From: bugzilla-noreply@freebsd.org
To: ports-bugs@FreeBSD.org
Subject: [Bug 237757] www/nginx-devel: OCSP stapling broken with security/libressl 2.9.1
Date: Mon, 13 May 2019 21:15:52 +0000

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=237757

--- Comment #8 from Elias Ohm ---

But for the nginx part they really should fix that. It's not that they need such a fallback within their own code, and it's not that a more appropriate way to handle that is not available using officially documented interfaces. If they account for the interface enhancement and evolution in the one place, they should do it in the other places also.
And even if they expect they could get a pre-populated context from plugins which may still use the old extra vars instead of the more appropriate new certificate chain (which I did not check, to be honest), it's much better then to expect the plugins to deliver the context with the newer structure, implementing an explicit fallback to the extra chain (recognising the issue, and being able to report warnings about legacy plugins that should better be updated and such).

For builders that want to build nginx against a non-default lib, they either could provide some configuration, or the builders would have the duty to deal with that (so define SSL_CTX_get_extra_chain_certs_only to point to SSL_CTX_get_extra_chain_certs).

For LibreSSL it would at least be a possibly breaking change for applications that expect exactly the LibreSSL interface and rely on getting the extra chain from the context never returning the chain of the current certificate. Though there are probably not too many applications affected by that.

Anyway, that is the exact explanation for the issue. And for me a patch to nginx is more appropriate. Best at upstream nginx, or, if they deny it for any (for me not really understandable) reason, as a local fix to be able to build with libressl, if someone insists on doing so.

Of course if they would change LibreSSL, that would solve the specific issue reported here either. (While it's unlikely that there are too many similar cases like this around that would profit from that, I assume.)