Broken for OpenSSL 1.1

Fred Wright fw at fwright.net
Thu Dec 22 04:51:42 UTC 2022


On Wed, 21 Dec 2022, Hal Murray wrote:

>> but if breaking OpenSSL 1.1 was unintentional, then it needs to be fixed
>
> I'm not aware of any intentional breakage.  I'm pretty sure we would have
> done it at configure time.

I don't think *unintentional* breakage would be done at configure time. 
:-)

I'm aware of the intentional version check that prevents building without 
--disable-nts on any of my Linux or BSD VMs, or my BeagleBone timeservers.

> I have git head building on several older systems that are still using 1.1
> I'm pretty sure that at least one of them is running but I'd have to poke
> around a bit to verify that.
>
> What version of 1.1 is MacPorts using?  Are they doing anything non-standard?

It's 1.1.1s, which is the latest 1.1.  I don't think there's anything
nonstandard besides using versioned install locations so that multiple 
versions can be installed side-by-side.

> The CMAC stuff was never supported and is now deprecated.  If we are going to
> have troubles like this, that's a likely corner.

Yeah, I've seen all those warnings fly by in some cases, though not this 
one.

> devel at ntpsec.org said:
>> Undefined symbols:
>>    "_EVP_CIPHER_key_length", referenced from:
>>        _check_key_length in libntp.a(authreadkeys.c.1.o)
>>        _check_mac_length in libntp.a(authreadkeys.c.1.o)
>>    "_SSL_get_peer_certificate", referenced from:
>>        _check_certificate in nts_client.c.1.o
>> ld: symbol(s) not found
>> collect2: ld returned 1 exit status
>
> Those are underbar symbols.  I don't think we use any of them directly.
> Current man page says:
> [big long list]
>       functions were renamed to include "get" or "get0" in their names in
>       OpenSSL 3.0, respectively. The old names are kept as non-deprecated
>       alias macros.

The leading underscores are prepended by the compiler to form the linker 
symbols, and not the way the symbols appear in the source.  Note the 
referencing function names.

I guess if you don't see the issue I'll have to look more closely; I 
thought you might "just know" the problem.

Fred Wright

