Full_Name: Connor Taffe Version: master OS: Ubuntu devel URL: ftp://ftp.openldap.org/incoming/ Submission from: (NULL) (50.25.160.41) Compiling against LibreSSL v2.4.1 failed linking with SSL_CTX_up_ref and X509_NAME_get0_der undefined. I added checking if LIBRESSL_VERSION_NUMBER to the same conditional compilation ifs that are defined for old versions of OpenSSL. https://github.com/cptaffe/openldap
cpaynetaffe@gmail.com wrote: > Full_Name: Connor Taffe > Version: master > OS: Ubuntu devel > URL: ftp://ftp.openldap.org/incoming/ > Submission from: (NULL) (50.25.160.41) > > > Compiling against LibreSSL v2.4.1 failed linking with SSL_CTX_up_ref and > X509_NAME_get0_der undefined. I added checking if LIBRESSL_VERSION_NUMBER to the > same conditional compilation ifs that are defined for old versions of OpenSSL. > > https://github.com/cptaffe/openldap Please read the Developer Guidelines. I'm not going to pull an arbitrary repo to find someone's patch. http://www.openldap.org/devel/contributing.html -- -- Howard Chu CTO, Symas Corp. http://www.symas.com Director, Highland Sun http://highlandsun.com/hyc/ Chief Architect, OpenLDAP http://www.openldap.org/project/
Fixed, attached is a patch. On Sun, Jun 19, 2016 at 8:02 PM Howard Chu <hyc@symas.com> wrote: > cpaynetaffe@gmail.com wrote: > > Full_Name: Connor Taffe > > Version: master > > OS: Ubuntu devel > > URL: ftp://ftp.openldap.org/incoming/ > > Submission from: (NULL) (50.25.160.41) > > > > > > Compiling against LibreSSL v2.4.1 failed linking with SSL_CTX_up_ref and > > X509_NAME_get0_der undefined. I added checking if > LIBRESSL_VERSION_NUMBER to the > > same conditional compilation ifs that are defined for old versions of > OpenSSL. > > > > https://github.com/cptaffe/openldap > > Please read the Developer Guidelines. I'm not going to pull an arbitrary > repo > to find someone's patch. > > http://www.openldap.org/devel/contributing.html > > -- > -- Howard Chu > CTO, Symas Corp. http://www.symas.com > Director, Highland Sun http://highlandsun.com/hyc/ > Chief Architect, OpenLDAP http://www.openldap.org/project/ >
Connor Taffe wrote: > Fixed, attached is a patch. I'm a bit concerned that you're only checking for the existence of LIBRESSL instead of actually comparing the version number. Since the OpenSSL change is based on their v1.1 API, do you know if/when LibreSSL plans to adopt the new API? > On Sun, Jun 19, 2016 at 8:02 PM Howard Chu <hyc@symas.com > <mailto:hyc@symas.com>> wrote: > > cpaynetaffe@gmail.com <mailto:cpaynetaffe@gmail.com> wrote: > > Full_Name: Connor Taffe > > Version: master > > OS: Ubuntu devel > > URL: ftp://ftp.openldap.org/incoming/ > > Submission from: (NULL) (50.25.160.41) > > > > > > Compiling against LibreSSL v2.4.1 failed linking with SSL_CTX_up_ref and > > X509_NAME_get0_der undefined. I added checking if > LIBRESSL_VERSION_NUMBER to the > > same conditional compilation ifs that are defined for old versions of > OpenSSL. > > > > https://github.com/cptaffe/openldap > > Please read the Developer Guidelines. I'm not going to pull an arbitrary repo > to find someone's patch. > > http://www.openldap.org/devel/contributing.html > > -- > -- Howard Chu > CTO, Symas Corp. http://www.symas.com > Director, Highland Sun http://highlandsun.com/hyc/ > Chief Architect, OpenLDAP http://www.openldap.org/project/ > -- -- Howard Chu CTO, Symas Corp. http://www.symas.com Director, Highland Sun http://highlandsun.com/hyc/ Chief Architect, OpenLDAP http://www.openldap.org/project/
Good point, I was assuming that LibreSSL was focused on only maintaining compatibility with v1.0.1 though, as they've created their own libtls for future programs. Git grep didn't show anything in the v2.4.1 portable repo. The v1.1 API is still in pre-release it looks like, and the relevant functions have only been in OpenSSL since January and March respectively according to git. In fact LibreSSL has had only a handful of commits this year in portable, mostly focused on building with cmake and some fixes, but no API additions. Neither function is available in the -current OpenBSD cvs tree either. I've emailed libressl@openbsd.org to inquire further. On Mon, Jun 20, 2016 at 1:38 AM Howard Chu <hyc@symas.com> wrote: > Connor Taffe wrote: > > Fixed, attached is a patch. > > I'm a bit concerned that you're only checking for the existence of LIBRESSL > instead of actually comparing the version number. Since the OpenSSL change > is > based on their v1.1 API, do you know if/when LibreSSL plans to adopt the > new API? > > > On Sun, Jun 19, 2016 at 8:02 PM Howard Chu <hyc@symas.com > > <mailto:hyc@symas.com>> wrote: > > > > cpaynetaffe@gmail.com <mailto:cpaynetaffe@gmail.com> wrote: > > > Full_Name: Connor Taffe > > > Version: master > > > OS: Ubuntu devel > > > URL: ftp://ftp.openldap.org/incoming/ > > > Submission from: (NULL) (50.25.160.41) > > > > > > > > > Compiling against LibreSSL v2.4.1 failed linking with > SSL_CTX_up_ref and > > > X509_NAME_get0_der undefined. I added checking if > > LIBRESSL_VERSION_NUMBER to the > > > same conditional compilation ifs that are defined for old > versions of > > OpenSSL. > > > > > > https://github.com/cptaffe/openldap > > > > Please read the Developer Guidelines. I'm not going to pull an > arbitrary repo > > to find someone's patch. > > > > http://www.openldap.org/devel/contributing.html > > > > -- > > -- Howard Chu > > CTO, Symas Corp. http://www.symas.com > > Director, Highland Sun http://highlandsun.com/hyc/ > > Chief Architect, OpenLDAP http://www.openldap.org/project/ > > > > > -- > -- Howard Chu > CTO, Symas Corp. http://www.symas.com > Director, Highland Sun http://highlandsun.com/hyc/ > Chief Architect, OpenLDAP http://www.openldap.org/project/ >
Connor Taffe wrote: > Good point, > > I was assuming that LibreSSL was focused on only maintaining compatibility > with v1.0.1 though, as they've created their own libtls for future programs. > > Git grep didn't show anything in the v2.4.1 portable repo. > The v1.1 API is still in pre-release it looks like, and the relevant functions > have > only been in OpenSSL since January and March respectively according to git. > In fact LibreSSL has had only a handful of commits this year in portable, > mostly focused on building with cmake and some fixes, but no API additions. > > Neither function is available in the -current OpenBSD cvs tree either. > > I've emailed libressl@openbsd.org <mailto:libressl@openbsd.org> to inquire > further. Thanks. In the meantime I think the sane thing to do is just invert the current #if. Swap the code so it's #if OPENSSL_VERSION_NUMBER >= 0x01010000 new stuff #else old stuff #endif then we can ignore this until LibreSSL catches up. > > On Mon, Jun 20, 2016 at 1:38 AM Howard Chu <hyc@symas.com > <mailto:hyc@symas.com>> wrote: > > Connor Taffe wrote: > > Fixed, attached is a patch. > > I'm a bit concerned that you're only checking for the existence of LIBRESSL > instead of actually comparing the version number. Since the OpenSSL change is > based on their v1.1 API, do you know if/when LibreSSL plans to adopt the > new API? > > > On Sun, Jun 19, 2016 at 8:02 PM Howard Chu <hyc@symas.com > <mailto:hyc@symas.com> > > <mailto:hyc@symas.com <mailto:hyc@symas.com>>> wrote: > > > > cpaynetaffe@gmail.com <mailto:cpaynetaffe@gmail.com> > <mailto:cpaynetaffe@gmail.com <mailto:cpaynetaffe@gmail.com>> wrote: > > > Full_Name: Connor Taffe > > > Version: master > > > OS: Ubuntu devel > > > URL: ftp://ftp.openldap.org/incoming/ > > > Submission from: (NULL) (50.25.160.41) > > > > > > > > > Compiling against LibreSSL v2.4.1 failed linking with > SSL_CTX_up_ref and > > > X509_NAME_get0_der undefined. I added checking if > > LIBRESSL_VERSION_NUMBER to the > > > same conditional compilation ifs that are defined for old > versions of > > OpenSSL. > > > > > > https://github.com/cptaffe/openldap > > > > Please read the Developer Guidelines. I'm not going to pull an > arbitrary repo > > to find someone's patch. > > > > http://www.openldap.org/devel/contributing.html > > > > -- > > -- Howard Chu > > CTO, Symas Corp. http://www.symas.com > > Director, Highland Sun http://highlandsun.com/hyc/ > > Chief Architect, OpenLDAP http://www.openldap.org/project/ > > > > > -- > -- Howard Chu > CTO, Symas Corp. http://www.symas.com > Director, Highland Sun http://highlandsun.com/hyc/ > Chief Architect, OpenLDAP http://www.openldap.org/project/ > -- -- Howard Chu CTO, Symas Corp. http://www.symas.com Director, Highland Sun http://highlandsun.com/hyc/ Chief Architect, OpenLDAP http://www.openldap.org/project/
Unfortunately LibreSSL defines OPENSSL_VERSION_NUBMER as 0x02000000. On Mon, Jun 20, 2016 at 11:40 AM Howard Chu <hyc@symas.com> wrote: > Connor Taffe wrote: > > Good point, > > > > I was assuming that LibreSSL was focused on only maintaining > compatibility > > with v1.0.1 though, as they've created their own libtls for future > programs. > > > > Git grep didn't show anything in the v2.4.1 portable repo. > > The v1.1 API is still in pre-release it looks like, and the relevant > functions > > have > > only been in OpenSSL since January and March respectively according to > git. > > In fact LibreSSL has had only a handful of commits this year in portable, > > mostly focused on building with cmake and some fixes, but no API > additions. > > > > Neither function is available in the -current OpenBSD cvs tree either. > > > > I've emailed libressl@openbsd.org <mailto:libressl@openbsd.org> to > inquire > > further. > > Thanks. In the meantime I think the sane thing to do is just invert the > current #if. Swap the code so it's > > #if OPENSSL_VERSION_NUMBER >= 0x01010000 > new stuff > #else > old stuff > #endif > > then we can ignore this until LibreSSL catches up. > > > > On Mon, Jun 20, 2016 at 1:38 AM Howard Chu <hyc@symas.com > > <mailto:hyc@symas.com>> wrote: > > > > Connor Taffe wrote: > > > Fixed, attached is a patch. > > > > I'm a bit concerned that you're only checking for the existence of > LIBRESSL > > instead of actually comparing the version number. Since the OpenSSL > change is > > based on their v1.1 API, do you know if/when LibreSSL plans to adopt > the > > new API? > > > > > On Sun, Jun 19, 2016 at 8:02 PM Howard Chu <hyc@symas.com > > <mailto:hyc@symas.com> > > > <mailto:hyc@symas.com <mailto:hyc@symas.com>>> wrote: > > > > > > cpaynetaffe@gmail.com <mailto:cpaynetaffe@gmail.com> > > <mailto:cpaynetaffe@gmail.com <mailto:cpaynetaffe@gmail.com>> wrote: > > > > Full_Name: Connor Taffe > > > > Version: master > > > > OS: Ubuntu devel > > > > URL: ftp://ftp.openldap.org/incoming/ > > > > Submission from: (NULL) (50.25.160.41) > > > > > > > > > > > > Compiling against LibreSSL v2.4.1 failed linking with > > SSL_CTX_up_ref and > > > > X509_NAME_get0_der undefined. I added checking if > > > LIBRESSL_VERSION_NUMBER to the > > > > same conditional compilation ifs that are defined for old > > versions of > > > OpenSSL. > > > > > > > > https://github.com/cptaffe/openldap > > > > > > Please read the Developer Guidelines. I'm not going to pull an > > arbitrary repo > > > to find someone's patch. > > > > > > http://www.openldap.org/devel/contributing.html > > > > > > -- > > > -- Howard Chu > > > CTO, Symas Corp. http://www.symas.com > > > Director, Highland Sun http://highlandsun.com/hyc/ > > > Chief Architect, OpenLDAP > http://www.openldap.org/project/ > > > > > > > > > -- > > -- Howard Chu > > CTO, Symas Corp. http://www.symas.com > > Director, Highland Sun http://highlandsun.com/hyc/ > > Chief Architect, OpenLDAP http://www.openldap.org/project/ > > > > > -- > -- Howard Chu > CTO, Symas Corp. http://www.symas.com > Director, Highland Sun http://highlandsun.com/hyc/ > Chief Architect, OpenLDAP http://www.openldap.org/project/ >
This is LibreSSL's response. ---------- Forwarded message --------- From: Bob Beck <beck@obtuse.com> Date: Tue, Jun 21, 2016 at 11:45 AM Subject: Re: OpenSSL v1.1 API To: Connor Taffe <cpaynetaffe@gmail.com> Cc: <libressl@openbsd.org> I would say we would plan on it "when we need it" - We will support TLS 1.3 as it stabilizes, but at this stage I couldn't say when/if particular OpenSSL'isms might be supported. BoringSSL hasn't pulled in X509_NAME_get0_der either yet - so I think we will be taking what I would describe as a cautious and selective approach to new features from OpenSSL - During the same time as we've moved from about 750,000 of code at the fork to about 350,000 - OpenSSL is now over 1,000,000 lines - So we're probably not going to be about wholesale code importing from OpenSSL - We will be taking things selectively and with a degree of caution. Of note - we *do* support a newer API - libtls - which may be more than fine for most of OpenLDAP's needs: See http://man.openbsd.org/OpenBSD-current/man3/tls_init.3 and/or http://www.openbsd.org/papers/libtls-fsec-2015/ On Mon, Jun 20, 2016 at 09:21:43AM +0000, Connor Taffe wrote: > Hey, > > Does LibreSSL plan to implement the OpenSSL v1.1 API? > > I've submitted a patch to OpenLDAP to allow compilation with LibreSSL > v2.4.1. The patch currently checks if LIBRESSL_VERSION_NUMBER is defined > and if so uses the fallback code for versions of OpenSSL < 1.1. > > The maintainers would like to cap the version on the LibreSSL check if > implementation of the OpenSSL v1.1 API is planned. > > Specifically (to this case) OpenSSL added the SSL_CTX_up_ref function in > commit c5ebfcab713a82a1d46a51c8c2668c419425b387 in March of this year, and > added X509_NAME_get0_der in commit 7ab507495b86371756575d606af556b4fd74e27a > in January of this year. > > ---------- Forwarded message --------- > From: Howard Chu <hyc@symas.com> > Date: Mon, Jun 20, 2016 at 1:38 AM > Subject: Re: (ITS#8445) LibreSSL v2.4 compile > To: Connor Taffe <cpaynetaffe@gmail.com>, <openldap-its@openldap.org> > > > Connor Taffe wrote: > > Fixed, attached is a patch. > > I'm a bit concerned that you're only checking for the existence of LIBRESSL > instead of actually comparing the version number. Since the OpenSSL change > is > based on their v1.1 API, do you know if/when LibreSSL plans to adopt the > new API? > > > On Sun, Jun 19, 2016 at 8:02 PM Howard Chu <hyc@symas.com > > <mailto:hyc@symas.com>> wrote: > > > > cpaynetaffe@gmail.com <mailto:cpaynetaffe@gmail.com> wrote: > > > Full_Name: Connor Taffe > > > Version: master > > > OS: Ubuntu devel > > > URL: ftp://ftp.openldap.org/incoming/ > > > Submission from: (NULL) (50.25.160.41) > > > > > > > > > Compiling against LibreSSL v2.4.1 failed linking with > SSL_CTX_up_ref and > > > X509_NAME_get0_der undefined. I added checking if > > LIBRESSL_VERSION_NUMBER to the > > > same conditional compilation ifs that are defined for old versions > of > > OpenSSL. > > > > > > https://github.com/cptaffe/openldap > > > > Please read the Developer Guidelines. I'm not going to pull an > arbitrary repo > > to find someone's patch. > > > > http://www.openldap.org/devel/contributing.html > > > > -- > > -- Howard Chu > > CTO, Symas Corp. http://www.symas.com > > Director, Highland Sun http://highlandsun.com/hyc/ > > Chief Architect, OpenLDAP http://www.openldap.org/project/ > > > > > -- > -- Howard Chu > CTO, Symas Corp. http://www.symas.com > Director, Highland Sun http://highlandsun.com/hyc/ > Chief Architect, OpenLDAP http://www.openldap.org/project/
moved from Incoming to Software Enhancements
See also ITS#7978, ITS#8666
changed notes
*** This issue has been marked as a duplicate of issue 7978 ***