmissing-prototypes -Wpointer-arith -Wre
turn-type -Wcast-qual -Wwrite-strings -Wswitch -Wshadow -Wunused-parameter -Wcast-align -Wchar-subscripts -Winline -Wnested-externs -Wredun
dant-decls -Wold-style-definition -Wno-pointer-sign -Wformat=2 -Wno-format-extra-args -Werror -Wmissing-variable-declarations -Wthread-safe
ty -Wno-empty-body -Wno-string-plus-int -Wno-unused-const-variable  -Qunused-arguments  -c /usr/src/contrib/dma/crypto.c -o crypto.o
/usr/src/contrib/dma/crypto.c:96:9: error: 'TLSv1_client_method' is deprecated [-Werror,-Wdeprecated-declarations]
        meth = TLSv1_client_method();
               ^
/usr/obj/usr/src/amd64.amd64/tmp/usr/include/openssl/ssl.h:1844:1: note: 'TLSv1_client_method' has been explicitly marked deprecated here
DEPRECATEDIN_1_1_0(__owur const SSL_METHOD *TLSv1_client_method(void))
^
/usr/obj/usr/src/amd64.amd64/tmp/usr/include/openssl/opensslconf.h:121:34: note: expanded from macro 'DEPRECATEDIN_1_1_0'
# define DEPRECATEDIN_1_1_0(f)   DECLARE_DEPRECATED(f)
                                 ^
/usr/obj/usr/src/amd64.amd64/tmp/usr/include/openssl/opensslconf.h:90:53: note: expanded from macro 'DECLARE_DEPRECATED'
# define DECLARE_DEPRECATED(f)    f __attribute__ ((deprecated));
                                                    ^
...

Process

See Update 1.1.0 sub-page
See Update 1.1.1 sub-page

Private Libraries

There have been ideas to make OpenSSL's libraries private in FreeBSD base. During the BSDCan 2018 DevSummit the consensus was that we should not make these libraries private. The current state is that this is an abandoned project. For historical purposes, the content of this chapter has been preserved in a sub-page.
