If you're smart enought to use LibreSSL on FreeBSD: Heads-Up, I've just updated the port to 2.7, rebuild all dependent ports!
http://svnweb.freebsd.org/changeset/ports/468572
@ThTh LOL. That increases the ports count by about 50% :D and adds too much load to the package builders.
@brnrd Then, we have just to deprecate OpenSSL ;-)
@brnrd I'm no longer sure if using it was really smart. With 2.7 some ports fail to build (at least security/py-cryptography@py36), and I expect TLS 1.3 to be available in openssl much sooner.
@AMDmi3 If it's only TLSv1.3 you're after then OpenSSL 1.1.1 will be released about 4-5 months earlier.
That's not the only difference between Libre and Open though :D
@brnrd
I'm after working setup with up to date protocol support primarily
@AMDmi3 And there's patches! https://wiki.freebsd.org/LibreSSL/2.7 Shout if your missing something there.
@brnrd
You must be kidding. I'm missing a sane maintainership approach where patches are applied before everything is broken by the update.
@AMDmi3 point taken. With hindsight I agree I pulled the trigger too early. "Everything" and not "sane" are exaggerations that are unnecessary to convey your point of view
@brnrd comments on the way I convey my point of view are as unnecessary
Hey @brnrd !
Just did the upgrade and as you guess, this was not a piece of cake 🙃
Our of 1358 ports to build, security/py-cryptography, lang/ruby24 and dns/bind910 where broken, skipping 466 ports.
Hopefully patches are available in Bugzilla and apply cleanly.
After patching these ports, lang/rust was the only one left broken, and it also has working patches in Bugzilla.
Would adding a "I tested it and it works" to the bugs help make them be committed earlier? Thanks!
@smortex That would surely help for PRs where it is not already clear that these patches are OK.
Were you able to patch your tree sufficiently to get all packages built? If not, what was missing?
@brnrd Everything was available in Bugzilla, no more work needed.
I used: 226906, 226903 (actually, I used the merge request patch from GitHub that is linked into the comments, not the patch of the issue: I use an old version and only when viewing that this diff was supposed to be usable with older version did I tried to use it), 226852 and 226955.
@brnrd Meh, while trying to fix @_bapt_ port security/py-yubikey-manager, I am hacking some python to bring support for #FreeBSD to https://github.com/Yubico/python-fido2 (which I am not used to), but running the library unit tests fails, and I have not yet added code. The 26 failures ends with:
ImportError: /usr/local/lib/python3.6/site-packages/cryptography/hazmat/bindings/_openssl.abi3.so: Undefined symbol "DTLS_method
Does it ring a bell? I see we have py-cryptography-2.1.4 while upstream has 2.2.2…
@brnrd Ah!
No reference to the culpit in the project repo, and I finally found this:
https://github.com/libressl-portable/portable/issues/380
My guess: secutiry/py-cryptography must be told that DTLS 1.2 is *not* supported with libressl.
@brnrd Follow-up: by adding "-DOPENSSL_NO_DTLS" to CFLAGS, I could workaround this problem, but only to fail a bit later on another missing symbol: EVP_PKEY_get1_tls_encodedpoit.
Full backtrace here:
https://gist.github.com/smortex/f57ac36803a27f14dbd2901109e70a56
@smortex Got you covered, about to upload a new patch to bugzilla/phabricator :D
DTLS is not the only thing that fails 😎
@brnrd Good news, I am looking forward to test this!
BTW, my inability to fix Python bindings to a C library makes me think that writing a Python adapter with bindings to the libusbhid C library will not be an easy task 😨 …
@smortex Just updated the patch in the PR, can you give that a try?
@brnrd w00t! It works!
👍
@brnrd We need flavors for thèse dépendent ports!