Date:      Tue, 25 Apr 2017 02:22:37 +0000
From:      bugzilla-noreply@freebsd.org
To:        freebsd-ports-bugs@FreeBSD.org
Subject:   [Bug 212149] security/strongswan: Runtime failures with LibreSSL
Message-ID:  <bug-212149-13-nwuiBq0s1n@https.bugs.freebsd.org/bugzilla/>
In-Reply-To: <bug-212149-13@https.bugs.freebsd.org/bugzilla/>
References:  <bug-212149-13@https.bugs.freebsd.org/bugzilla/>

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=212149

dewayne@heuristicsystems.com.au changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
 Attachment #182037|0                           |1
        is obsolete|                            |

--- Comment #17 from dewayne@heuristicsystems.com.au ---
Created attachment 182070
  --> https://bugs.freebsd.org/bugzilla/attachment.cgi?id=182070&action=edit
libressl Makefile patch - helps migration to libressl

Bernard,
Thanks for your help.  After a few more iterations of chasing my tail with
patches, I decided that this game had to end.

I hacked /usr/include/openssl/opensslv.h

#define OPENSSL_VERSION_NUMBER 0x1000107fL /* openssl at time of libressl fork */
/* #define OPENSSL_VERSION_NUMBER 0x20000000L  Just to test if strongswan will ever work! */

and for good measure "ln -s /usr/local/include/openssl /usr/include/openssl". I
moved my working copies of strongswan and hostapd; svnlite pulled the latest
and rebuilt.

I've added my patch to the libressl Makefile, which I've included (discard my
CFLAGS change, as that is local). I only use and have tested on amd64, hence
the constraint.

Result
strongswan 5.5.2, and the other problematic ports (freeradius3, haproxy and
hostapd 2.6), all built cleanly, and preliminary testing looks positive.

Perhaps not a long-term solution, and I'm sure we need to get this fixed for
the long haul. My realistic expectation: ALL upstream applications that use
openssl 1.0.X internals in their source are going to need to change/'hack
around' to accommodate the new openssl 1.1.x (opaque) structures.  At which
point we'll need to address this properly, but until openssl 1.0.x retires &/or
libressl changes significantly we "should" be ok.

For me, the key trigger for change will be who actually provides safe ECC, but
that's another story. ;)

-- 
You are receiving this mail because:
You are the assignee for the bug.
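A check that goes with the workaround described in the comment above, added here as an example; it is not part of the bug report, the strongswan port or the libressl port. It is a POSIX sh script that reads an opensslv.h and reports what version-guarded C code will see. The naive guard, "#if OPENSSL_VERSION_NUMBER >= 0x10100000L", is satisfied by LibreSSL's 0x20000000L even though LibreSSL of that era still exposes the 1.0-style non-opaque structures, which is how a port ends up compiling 1.1 accessor code against a 1.0 ABI; the correct guard also tests !defined(LIBRESSL_VERSION_NUMBER). Pinning the number to 0x1000107fL, as in the hack above, makes the naive guard take the 1.0 path while leaving the LibreSSL marker in place. The sample headers the script creates are constructed (the LIBRESSL_VERSION_NUMBER value is illustrative) and the function names are assumptions of this example.

```sh
#!/bin/sh
# Added example (not from the bug report or the ports tree). Inspect an
# opensslv.h and report which OpenSSL API family version-guarded C code will
# compile for. Assumes the header defines OPENSSL_VERSION_NUMBER as a hex
# literal and, for LibreSSL, also LIBRESSL_VERSION_NUMBER, as the real
# headers do.

# Print the hex value of an active "#define NAME 0x...." in a header; a
# commented-out define (as in the hack above) does not match. $1=name $2=file
define_value() {
    sed -n "s/^[[:space:]]*#[[:space:]]*define[[:space:]]\{1,\}$1[[:space:]]\{1,\}\(0x[0-9A-Fa-f]*\)[Ll]\{0,1\}.*/\1/p" "$2" 2>/dev/null | head -n 1
}

# What the naive guard "#if OPENSSL_VERSION_NUMBER >= 0x10100000L" selects:
# prints yes (opaque 1.1 code path) or no (1.0 code path).
naive_guard_selects_opaque() {
    ossl=$(define_value OPENSSL_VERSION_NUMBER "$1")
    [ -n "$ossl" ] || { echo unknown; return 1; }
    if [ $(( $ossl )) -ge $(( 0x10100000 )) ]; then echo yes; else echo no; fi
}

# What the correct guard, which also tests !defined(LIBRESSL_VERSION_NUMBER),
# selects: prints libressl, openssl-1.1, openssl-1.0 or unknown.
api_family() {
    ossl=$(define_value OPENSSL_VERSION_NUMBER "$1")
    lssl=$(define_value LIBRESSL_VERSION_NUMBER "$1")
    [ -n "$ossl" ] || { echo unknown; return 1; }
    if [ -n "$lssl" ]; then
        echo libressl
    elif [ $(( $ossl )) -ge $(( 0x10100000 )) ]; then
        echo openssl-1.1
    else
        echo openssl-1.0
    fi
}

# Constructed sample headers (values illustrative, not copied from any
# release); prints the directory that holds them.
make_sample_headers() {
    d=$(mktemp -d) || return 1
    cat > "$d/libressl.h" <<'EOF'
#define LIBRESSL_VERSION_NUMBER 0x2050100fL
#define OPENSSL_VERSION_NUMBER 0x20000000L
EOF
    cat > "$d/openssl10.h" <<'EOF'
# define OPENSSL_VERSION_NUMBER  0x1000207fL
EOF
    cat > "$d/openssl11.h" <<'EOF'
# define OPENSSL_VERSION_NUMBER  0x1010000fL
EOF
    # The hack from the comment above: a LibreSSL header with the number
    # pinned to OpenSSL 1.0.1g and the original value commented out.
    cat > "$d/hacked.h" <<'EOF'
#define LIBRESSL_VERSION_NUMBER 0x2050100fL
#define OPENSSL_VERSION_NUMBER 0x1000107fL /* openssl at time of libressl fork */
/* #define OPENSSL_VERSION_NUMBER 0x20000000L */
EOF
    echo "$d"
}

# Stand-alone demo: run both guards over every constructed header.
demo() {
    d=$(make_sample_headers) || return 1
    for h in libressl openssl10 openssl11 hacked; do
        printf '%-10s naive_guard_opaque=%-3s api_family=%s\n' "$h" \
            "$(naive_guard_selects_opaque "$d/$h.h")" "$(api_family "$d/$h.h")"
    done
    rm -rf "$d"
}
demo
```

Run it against a real header with api_family /usr/include/openssl/opensslv.h (or the one under /usr/local/include) before building a port: "libressl" together with "naive_guard_opaque=yes" is the combination that produces the build and runtime failures this bug is about, and it is the condition the header hack papers over rather than fixes.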


