I imported this port when I actively used it, but circumstances have changed and I have no longer any use for this TLS proxy, so I won't put any more effort into sending fixes upstream as well as maintaining our port.
1.6.0 was recently released, contains a few of my fixes merged upstream, but also brings new fixes and even features that seem to cause trouble on OpenBSD, namely support for client certificate validation.

Below is a diff for starters to update hitch to 1.6.0 which already takes care of the fact that upstream now ships manuals in their dist tarballs such that we don't have to build them with rst2man (which upstream now again just looks for as "rst2man"; I used to fix this such that "rst2man-3" was preferred and picked up...).

"make build" fails for 1.6.0 with

	cc -g -O2 -fno-strict-aliasing -O2 -pipe -L/usr/local/lib -o hitch hitch-configuration.o hitch-hitch.o hitch-hssl_locks.o hitch-logging.o hitch-ocsp.o hitch-ringbuffer.o -lssl -lcrypto -lcrypto -lev libcfg.a libforeign.a
	ld: error: undefined symbol: SSL_CTX_set1_verify_cert_store
	>>> referenced by hitch.c:949 (/usr/ports/pobj/hitch-1.6.0/hitch-1.6.0/src/hitch.c:949)
	>>>               hitch-hitch.o:(make_ctx_fr)
	cc: error: linker command failed with exit code 1 (use -v to see invocation)

There might be more in the new release, both build and runtime, but as mentioned above, I'll leave it here. Given that it's a TLS proxy and its history of bugs/fixes, I very much prefer to provide a well maintained port or none at all to either sticking to 1.5.2 or rolling best-effort future updates.

So unless someone steps up to maintain this: is anyone actually using it/would anyone object to removing the port in case it stays unmaintained?

Index: Makefile =================================================================== RCS file: /cvs/ports/security/hitch/Makefile,v retrieving revision 1.8 diff -u -p -r1.8 Makefile --- Makefile 26 Jun 2020 17:41:14 -0000 1.8 +++ Makefile 26 Jun 2020 17:54:28 -0000 @@ -2,9 +2,8 @@ COMMENT = libev-based high performance TLS proxy -V = 1.5.2 +V = 1.6.0 DISTNAME = hitch-${V} -REVISION = 0 CATEGORIES = security 
@@ -17,25 +16,19 @@ MASTER_SITES = https://hitch-tls.org/so WANTLIB = c crypto ev ssl -MODULES = lang/python -MODPY_VERSION = ${MODPY_DEFAULT_VERSION_3} -MODPY_RUNDEP = No - -BUILD_DEPENDS = textproc/py-docutils${MODPY_FLAVOR} LIB_DEPENDS = devel/libev>=4 TEST_DEPENDS = ${PKGPATH}=${V} \ net/curl SEPARATE_BUILD = Yes CONFIGURE_STYLE = gnu -CONFIGURE_ARGS = --with-rst2man=rst2man${MODPY_BIN_SUFFIX} CONFIGURE_ENV = CPPFLAGS='${CPPFLAGS} -I${LOCALBASE}/include' \ LDFLAGS='${LDFLAGS} -L${LOCALBASE}/lib' TEST_IS_INTERACTIVE = connects to hitch-tls.org:80 and 127.0.0.1:443 post-patch: - ${SUBST_CMD} ${WRKSRC}/{hitch.conf.man.rst,src/configuration.c} + ${SUBST_CMD} ${WRKSRC}/{hitch.conf.5,src/configuration.c} post-configure: ln -sf ${WRKSRC}/src/cfg_{lex,parser}.[ch] ${WRKBUILD}/src/ Index: distinfo =================================================================== RCS file: /cvs/ports/security/hitch/distinfo,v retrieving revision 1.3 diff -u -p -r1.3 distinfo --- distinfo 28 Nov 2019 20:00:44 -0000 1.3 +++ distinfo 26 Jun 2020 17:54:28 -0000 @@ -1,2 +1,2 @@ -SHA256 (hitch-1.5.2.tar.gz) = saT9ZFhM1P+Ba4UT7lUi2zSkQxdHBXQhtuhw9yLG39o= -SIZE (hitch-1.5.2.tar.gz) = 309626 +SHA256 (hitch-1.6.0.tar.gz) = TkfrSrt904CchCg1iK30Hd8Me8BlywDQkoJ0iJwHxwY= +SIZE (hitch-1.6.0.tar.gz) = 321384 Index: patches/patch-hitch_conf_5 =================================================================== RCS file: patches/patch-hitch_conf_5 diff -N patches/patch-hitch_conf_5 --- /dev/null 1 Jan 1970 00:00:00 -0000 +++ patches/patch-hitch_conf_5 26 Jun 2020 17:54:28 -0000 
@@ -0,0 +1,27 @@ +$OpenBSD$ + +Set correct ocsp_dir and default user. + +Index: hitch.conf.5 +--- hitch.conf.5.orig ++++ hitch.conf.5 +@@ -214,7 +214,7 @@ Default is 0. + .SS ocsp\-dir = <string> + .sp + Directory where Hitch will store and read OCSP responses for +-stapling. Default is "/var/lib/hitch/". ++stapling. Default is "${LOCALSTATEDIR}/hitch/". + .sp + Directory must be readable and writable for the configured Hitch user, or + automatic retrieval and updating of OCSP responses will not take place. +@@ -499,8 +499,8 @@ daemon = on + + # We strongly recommend you create a separate non\-privileged hitch + # user and group +-user = "hitch" +-group = "hitch" ++user = "_hitch" ++group = "_hitch" + + # Enable to let clients negotiate HTTP/2 with ALPN. (default off) + # alpn\-protos = "h2, http/1.1" Index: patches/patch-hitch_conf_man_rst =================================================================== RCS file: patches/patch-hitch_conf_man_rst diff -N patches/patch-hitch_conf_man_rst --- patches/patch-hitch_conf_man_rst 22 Apr 2020 11:18:32 -0000 1.4 +++ /dev/null 1 Jan 1970 00:00:00 -0000 
@@ -1,27 +0,0 @@ -$OpenBSD: patch-hitch_conf_man_rst,v 1.4 2020/04/22 11:18:32 kn Exp $ - -Set ocsp_dir and default user. - -Index: hitch.conf.man.rst ---- hitch.conf.man.rst.orig -+++ hitch.conf.man.rst -@@ -148,7 +148,7 @@ ocsp-dir = <string> - ------------------- - - Directory where Hitch will store and read OCSP responses for --stapling. Default is "/var/lib/hitch/". -+stapling. Default is "${LOCALSTATEDIR}/hitch/". - - Directory must be readable and writable for the configured Hitch user, or - automatic retrieval and updating of OCSP responses will not take place. -@@ -416,8 +416,8 @@ The following file shows the syntax needed to get star - - # We strongly recommend you create a separate non-privileged hitch - # user and group -- user = "hitch" -- group = "hitch" -+ user = "_hitch" -+ group = "_hitch" - - # Enable to let clients negotiate HTTP/2 with ALPN. (default off) - # alpn-protos = "h2, http/1.1" Index: patches/patch-src_configuration_c =================================================================== RCS file: /cvs/ports/security/hitch/patches/patch-src_configuration_c,v retrieving revision 1.4 diff -u -p -r1.4 patch-src_configuration_c --- patches/patch-src_configuration_c 22 Apr 2020 11:18:32 -0000 1.4 +++ patches/patch-src_configuration_c 26 Jun 2020 17:54:28 -0000 @@ -5,7 +5,7 @@ Set ocsp_dir. Index: src/configuration.c --- src/configuration.c.orig +++ src/configuration.c -@@ -209,7 +209,7 @@ config_new(void) +@@ -211,7 +211,7 @@ config_new(void) r->CERT_FILES = NULL; r->LISTEN_ARGS = NULL; r->PEM_DIR = NULL;
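
Review bot: With `V = 1.6.0` in the first Makefile hunk the port does not link, and nothing in this diff addresses it: the build log in the message ends in `undefined symbol: SSL_CTX_set1_verify_cert_store`, referenced from `make_ctx_fr` at src/hitch.c:949, yet the only source patch touched is patch-src_configuration_c. The update needs a patch for src/hitch.c before it can be committed. If that patch compiles the call out rather than replacing it, hitch should refuse to start with a configuration that asks for client certificate validation, so the option cannot be set and silently go unenforced.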
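
Review bot: Removing `BUILD_DEPENDS = textproc/py-docutils${MODPY_FLAVOR}` and `CONFIGURE_ARGS = --with-rst2man=...` in the second Makefile hunk leaves configure free to pick up any `rst2man` that happens to be in PATH, which the message says upstream now searches for under exactly that name. Please confirm on a build host with docutils installed that hitch.conf.5 is not regenerated from hitch.conf.man.rst after post-patch has run `${SUBST_CMD}` on it. If it is, the packaged manual depends on what is installed at build time and loses the `_hitch` user/group and `${LOCALSTATEDIR}/hitch/` changes that patches/patch-hitch_conf_5 makes, since the .rst source is no longer patched.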