dev-libs/libressl-2.3.1 ChangeLog states:

2.3.0 - SSLv3 removed, libtls API changes, portability improvements
* SSLv3 is now permanently removed from the tree.

Affected are:

--- dev-qt/qtcore-4.8.7-r1
qsslsocket_openssl_symbols_p.h:169:39: error: ‘SSLv3_client_method’ was not declared

--- net-libs/rb_libtorrent-1.0.7
/usr/include/boost/asio/ssl/impl/context.ipp:91:29: error: ‘::SSLv3_method’ has not been declared

--- net-wireless/crda-3.18-r1
/usr/lib64/python2.7/site-packages/M2Crypto/_m2crypto.so: undefined symbol: SSLv3_method

--- net-libs/nghttp2-1.5.0
/usr/include/boost/asio/ssl/impl/context.ipp:91:29: error: '::SSLv3_method'

The biggest problem for me personally when using libressl-2.3.x is: it is obviously not compatible with qt4/kde4, which I would love to keep using. I had hoped a change to libressl would be as easy as inserting libressl into the ebuild of rb_libtorrent ... but it is not :(

Reproducible: Always
Thus the above ebuilds are all compatible with dev-libs/libressl-2.2.4 but lack a strong enough subslot dependency to restrict dev-libs/libressl-2.3.x.

Also maybe affected: <=dev-libs/boost-1.57.0

---
A downgrade of libressl helps me for now.
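The crda failure in the report only shows up at load time ("undefined symbol: SSLv3_method"), so a maintainer checking which installed shared objects still import one of the methods LibreSSL 2.3 removed wants a quick scanner. The following is an added example, not code from the bug thread or from Gentoo; the list of removed method names and the sample `nm -D --undefined-only` output are my own constructions, and `scan_objects` only works where binutils `nm` is installed.

```python
import re
import shutil
import subprocess
from typing import Dict, List

# Added example (not from the bug report): find shared objects that still
# import the SSLv2/SSLv3 method symbols LibreSSL 2.3 dropped, by reading the
# output format of `nm -D --undefined-only`.  Symbol list is my assumption.
REMOVED_METHODS = {
    "SSLv3_method", "SSLv3_client_method", "SSLv3_server_method",
    "SSLv2_method", "SSLv2_client_method", "SSLv2_server_method",
}

# nm lines look like "<optional hex address> <type letter> <symbol name>".
_NM_LINE = re.compile(r"^\s*(?:[0-9a-fA-F]+\s+)?([A-Za-z])\s+(\S+)\s*$")


def removed_symbols_in(nm_output: str) -> List[str]:
    """Return the removed SSLvN symbols that nm reports as undefined ('U')."""
    found = []
    for line in nm_output.splitlines():
        m = _NM_LINE.match(line)
        if not m:
            continue
        kind, name = m.groups()
        name = name.split("@")[0]  # strip version suffixes such as @OPENSSL_1.0.0
        if kind == "U" and name in REMOVED_METHODS:
            found.append(name)
    return sorted(set(found))


def scan_objects(paths: List[str]) -> Dict[str, List[str]]:
    """Run nm on real files; returns {path: [offending symbols]} for hits only."""
    if shutil.which("nm") is None:
        raise RuntimeError("binutils nm not found")
    hits: Dict[str, List[str]] = {}
    for p in paths:
        out = subprocess.run(["nm", "-D", "--undefined-only", p],
                             capture_output=True, text=True)
        syms = removed_symbols_in(out.stdout)
        if syms:
            hits[p] = syms
    return hits


# Constructed sample in nm -D format, modelled on the _m2crypto.so case above.
SAMPLE_NM_OUTPUT = """\
                 U SSL_CTX_new
                 U SSLv3_method
                 U SSLv23_method
                 U PyArg_ParseTuple
0000000000012345 T init_m2crypto
                 U SSLv3_client_method@OPENSSL_1.0.0
"""

if __name__ == "__main__":
    print(removed_symbols_in(SAMPLE_NM_OUTPUT))
```

Feeding `scan_objects` the `.so` files of a package's installed image (for example via `equery files`) gives the list of reverse dependencies that need a patch before the libressl bump; objects that only reference `SSLv23_method` are fine, since that method was retained.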
(In reply to Ulenrich from comment #0)
> dev-libs/libressl-2.3.1 ChangeLog states:
> 2.3.0 - SSLv3 removed, libtls API changes, portability improvements
> * SSLv3 is now permanently removed from the tree.
>

This is an upstream decision. I don't know what to do with it except drop libressl support from the affected ebuilds. If I have time I'll try to talk to upstream about it. You can try to, and direct them to this bug for discussion.
(In reply to Anthony Basile from comment #2)
> (In reply to Ulenrich from comment #0)
> > dev-libs/libressl-2.3.1 ChangeLog states:
> > 2.3.0 - SSLv3 removed, libtls API changes, portability improvements
> > * SSLv3 is now permanently removed from the tree.
> >
>
> This is an upstream decision. I don't know what to do with it except drop
> libressl support from the affected ebuilds. If I have time I'll try to talk
> to upstream about it. You can try to, and direct them to this bug for
> discussion.

More precisely, we need to know whether upstream will continue supporting the 2.2.x branch with SSLv3 and act accordingly.
I found at https://wiki.freebsd.org/LibreSSL/PatchingPorts#SSLv2.2FSSLv3_method_failures that the supposed patches would look like:

---
#ifndef OPENSSL_NO_SSL3
    ctx = SSL_CTX_new (server ? SSLv3_server_method() : SSLv3_client_method ());
#else
    ctx = SSL_CTX_new (server ? SSLv23_server_method() : SSLv23_client_method ());
    SSL_CTX_set_options(ctx, SSL_OP_NO_TLSv1|SSL_OP_NO_SSLv2);
#endif
---

Comment there about this rerouting of the SSLvN ABI: "You can use SSLv23 methods, these have been retained in LibreSSL but negotiate TLSv1, TLSv1.1 or TLSv1.2."

I found more about future plans at https://wiki.freebsd.org/LibreSSL/History#LibreSSL_2.3.0
- LibreSSL 2.3 Based on the development branch for OpenBSD 5.9 (release 2016-05-01).
- Thus Libressl-2.3 is the current devel branch, probably released in 2016 with OpenBSD.

A few lines above you will see
- 0? Dec 2015 LibreSSL 2.2.5 not yet Released
- so libressl-2.2 will get further maintenance soon.

In more general terms they see the TLS method as the successor of SSL.
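The pattern the FreeBSD wiki snippet describes is: never request an SSLv3-only method, take the version-flexible method instead and then switch the legacy protocols off with context options, with a compile-time (or here, run-time) check for whether the library ships SSLv3 at all. The following is an added example, not from the wiki or the bug thread, using Python's standard `ssl` module as a stand-in for the C API because it wraps the same libssl calls: `PROTOCOL_TLS_CLIENT`/`PROTOCOL_TLS_SERVER` correspond to the `SSLv23_client_method()`/`SSLv23_server_method()` of the patch, `SSLContext.options` to `SSL_CTX_set_options`, and `ssl.HAS_SSLv3` to the `OPENSSL_NO_SSL3` feature macro. Note that it masks SSLv2 and SSLv3, whereas the quoted snippet masks TLSv1 and SSLv2.

```python
import ssl

# Added example (not the wiki's or the bug thread's code): the portable
# replacement for hard-coded SSLv3_*_method() calls, done with Python's
# stdlib ssl module on top of the same libssl.


def make_tls_only_context(server: bool = False) -> ssl.SSLContext:
    """Version-flexible context with SSLv2 and SSLv3 explicitly disabled.

    PROTOCOL_TLS_CLIENT / PROTOCOL_TLS_SERVER are the version-flexible
    methods (SSLv23_*_method in the C API); the options mask then pins the
    floor, so the result negotiates TLS only.
    """
    method = ssl.PROTOCOL_TLS_SERVER if server else ssl.PROTOCOL_TLS_CLIENT
    ctx = ssl.SSLContext(method)
    # Same effect as SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3).
    # On libssl builds without SSLv2 the OP_NO_SSLv2 bit is simply 0.
    ctx.options |= ssl.OP_NO_SSLv2 | ssl.OP_NO_SSLv3
    return ctx


def library_has_sslv3() -> bool:
    """Run-time counterpart of the #ifndef OPENSSL_NO_SSL3 check.

    False on LibreSSL >= 2.3 and on OpenSSL builds compiled without SSLv3,
    which is exactly the situation that broke the packages in this bug.
    """
    return bool(getattr(ssl, "HAS_SSLv3", False))


def legacy_protocols_disabled(ctx: ssl.SSLContext) -> bool:
    """True when both SSLv2 and SSLv3 are masked out on the context."""
    need = ssl.OP_NO_SSLv2 | ssl.OP_NO_SSLv3
    return (ctx.options & need) == need


if __name__ == "__main__":
    for side in (False, True):
        ctx = make_tls_only_context(server=side)
        print("server" if side else "client",
              "legacy disabled:", legacy_protocols_disabled(ctx),
              "| libssl has SSLv3:", library_has_sslv3())
```

Code written this way builds and runs identically against libressl-2.2.x, libressl-2.3.x and OpenSSL, which is why the wiki recommends it over guarding `SSLv3_method()` calls one by one.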
Wikipedia lists SSLv3 as insecure and outdated: https://en.wikipedia.org/wiki/Comparison_of_TLS_implementations#Protocol_support

Therefore openSSL gets a big warning red color, because it enables SSL.
These are the ones that hit the bug for me:

dev-qt/qtnetwork-5.5.1
dev-qt/qtcore-4.8.7-r1
app-crypt/qca-2.1.1

For ruby I could use:
https://github.com/lluixhi/libressl/blob/5ada3b0ee60971dbce36611a14a8ab6584ff5c56/dev-lang/ruby/files/ruby-2.2.3-ssl3.patch
I'm going to mask dev-libs/libressl-2.3.1 until we fix this. Upstream says SSLv3 has got to die, and so we're going to have to fix those packages that need it. Until then, libressl-2.3.1 has to be masked. Unmask locally for testing.
dev-lang/ruby-2.2-3-r2 is also affected (other versions probably, but I only tried to build the mentioned one)
(In reply to Christian Apeltauer from comment #8)
> dev-lang/ruby-2.2-3-r2 is also affected (other versions probably, but I only
> tried to build the mentioned one)

https://github.com/gentoo/libressl/commit/684ef0bc51045f969a4784233983c1db88fc2b60
Update Ruby versions, add SSLv3 patch for LibreSSL 2.3.0+

With that commit the ncurses slot bug is fixed.

For dev-lang/ruby-2.2.4 the ruby-2.2.3-ssl3.patch fails.
The patch was merged upstream:

https://github.com/ruby/ruby/commit/801e1fe46d83c856844ba18ae4751478c59af0d1
* ext/openssl/ossl_ssl.c (static const struct): Only add SSLv3 support
  if the SSL library supports it. Thanks Kurt Roeckx <kurt@roeckx.be>
  [Bug #11376]

* ext/openssl/extconf.rb: check for SSLv3 support in the SSL
  implementation.

* test/openssl/test_ssl.rb (class OpenSSL): Skip tests that need SSLv3
  if there is no support.
(In reply to jospezial from comment #9)
> (In reply to Christian Apeltauer from comment #8)
> > dev-lang/ruby-2.2-3-r2 is also affected (other versions probably, but I only
> > tried to build the mentioned one)
>
> https://github.com/gentoo/libressl/commit/684ef0bc51045f969a4784233983c1db88fc2b60
> Update Ruby versions, add SSLv3 patch for LibreSSL 2.3.0+
>
> With that commit the ncurses slot bug is fixed.
>
> For dev-lang/ruby-2.2.4 the ruby-2.2.3-ssl3.patch fails.
> The patch was merged upstream:
>
> https://github.com/ruby/ruby/commit/801e1fe46d83c856844ba18ae4751478c59af0d1
> * ext/openssl/ossl_ssl.c (static const struct): Only add SSLv3 support
>   if the SSL library supports it. Thanks Kurt Roeckx <kurt@roeckx.be>
>   [Bug #11376]
>
> * ext/openssl/extconf.rb: check for SSLv3 support in the SSL
>   implementation.
>
> * test/openssl/test_ssl.rb (class OpenSSL): Skip tests that need SSLv3
>   if there is no support.

These eventually need to make it to the tree. Have they been passed upstream?
Status update on this bug. Patched in the libressl overlay are:

dev-qt/qtcore (from FreeBSD no-sslv3)
- The QT project doesn't care, but the patches are simple enough.

dev-qt/qtnetwork
- Not an SSLv3 bug, but again, the QT project doesn't care.

dev-libs/boost
- Should fix net-libs/rb_libtorrent and net-libs/nghttp2
- Fixed in boost 1.60.0, still masked.

dev-python/m2crypto
- Should fix the net-wireless/crda build
- Fixed upstream, will be in M2Crypto 0.24.0, whenever that hits portage

dev-lang/ruby
- Fixed upstream in all maintained branches
- Should actually be fixed in all current versions of ruby in portage.

app-crypt/qca
- Latest version patched
- Fixed upstream, next release is fixed.
(In reply to Anthony Basile from comment #7)
> I'm going to mask dev-libs/libressl-2.3.1 until we fix this. upstream says
> SSLv3 has got to die and so we're going to have to fix those packages that
> need it. until then, libressl-2.3.1 has to be masked. unmask locally for
> testing.

Update here: I've lifted all masks on libressl-2.3.x and 2.4.x. This will start to put pressure on maintainers to drop SSLv3. It's coming in OpenSSL too.
@Anthony
Stated for the master development branch at https://github.com/openssl/openssl/blob/master/NEWS

---
Major changes between OpenSSL 1.0.2h and OpenSSL 1.1.0 [in pre-release]
...
SSLv2 support removed
Kerberos ciphersuite support removed
---

I have not found any info about SSLv3 there yet.
Maybe this could be made a tracker for finally removing sslv2 and sslv3 from reverse deps. For that, I would suggest Toralf run a tinderbox either with libressl or with openssl with the relevant flags disabled (I think that even gnutls also recently got those USE flags... in that case maybe one tracker per package would be better :/)
All of these are resolved with dev-libs/libressl-{2.6.4, 2.7.2}. Please test again.
dev-libs/libressl is gone from Gentoo. Please set status to obsolete.
(In reply to jospezial from comment #16)
> dev-libs/libressl is gone from Gentoo.
> Please set status to obsolete.

I get the intention here, but I suspect there are 1000s of NEEDINFO/TESTREQUEST bugs which we could now call obsolete with new information. The bugs are already closed, and bumping them makes it harder to see recent new bugs with activity that I need to check.
(In reply to Sam James from comment #17)
> (In reply to jospezial from comment #16)
> > dev-libs/libressl is gone from Gentoo.
> > Please set status to obsolete.
>
> I get the intention here but I suspect there's 1000s of NEEDINFO/TESTREQUEST
> bugs which we could now call obsolete with new information. The bugs are
> already closed and bumping them makes it harder to see recent new bugs with
> activity that I need to check.

I have my list of bugs where I contributed. Sometimes I look in the older bugs that are open or have another status of "need action". If the older bugs are at resolved fixed/upst/obsol/invalid, then they don't bother me. For example I could set Bug 532678 TEST-REQUEST → FIXED after a few years.