On Sat, Oct 14, 2023 at 09:56:04AM +0200, Omar Polo wrote: > and while here what about switching to using openssl 3.1? it's where > we had issues (see the privsep crypto thingy in smtpd-portable.)
The reason we have it is for rpki-client portable testing. I think it is fine to switch to 3.1 (3.1 will be better than the others also because of BTI/IBT), but please give claudio a chance to comment. causal.agency is currently dead, so I can't check the source and I'd like to see what they did.
> does the switch to openssl 3.1 requires a shlib bump?
I think a major bump is needed/appropriate. My understanding is that programs using it will need to link against eopenssl31's libcrypto and libssl as well, and that's not going to be backward compat at all even if only libtls symbols are used.
>
> Index: Makefile
> ===================================================================
> RCS file: /home/cvs/ports/security/openssl/libretls/Makefile,v
> retrieving revision 1.10
> diff -u -p -r1.10 Makefile
> --- Makefile 27 Sep 2023 16:34:34 -0000 1.10
> +++ Makefile 12 Oct 2023 07:30:11 -0000
> @@ -1,6 +1,6 @@
> COMMENT = libtls library used with OpenSSL 1.1 for testing
>
> -V = 3.7.0
> +V = 3.8.1
> DISTNAME = libretls-$V
> PKGNAME = libretls-$V
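Review bot: `COMMENT = libtls library used with OpenSSL 1.1 for testing` is carried as unchanged context in this hunk while the same diff moves LIB_DEPENDS to security/openssl/3.1, so the package will describe itself against the wrong OpenSSL branch after the switch. Change it in this hunk to `COMMENT = libtls library used with OpenSSL 3.1 for testing`. The port is explicitly a test vehicle for portable daemons against a specific OpenSSL ABI, so an accurate COMMENT is the only cheap hint a user gets about which libcrypto/libssl their test binaries will actually link.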
>
> @@ -13,27 +13,27 @@ HOMEPAGE = https://git.causal.agency/lib
> # ISC
> PERMIT_PACKAGE = Yes
>
> -WANTLIB = c lib/eopenssl11/crypto lib/eopenssl11/ssl
> +WANTLIB = lib/eopenssl31/crypto lib/eopenssl31/ssl
>
> SITES = https://causal.agency/libretls/
>
> # OpenSSL used because this port is specifically intended for testing
> # portable versions of OpenBSD daemons against OpenSSL+libretls
> -LIB_DEPENDS = security/openssl/1.1
> +LIB_DEPENDS = security/openssl/3.1
>
> USE_LIBTOOL = gnu
> CONFIGURE_STYLE = gnu old
> -CONFIGURE_ARGS = --libdir=${LOCALBASE}/lib/eopenssl11 \
> - --includedir=${LOCALBASE}/include/eopenssl11 \
> - --mandir=${LOCALBASE}/lib/eopenssl11/man
> -CONFIGURE_ENV = CFLAGS="${CFLAGS}
> -I${LOCALBASE}/include/eopenssl11" \
> - LDFLAGS="-L${LOCALBASE}/lib/eopenssl11
> -Wl,-rpath,${LOCALBASE}/lib/eopenssl11"
> +CONFIGURE_ARGS = --libdir=${LOCALBASE}/lib/eopenssl31 \
> + --includedir=${LOCALBASE}/include/eopenssl31 \
> + --mandir=${LOCALBASE}/lib/eopenssl31/man
> +CONFIGURE_ENV = CFLAGS="${CFLAGS}
> -I${LOCALBASE}/include/eopenssl31" \
> + LDFLAGS="-L${LOCALBASE}/lib/eopenssl31
> -Wl,-rpath,${LOCALBASE}/lib/eopenssl31"
> SEPARATE_BUILD = Yes
>
> # move pkgconfig files here, the build infrastructure is not layed out for
> that
> post-install:
> - mv ${PREFIX}/lib/eopenssl11/pkgconfig/libtls.pc \
> + mv ${PREFIX}/lib/eopenssl31/pkgconfig/libtls.pc \
> ${PREFIX}/lib/pkgconfig/libetls.pc
> - rmdir ${PREFIX}/lib/eopenssl11/pkgconfig
> + rmdir ${PREFIX}/lib/eopenssl31/pkgconfig
>
> .include <bsd.port.mk>
> Index: distinfo
> ===================================================================
> RCS file: /home/cvs/ports/security/openssl/libretls/distinfo,v
> retrieving revision 1.6
> diff -u -p -r1.6 distinfo
> --- distinfo 24 Dec 2022 11:34:59 -0000 1.6
> +++ distinfo 12 Oct 2023 07:04:19 -0000
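Review bot: The new `WANTLIB = lib/eopenssl31/crypto lib/eopenssl31/ssl` silently drops the `c` that the old line listed, and nothing in the hunk says why; unless `make port-lib-depends-check` on the rebuilt package confirms libtls.so no longer records libc, it should stay as `WANTLIB = c lib/eopenssl31/crypto lib/eopenssl31/ssl`. The `-Wl,-rpath,${LOCALBASE}/lib/eopenssl31` in CONFIGURE_ENV is presumably what keeps the installed libtls.so resolving libcrypto/libssl from the eopenssl31 tree rather than from base, so after the switch it is worth confirming with `ldd` on the installed library that both come from lib/eopenssl31 — a quiet fallback to base LibreSSL would defeat the port's stated purpose of testing against OpenSSL, and the `-I${LOCALBASE}/include/eopenssl31` / `-L` pair must likewise point at the same tree or headers and library ABI can disagree. The `-I…`/`-Wl…` lines are mail-client wraps of the CFLAGS/LDFLAGS assignments, not separate removed lines, so the hunk should be read with that in mind.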
> @@ -1,2 +1,2 @@
> -SHA256 (libretls-3.7.0.tar.gz) = mqXTqRM5MsNiB1JZsLF7sMiXQfobJTUTbfLe16DBM5I=
> -SIZE (libretls-3.7.0.tar.gz) = 427980
> +SHA256 (libretls-3.8.1.tar.gz) = O8n8DmGCfuL2COXkSZOo/abWELgKHgGpx1YQzCkpl7U=
> +SIZE (libretls-3.8.1.tar.gz) = 432142
> Index: pkg/PLIST
> ===================================================================
> RCS file: /home/cvs/ports/security/openssl/libretls/pkg/PLIST,v
> retrieving revision 1.2
> diff -u -p -r1.2 PLIST
> --- pkg/PLIST 11 Mar 2022 19:53:37 -0000 1.2
> +++ pkg/PLIST 12 Oct 2023 07:05:50 -0000
> @@ -1,93 +1,93 @@ > -include/eopenssl11/tls.h > -@static-lib lib/eopenssl11/libtls.a > -lib/eopenssl11/libtls.la > -@lib lib/eopenssl11/libtls.so.${LIBtls_VERSION} > -@man lib/eopenssl11/man/man3/tls_accept_cbs.3 > -@man lib/eopenssl11/man/man3/tls_accept_fds.3 > -@man lib/eopenssl11/man/man3/tls_accept_socket.3 > -@man lib/eopenssl11/man/man3/tls_client.3 > -@man lib/eopenssl11/man/man3/tls_close.3 > -@man lib/eopenssl11/man/man3/tls_config_add_keypair_file.3 > -@man lib/eopenssl11/man/man3/tls_config_add_keypair_mem.3 > -@man lib/eopenssl11/man/man3/tls_config_add_keypair_ocsp_file.3 > -@man lib/eopenssl11/man/man3/tls_config_add_keypair_ocsp_mem.3 > -@man lib/eopenssl11/man/man3/tls_config_add_ticket_key.3 > -@man lib/eopenssl11/man/man3/tls_config_clear_keys.3 > -@man lib/eopenssl11/man/man3/tls_config_error.3 > -@man lib/eopenssl11/man/man3/tls_config_free.3 > -@man lib/eopenssl11/man/man3/tls_config_insecure_noverifycert.3 > -@man lib/eopenssl11/man/man3/tls_config_insecure_noverifyname.3 > -@man lib/eopenssl11/man/man3/tls_config_insecure_noverifytime.3 > -@man lib/eopenssl11/man/man3/tls_config_new.3 > -@man lib/eopenssl11/man/man3/tls_config_ocsp_require_stapling.3 > -@man lib/eopenssl11/man/man3/tls_config_parse_protocols.3 > -@man lib/eopenssl11/man/man3/tls_config_prefer_ciphers_client.3 > -@man lib/eopenssl11/man/man3/tls_config_prefer_ciphers_server.3 > -@man lib/eopenssl11/man/man3/tls_config_set_alpn.3 > -@man lib/eopenssl11/man/man3/tls_config_set_ca_file.3 > -@man lib/eopenssl11/man/man3/tls_config_set_ca_mem.3 > -@man lib/eopenssl11/man/man3/tls_config_set_ca_path.3 > -@man lib/eopenssl11/man/man3/tls_config_set_cert_file.3 > -@man lib/eopenssl11/man/man3/tls_config_set_cert_mem.3 > -@man lib/eopenssl11/man/man3/tls_config_set_ciphers.3 > -@man lib/eopenssl11/man/man3/tls_config_set_crl_file.3 > -@man lib/eopenssl11/man/man3/tls_config_set_crl_mem.3 > -@man lib/eopenssl11/man/man3/tls_config_set_dheparams.3 > -@man 
lib/eopenssl11/man/man3/tls_config_set_ecdhecurves.3 > -@man lib/eopenssl11/man/man3/tls_config_set_key_file.3 > -@man lib/eopenssl11/man/man3/tls_config_set_key_mem.3 > -@man lib/eopenssl11/man/man3/tls_config_set_keypair_file.3 > -@man lib/eopenssl11/man/man3/tls_config_set_keypair_mem.3 > -@man lib/eopenssl11/man/man3/tls_config_set_keypair_ocsp_file.3 > -@man lib/eopenssl11/man/man3/tls_config_set_keypair_ocsp_mem.3 > -@man lib/eopenssl11/man/man3/tls_config_set_ocsp_staple_file.3 > -@man lib/eopenssl11/man/man3/tls_config_set_ocsp_staple_mem.3 > -@man lib/eopenssl11/man/man3/tls_config_set_protocols.3 > -@man lib/eopenssl11/man/man3/tls_config_set_session_fd.3 > -@man lib/eopenssl11/man/man3/tls_config_set_session_id.3 > -@man lib/eopenssl11/man/man3/tls_config_set_session_lifetime.3 > -@man lib/eopenssl11/man/man3/tls_config_set_verify_depth.3 > -@man lib/eopenssl11/man/man3/tls_config_verify.3 > -@man lib/eopenssl11/man/man3/tls_config_verify_client.3 > -@man lib/eopenssl11/man/man3/tls_config_verify_client_optional.3 > -@man lib/eopenssl11/man/man3/tls_configure.3 > -@man lib/eopenssl11/man/man3/tls_conn_alpn_selected.3 > -@man lib/eopenssl11/man/man3/tls_conn_cipher.3 > -@man lib/eopenssl11/man/man3/tls_conn_cipher_strength.3 > -@man lib/eopenssl11/man/man3/tls_conn_servername.3 > -@man lib/eopenssl11/man/man3/tls_conn_session_resumed.3 > -@man lib/eopenssl11/man/man3/tls_conn_version.3 > -@man lib/eopenssl11/man/man3/tls_connect.3 > -@man lib/eopenssl11/man/man3/tls_connect_cbs.3 > -@man lib/eopenssl11/man/man3/tls_connect_fds.3 > -@man lib/eopenssl11/man/man3/tls_connect_servername.3 > -@man lib/eopenssl11/man/man3/tls_connect_socket.3 > -@man lib/eopenssl11/man/man3/tls_default_ca_cert_file.3 > -@man lib/eopenssl11/man/man3/tls_error.3 > -@man lib/eopenssl11/man/man3/tls_free.3 > -@man lib/eopenssl11/man/man3/tls_handshake.3 > -@man lib/eopenssl11/man/man3/tls_init.3 > -@man lib/eopenssl11/man/man3/tls_load_file.3 > -@man 
lib/eopenssl11/man/man3/tls_ocsp_process_response.3 > -@man lib/eopenssl11/man/man3/tls_peer_cert_chain_pem.3 > -@man lib/eopenssl11/man/man3/tls_peer_cert_contains_name.3 > -@man lib/eopenssl11/man/man3/tls_peer_cert_hash.3 > -@man lib/eopenssl11/man/man3/tls_peer_cert_issuer.3 > -@man lib/eopenssl11/man/man3/tls_peer_cert_notafter.3 > -@man lib/eopenssl11/man/man3/tls_peer_cert_notbefore.3 > -@man lib/eopenssl11/man/man3/tls_peer_cert_provided.3 > -@man lib/eopenssl11/man/man3/tls_peer_cert_subject.3 > -@man lib/eopenssl11/man/man3/tls_peer_ocsp_cert_status.3 > -@man lib/eopenssl11/man/man3/tls_peer_ocsp_crl_reason.3 > -@man lib/eopenssl11/man/man3/tls_peer_ocsp_next_update.3 > -@man lib/eopenssl11/man/man3/tls_peer_ocsp_response_status.3 > -@man lib/eopenssl11/man/man3/tls_peer_ocsp_result.3 > -@man lib/eopenssl11/man/man3/tls_peer_ocsp_revocation_time.3 > -@man lib/eopenssl11/man/man3/tls_peer_ocsp_this_update.3 > -@man lib/eopenssl11/man/man3/tls_peer_ocsp_url.3 > -@man lib/eopenssl11/man/man3/tls_read.3 > -@man lib/eopenssl11/man/man3/tls_reset.3 > -@man lib/eopenssl11/man/man3/tls_server.3 > -@man lib/eopenssl11/man/man3/tls_unload_file.3 > -@man lib/eopenssl11/man/man3/tls_write.3 > +include/eopenssl31/tls.h > +@static-lib lib/eopenssl31/libtls.a > +lib/eopenssl31/libtls.la > +@lib lib/eopenssl31/libtls.so.${LIBtls_VERSION} > +@man lib/eopenssl31/man/man3/tls_accept_cbs.3 > +@man lib/eopenssl31/man/man3/tls_accept_fds.3 > +@man lib/eopenssl31/man/man3/tls_accept_socket.3 > +@man lib/eopenssl31/man/man3/tls_client.3 > +@man lib/eopenssl31/man/man3/tls_close.3 > +@man lib/eopenssl31/man/man3/tls_config_add_keypair_file.3 > +@man lib/eopenssl31/man/man3/tls_config_add_keypair_mem.3 > +@man lib/eopenssl31/man/man3/tls_config_add_keypair_ocsp_file.3 > +@man lib/eopenssl31/man/man3/tls_config_add_keypair_ocsp_mem.3 > +@man lib/eopenssl31/man/man3/tls_config_add_ticket_key.3 > +@man lib/eopenssl31/man/man3/tls_config_clear_keys.3 > +@man 
lib/eopenssl31/man/man3/tls_config_error.3 > +@man lib/eopenssl31/man/man3/tls_config_free.3 > +@man lib/eopenssl31/man/man3/tls_config_insecure_noverifycert.3 > +@man lib/eopenssl31/man/man3/tls_config_insecure_noverifyname.3 > +@man lib/eopenssl31/man/man3/tls_config_insecure_noverifytime.3 > +@man lib/eopenssl31/man/man3/tls_config_new.3 > +@man lib/eopenssl31/man/man3/tls_config_ocsp_require_stapling.3 > +@man lib/eopenssl31/man/man3/tls_config_parse_protocols.3 > +@man lib/eopenssl31/man/man3/tls_config_prefer_ciphers_client.3 > +@man lib/eopenssl31/man/man3/tls_config_prefer_ciphers_server.3 > +@man lib/eopenssl31/man/man3/tls_config_set_alpn.3 > +@man lib/eopenssl31/man/man3/tls_config_set_ca_file.3 > +@man lib/eopenssl31/man/man3/tls_config_set_ca_mem.3 > +@man lib/eopenssl31/man/man3/tls_config_set_ca_path.3 > +@man lib/eopenssl31/man/man3/tls_config_set_cert_file.3 > +@man lib/eopenssl31/man/man3/tls_config_set_cert_mem.3 > +@man lib/eopenssl31/man/man3/tls_config_set_ciphers.3 > +@man lib/eopenssl31/man/man3/tls_config_set_crl_file.3 > +@man lib/eopenssl31/man/man3/tls_config_set_crl_mem.3 > +@man lib/eopenssl31/man/man3/tls_config_set_dheparams.3 > +@man lib/eopenssl31/man/man3/tls_config_set_ecdhecurves.3 > +@man lib/eopenssl31/man/man3/tls_config_set_key_file.3 > +@man lib/eopenssl31/man/man3/tls_config_set_key_mem.3 > +@man lib/eopenssl31/man/man3/tls_config_set_keypair_file.3 > +@man lib/eopenssl31/man/man3/tls_config_set_keypair_mem.3 > +@man lib/eopenssl31/man/man3/tls_config_set_keypair_ocsp_file.3 > +@man lib/eopenssl31/man/man3/tls_config_set_keypair_ocsp_mem.3 > +@man lib/eopenssl31/man/man3/tls_config_set_ocsp_staple_file.3 > +@man lib/eopenssl31/man/man3/tls_config_set_ocsp_staple_mem.3 > +@man lib/eopenssl31/man/man3/tls_config_set_protocols.3 > +@man lib/eopenssl31/man/man3/tls_config_set_session_fd.3 > +@man lib/eopenssl31/man/man3/tls_config_set_session_id.3 > +@man lib/eopenssl31/man/man3/tls_config_set_session_lifetime.3 > +@man 
lib/eopenssl31/man/man3/tls_config_set_verify_depth.3 > +@man lib/eopenssl31/man/man3/tls_config_verify.3 > +@man lib/eopenssl31/man/man3/tls_config_verify_client.3 > +@man lib/eopenssl31/man/man3/tls_config_verify_client_optional.3 > +@man lib/eopenssl31/man/man3/tls_configure.3 > +@man lib/eopenssl31/man/man3/tls_conn_alpn_selected.3 > +@man lib/eopenssl31/man/man3/tls_conn_cipher.3 > +@man lib/eopenssl31/man/man3/tls_conn_cipher_strength.3 > +@man lib/eopenssl31/man/man3/tls_conn_servername.3 > +@man lib/eopenssl31/man/man3/tls_conn_session_resumed.3 > +@man lib/eopenssl31/man/man3/tls_conn_version.3 > +@man lib/eopenssl31/man/man3/tls_connect.3 > +@man lib/eopenssl31/man/man3/tls_connect_cbs.3 > +@man lib/eopenssl31/man/man3/tls_connect_fds.3 > +@man lib/eopenssl31/man/man3/tls_connect_servername.3 > +@man lib/eopenssl31/man/man3/tls_connect_socket.3 > +@man lib/eopenssl31/man/man3/tls_default_ca_cert_file.3 > +@man lib/eopenssl31/man/man3/tls_error.3 > +@man lib/eopenssl31/man/man3/tls_free.3 > +@man lib/eopenssl31/man/man3/tls_handshake.3 > +@man lib/eopenssl31/man/man3/tls_init.3 > +@man lib/eopenssl31/man/man3/tls_load_file.3 > +@man lib/eopenssl31/man/man3/tls_ocsp_process_response.3 > +@man lib/eopenssl31/man/man3/tls_peer_cert_chain_pem.3 > +@man lib/eopenssl31/man/man3/tls_peer_cert_contains_name.3 > +@man lib/eopenssl31/man/man3/tls_peer_cert_hash.3 > +@man lib/eopenssl31/man/man3/tls_peer_cert_issuer.3 > +@man lib/eopenssl31/man/man3/tls_peer_cert_notafter.3 > +@man lib/eopenssl31/man/man3/tls_peer_cert_notbefore.3 > +@man lib/eopenssl31/man/man3/tls_peer_cert_provided.3 > +@man lib/eopenssl31/man/man3/tls_peer_cert_subject.3 > +@man lib/eopenssl31/man/man3/tls_peer_ocsp_cert_status.3 > +@man lib/eopenssl31/man/man3/tls_peer_ocsp_crl_reason.3 > +@man lib/eopenssl31/man/man3/tls_peer_ocsp_next_update.3 > +@man lib/eopenssl31/man/man3/tls_peer_ocsp_response_status.3 > +@man lib/eopenssl31/man/man3/tls_peer_ocsp_result.3 > +@man 
lib/eopenssl31/man/man3/tls_peer_ocsp_revocation_time.3 > +@man lib/eopenssl31/man/man3/tls_peer_ocsp_this_update.3 > +@man lib/eopenssl31/man/man3/tls_peer_ocsp_url.3 > +@man lib/eopenssl31/man/man3/tls_read.3 > +@man lib/eopenssl31/man/man3/tls_reset.3 > +@man lib/eopenssl31/man/man3/tls_server.3 > +@man lib/eopenssl31/man/man3/tls_unload_file.3 > +@man lib/eopenssl31/man/man3/tls_write.3 > lib/pkgconfig/libetls.pc >