Date: Fri, 23 Sep 2016 16:47:38 +0000
From: bugzilla-noreply@freebsd.org
To: freebsd-ports-bugs@FreeBSD.org
Subject: [Bug 212926] security/openconnect: openconnect prefers /usr/local/lib/libssl.so, breaking DTLS
Message-ID: <bug-212926-13@https.bugs.freebsd.org/bugzilla/>
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=212926

            Bug ID: 212926
           Summary: security/openconnect: openconnect prefers
                    /usr/local/lib/libssl.so, breaking DTLS
           Product: Ports & Packages
           Version: Latest
          Hardware: Any
                OS: Any
            Status: New
          Severity: Affects Some People
          Priority: ---
         Component: Individual Port(s)
          Assignee: zi@FreeBSD.org
          Reporter: cgull@glup.org
             Flags: maintainer-feedback?(zi@FreeBSD.org)

FreeBSD 11.0-RC3, openconnect-7.07 from /latest/ package repo

If the security/openssl package (1.02_15,1) is installed, DTLS over UDP fails
and this VPN client reverts to TLS over TCP, which is quite suboptimal. If it
is *not* installed, DTLS works fine.

This package requires a hack/feature in the TLS implementation to support
Cisco's pre-standard DTLS. OpenSSL's inclusion of this varies according to
version. Both the package and system OpenSSL are 1.02h, which is one of the
versions that does not have the hack upstream. Apparently the system OpenSSL
is patched to include this. See
http://www.infradead.org/openconnect/anyconnect.html for details.

The OpenConnect build sets the binary's RPATH to be /usr/local/lib:

jhood@lister:/usr/home/jhood 0 $ objdump -x /usr/local/sbin/openconnect | grep RPATH
  RPATH                /usr/local/lib

This comes from the OpenConnect configure/build, not from the FreeBSD port.
I haven't figured out precisely where the -rpath flag is coming from yet--
configure or one of the dependencies' pkg-config.

Since both system and ports OpenSSL provide libssl.so.8, openconnect uses the
ports openssl.so.8 if available and the system file if not.

configure.ac does an OpenSSL version check but the port disables it with
--without-openssl-version-check (correctly, I think, since base OpenSSL is
patched). Additionally 'make check' has a test for this issue when built with
OpenSSL but that doesn't seem to detect this problem.

Building the upstream source configured for GnuTLS works fine. GnuTLS has
had the DTLS hack/feature for some time.

I'm not sure what the best solution here is: eliminate the RPATH from the
build, switch to using GnuTLS by default to avoid OpenSSL entirely, or saying
this works as designed.

Bug #212254 (LibreSSL support) touches on a number of similar/related issues.

-- 
You are receiving this mail because:
You are the assignee for the bug.
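The report above turns on run-time linker search order: a DT_RPATH entry is searched before the default library directories, so a ports copy of libssl.so.8 in /usr/local/lib shadows the patched base copy whenever it exists. The script below is an added example, not part of the bug report or of the openconnect port. `resolve_soname` models that ordering for a given soname, RPATH and default search path against whatever files exist on disk; `binary_rpath` and the optional driver at the bottom read the RPATH/RUNPATH and NEEDED entries of a real binary with `objdump -x`, the same command the reporter used. The default directory list `/lib:/usr/lib` is an assumption standing in for the platform's built-in search path.

```shell
#!/bin/sh
# Added example (not from the bug report): determine which copy of a shared
# object the run-time linker will load for a binary that carries an RPATH.

# resolve_soname SONAME RPATH DEFAULT_DIRS
# Search the colon-separated RPATH first, then the colon-separated default
# directories, and print the first path that contains SONAME.
# Returns 1 when the soname is not found anywhere.
resolve_soname() {
    soname=$1
    rpath=$2
    defaults=$3
    for dir in $(printf '%s:%s' "$rpath" "$defaults" | tr ':' ' '); do
        [ -n "$dir" ] || continue
        if [ -e "$dir/$soname" ]; then
            printf '%s/%s\n' "$dir" "$soname"
            return 0
        fi
    done
    return 1
}

# binary_rpath FILE
# Print the RPATH (or RUNPATH) recorded in an ELF binary, empty if none.
# Relies on objdump from binutils, as used in the report.
binary_rpath() {
    objdump -x "$1" 2>/dev/null \
        | awk '$1 == "RPATH" || $1 == "RUNPATH" { print $2; exit }'
}

# binary_needed FILE
# Print each DT_NEEDED soname of an ELF binary, one per line.
binary_needed() {
    objdump -x "$1" 2>/dev/null | awk '$1 == "NEEDED" { print $2 }'
}

# Optional driver: given a binary, report where each NEEDED library resolves.
# /lib:/usr/lib is an assumed stand-in for the platform default search path.
if [ "$#" -ge 1 ]; then
    bin=$1
    rp=$(binary_rpath "$bin")
    printf 'RPATH: %s\n' "${rp:-(none)}"
    for so in $(binary_needed "$bin"); do
        resolve_soname "$so" "$rp" "/lib:/usr/lib" \
            || printf '%s: not found in RPATH or default dirs\n' "$so"
    done
fi
```

Run as `sh resolve.sh /usr/local/sbin/openconnect` to see which libssl.so.8 wins on a given host; a result under /usr/local/lib while the base OpenSSL carries the DTLS patch is the condition the report describes.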
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?bug-212926-13>