#58205 closed defect (fixed)
qt4-mac: preparing for openssl 1.1 migration
Reported by: | yan12125 (Chih-Hsuan Yen) | Owned by: | michaelld (Michael Dickens) |
---|---|---|---|
Priority: | Normal | Milestone: | |
Component: | ports | Version: | |
Keywords: | | Cc: | |
Port: | qt4-mac | | |
Description
I'm working on migrating the openssl port to the latest 1.1.x version (1). As Qt < 5.10 is not compatible with openssl 1.1 (2), please either make qt4-mac depend on openssl10 or patch this port to build with openssl 1.1.x. Arch Linux's patch (3) may be useful.
(1) https://github.com/macports/macports-ports/pull/3822
(2) https://wiki.qt.io/New_Features_in_Qt_5.10
(3) https://git.archlinux.org/svntogit/packages.git/tree/trunk/qt4-openssl-1.1.patch?h=packages/qt4
Attachments (1)
Change History (12)
comment:1 Changed 5 years ago by yan12125 (Chih-Hsuan Yen)
comment:2 Changed 5 years ago by kencu (Ken)
Looks useful <https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=214691>.
Not exactly simple...
comment:3 Changed 5 years ago by michaelld (Michael Dickens)
Looks like Arch Linux removed Qt4 < https://git.archlinux.org/svntogit/packages.git/commit/?id=979cd87bda942d70c604a01dc90153f7369a1b38 >. Ken's link for FreeBSD seems like the way to go: < https://bz-attachments.freebsd.org/attachment.cgi?id=199589 >. Nice tidy patchfile to test!
comment:4 Changed 5 years ago by kencu (Ken)
This patch originated with RJVB -- I made only a tiny mod based on another patch found on the web. It builds against openssl 1.1.1. Just doing some testing of various ports with it now, to see how it works.
There are quite a few patches available by googling "qt4 openssl 1.1 patch". Here's another: <https://salsa.debian.org/qt-kde-team/qt/qt4-x11/blob/a4f456e3427239c1233b7ae782f82f1b3083016d/debian/patches/openssl_1.1.patch>
Changed 5 years ago by kencu (Ken)
Attachment: | patch-ken-rjvb-qt4-openssl111.diff added |
---|
Patch from @RJVB, based on unix patches - minor mod by ken -- builds against openssl 1.1.1
comment:5 Changed 5 years ago by kencu (Ken)
I think this bit of the patch needs an openssl version test and #ifdefs added, like the bit above has, to keep compatible with older openssl versions (< 1.1):
@@ -276,7 +280,7 @@ QByteArray QSslCertificate::serialNumber() const { QMutexLocker lock(QMutexPool::globalInstanceGet(d.data())); if (d->serialNumberString.isEmpty() && d->x509) { - ASN1_INTEGER *serialNumber = d->x509->cert_info->serialNumber; + ASN1_INTEGER *serialNumber = q_X509_get_serialNumber(d->x509); // if we cannot convert to a long, just output the hexadecimal number if (serialNumber->length > 4) { QByteArray hexString;
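Review bot: the context line `if (serialNumber->length > 4)` dereferences the pointer returned by `q_X509_get_serialNumber(d->x509)` without a null check, and it still reads the `length` field of the ASN1_INTEGER directly. Since the changed line replaces struct access with an accessor, consider checking the pointer before use and reading the length through OpenSSL's ASN1_STRING_length() as well, so this function no longer depends on struct layout.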
comment:6 Changed 5 years ago by kencu (Ken)
Other than that, though, I built smtube with qt4-mac against openssl 1.1.1, and it all works.
comment:7 Changed 5 years ago by kencu (Ken)
I looked it over some more, and I think in the end it is looking better to go with the patch exactly as RJVB has it. Rebuilding now with the new (old) patch...
comment:8 Changed 5 years ago by ken-cunningham-webuse
Resolution: | → fixed |
---|---|
Status: | assigned → closed |
comment:9 Changed 5 years ago by devernay (Frédéric Devernay)
Hi, thanks for this patch! We should also ifdef-protect the lines dealing with SSLv3, because openssl 1.1 may be configured without SSLv3, which is considered harmful (see https://wiki.openssl.org/index.php/SSL_and_TLS_Protocols#POODLE_:_SSLv3_harmful )
Here is the patch, to be merged with the current one: https://code.qt.io/cgit/qt/qtbase.git/commit?id=6839aead0430a9b07b60fa3a1a7d685fe5d2d1ef
comment:10 Changed 5 years ago by devernay (Frédéric Devernay)
In fact, ssl3 is even disabled by default in openssl 1.1.1.
From openssl's Configure:
    # All of the following are disabled by default:
    our %disabled = ( # "what" => "comment"
        ...
        "ssl3" => "default",
        "ssl3-method" => "default",
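As an added illustration of the point made in comments 9 and 10 (not part of the ticket, the attached patch, or the Qt commit linked above): a small Python scanner that flags SSLv3 method references not enclosed by an `OPENSSL_NO_SSL3` / `OPENSSL_NO_SSL3_METHOD` guard, which are the lines that stop compiling when OpenSSL is built without SSLv3. The function names and the sample source are constructed for this example, and it assumes guards are written as plain `#ifndef`, `#ifdef` or `#if defined(...)` tests.

```python
import re

GUARD = r"OPENSSL_NO_SSL3(?:_METHOD)?\b"  # defined by no-ssl3 / no-ssl3-method builds
SSL3_USE = re.compile(r"\b(?:q_)?SSLv3_(?:client_|server_)?method\b")
DIRECTIVE = re.compile(r"^\s*#\s*(ifndef|ifdef|if|elif|else|endif)\b(.*)")

def classify(kind, cond):
    """Return (branch_guarded, else_guarded); compound tests count as unguarded."""
    if not re.search(GUARD, cond) or "&&" in cond or "||" in cond:
        return (False, False)
    negated = kind == "ifndef" or re.search(r"!\s*defined\s*\(?\s*" + GUARD, cond)
    return (True, False) if negated else (False, True)

def unguarded_ssl3_uses(source):
    """Return [(line_no, text)] for SSLv3 method references no guard encloses."""
    stack, hits = [], []  # one [guarded, else_guarded] frame per open #if
    for no, line in enumerate(source.splitlines(), 1):
        m = DIRECTIVE.match(line)
        if m:
            kind, cond = m.groups()
            if kind in ("if", "ifdef", "ifndef"):
                stack.append(list(classify(kind, cond)))
            elif kind == "elif" and stack:
                # Reaching #elif means every earlier test in the chain was false.
                prev, (g, e) = stack[-1][1], classify("if", cond)
                stack[-1] = [prev or g, prev or e]
            elif kind == "else" and stack:
                stack[-1] = [stack[-1][1], False]
            elif kind == "endif" and stack:
                stack.pop()
        elif SSL3_USE.search(line.split("//")[0]) and not any(f[0] for f in stack):
            hits.append((no, line.strip()))
    return hits

# Constructed sample in the style of Qt's q_-prefixed OpenSSL wrappers.
SAMPLE = """\
    method = q_SSLv3_client_method();
#ifndef OPENSSL_NO_SSL3_METHOD
    method = q_SSLv3_server_method();
#endif
#ifdef OPENSSL_NO_SSL3
    return false;
#else
    return q_SSLv3_method() != 0;
#endif
"""

if __name__ == "__main__":
    print(unguarded_ssl3_uses(SAMPLE))
```

Guards combined with `&&` or `||` are deliberately reported rather than trusted, so a hit means "review this line", not necessarily "this line is broken".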
comment:11 Changed 5 years ago by kencu (Ken)
Hey, Frederic, we need to see more of you around here!
Hi Michael Dickens, any blocker? This port appears to be the most popular one among ports not ready for OpenSSL 1.1 migration.