Jeremie Courreges-Anglas <j...@wxcvbn.org> writes:

> Cc'ing the port maintainer.
>
> Walter Haidinger <walter.haidin...@gmx.at> writes:
>
>> Hi!
>>
>> tl;dr: fixed upstream, quick patch for 5.9/6.0 below.
>>
>> SSL support in lighttpd of OpenBSD 5.9 (1.3.36) and
>> OpenBSD 6.0 (1.3.38) is broken.
>>
>> Note: already fixed by upstream in 1.4.40:
>> https://redmine.lighttpd.net/issues/2729
>>
>> Details and (upstream) patch:
>> https://redmine.lighttpd.net/projects/lighttpd/repository/revisions/1ca52fdce3b87f7748dd5db6f59d738ed7a9efe1/diff/src/network.c
>>
>> When running lighttpd of OpenBSD 6.0, the error message is:
>> (network.c.773) SSL: error:00000000:lib(0):func(0):reason(0)
>>
>> The following (crude) patch simply removes the check for SSLv2
>> and SSLv3 (it's vs. OpenBSD 6.0 lighttpd-1.4.38p1.tgz):
>
> IMO it would be better to use the same diff as upstream.
> (flag & SSL_CTX_set_options() != flag)

The diff below does this; tested with a self-signed cert. ok? Index: Makefile =================================================================== RCS file: /cvs/ports/www/lighttpd/Makefile,v retrieving revision 1.136 diff -u -p -r1.136 Makefile --- Makefile 18 Mar 2016 20:49:28 -0000 1.136 +++ Makefile 11 Sep 2016 21:01:26 -0000 @@ -3,7 +3,7 @@ COMMENT= secure, fast, compliant, and very flexible web-server DISTNAME= lighttpd-1.4.38 -REVISION= 1 +REVISION= 2 CATEGORIES= www net MASTER_SITES= http://download.lighttpd.net/lighttpd/releases-1.4.x/ EXTRACT_SUFX= .tar.xz Index: patches/patch-src_network_c =================================================================== RCS file: patches/patch-src_network_c diff -N patches/patch-src_network_c --- /dev/null 1 Jan 1970 00:00:00 -0000 +++ patches/patch-src_network_c 11 Sep 2016 21:01:01 -0000 
@@ -0,0 +1,25 @@ +$OpenBSD$ + + LibreSSL defines SSL_OP_NO_SSLv(2|3) as 0, amend tests. + https://redmine.lighttpd.net/projects/lighttpd/repository/revisions/1ca52fdce3b87f7748dd5db6f59d738ed7a9efe1/diff/src/network.c + +--- src/network.c.orig Fri Dec 4 22:13:47 2015 ++++ src/network.c Sun Sep 11 23:00:58 2016 +@@ -769,7 +769,7 @@ int network_init(server *srv) { + + if (!s->ssl_use_sslv2) { + /* disable SSLv2 */ +- if (!(SSL_OP_NO_SSLv2 & SSL_CTX_set_options(s->ssl_ctx, SSL_OP_NO_SSLv2))) { ++ if ((SSL_OP_NO_SSLv2 & SSL_CTX_set_options(s->ssl_ctx, SSL_OP_NO_SSLv2)) != SSL_OP_NO_SSLv2) { + log_error_write(srv, __FILE__, __LINE__, "ss", "SSL:", + ERR_error_string(ERR_get_error(), NULL)); + return -1; +@@ -778,7 +778,7 @@ int network_init(server *srv) { + + if (!s->ssl_use_sslv3) { + /* disable SSLv3 */ +- if (!(SSL_OP_NO_SSLv3 & SSL_CTX_set_options(s->ssl_ctx, SSL_OP_NO_SSLv3))) { ++ if ((SSL_OP_NO_SSLv3 & SSL_CTX_set_options(s->ssl_ctx, SSL_OP_NO_SSLv3)) != SSL_OP_NO_SSLv3) { + log_error_write(srv, __FILE__, __LINE__, "ss", "SSL:", + ERR_error_string(ERR_get_error(), NULL)); + return -1; -- jca | PGP : 0x1524E7EE / 5135 92C1 AD36 5293 2BDF DDCC 0DFA 74AE 1524 E7EE
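
Review bot: in the SSLv2 hunk (src/network.c, @@ -769), the rewritten test can never fail on a library where SSL_OP_NO_SSLv2 is 0, as the patch header says is the case for LibreSSL: `(0 & ...) != 0` is always false, so the error branch is dead there and nothing at this point confirms the protocol is actually unavailable. That is the intended outcome, but the existing `/* disable SSLv2 */` comment no longer tells the reader why; a short addition noting that a zero flag means the library has dropped the protocol would help, and the same applies to the SSLv3 test in the following hunk.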
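
Review bot: in the SSLv3 hunk (src/network.c, @@ -778), the failure path kept as context still logs `ERR_error_string(ERR_get_error(), NULL)`, but SSL_CTX_set_options() only returns the resulting option mask and queues no error, which is why the report shows the uninformative `error:00000000:lib(0):func(0):reason(0)`. If this branch is ever taken again, a fixed message naming the option that could not be set would be more useful to an administrator; since the goal is to carry the same diff as upstream, this is probably better raised there than changed in the port. The same applies to the SSLv2 hunk.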
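
The difference between the pre-patch test and the upstream form discussed in this message, as an added example that is not part of the original mail or of lighttpd. No TLS library is used: `set_options()` is a constructed stand-in for SSL_CTX_set_options(), and the flag values are constructed, not the real constants.

```c
#include <stdio.h>

/* Constructed stand-in for SSL_CTX_set_options(): ORs the requested
 * bits into the context's option mask and returns the new mask. */
static unsigned long set_options(unsigned long *ctx_opts, unsigned long op) {
    *ctx_opts |= op;
    return *ctx_opts;
}

/* Pre-patch test: report an error when none of the requested bits
 * appear in the returned mask. A flag defined as 0 always "fails". */
static int old_check_fails(unsigned long flag, unsigned long returned) {
    return !(flag & returned);
}

/* Upstream test: report an error when any requested bit is missing.
 * A flag defined as 0 requests nothing, so it cannot fail. */
static int new_check_fails(unsigned long flag, unsigned long returned) {
    return (flag & returned) != flag;
}

int main(void) {
    /* Constructed flag values for illustration only. */
    const unsigned long flag_removed = 0x0UL;        /* option compiled out */
    const unsigned long flag_present = 0x01000000UL; /* ordinary one-bit option */
    const unsigned long flag_multi   = 0x3UL;        /* hypothetical two-bit option */
    unsigned long ctx = 0, ret;

    ret = set_options(&ctx, flag_removed);
    printf("flag=0        old_fails=%d new_fails=%d\n",
           old_check_fails(flag_removed, ret), new_check_fails(flag_removed, ret));

    ret = set_options(&ctx, flag_present);
    printf("flag set      old_fails=%d new_fails=%d\n",
           old_check_fails(flag_present, ret), new_check_fails(flag_present, ret));

    /* Only one of two requested bits came back: the old test accepts
     * this partial result, the upstream test rejects it. */
    ret = 0x1UL;
    printf("partial mask  old_fails=%d new_fails=%d\n",
           old_check_fails(flag_multi, ret), new_check_fails(flag_multi, ret));
    return 0;
}
```

The third case goes beyond the message: it shows that the upstream form is also the stricter test when a mask has more than one bit.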