
This queue is for tickets about the Net-SSLeay CPAN distribution.

Report information
The Basics
Id: 104489
Status: resolved
Priority: 0/
Queue: Net-SSLeay

People
Owner: MIKEM [...] cpan.org
Requestors: alexander.bluhm [...] gmx.net
Cc:
AdminCc:

Bug Information
Severity: (no value)
Broken in: 1.68
Fixed in: 1.69



Subject: support for current LibreSSL
Newer LibreSSL has added support for ALPN and ephemeral has been removed. This patch updates Net::SSLeay accordingly.

Unfortunately LibreSSL has no way to detect the supported feature set. So I suggest to use the latest version. I am still discussing the issue with the LibreSSL developers.

I am not sure how to check for LibreSSL in Perl code. In my previous patch I used
... if &Net::SSLeay::LIBRESSL_VERSION_NUMBER;
That did not work for OpenSSL so you changed it to
... if defined &Net::SSLeay::LIBRESSL_VERSION_NUMBER;
This is broken with LibreSSL, so let's try
... if defined Net::SSLeay::LIBRESSL_VERSION_NUMBER();

Could you test whether the latter also works with OpenSSL and use it instead?

--- SSLeay.xs.orig Fri Jan 16 23:19:24 2015 +++ SSLeay.xs Mon Jan 19 02:15:01 2015 @@ -5773,7 +5773,7 @@ OCSP_response_results(rsp,...) #endif -#if OPENSSL_VERSION_NUMBER >= 0x10002000L && !defined(OPENSSL_NO_TLSEXT) && !defined(LIBRESSL_VERSION_NUMBER) +#if OPENSSL_VERSION_NUMBER >= 0x10002000L && !defined(OPENSSL_NO_TLSEXT) int SSL_CTX_set_alpn_select_cb(ctx,callback,data=&PL_sv_undef) --- t/local/35_ephemeral.t.orig Tue Dec 4 02:49:11 2012 +++ t/local/35_ephemeral.t Mon Jan 19 02:20:29 2015 @@ -2,8 +2,14 @@ use strict; use warnings; -use Test::More tests => 3; +use Test::More; use Net::SSLeay; + +BEGIN { + plan skip_all => "libressl removed support for ephemeral/temporary RSA private keys" if defined Net::SSLeay::LIBRESSL_VERSION_NUMBER(); +} + +plan tests => 3; Net::SSLeay::randomize(); Net::SSLeay::load_error_strings(); --- t/local/41_alpn_support.t.orig Tue Jan 13 06:44:31 2015 +++ t/local/41_alpn_support.t Mon Jan 19 02:16:07 2015 @@ -11,7 +11,6 @@ use Config; BEGIN { plan skip_all => "openssl 1.0.2 required" unless Net::SSLeay::SSLeay >= 0x10002000; - plan skip_all => "libressl not supported" if defined &Net::SSLeay::LIBRESSL_VERSION_NUMBER; plan skip_all => "fork() not supported on $^O" unless $Config{d_fork}; }
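Review bot: in the SSLeay.xs hunk, once !defined(LIBRESSL_VERSION_NUMBER) is dropped the guard around SSL_CTX_set_alpn_select_cb rests only on OPENSSL_VERSION_NUMBER >= 0x10002000L and OPENSSL_NO_TLSEXT, so nothing in it separates a LibreSSL release that has ALPN from one that does not. The description says the feature set cannot be detected, so state the minimum LibreSSL release in a comment above the #if or in the build notes, so that a build against an older LibreSSL is recognisably an unsupported configuration.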
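Review bot: in the t/local/35_ephemeral.t hunk, the skip condition "defined Net::SSLeay::LIBRESSL_VERSION_NUMBER()" calls the constant rather than testing whether it exists, so on a build without that macro the outcome depends on what the module does for an unknown constant. Confirm the OpenSSL run is silent before this goes in, and note in the test that the skip applies to every LibreSSL version because it is keyed on the library's identity, not on the presence of the ephemeral RSA calls.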
Subject: Re: [rt.cpan.org #104489] support for current LibreSSL
Date: Mon, 18 May 2015 17:04:35 +1000
To: bug-Net-SSLeay [...] rt.cpan.org
From: Mike McCauley <mikem [...] airspayce.com>
Hi,

Looks *almost* OK. tests OK with openssl, but one warning:

t/local/35_ephemeral.t ................. Your vendor has not defined SSLeay macro LIBRESSL_VERSION_NUMBER at t/local/35_ephemeral.t line 9.

Is there another way that might work for you?

Cheers.

On Sunday, May 17, 2015 08:25:26 PM you wrote:
> Sun May 17 20:25:19 2015: Request 104489 was acted upon. > Transaction: Ticket created by bluhm > Queue: Net-SSLeay > Subject: support for current LibreSSL > Broken in: 1.68 > Severity: (no value) > Owner: Nobody > Requestors: alexander.bluhm@gmx.net > Status: new > Ticket <URL: https://rt.cpan.org/Ticket/Display.html?id=104489 > > > > Newer LibreSSL has added support for ALPN and ephemeral has been > removed. This patch updates Net::SSLeay accordingly. > > Unfortunately LibreSSL has no way to detect the supported feature > set. So I suggest to use the latest version. I am still discussing > the issue with the LibreSSL developers. > > I am not sure how to check for LibreSSL in Perl code. > In my previous patch I used > ... if &Net::SSLeay::LIBRESSL_VERSION_NUMBER; > That did not work for OpenSSL so you changed it to > ... if defined &Net::SSLeay::LIBRESSL_VERSION_NUMBER; > This is broken with LibreSSL, so let's try > ... if defined Net::SSLeay::LIBRESSL_VERSION_NUMBER(); > > Could you test whether the latter also works with OpenSSL and use > it instead? > > --- SSLeay.xs.orig Fri Jan 16 23:19:24 2015 > +++ SSLeay.xs Mon Jan 19 02:15:01 2015 > @@ -5773,7 +5773,7 @@ OCSP_response_results(rsp,...) > > #endif > > -#if OPENSSL_VERSION_NUMBER >= 0x10002000L && !defined(OPENSSL_NO_TLSEXT) && > !defined(LIBRESSL_VERSION_NUMBER) +#if OPENSSL_VERSION_NUMBER >= > 0x10002000L && !defined(OPENSSL_NO_TLSEXT) > > int > SSL_CTX_set_alpn_select_cb(ctx,callback,data=&PL_sv_undef) > --- t/local/35_ephemeral.t.orig Tue Dec 4 02:49:11 2012 > +++ t/local/35_ephemeral.t Mon Jan 19 02:20:29 2015 
> @@ -2,8 +2,14 @@ > > use strict; > use warnings; > -use Test::More tests => 3; > +use Test::More; > use Net::SSLeay; > + > +BEGIN { > + plan skip_all => "libressl removed support for ephemeral/temporary RSA > private keys" if defined Net::SSLeay::LIBRESSL_VERSION_NUMBER(); +} > + > +plan tests => 3; > > Net::SSLeay::randomize(); > Net::SSLeay::load_error_strings(); > --- t/local/41_alpn_support.t.orig Tue Jan 13 06:44:31 2015 > +++ t/local/41_alpn_support.t Mon Jan 19 02:16:07 2015 > @@ -11,7 +11,6 @@ use Config; > > BEGIN { > plan skip_all => "openssl 1.0.2 required" unless Net::SSLeay::SSLeay >= > 0x10002000; - plan skip_all => "libressl not supported" if defined > &Net::SSLeay::LIBRESSL_VERSION_NUMBER; plan skip_all => "fork() not > supported on $^O" unless $Config{d_fork}; }
-- Mike McCauley VK4AMM mikem@airspayce.com Airspayce Pty Ltd 9 Bulbul Place Currumbin Waters QLD 4223 Australia http://www.airspayce.com Phone +61 7 5598-7474
Subject: Re: [rt.cpan.org #104489] support for current LibreSSL
Date: Mon, 18 May 2015 21:48:57 +0200
To: Mike McCauley via RT <bug-Net-SSLeay [...] rt.cpan.org>
From: Alexander Bluhm <alexander.bluhm [...] gmx.net>
On Mon, May 18, 2015 at 03:05:05AM -0400, Mike McCauley via RT wrote:
> t/local/35_ephemeral.t ................. Your vendor has not defined SSLeay > macro LIBRESSL_VERSION_NUMBER at t/local/35_ephemeral.t line 9. > > Is there another way that might work for you?
I have looked into the autoloader that generates the error and found the constant() function.
... if Net::SSLeay::constant("LIBRESSL_VERSION_NUMBER");
For OpenBSD with LibreSSL it returns 0x20000000.

Please try it with OpenSSL.

bluhm

--- SSLeay.xs.orig Fri Jan 16 23:19:24 2015 +++ SSLeay.xs Mon Jan 19 02:15:01 2015 @@ -5773,7 +5773,7 @@ OCSP_response_results(rsp,...) #endif -#if OPENSSL_VERSION_NUMBER >= 0x10002000L && !defined(OPENSSL_NO_TLSEXT) && !defined(LIBRESSL_VERSION_NUMBER) +#if OPENSSL_VERSION_NUMBER >= 0x10002000L && !defined(OPENSSL_NO_TLSEXT) int SSL_CTX_set_alpn_select_cb(ctx,callback,data=&PL_sv_undef) --- t/local/35_ephemeral.t.orig Tue Dec 4 02:49:11 2012 +++ t/local/35_ephemeral.t Mon Jan 19 02:20:29 2015 @@ -2,8 +2,14 @@ use strict; use warnings; -use Test::More tests => 3; +use Test::More; use Net::SSLeay; + +BEGIN { + plan skip_all => "libressl removed support for ephemeral/temporary RSA private keys" if Net::SSLeay::constant("LIBRESSL_VERSION_NUMBER"); +} + +plan tests => 3; Net::SSLeay::randomize(); Net::SSLeay::load_error_strings(); --- t/local/41_alpn_support.t.orig Tue Jan 13 06:44:31 2015 +++ t/local/41_alpn_support.t Mon Jan 19 02:16:07 2015 @@ -11,7 +11,6 @@ use Config; BEGIN { plan skip_all => "openssl 1.0.2 required" unless Net::SSLeay::SSLeay >= 0x10002000; - plan skip_all => "libressl not supported" if defined &Net::SSLeay::LIBRESSL_VERSION_NUMBER; plan skip_all => "fork() not supported on $^O" unless $Config{d_fork}; }
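Review bot: in the t/local/35_ephemeral.t hunk, the condition Net::SSLeay::constant("LIBRESSL_VERSION_NUMBER") is a truthiness test that relies on constant() returning a false value, with no diagnostic, when the macro is absent. Add a one-line comment inside the BEGIN block saying why constant() is used instead of the autoloaded sub, so the check is not later rewritten into one of the earlier forms that failed on one of the two libraries.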
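Review bot: in the t/local/41_alpn_support.t hunk, removing the LibreSSL skip leaves "Net::SSLeay::SSLeay >= 0x10002000" as the only library gate, and its message still reads "openssl 1.0.2 required". On LibreSSL the test now runs on the strength of the reported version number alone, so consider gating on the presence of the ALPN binding instead, and reword the skip message so it is accurate for both libraries.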
Subject: Re: [rt.cpan.org #104489] support for current LibreSSL
Date: Tue, 19 May 2015 07:09:42 +1000
To: bug-Net-SSLeay [...] rt.cpan.org
From: Mike McCauley <mikem [...] airspayce.com>
Hi,

thanks for your suggestion. Works fine. Your changes will be in the next release of NetSSLeay which I expect will be quite soon. In the meantime they are in SVN 436.

Cheers.

On Monday, May 18, 2015 03:49:15 PM Alexander Bluhm via RT wrote:
> Queue: Net-SSLeay > Ticket <URL: https://rt.cpan.org/Ticket/Display.html?id=104489 > > > On Mon, May 18, 2015 at 03:05:05AM -0400, Mike McCauley via RT wrote:
> > t/local/35_ephemeral.t ................. Your vendor has not defined > > SSLeay > > macro LIBRESSL_VERSION_NUMBER at t/local/35_ephemeral.t line 9. > > > > Is there another way that might work for you?
> > I have looked into the autoloader that generates the error and found > the constant() function. > ... if Net::SSLeay::constant("LIBRESSL_VERSION_NUMBER"); > For OpenBSD with LibreSSL it returns 0x20000000. > > Please try it with OpenSSL. > > bluhm > > --- SSLeay.xs.orig Fri Jan 16 23:19:24 2015 > +++ SSLeay.xs Mon Jan 19 02:15:01 2015 > @@ -5773,7 +5773,7 @@ OCSP_response_results(rsp,...) > > #endif > > -#if OPENSSL_VERSION_NUMBER >= 0x10002000L && !defined(OPENSSL_NO_TLSEXT) && > !defined(LIBRESSL_VERSION_NUMBER) +#if OPENSSL_VERSION_NUMBER >= > 0x10002000L && !defined(OPENSSL_NO_TLSEXT) > > int > SSL_CTX_set_alpn_select_cb(ctx,callback,data=&PL_sv_undef) > --- t/local/35_ephemeral.t.orig Tue Dec 4 02:49:11 2012 > +++ t/local/35_ephemeral.t Mon Jan 19 02:20:29 2015 > @@ -2,8 +2,14 @@ > > use strict; > use warnings; > -use Test::More tests => 3; > +use Test::More; > use Net::SSLeay; > + > +BEGIN { > + plan skip_all => "libressl removed support for ephemeral/temporary RSA > private keys" if Net::SSLeay::constant("LIBRESSL_VERSION_NUMBER"); +} > + > +plan tests => 3; > > Net::SSLeay::randomize(); > Net::SSLeay::load_error_strings(); > --- t/local/41_alpn_support.t.orig Tue Jan 13 06:44:31 2015 > +++ t/local/41_alpn_support.t Mon Jan 19 02:16:07 2015 > @@ -11,7 +11,6 @@ use Config; > > BEGIN { > plan skip_all => "openssl 1.0.2 required" unless Net::SSLeay::SSLeay >= > 0x10002000; - plan skip_all => "libressl not supported" if defined > &Net::SSLeay::LIBRESSL_VERSION_NUMBER; plan skip_all => "fork() not > supported on $^O" unless $Config{d_fork}; }
-- Mike McCauley VK4AMM mikem@airspayce.com Airspayce Pty Ltd 9 Bulbul Place Currumbin Waters QLD 4223 Australia http://www.airspayce.com Phone +61 7 5598-7474
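The detection idioms tried across this thread differ because the constant is resolved lazily by an autoloader, which the following Perl example models. It is an added example, not code from Net::SSLeay or from either correspondent; the Demo::TLS package, its %MACROS table and the zero return of constant() for an unknown name are assumptions chosen to match the behaviour the thread reports.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Hypothetical stand-in for a module whose constants are resolved lazily.
package Demo::TLS;
use Carp qw(croak);
our $AUTOLOAD;
our %MACROS;    # constructed: macros the simulated C library defines

# Assumption: an unknown macro name yields 0 with no diagnostic.
sub constant { my ($name) = @_; return $MACROS{$name} // 0 }

# A constant sub does not exist until its first call installs it here.
sub AUTOLOAD {
    ( my $name = $AUTOLOAD ) =~ s/.*:://;
    croak "Your vendor has not defined macro $name" unless exists $MACROS{$name};
    my $val = $MACROS{$name};
    no strict 'refs';
    *{$AUTOLOAD} = sub { $val };
    goto &{$AUTOLOAD};
}

package main;

# "defined NAME()" calls the sub, so it goes through AUTOLOAD; the bare
# "&NAME" form from the first patch is a call as well.
sub by_call {
    my $r = eval { defined( Demo::TLS::LIBRESSL_VERSION_NUMBER() ) ? 'true' : 'false' };
    return $r if defined $r;
    ( my $err = $@ ) =~ s/ at .*//s;
    return "dies ($err)";
}

# Absent build first: nothing is installed, so the second pass starts clean.
for my $build ( [ 'macro absent (OpenSSL-like)', {} ],
    [ 'macro present (LibreSSL-like)', { LIBRESSL_VERSION_NUMBER => 0x20000000 } ] )
{
    my ( $label, $macros ) = @$build;
    %Demo::TLS::MACROS = %$macros;
    print "$label\n";
    # Looks only at the symbol table and never triggers AUTOLOAD.
    printf "  defined &NAME   : %s\n",
        defined(&Demo::TLS::LIBRESSL_VERSION_NUMBER) ? 'true' : 'false';
    printf "  defined NAME()  : %s\n", by_call();
    printf "  constant(NAME)  : %s\n",
        Demo::TLS::constant('LIBRESSL_VERSION_NUMBER') ? 'true' : 'false';
}
```

Only the constant() row gives a usable answer on both passes: the call form dies when the macro is absent, and `defined &NAME` is still false on the LibreSSL-like pass because nothing has called the constant yet.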