robert@ and ports@,
What do you think about making gnutls the default cryptography library
for net/zabbix? I've attached a diff that changes it, if you think it's
a good idea.
On 2/19/2020 6:06 PM, Stuart Henderson wrote:
> On 2020/02/19 16:17, William Leuschner wrote:
>> Hello porters,
>>
>> I'm trying to set up Zabbix with pre-shared keys so that:
>> * connections are encrypted, and
>> * the agent will reject connections from anyone without the key.
>>
>> The configuration that should work currently fails with a library error.
>> According to this note from 2017[1], PSK support was removed from LibreSSL,
>> and the best choice would be building against gnutls. Has anything changed
>> since then, or is gnutls still the best option? If gnutls is the best bet,
>> would a gnutls flavor be welcome?
>>
>> Thanks,
>> William Leuschner
>>
>> [1]: https://marc.info/?l=openbsd-ports&m=148465399628705&w=2
>
> It will be a pain to add a FLAVOR to this port (you will have to handle
> the combination with existing flavours and multipackages, it's possible but
> definitely non-trivial, and means ongoing work testing more combinations
> of build options for every update).
>
> I don't use this and am not the maintainer so there might be good reasons
> not to, but as far as the port is concerned it would be much simpler to
> switch completely to gnutls rather than make it optional.
Sincerely,
William Leuschner
Index: Makefile
===================================================================
RCS file: /cvs/ports/net/zabbix/Makefile,v
retrieving revision 1.162
diff -u -p -r1.162 Makefile
--- Makefile 3 Feb 2020 19:13:41 -0000 1.162
+++ Makefile 20 Feb 2020 21:04:40 -0000
@@ -36,7 +36,7 @@ FLAVORS = mysql pgsql sqlite3
SUBST_VARS += PREFIX-web ZABBIX_WEB MAJV
-WANTLIB = c iconv kvm m execinfo lber ldap crypto ssl z \
+WANTLIB = c iconv kvm m execinfo lber ldap z \
curl nghttp2 pcre
LIB_DEPENDS = converters/libiconv \
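Review bot: The shared WANTLIB loses crypto and ssl here but gains no gnutls, and no hunk adds security/gnutls to the shared LIB_DEPENDS; gnutls only shows up in the -server and -proxy variables further down. The stated goal is PSK on the agent, and --with-gnutls is set in the common CONFIGURE_ARGS, so whichever subpackage ships the agent needs the dependency recorded as well if its binaries end up linked against gnutls. Suggest putting gnutls in the shared WANTLIB and security/gnutls in the shared LIB_DEPENDS (the subpackages already inherit both through ${WANTLIB} and ${LIB_DEPENDS}), then running make port-lib-depends-check to confirm that crypto and ssl are really gone from every subpackage, since curl and ldap stay in the list and may still pull them in.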
@@ -51,12 +51,13 @@ LIB_DEPENDS-server = ${LIB_DEPENDS} \
textproc/libxml \
net/net-snmp \
textproc/iksemel \
- security/libssh2
+ security/libssh2 \
+ security/gnutls
RUN_DEPENDS-server = net/fping
# we want the _zabbix user&group as well as README-main
RUN_DEPENDS-server += net/zabbix,-main>=${VERSION}
-WANTLIB-server = ${WANTLIB} crypto ssl z netsnmp iksemel pthread \
- xml2 ssh2
+WANTLIB-server = ${WANTLIB} z netsnmp iksemel pthread \
+ xml2 ssh2 gnutls
CONFIGURE_STYLE = gnu
CONFIGURE_ARGS = --enable-server \
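Review bot: The rewritten WANTLIB-server line still carries z, which ${WANTLIB} already provides (the shared list in the first hunk ends in z). Since the line is being touched anyway, drop the duplicate so it reads: WANTLIB-server = ${WANTLIB} netsnmp iksemel pthread xml2 ssh2 gnutls.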
@@ -69,7 +70,7 @@ CONFIGURE_ARGS = --enable-server \
--with-ldap \
--with-jabber="${LOCALBASE}" \
--with-ssh2 \
- --with-openssl
+ --with-gnutls
CONFIGURE_ENV = CPPFLAGS="-I${LOCALBASE}/include" \
LDFLAGS="-L${LOCALBASE}/lib -lexecinfo" \
ac_cv_search___res_query=no
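Review bot: The switch from --with-openssl to --with-gnutls at the end of CONFIGURE_ARGS carries no comment saying why, and the reason given in the thread (PSK is not available when building against LibreSSL) is what someone updating the port later needs to see before switching it back. Suggest a one-line comment above CONFIGURE_ARGS stating that. The change also alters the TLS backend and the library dependencies of the built packages, and no hunk in this diff bumps REVISION for the affected subpackages, so that should be added before commit.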
@@ -84,8 +85,9 @@ ZABBIX_WEB = ${PREFIX-web}/zabbix
LIB_DEPENDS-proxy = ${LIB_DEPENDS} \
net/net-snmp \
security/libssh2 \
+ security/gnutls \
textproc/libxml
-WANTLIB-proxy = ${WANTLIB} netsnmp ssh2 xml2 pthread
+WANTLIB-proxy = ${WANTLIB} netsnmp ssh2 gnutls xml2 pthread
RUN_DEPENDS-proxy = # empty
FLAVOR ?= no_server