Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Icinga2 fails to build against LibreSSL 3.8.3 #10034

Open
davehayes opened this issue Mar 29, 2024 · 1 comment · May be fixed by #9943
Open

Icinga2 fails to build against LibreSSL 3.8.3 #10034

davehayes opened this issue Mar 29, 2024 · 1 comment · May be fixed by #9943
Assignees
@Al2Klimov

Comments

@davehayes
Copy link

Describe the bug

Building against LibreSSL produces the following poudriere output from the build log:

[00:00:22] /wrkdirs/usr/ports/net-mgmt/icinga2/work/icinga2-2.14.2/lib/base/tlsutility.cpp:103:11: error: use of undeclared identifier 'SSL_OP_NO_RENEGOTIATION'
[00:00:22]         flags |= SSL_OP_NO_RENEGOTIATION;
[00:00:22]                  ^
[00:00:22] 1 error generated.

Looking in the code I tried this quite naive patch:

--- lib/base/tlsutility.cpp.orig        2024-03-28 19:53:10.494298000 -0700
+++ lib/base/tlsutility.cpp     2024-03-28 19:55:12.786507000 -0700
@@ -93,7 +93,7 @@

        flags |= SSL_OP_CIPHER_SERVER_PREFERENCE;

-#if OPENSSL_VERSION_NUMBER < 0x10100000L
+#if OPENSSL_VERSION_NUMBER < 0x10100000L && defined(LIBRESSL_VERSION_NUMBER)
        SSL_CTX_set_info_callback(sslContext, [](const SSL* ssl, int where, int) {
                if (where & SSL_CB_HANDSHAKE_DONE) {
                        ssl->s3->flags |= SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS;

but this gave a different error:

[00:00:22] /wrkdirs/usr/ports/net-mgmt/icinga2/work/icinga2-2.14.2/lib/base/tlsutility.cpp:99:7: error: member access into incomplete type 'const SSL' (aka 'const ssl_st')
[00:00:22]                         ssl->s3->flags |= SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS;
[00:00:22]                            ^
[00:00:22] /usr/local/include/openssl/ossl_typ.h:172:16: note: forward declaration of 'ssl_st'
[00:00:22] typedef struct ssl_st SSL;
[00:00:22]                ^
[00:00:22] 1 error generated.

To Reproduce

Build net-mgmt/icinga2 from the current ports tree with SSL=libressl in your make.conf

Expected behavior

Given the exponentially increasing complexity of computer science these days, I have given up the notion of expectations in this area. Some people might expect this to build against LibreSSL as it has in the past. :) I do understand that OpenSSL and LibreSSL are both changing fairly quickly.

Your Environment

Include as many relevant details about the environment you experienced the problem in

  • Version used: Icinga 2.14.2
  • Operating System and version: FreeBSD 13.2-STABLE
@oxzi
Copy link
Member

oxzi commented Apr 2, 2024

I am not quite sure, but would you mind trying out the patch from #9943.

In the OpenBSD ports, there is currently another patch addressing this issue. Unfortunately, I found nothing similar in the FreeBSD port.

@Al2Klimov Al2Klimov self-assigned this Apr 2, 2024
@Al2Klimov Al2Klimov linked a pull request Apr 2, 2024 that will close this issue
Disable TLS renegotiation and fix compile error on OpenBSD #9943
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@Al2Klimov Al2Klimov

Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

Disable TLS renegotiation and fix compile error on OpenBSD Icinga/icinga2
3 participants
@Al2Klimov @davehayes @oxzi