Re: First release of LibreSSL portable is available.
Hey Ted,

>> I should have been more clear in my previous email, but would it be possible to also revert OPENSSL_VERSION_NUMBER back to 0x1000107fL (or 0x1000108fL)? This way LibreSSL would work as a drop-in replacement without applications needing to add explicit support for LibreSSL.
>
> Ideas are still bouncing around, but basically OpenSSL fucked up from the start.

Have you guys decided on anything or are you still bouncing ideas?

I see that 2.0.1 still ships with:

    #define LIBRESSL_VERSION_NUMBER 0x2000L
    #define OPENSSL_VERSION_NUMBER 0x2000L

Or to rephrase my question, is this going to stay like that and should 3rd party applications start adding !defined LIBRESSL_VERSION_NUMBER in order to compile with LibreSSL?

> Instead of defining (e.g.) OPENSSL_HAS_ECDH, new versions which are compiled without it define OPENSSL_NO_ECDH and then your application code checks ifndef OPENSSL_NO_ECDH. But that test also passes on older versions that lack the feature entirely, and then the guarded code won't compile.

That's true, they've dropped the ball on that.

> Testing for ifdef OPENSSL_FEATURE would work with both old libraries that don't know about the feature and new libraries that don't support it. As expected, OPENSSL does the opposite and makes life harder for everyone.

To be fair, most of the popular functions from OpenSSL (SSL_CTX_{set,get}, etc) can be tested like that, thanks to the way control functions are implemented (but not everyone is using this in order to determine availability of the features). What they broke is that the defines aren't guarded with #ifndef OPENSSL_NO_ECDH, etc. in the headers, so sometimes you need more #ifdefs in order to make it work with a library built with no-xxx.

However, some functions aren't really features, for example X509_check_host() from OpenSSL-1.0.2, and OPENSSL_VERSION_NUMBER check is the only reliable way to test for it... That is, unless you're compiling against LibreSSL :(

Best regards,
Piotr Sikora
Re: First release of LibreSSL portable is available.
On Fri, Jul 11, 2014 at 11:07:10PM +, Miod Vallat wrote:
>> it. As expected, OPENSSL does the opposite and makes life harder for everyone.
>
> Hasn't this been the OpenSSL roadmap since the very beginning?

Jury is still out as to whether they did it on purpose, or whether it was just a side-effect of the lack of funding, or whether they did it on purpose to later complain about the lack of funding.
Re: First release of LibreSSL portable is available.
On Fri, Jul 11, 2014 at 9:52 PM, tekk t...@parlementum.net wrote:
> Thanks Bob and all the other LibreSSL hackers.

Thanks - While I seem to have been quasi defaulted into the public face for this thing (probably due to size and volume) I hope you can emphasize the all the other hackers.

Yes, I've done a lot of work on it, but frankly a lot of openbsd committers have worked on it, and continue to do so. miod@, tedu@, jsing@ and a host of others have done a ton of stuff, and our new developer bcook@ (Brent Cook, AKA busterb) is really behind making portable possible at this stage.

Point is this is a team effort.

-Bob
Re: First release of LibreSSL portable is available.
CCLD openssl ../crypto/.libs/libcrypto.so: undefined reference to `clock_gettime' collect2: ld returned 1 exit status make[1]: *** [openssl] Error 1 Setting LDFLAGS to -lrt fixes the issue. Rather than LDFLAGS, it should be in LDADD/LIBADD. --8-- Subject: build: resolve link-time failure libtool: link: gcc -O2 -fmessage-length=0 -O2 -Wall -D_FORTIFY_SOURCE=2 -fstack-protector -funwind-tables -fasynchronous-unwind-tables -g -fmessage-length=0 -O2 -Wall -D_FORTIFY_SOURCE=2 -fstack-protector -funwind-tables -fasynchronous-unwind-tables -g -Wall -Werror -std=c99 -g -Wno-pointer-sign -D_BSD_SOURCE -D_POSIX_SOURCE -D_GNU_SOURCE -o .libs/openssl [ *.o ... ] ../crypto/.libs/libcrypto.so ../ssl/.libs/libssl.so -Wl,-rpath -Wl,/usr/lib64 ../crypto/.libs/libcrypto.so: undefined reference to `clock_gettime' collect2: error: ld returned 1 exit status --- crypto/Makefile.am |3 +++ 1 file changed, 3 insertions(+) Index: libressl-2.0.0/crypto/Makefile.am === --- libressl-2.0.0.orig/crypto/Makefile.am +++ libressl-2.0.0/crypto/Makefile.am @@ -19,6 +19,7 @@ libcompatnoopt_la_SOURCES = compat/expli # other compatibility functions libcompat_la_CFLAGS = $(CFLAGS) $(USER_CFLAGS) libcompat_la_SOURCES = +libcompat_la_LIBADD = if NO_STRLCAT libcompat_la_SOURCES += compat/strlcat.c @@ -46,12 +47,14 @@ libcompat_la_SOURCES += compat/arc4rando if NO_GETENTROPY if TARGET_LINUX libcompat_la_SOURCES += compat/getentropy_linux.c +libcompat_la_LIBADD += -lrt endif if TARGET_DARWIN libcompat_la_SOURCES += compat/getentropy_osx.c endif if TARGET_SOLARIS libcompat_la_SOURCES += compat/getentropy_solaris.c +libcompat_la_LIBADD += -lrt endif endif
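Review bot: in the second hunk, libcompat_la_LIBADD += -lrt is hard-coded under TARGET_LINUX and TARGET_SOLARIS, so every NO_GETENTROPY build on those targets gains a librt dependency whether or not its libc already provides clock_gettime. Consider detecting this at configure time instead, for example with AC_SEARCH_LIBS([clock_gettime], [rt]), and adding the result to LIBADD. The commit message carries only the linker output; a sentence naming which compat source calls clock_gettime would explain why the flag sits inside the NO_GETENTROPY block and not in the TARGET_DARWIN branch.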
First release of LibreSSL portable is available.
The first release of LibreSSL portable has been released. LibreSSL can be found in the LibreSSL directory of your favorite OpenBSD mirror.

http://ftp.openbsd.org/pub/OpenBSD/LibreSSL has it, and other mirrors will soon.

libressl-2.0.0.tar.gz has been tested to build on various versions of Linux, Solaris, Mac OSX, and FreeBSD.

This is intended as an initial release to allow the community to start using and providing feedback. We will be adding support for other platforms as time and resources permit.

As always, donations (http://www.openbsdfoundation.org/donations.html) are appreciated to assist in our efforts.

Enjoy,
-Bob
Re: First release of LibreSSL portable is available.
On Fri, Jul 11, 2014 at 12:21:12 -0600, Bob Beck wrote:
> The first release of LibreSSL portable has been released. LibreSSL can be found in the LibreSSL directory of your favorite OpenBSD mirror.
>
> http://ftp.openbsd.org/pub/OpenBSD/LibreSSL has it, and other mirrors will soon.
>
> libressl-2.0.0.tar.gz has been tested to build on various versions of Linux, Solaris, Mac OSX, and FreeBSD.

Hello Bob,

It's great to see this release from a community of developers that are dedicated to doing things right!

After seeing your announcement, I immediately tried to build it on my workstation (RHEL 6.5), but it unfortunately fails:

    CCLD openssl
    ../crypto/.libs/libcrypto.so: undefined reference to `clock_gettime'
    collect2: ld returned 1 exit status
    make[1]: *** [openssl] Error 1

Setting LDFLAGS to -lrt fixes the issue.

--
Iain Morgan
Re: First release of LibreSSL portable is available.
Hello,

> libressl-2.0.0.tar.gz has been tested to build on various versions of Linux, Solaris, Mac OSX, and FreeBSD.
>
> This is intended as an initial release to allow the community to start using and providing feedback. We will be adding support for other platforms as time and resources permit.

Congratulations on the first release!

However, I have an issue with the versioning. You defined OPENSSL_VERSION_NUMBER as 0x2000L (2.0.0) without providing any way to differentiate between OpenSSL and LibreSSL (for example, BoringSSL provides OPENSSL_IS_BORINGSSL).

This means that applications that already support features from OpenSSL-1.0.2 and/or OpenSSL-1.1.0 won't compile against LibreSSL, because they see version 2.0.0, not 1.0.1 (which LibreSSL was forked off).

Best regards,
Piotr Sikora
Re: First release of LibreSSL portable is available.
It's already fixed, so will be on the next tarball roll

On Fri, Jul 11, 2014 at 3:07 PM, Piotr Sikora piotr.sik...@frickle.com wrote:
> Hello,
>
>> libressl-2.0.0.tar.gz has been tested to build on various versions of Linux, Solaris, Mac OSX, and FreeBSD.
>>
>> This is intended as an initial release to allow the community to start using and providing feedback. We will be adding support for other platforms as time and resources permit.
>
> Congratulations on the first release!
>
> However, I have an issue with the versioning. You defined OPENSSL_VERSION_NUMBER as 0x2000L (2.0.0) without providing any way to differentiate between OpenSSL and LibreSSL (for example, BoringSSL provides OPENSSL_IS_BORINGSSL).
>
> This means that applications that already support features from OpenSSL-1.0.2 and/or OpenSSL-1.1.0 won't compile against LibreSSL, because they see version 2.0.0, not 1.0.1 (which LibreSSL was forked off).
>
> Best regards,
> Piotr Sikora
Re: First release of LibreSSL portable is available.
Hi,

On Fri, Jul 11, 2014 at 12:21:12PM -0600, Bob Beck wrote:
> The first release of LibreSSL portable has been released. LibreSSL can be found in the LibreSSL directory of your favorite OpenBSD mirror.
>
> http://ftp.openbsd.org/pub/OpenBSD/LibreSSL has it, and other mirrors

sounds great! Would you mind publishing checksums stuff for that?

TIA!

Kind regards,
--Toni++
Re: First release of LibreSSL portable is available.
Hey Bob,

> It's already fixed, so will be on the next tarball roll

Thanks!

I should have been more clear in my previous email, but would it be possible to also revert OPENSSL_VERSION_NUMBER back to 0x1000107fL (or 0x1000108fL)? This way LibreSSL would work as a drop-in replacement without applications needing to add explicit support for LibreSSL.

Right now, with OPENSSL_VERSION_NUMBER 0x2000L, existing software must change:

    #if OPENSSL_VERSION_NUMBER >= 0x10002000L
    ...
    #endif

to:

    #if OPENSSL_VERSION_NUMBER >= 0x10002000L \
        && !defined LIBRESSL_VERSION_NUMBER
    ...
    #endif

in order to compile with LibreSSL, for no good reason.

Best regards,
Piotr Sikora
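An added example, not part of the original thread or of LibreSSL: a small Python scanner that finds the kind of guard discussed in the message above, an #if on OPENSSL_VERSION_NUMBER above the 1.0.1 values named in the thread with no LIBRESSL_VERSION_NUMBER test in the same condition. The function names, the choice of baseline constant and the sample C source are assumptions constructed for illustration.

```python
import re

# Highest 1.0.1 value named in the thread (assumed baseline). Guards above it
# ask for features newer than the code LibreSSL was forked from.
FORK_BASELINE = 0x1000108F
GUARD = re.compile(r"OPENSSL_VERSION_NUMBER\s*(>=|>)\s*(0x[0-9A-Fa-f]+)")

def logical_lines(source):
    """Yield (first_line_number, text) with backslash continuations joined."""
    buf, start = "", None
    for number, line in enumerate(source.splitlines(), 1):
        start = start or number
        if line.rstrip().endswith("\\"):
            buf += line.rstrip()[:-1] + " "
            continue
        yield start, buf + line
        buf, start = "", None
    if buf:
        yield start, buf

def unguarded_version_checks(source):
    """Return [(line, constant)] for #if/#elif guards with no LibreSSL test."""
    findings = []
    for number, text in logical_lines(source):
        cond = text.lstrip()
        if not re.match(r"#\s*(if|elif)\b", cond):
            continue
        if "LIBRESSL_VERSION_NUMBER" in cond:
            continue  # condition already distinguishes LibreSSL
        for _op, constant in GUARD.findall(cond):
            if int(constant, 16) > FORK_BASELINE:
                findings.append((number, constant))
    return findings

# Constructed sample C source, not from any real project.
SAMPLE = """\
#if OPENSSL_VERSION_NUMBER >= 0x10002000L
    X509_check_host(cert, name, 0, 0, NULL);
#endif
#if OPENSSL_VERSION_NUMBER >= 0x10002000L \\
    && !defined LIBRESSL_VERSION_NUMBER
#endif
#if OPENSSL_VERSION_NUMBER >= 0x0090800fL
#endif
"""

for line_no, constant in unguarded_version_checks(SAMPLE):
    print(f"line {line_no}: guard on {constant} has no LibreSSL check")
```

Only the first guard in the sample is reported: the second carries the LIBRESSL_VERSION_NUMBER test across a continuation line, and the third asks for a version older than the fork point.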
Re: First release of LibreSSL portable is available.
On Sat, Jul 12, 2014 at 00:22, Piotr Sikora wrote:
> Hey Bob,
>
>> It's already fixed, so will be on the next tarball roll
>
> Thanks!
>
> I should have been more clear in my previous email, but would it be possible to also revert OPENSSL_VERSION_NUMBER back to 0x1000107fL (or 0x1000108fL)? This way LibreSSL would work as a drop-in replacement without applications needing to add explicit support for LibreSSL.

Ideas are still bouncing around, but basically OpenSSL fucked up from the start.

Instead of defining (e.g.) OPENSSL_HAS_ECDH, new versions which are compiled without it define OPENSSL_NO_ECDH and then your application code checks ifndef OPENSSL_NO_ECDH. But that test also passes on older versions that lack the feature entirely, and then the guarded code won't compile.

Testing for ifdef OPENSSL_FEATURE would work with both old libraries that don't know about the feature and new libraries that don't support it. As expected, OPENSSL does the opposite and makes life harder for everyone.
Re: First release of LibreSSL portable is available.
> it. As expected, OPENSSL does the opposite and makes life harder for everyone.

Hasn't this been the OpenSSL roadmap since the very beginning?
Re: First release of LibreSSL portable is available.
Thanks Bob and all the other LibreSSL hackers. Just switched my slackware 14.1 box over to libressl instead of openssl and it's working great so far, no problems at all.