On 2023/06/06 09:45:09 -0700, Andi Vajda <o...@ovaltofu.org> wrote:
> 
> On Tue, 6 Jun 2023, Omar Polo wrote:
> 
> > Hello,
> >
> > thanks for testing!
> >
> > Regarding the build failure when using LibreSSL, I can reproduce on
> > OpenBSD: it's because the bundled libtls is meant to be used with
> > OpenSSL.  I'll take a look at having it build with LibreSSL too but
> > that's more a quality-check rather than a priority since LibreSSL
> > already ships libtls (or it should be.)
> 
> Building with libressl was a supported configuration before.

Building with libressl is still a supported configuration.  There's a
bug in the configure script that's not obvious to me right now, plus
some deficiencies of our portable layer on NetBSD.  I'll need to fire
up a VM and investigate.  Will probably release an RC3 once fixed,
depending on how big the changes are.

> I don't think 
> it must necessarily be supported for this release but the valid combos of 
> (libtls, openssl, libressl) supported by opensmtpd must be made explicit as 
> the current situation is a bit confusing for the non SSL expert:
>    - opensmtpd can be built with openssl 1.1.1
>    - opensmtpd can be built with openssl 3.x
>    - opensmtpd can be built with libressl (or could in 6.8.0p2)
>    - opensmtpd bundles libtls and that must be used with openssl 3
>    - libressl bundles libtls
> I'm confused ;-)

I agree, unfortunately it's pretty confusing!

The idea would be either

 - openssl 1.1 or 3.x, with or without libretls
 - libressl

BUT because of a regression of libretls 3.7.0 on OpenSSL 3, for the time
being it is

 - openssl 1.1, with or without libretls
 - openssl 3.x AND MUST USE --with-bundled-libtls
 - libressl

I've mailed the developer of libretls but haven't heard back yet.  A
fix for this issue was committed to libressl and it's part of the
3.8.0 release, so I guess that libretls will get it anyway sooner or
later.

I haven't added any clever checks to the configure script since this is
not trivial and I don't like clever checks.  I'll try to make it as
clear as possible in the release changelog that the bundled libtls MUST
be used with OpenSSL 3.x.  If you end up building with libretls and
OpenSSL 3.x you'll find out very soon that it doesn't work: all the
TLS connections will fail during the handshake.

Furthermore, with the next release of libretls (no idea when) this
issue will be solved.

> > What's interesting is why the configure is not picking up libtls from
> > your LibreSSL installation.  Probably you can 'force' it by setting
> > CFLAGS/LDFLAGS pointing at the local libressl installation, but it
> > shouldn't be necessary.  Can you please share (off-list) the
> > config.log?
> 
> Mailed off-list.

Thank you for all the info!  Unfortunately other than noticing a
couple of things that *must* be fixed in the portable layer before the
release, I wasn't able to understand the root of the issues.  It'll be
a perfect excuse to play a bit with NetBSD however :-)
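An added example, not from the thread or the OpenSMTPD project: a small POSIX shell helper that classifies the output of `openssl version` into the three build combinations the message above lists, so a build or CI script can refuse the OpenSSL 3.x + libretls combination up front instead of discovering it when every TLS handshake fails. The version strings fed to it below are constructed samples; the only configure flag it mentions, `--with-bundled-libtls`, is the one named in the thread.

```shell
# tls_build_mode VERSION_STRING
# Classify the first line of `openssl version` output according to the
# combinations described in the thread:
#   OpenSSL 3.x  -> the bundled libtls is mandatory (--with-bundled-libtls),
#                   because libretls 3.7.0 regresses on OpenSSL 3
#   OpenSSL 1.1  -> system libretls or the bundled libtls both work
#   LibreSSL     -> LibreSSL ships its own libtls; nothing to bundle
# Prints one token on stdout; returns 1 for anything it does not recognise.
tls_build_mode() {
    ver="$1"
    case "$ver" in
        LibreSSL\ *)
            echo "libressl-libtls"
            ;;
        OpenSSL\ 3.*)
            echo "bundled-libtls-required"
            ;;
        OpenSSL\ 1.1.*)
            echo "libretls-optional"
            ;;
        *)
            echo "unrecognised TLS library: $ver" >&2
            return 1
            ;;
    esac
}

# Constructed sample inputs in the format `openssl version` prints.
# In a real build script you would use: tls_build_mode "$(openssl version)"
for v in "OpenSSL 3.0.2 15 Mar 2022" "OpenSSL 1.1.1t  7 Feb 2023" "LibreSSL 3.8.0"; do
    printf '%s -> %s\n' "$v" "$(tls_build_mode "$v")"
done
```

The `bundled-libtls-required` token is the one a script should act on: on OpenSSL 3.x, pass `--with-bundled-libtls` to configure or abort the build, since the thread's author notes there is deliberately no configure-time check for this combination.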
