1) don't use openssl unless really needed (either a port requires something
which is particularly openssl-specific, or there is some other special reason),
and 2) add some comments to the port explaining why libressl isn't used.
in the normal case ports should use libressl. don't just use openssl to avoid
a few patches because of stupid version detection ifdefs.
Changes between 1.0.1l and 1.0.2 [22 Jan 2015]
...
*) SSL/TLS tracing code. This parses out SSL/TLS records using the
message callback and prints the results. Needs compile time option
"enable-ssl-trace". New options to s_client and s_server to enable
tracing.
[Steve Henson]
It is especially handy when looking at TLS handshakes, e.g. to try
figure out why nc(1)/libtls TLSv1.3 fails but openssl(1)/libssl doesn't.
LibreSSL's openssl(1) has
-msg
Show all protocol messages with hex dump.
but it is not as nearly insightful as OpenSSL's s_client(1)
-trace
Show verbose trace output of protocol messages. OpenSSL needs
to be compiled with enable-ssl-trace for this option to work.
Upstream enabled "ssl-trace" by default as of 10.06.2021, see commit
726f92e016bac53175ed5d5321bce1ddf6b207d6.
Feedback sthen tb
OK tb
- Fixed a NULL pointer deref in the X509_issuer_and_serial_hash()
function (CVE-2021-23841)
- Fixed the RSA_padding_check_SSLv23() function and the
RSA_SSLV23_PADDING padding mode to correctly check for rollback attacks
- Fixed an overflow in the EVP_CipherUpdate, EVP_EncryptUpdate and
EVP_DecryptUpdate functions (CVE-2021-23840)
- Fixed SRP_Calc_client_key so that it runs in constant time
As diagnosed by kettenis, running the regress/lib/libssl/interop/openssl
test results in a SIGILL or SIGBUS due to an alignment issue. The reason
for this is that the configure magic fails to pick up -m64 which is
needed for the perlasm to generate the correct flavor of assembly.
None of the approaches for setting variables in the main port Makefile
worked. Since we already patch out -O3 from Configure, I added -m64
there. The resulting binary seems to work well. The interop tests on
sparc64 pass with this patch.
Many thanks to kettenis for figuring this out and to sthen who helped
me save a lot of time with FLAVOR=no_man.
ok sthen
- Fixed NULL pointer deref in the GENERAL_NAME_cmp function, CVE-2020-1971
- In 1.1.1h, an expired trusted (root) certificate was not anymore rejected
when validating a certificate path.
On OpenBSD, setsockopt(sock, IPPROTO_IPV6, IPV6_V6ONLY, ...) only allows
setting to 1 (which is the default anyway). Setting to 0 results in EINVAL.
This doesn't fix everything, there are still some other problems with binds
to v6 addresses with OpenSSL 1.1 on OpenBSD.
Detection succeeds on sparc64 where clang uses gas, but then build fails
because of a mix of -Wa,foobar unused argument warning and -Werror.
Just drop the use of --noexecstack, the stack is always marked
non-executable on OpenBSD.
ok sthen@ (maintainer)
