https://bugs.openldap.org/show_bug.cgi?id=10039
Issue ID: 10039
Summary: configure fails to detect SSL_export_keying_material_early with LibreSSL
Product: OpenLDAP
Version: unspecified
Hardware: All
OS: All
Status: UNCONFIRMED
Keywords: needs_review
Severity: normal
Priority: ---
Component: build
Assignee: bugs@openldap.org
Reporter: orbea@riseup.net
Target Milestone: ---
Created attachment 957 --> https://bugs.openldap.org/attachment.cgi?id=957&action=edit
config.log
When configuring OpenLDAP using --with-tls=openssl with LibreSSL, configure will fail to detect SSL_export_keying_material_early, since LibreSSL doesn't support this function yet. However, OpenLDAP doesn't actually use this function, so this can be easily solved by checking for SSL_library_init, a more standard function which both OpenSSL and LibreSSL support and which OpenLDAP actually uses in libraries/libldap/tls_o.c.
checking openssl/ssl.h usability... yes
checking openssl/ssl.h presence... yes
checking for openssl/ssl.h... yes
checking for SSL_export_keying_material_early in -lssl... no
configure: error: Could not locate TLS/SSL package
Other than this the build succeeds correctly with at least LibreSSL 3.7.
--- Comment #1 from orbea@riseup.net ---
Created attachment 958 --> https://bugs.openldap.org/attachment.cgi?id=958&action=edit
Build fix patch
Howard Chu hyc@openldap.org changed:
What            |Removed            |Added
----------------------------------------------------------------------------
Status          |UNCONFIRMED        |RESOLVED
Resolution      |---                |INVALID
--- Comment #2 from Howard Chu hyc@openldap.org ---
No. This was changed explicitly to prevent use of older OpenSSL APIs. See ITS#9640.
Closing this ITS.
--- Comment #3 from orbea@riseup.net ---
I made a LibreSSL issue.
https://git.openldap.org/openldap/openldap/-/merge_requests/612
Quanah Gibson-Mount quanah@openldap.org changed:
What            |Removed            |Added
----------------------------------------------------------------------------
Status          |RESOLVED           |VERIFIED
Keywords        |needs_review       |
--- Comment #4 from orbea@riseup.net ---
@Howard Chu
Would using SSL_CTX_set_ciphersuites() be an acceptable compromise as suggested in the LibreSSL issue?
https://github.com/libressl/portable/issues/836#issuecomment-1502095024
Ondřej Kuzník ondra@mistotebe.net changed:
What            |Removed            |Added
----------------------------------------------------------------------------
See Also        |                   |https://bugs.openldap.org/show_bug.cgi?id=9460
Ondřej Kuzník ondra@mistotebe.net changed:
What            |Removed            |Added
----------------------------------------------------------------------------
Resolution      |INVALID            |---
Status          |VERIFIED           |UNCONFIRMED
--- Comment #5 from Ondřej Kuzník ondra@mistotebe.net ---
Hi, thanks for letting us know, this might work to allow linking against libressl. Assuming their API is sufficiently close to OpenSSL's in how OpenLDAP uses it to actually work: we have to take your word for it that it does. Also, we haven't seen anyone step up to maintain this combination so far; even if we accept your patch, be advised it might still bitrot without ongoing care.
--- Comment #6 from orbea@riseup.net ---
Of course, in the event OpenLDAP starts using functionality which works in OpenSSL but not LibreSSL, I will report it to OpenBSD. They also use OpenLDAP, so they will have direct incentive to fix it. Although I can understand they do not currently have plans to implement SSL_export_keying_material() when there do not seem to be many users of this function, while there are other functions projects other than OpenLDAP could benefit from having. Over the last few releases LibreSSL has made significant progress in bridging the gap with OpenSSL, and hopefully that trend will continue.
--- Comment #7 from Ondřej Kuzník ondra@mistotebe.net ---
On Wed, Apr 12, 2023 at 01:46:54PM +0000, openldap-its@openldap.org wrote:
> Of course, in the event OpenLDAP starts using functionality which works in
> OpenSSL but not LibreSSL, I will report it to OpenBSD. They also use OpenLDAP,
> so they will have direct incentive to fix it. Although I can understand they do
> not currently have plans to implement SSL_export_keying_material() when there
> do not seem to be many users of this function, while there are other functions
> projects other than OpenLDAP could benefit from having. Over the last few
> releases LibreSSL has made significant progress in bridging the gap with
> OpenSSL, and hopefully that trend will continue.
If you've satisfied yourself that it works in your workloads (whatever you need over what the test suite exercises already), I'd say feel free to update and reopen your merge request.
Regards,
--- Comment #8 from orbea@riseup.net ---
Created attachment 960 --> https://bugs.openldap.org/attachment.cgi?id=960&action=edit
OpenLDAP successful build log with LibreSSL 3.6.2
--- Comment #9 from orbea@riseup.net ---
Created attachment 961 --> https://bugs.openldap.org/attachment.cgi?id=961&action=edit
OpenLDAP successful build log with LibreSSL 3.7.2
--- Comment #10 from orbea@riseup.net ---
Created attachment 962 --> https://bugs.openldap.org/attachment.cgi?id=962&action=edit
OpenLDAP current git successful build log with LibreSSL 3.6.2
orbea@riseup.net changed:
What                        |Removed                                                       |Added
----------------------------------------------------------------------------
Attachment #962 description |OpenLDAP current git successful build log with LibreSSL 3.6.2 |OpenLDAP current git (7e6c71e) successful build log with LibreSSL 3.7.2
orbea@riseup.net changed:
What                        |Removed                                           |Added
----------------------------------------------------------------------------
Attachment #961 description |OpenLDAP successful build log with LibreSSL 3.7.2 |OpenLDAP 2.6.4 successful build log with LibreSSL 3.7.2
orbea@riseup.net changed:
What                        |Removed                                           |Added
----------------------------------------------------------------------------
Attachment #960 description |OpenLDAP successful build log with LibreSSL 3.6.2 |OpenLDAP 2.6.4 successful build log with LibreSSL 3.6.2
--- Comment #11 from orbea@riseup.net ---
I attached 3 build logs with the tests showing that current LibreSSL versions can build OpenLDAP on Gentoo as I have claimed. I will open a new MR next.
Quanah Gibson-Mount quanah@openldap.org changed:
What            |Removed            |Added
----------------------------------------------------------------------------
Target Milestone|---                |2.5.15
Quanah Gibson-Mount quanah@openldap.org changed:
What            |Removed            |Added
----------------------------------------------------------------------------
Assignee        |bugs@openldap.org  |hyc@openldap.org
Quanah Gibson-Mount quanah@openldap.org changed:
What            |Removed            |Added
----------------------------------------------------------------------------
Status          |UNCONFIRMED        |IN_PROGRESS
Ever confirmed  |0                  |1
Quanah Gibson-Mount quanah@openldap.org changed:
What            |Removed            |Added
----------------------------------------------------------------------------
Resolution      |---                |FIXED
Status          |IN_PROGRESS        |RESOLVED
--- Comment #12 from Quanah Gibson-Mount quanah@openldap.org ---
head:
• cb73e60a by orbea at 2023-05-15T19:17:51+00:00 ITS#10039 Test for SSL_CTX_set_ciphersuites()
RE26:
• cd2a914b by orbea at 2023-05-16T16:22:48+00:00 ITS#10039 Test for SSL_CTX_set_ciphersuites()
RE25:
• 9701abb4 by orbea at 2023-05-16T16:55:17+00:00 ITS#10039 Test for SSL_CTX_set_ciphersuites()
Quanah Gibson-Mount quanah@openldap.org changed:
What            |Removed            |Added
----------------------------------------------------------------------------
Status          |RESOLVED           |VERIFIED