Opened 3 years ago

Last modified 3 years ago

#63615 closed update

Please update LibreSSL port to 3.3.5 — at Initial Version

Reported by: artkiver (グレェ)
Owned by:
Priority: Normal
Milestone:
Component: ports
Version:
Keywords:
Cc:
Port: libressl

Description

Hello!

It appears as if the MacPorts LibreSSL port is at version 3.2.3. While https://ports.macports.org/port/libressl/details/ shows a yellow exclamation mark which reads "libressl seems to have been updated (port version 3.2.3 new version: 3.4.0)", the current version on libressl.org is 3.3.5, so I am not really sure what the MacPorts version-drift yellow exclamation mark is referencing, as I cannot corroborate a version 3.4.0 having been released.

However, 3.3.5 addresses the following two fixes (quoted from https://ftp.openbsd.org/pub/OpenBSD/LibreSSL/libressl-3.3.5-relnotes.txt):

  " * A stack overread could occur when checking X.509 name constraints.
      From GoldBinocle on GitHub.

    * Enable X509_V_FLAG_TRUSTED_FIRST by default in the legacy verifier.
      This compensates for the expiry of the DST Root X3 certificate."

In particular, the latter issue seems to impact some Let's Encrypt users and rectifies a bug which had been in OpenSSL and was fixed there circa 2018, which the LibreSSL developers apparently overlooked since their project forked approximately four years earlier. Anecdotally, GnuTLS also apparently had a similar bug.

I have tested building LibreSSL 3.3.5 by changing the version number in the Portfile as well as updating the checksums per the instructions outlined here: https://guide.macports.org/chunked/development.creating-portfile.html, and it seems to have built cleanly using the newer source tarball!

    # uname -a
    Darwin enbie132020enuan.local 20.6.0 Darwin Kernel Version 20.6.0: Mon Aug 30 06:12:20 PDT 2021; root:xnu-7195.141.6~3/RELEASE_ARM64_T8101 arm64

    # openssl version
    LibreSSL 3.3.5

    # which openssl
    /opt/local/bin/openssl

For reference, the checksums I derived were as follows:

    checksums           rmd160  76cd468b68ba63b108af9750777b37617da20605 \
                        sha256  0a51393f0df1cf27e070054a2788a4d073339f363d79cd594076a1b4c48be9a5

Though undoubtedly, the port maintainer should verify those independently.

I guess I also removed the line for the size of the tar.gz, since I wasn't entirely sure how MacPorts calculates that, but the port seemed to build OK without that information in the Portfile.

At least from my vantage, this appears to be a pretty easy version update, with minimal effort required by the port maintainer, though doubtlessly there may be some things I overlooked. I couldn't help but notice MacPorts also has a libressl-devel port which is even further behind the main LibreSSL port, at version 2.9.2, though I suppose that is still a more recent LibreSSL than the version which ships with Big Sur 11.6 (namely, 2.8.3).

I also noticed that Homebrew has updated their LibreSSL formula to 3.3.5, so my guess is that those who really need it should be able to find workarounds as I did manually. Nonetheless, I thought I would open a Trac ticket to formalize the version skew/drift a bit more.

Thank you in advance for rectifying this!
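The reporter's procedure above (bump the version, regenerate the checksums, and the dropped size field) can be reproduced and checked with a small script. The following is an added example written for this page; it is not the ticket reporter's code nor part of MacPorts. It assumes an openssl(1) binary on PATH (LibreSSL or OpenSSL) and that the MacPorts "size" field is the byte length of the distfile, which is how the Portfile guide describes it; no network access is needed, and the comparison helper lets a maintainer verify posted checksums against an independently downloaded tarball rather than trusting them.

```shell
#!/bin/sh
# Added example (not from the ticket or MacPorts): compute the three fields
# of a MacPorts Portfile "checksums" stanza (rmd160, sha256, size) for a
# distfile, and compare a local tarball against values someone else posted.
# Assumption: "size" is the distfile's length in bytes.

set -u

# Print only the hex digest from "NAME(file)= hexdigest" style output.
digest_value() {
    printf '%s\n' "${1##*= }"
}

# RIPEMD-160. Some OpenSSL 3.0.x builds keep rmd160 in the legacy provider,
# so fall back to loading it explicitly; LibreSSL and OpenSSL 1.1 have it
# built in and take the plain form.
rmd160_of() {
    out=$(openssl dgst -rmd160 "$1" 2>/dev/null) ||
    out=$(openssl dgst -provider legacy -provider default -rmd160 "$1" 2>/dev/null) ||
    return 1
    digest_value "$out"
}

sha256_of() {
    out=$(openssl dgst -sha256 "$1") || return 1
    digest_value "$out"
}

# Byte count via wc(1); portable across GNU and BSD stat(1) flag differences.
size_of() {
    wc -c < "$1" | tr -d ' '
}

# Emit the stanza in the layout used by Portfiles.
checksums_stanza() {
    f=$1
    printf 'checksums           rmd160  %s \\\n' "$(rmd160_of "$f")"
    printf '                    sha256  %s \\\n' "$(sha256_of "$f")"
    printf '                    size    %s\n' "$(size_of "$f")"
}

# Compare a distfile against expected rmd160, sha256 and size.
# Returns 0 only when all three agree; reports each mismatch on stdout.
verify_distfile() {
    f=$1 want_rmd160=$2 want_sha256=$3 want_size=$4
    rc=0
    [ "$(rmd160_of "$f")" = "$want_rmd160" ] || { echo "rmd160 mismatch for $f"; rc=1; }
    [ "$(sha256_of "$f")" = "$want_sha256" ] || { echo "sha256 mismatch for $f"; rc=1; }
    [ "$(size_of "$f")" = "$want_size" ] || { echo "size mismatch for $f"; rc=1; }
    return $rc
}

# Usage: sh checksums.sh libressl-3.3.5.tar.gz
if [ "$#" -eq 1 ]; then
    checksums_stanza "$1"
fi
```

Run it against a tarball fetched from a LibreSSL mirror to get a stanza ready to paste into the Portfile; to check the values posted in the ticket, call verify_distfile with the reporter's rmd160 and sha256 and the tarball's byte length.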

Change History (0)
