Bug 474504 - net-misc/openconnect-5.01 incompatible with ( >=dev-libs/openssl-1.0.1d <dev-libs/openssl-1.0.1f) and ~dev-libs/openssl-1.0.0k
Summary: net-misc/openconnect-5.01 incompatible with ( >=dev-libs/openssl-1.0.1d <dev-...
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: [OLD] Library
Hardware: All Linux
Importance: Normal normal
Assignee: Matthew Schultz
URL:
Whiteboard:
Keywords:
Depends on:
Blocks:
 
Reported: 2013-06-23 16:52 UTC by Alexandre Rostovtsev (RETIRED)
Modified: 2013-07-08 13:17 UTC (History)
CC: 4 users

See Also:
Package list:
Runtime testing required: ---


Attachments

Description Alexandre Rostovtsev (RETIRED) gentoo-dev 2013-06-23 16:52:25 UTC
net-misc/openconnect-5.01 claims to be incompatible with ( >=openssl-1.0.1d <openssl-1.0.1f) and ~openssl-1.0.0k

See configure.ac:

if test "$check_openssl_dtls" = "yes"; then
	AC_MSG_CHECKING([for known-broken versions of OpenSSL])
	AC_COMPILE_IFELSE([AC_LANG_PROGRAM([#include <openssl/opensslv.h>],[#if \
				    (OPENSSL_VERSION_NUMBER == 0x10002000L || \
				    (OPENSSL_VERSION_NUMBER >= 0x100000b0L && OPENSSL_VERSION_NUMBER <= 0x100000c0L) || \
				    (OPENSSL_VERSION_NUMBER >= 0x10001040L && OPENSSL_VERSION_NUMBER <= 0x10001060L))
				#error Bad OpenSSL
				#endif
				])],
			  [AC_MSG_RESULT(no)],
			  [AC_MSG_RESULT(yes)
			   AC_ERROR([This version of OpenSSL is known to be broken with Cisco DTLS.
See http://rt.openssl.org/Ticket/Display.html?id=2984&user=guest&pass=guest
Add --without-openssl-version-check to configure args to avoid this check, or
perhaps consider building with GnuTLS instead.])])
fi

Attempting to build openconnect-5.01 with USE=-gnutls against dev-libs/openssl-1.0.1e-r1 results in configure failure:

 * Package:    net-misc/openconnect-5.01
 * Repository: gentoo
 * Maintainer: mattsch@gmail.com hasufell@gentoo.org,proxy-maint@gentoo.org
 * USE:        amd64 elibc_glibc kernel_linux linguas_en_US linguas_ru nls userland_GNU
 * FEATURES:   preserve-libs sandbox userpriv usersandbox
 * Determining the location of the kernel source code
 * Found kernel source directory:
 *     /usr/src/linux
 * Found kernel object directory:
 *     /lib/modules/3.9.4/build
 * Found sources for kernel version:
 *     3.9.4
 * Checking for TUN/TAP support ...
 [ ok ]
>>> Unpacking source...
>>> Unpacking openconnect-5.01.tar.gz to /var/tmp/portage/net-misc/openconnect-5.01/work
>>> Unpacking openconnect-script-20121108205904.tar.gz to /var/tmp/portage/net-misc/openconnect-5.01/work
>>> Source unpacked in /var/tmp/portage/net-misc/openconnect-5.01/work
>>> Preparing source in /var/tmp/portage/net-misc/openconnect-5.01/work/openconnect-5.01 ...
>>> Source prepared.
>>> Configuring source in /var/tmp/portage/net-misc/openconnect-5.01/work/openconnect-5.01 ...
 * econf: updating openconnect-5.01/config.guess with /usr/share/gnuconfig/config.guess
 * econf: updating openconnect-5.01/config.sub with /usr/share/gnuconfig/config.sub
./configure --prefix=/usr --build=x86_64-pc-linux-gnu --host=x86_64-pc-linux-gnu --mandir=/usr/share/man --infodir=/usr/share/info --datadir=/usr/share --sysconfdir=/etc --localstatedir=/var/lib --libdir=/usr/lib64 --disable-silent-rules --disable-dependency-tracking --with-vpnc-script=/etc/openconnect/openconnect.sh --disable-static --enable-nls --with-openssl --without-gnutls --without-libproxy --without-stoken --without-liboath
[...]
checking for OPENSSL... yes
checking for known-broken versions of OpenSSL... yes
configure: error: This version of OpenSSL is known to be broken with Cisco DTLS.
See http://rt.openssl.org/Ticket/Display.html?id=2984&user=guest&pass=guest
Add --without-openssl-version-check to configure args to avoid this check, or
perhaps consider building with GnuTLS instead.

!!! Please attach the following file when seeking support:
!!! /var/tmp/portage/net-misc/openconnect-5.01/work/openconnect-5.01/config.log
 * ERROR: net-misc/openconnect-5.01 failed (configure phase):
 *   econf failed
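The configure.ac check quoted above compares OPENSSL_VERSION_NUMBER against raw hex constants, which is awkward to line up with the spelled-out versions in the bug title. The C program below is an added example written for this page, not code from openconnect or from the Gentoo ebuild: it decodes the 0xMNNFFPPS layout that OpenSSL 1.0.x documents in <openssl/opensslv.h> into the usual "1.0.1e" spelling and reimplements the same predicate at runtime, so the ranges can be inspected without an OpenSSL installation. The function names are my own, and the version numbers fed to main() are constructed boundary values chosen to sit on each edge of the three ranges.

```c
#include <stdio.h>
#include <string.h>

/*
 * OpenSSL 1.0.x encodes OPENSSL_VERSION_NUMBER as 0xMNNFFPPS (documented in
 * <openssl/opensslv.h>): M = major, NN = minor, FF = fix, PP = patch letter
 * (0 = none, 1 = 'a', 2 = 'b', ...), S = status (0 = dev snapshot,
 * 1..0xe = beta N, 0xf = release).
 */

/* Spell a version number the way the bug title does: "1.0.1e", "1.0.0k-dev". */
void openssl_version_string(unsigned long v, char *out, size_t len)
{
    unsigned major  = (v >> 28) & 0xf;
    unsigned minor  = (v >> 20) & 0xff;
    unsigned fix    = (v >> 12) & 0xff;
    unsigned patch  = (v >> 4)  & 0xff;
    unsigned status = v & 0xf;
    char letter[2] = { 0, 0 };
    char suffix[16] = "";

    if (patch)
        letter[0] = (char)('a' + patch - 1);   /* 4 -> 'd', 11 -> 'k' */
    if (status == 0)
        snprintf(suffix, sizeof suffix, "-dev");
    else if (status < 0xf)
        snprintf(suffix, sizeof suffix, "-beta%u", status);

    snprintf(out, len, "%u.%u.%u%s%s", major, minor, fix, letter, suffix);
}

/* Runtime equivalent of the #if in openconnect's configure.ac as quoted in the
 * bug description; the hex constants are copied from there unchanged. */
int openssl_known_broken(unsigned long v)
{
    return v == 0x10002000L
        || (v >= 0x100000b0L && v <= 0x100000c0L)
        || (v >= 0x10001040L && v <= 0x10001060L);
}

int main(void)
{
    /* Constructed sample inputs: the boundary of each range plus its neighbours. */
    const unsigned long samples[] = {
        0x1000103fL, 0x10001040L, 0x1000104fL, 0x1000105fL, 0x10001060L, 0x1000106fL,
        0x100000afL, 0x100000b0L, 0x100000bfL, 0x100000c0L, 0x100000cfL,
        0x10002000L, 0x1000200fL,
    };
    char buf[32];
    size_t i;

    for (i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        openssl_version_string(samples[i], buf, sizeof buf);
        printf("0x%08lx  %-12s  %s\n", samples[i], buf,
               openssl_known_broken(samples[i]) ? "known broken" : "ok");
    }
    return 0;
}
```

Running it shows why the title reads "<openssl-1.0.1f" although the check's upper bound is 0x10001060L: that constant decodes to the 1.0.1f development snapshot (status nibble 0), so the released 1.0.1f (0x1000106f) falls outside the range, and likewise 0x100000c0L is 1.0.0l-dev while released 1.0.0k (0x100000bf) is inside. Those decoded boundaries are the values a package dependency has to mirror when it excludes the affected OpenSSL versions.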
Comment 1 Julian Ospald 2013-06-23 16:54:43 UTC
Can you try to kill that check in configure.ac and see if that is just a bug in the configuration or intended behavior? (I don't run full ~arch)

If the latter is the case, then I will just fix the dependency.
Comment 2 Alexandre Rostovtsev (RETIRED) gentoo-dev 2013-06-23 17:02:50 UTC
This is claimed to be a runtime failure (handshake failure during authentication), and at the moment I don't have access to any OpenConnect servers against which I could run tests.

[The reason I tried to install net-misc/openconnect was to check that net-misc/networkmanager-openconnect still builds.]
Comment 3 Dennis Schridde 2013-06-28 18:48:26 UTC
Is there a fix of any kind to be expected in the foreseeable future?
Comment 4 Matthew Schultz 2013-06-28 19:34:24 UTC
(In reply to Dennis Schridde from comment #3)
> Is there a fix of any kind to be expected in the foreseeable future?

I think it would be up to upstream to patch it to fix versions of openssl that don't work.  They are aware of problems with openssl though.  It seems upstream's preference now is to build with gnutls by default.
Comment 5 Alexandre Rostovtsev (RETIRED) gentoo-dev 2013-06-28 19:35:30 UTC
(In reply to Dennis Schridde from comment #3)
> Is there a fix of any kind to be expected in the foreseeable future?

At least until openssl-1.0.1f is released, a quick workaround is to emerge openconnect with USE=gnutls.
Comment 6 Matthew Schultz 2013-06-28 19:37:18 UTC
(In reply to Julian Ospald (hasufell) from comment #1)
> Can you try to kill that check in configure.ac and see if that is just a bug
> in the configuration or intended behavior? (I don't run full ~arch)
> 
> If the latter is the case, then I will just fix the dependency.

It's intended behavior according to 5.00 release notes:

David Woodhouse (48):
      Switch to using GnuTLS by default
      Document recent OpenSSL brokenness, update GnuTLS/DTLS info
      Add build time and run time handling of recent OpenSSL brokenness
Comment 7 Julian Ospald 2013-06-28 19:38:08 UTC
(In reply to Alexandre Rostovtsev from comment #5)
> (In reply to Dennis Schridde from comment #3)
> > Is there a fix of any kind to be expected in the foreseeable future?
> 
> At least until openssl-1.0.1f is released, a quick workaround is to emerge
> openconnect with USE=gnutls.

Should I change the openssl dep or do we just wait for 1.0.1f?
Comment 8 Matthew Schultz 2013-06-28 19:41:14 UTC
(In reply to Julian Ospald (hasufell) from comment #7)
> (In reply to Alexandre Rostovtsev from comment #5)
> > (In reply to Dennis Schridde from comment #3)
> > > Is there a fix of any kind to be expected in the foreseeable future?
> > 
> > At least until openssl-1.0.1f is released, a quick workaround is to emerge
> > openconnect with USE=gnutls.
> 
> Should I change the openssl dep or do we just wait for 1.0.1f?

That's a good question.  I think at the very least, there should be version checks within the openssl dependency to make sure it doesn't try to build with a broken version.
Comment 9 Alexandre Rostovtsev (RETIRED) gentoo-dev 2013-06-28 19:49:24 UTC
(In reply to Julian Ospald (hasufell) from comment #7)
> Should I change the openssl dep or do we just wait for 1.0.1f?

My suggestions:
1. change the dep to block incompatible openssl versions; and
2. set +gnutls in IUSE, at least until 1.0.1f is released.

(In reply to Matthew Schultz from comment #8)
> I think at the very least, there should be version
> checks within the openssl dependency to make sure it doesn't try to build
> with a broken version.

The blocker needs to be both in depend and rdepend. Of course building against a buggy openssl won't work, but more importantly, building openconnect against a non-buggy stable openssl and then upgrading to a broken unstable openssl will result in a silently broken openconnect.
Comment 10 Julian Ospald 2013-06-28 20:05:48 UTC
(In reply to Alexandre Rostovtsev from comment #9)
> (In reply to Julian Ospald (hasufell) from comment #7)
> > Should I change the openssl dep or do we just wait for 1.0.1f?
> 
> My suggestions:
> 1. change the dep to block incompatible openssl versions; and
> 2. set +gnutls in IUSE, at least until 1.0.1f is released.
> 

I think this is better than a blocker and is resolved nicely by portage, no?


!gnutls? (
	|| (
		<dev-libs/openssl-1.0.1d[static-libs?]
		>=dev-libs/openssl-1.0.1f[static-libs?]
	)
)
Comment 11 Alexandre Rostovtsev (RETIRED) gentoo-dev 2013-06-28 20:14:33 UTC
(In reply to Julian Ospald (hasufell) from comment #10)
Sure, I meant any dependency syntax that blocks the broken version, not necessarily a "!" atom. Sorry for poor wording.

Just don't forget that 1.0.0k (released upstream, but not in gx86 yet) is also incompatible :)
Comment 12 Julian Ospald 2013-06-28 20:24:46 UTC
(In reply to Alexandre Rostovtsev from comment #11)
> (In reply to Julian Ospald (hasufell) from comment #10)
> Sure, I meant any dependency syntax that blocks the broken version, not
> necessarily a "!" atom. Sorry for poor wording.
> 
> Just don't forget that 1.0.0k (released upstream, but not in gx86 yet) is
> also incompatible :)

Can you commit? My cvs access is screwed somehow.
Comment 13 Alexandre Rostovtsev (RETIRED) gentoo-dev 2013-06-29 02:39:14 UTC
(In reply to Julian Ospald (hasufell) from comment #12)
> Can you commit? My cvs access is screwed somehow.

Committed.

+  29 Jun 2013; Alexandre Rostovtsev <tetromino@gentoo.org>
+  openconnect-5.01.ebuild:
+  Do not depend on incompatible openssl versions, and enable gnutls USE flag by
+  default (bug #474504, acked by hasufell).
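Review bot: the ChangeLog entry states that incompatible openssl versions are no longer depended on, but the ebuild change itself is not part of this excerpt, so two points raised in the thread cannot be verified here: that the version restriction is present in RDEPEND as well as DEPEND (comment 9, so that a later openssl upgrade does not silently break an already-built openconnect), and that ~dev-libs/openssl-1.0.0k is excluded alongside the >=1.0.1d <1.0.1f range (comment 11). Pasting the DEPEND/RDEPEND lines would let the exclusions be checked against the bug title.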