On Wed, Jan 09, 2019 at 12:18:31PM +0200, Stefan Strogin wrote: > When using LibreSSL build fails with: > > ../src/crypto/tls_openssl.o: in function `tls_connection_client_cert': > ../src/crypto/tls_openssl.c:2817: undefined reference to `SSL_use_certificate_chain_file' > collect2: error: ld returned 1 exit status > make: *** [Makefile:1901: wpa_supplicant] Error 1 > > There is now such function in LibreSSL. Do you mean "there is no such function" instead of there now being such a function? I did not see this in LibreSSL 2.9.0 either. > Also SSL_OP_NO_TLSv1_3 was not defined till 2.9.0. Sure, but why would that need a change in tls_openssl.c? > diff --git a/src/crypto/tls_openssl.c b/src/crypto/tls_openssl.c > @@ -2804,7 +2804,7 @@ static int tls_connection_client_cert(struct tls_connection *conn, > return 0; > } > > -#if OPENSSL_VERSION_NUMBER >= 0x10100000L > +#if OPENSSL_VERSION_NUMBER >= 0x10100000L && !defined(LIBRESSL_VERSION_NUMBER) > if (SSL_use_certificate_chain_file(conn->ssl, client_cert) == 1) { > ERR_clear_error(); > wpa_printf(MSG_DEBUG, "OpenSSL: SSL_use_certificate_chain_file" So this makes sense if the "now" in the commit message was a typo. 
> @@ -4486,7 +4486,10 @@ int tls_connection_set_params(void *tls_ctx, struct tls_connection *conn, > } > } > #endif > -#if OPENSSL_VERSION_NUMBER >= 0x10101000L > +#if (!defined(LIBRESSL_VERSION_NUMBER) && \ > + OPENSSL_VERSION_NUMBER >= 0x10100000L) || \ > + (defined(LIBRESSL_VERSION_NUMBER) && \ > + LIBRESSL_VERSION_NUMBER >= 0x20900000L) > #ifdef SSL_OP_NO_TLSv1_3 > if (params->flags & TLS_CONN_EAP_FAST) { > /* Need to disable TLS v1.3 at least for now since OpenSSL 1.1.1 But I don't see why this would be needed. That #ifdef SSL_OP_NO_TLSv1_3 takes care of this without having to make the version check any more complex. At least this builds fine for me against LibreSSL 2.8.3. -- Jouni Malinen PGP id EFC895FA
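Review bot: in the tls_connection_client_cert() hunk, the added `!defined(LIBRESSL_VERSION_NUMBER)` excludes every LibreSSL release with no upper bound and no comment, so the SSL_use_certificate_chain_file() path would stay disabled even if a later LibreSSL provided the function. Add a short comment above the #if stating that the function is missing from LibreSSL (the linker error quoted in the commit message is the evidence), and correct the commit message sentence "There is now such function", which reads as the opposite of what the guard implements.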
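Review bot: in the tls_connection_set_params() hunk, the non-LibreSSL branch of the new condition tests `OPENSSL_VERSION_NUMBER >= 0x10100000L` while the removed line tested `0x10101000L`, so the OpenSSL threshold drops from 1.1.1 to 1.1.0 without the commit message mentioning it. The inner `#ifdef SSL_OP_NO_TLSv1_3` is already the feature test for the block that disables TLS v1.3 when TLS_CONN_EAP_FAST is set, so either keep the original one-line check or, if the LibreSSL branch stays, restore 0x10101000L on the OpenSSL side so the behaviour for OpenSSL builds is unchanged.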