[MacPorts] #63615: Please update LibreSSL port to 3.3.5

MacPorts noreply at macports.org
Wed Oct 13 00:17:51 UTC 2021


#63615: Please update LibreSSL port to 3.3.5
----------------------+----------------------
 Reporter:  artkiver  |      Owner:  (none)
     Type:  update    |     Status:  new
 Priority:  Not set   |  Milestone:
Component:  ports     |    Version:
 Keywords:            |       Port:  libressl
----------------------+----------------------
 Hello!

 It appears as if the MacPorts LibreSSL port is at version 3.2.3. While
 https://ports.macports.org/port/libressl/details/ shows a yellow
 exclamation mark which reads "libressl seems to have been updated (port
 version 3.2.3 new version: 3.4.0)" the current version on libressl.org is
 3.3.5 so I am not really sure where the MacPorts version drift yellow
 exclamation mark is referencing as I cannot corroborate a version 3.4.0
 having been released.

 However, 3.3.5 addresses the following two fixes (quoted from
 https://ftp.openbsd.org/pub/OpenBSD/LibreSSL/libressl-3.3.5-relnotes.txt)

 "  * A stack overread could occur when checking X.509 name constraints.
     From GoldBinocle on GitHub.

   * Enable X509_V_FLAG_TRUSTED_FIRST by default in the legacy verifier.
     This compensates for the expiry of the DST Root X3 certificate."

 In particular, the latter issue seems to impact some Let's Encrypt users
 and rectifies a bug which had been in OpenSSL which was fixed circa 2018
 that LibreSSL developers apparently overlooked since their project forked
 approximately four years earlier. Anecdotally, GnuTLS also apparently had
 a similar bug.

 I have tested building LibreSSL with 3.3.5 by changing the version number
 in the portfile as well as updating the checksums per the instructions
 outlined here:
 https://guide.macports.org/chunked/development.creating-portfile.html
 and it seems to have built cleanly using the newer source tarball!

 "# uname -a
 Darwin enbie132020enuan.local 20.6.0 Darwin Kernel Version 20.6.0: Mon Aug
 30 06:12:20 PDT 2021; root:xnu-7195.141.6~3/RELEASE_ARM64_T8101 arm64

 # openssl version
 LibreSSL 3.3.5

 # which openssl
 /opt/local/bin/openssl"

 For reference, the checksums I derived were as follows:

 checksums           rmd160  76cd468b68ba63b108af9750777b37617da20605 \
                     sha256  0a51393f0df1cf27e070054a2788a4d073339f363d79cd594076a1b4c48be9a5

 Though undoubtedly, the port maintainer should verify those independently.

 I guess I also removed the line for the size of the tar.gz since I wasn't
 entirely sure how MacPorts calculates that, but the port seemed to build
 OK without that information in the Portfile.

 At least from my vantage, this appears as if it is a pretty easy version
 update, with minimal effort required by the port maintainer, though
 doubtlessly there may have been some things I overlooked. I couldn't help
 but notice MacPorts also has a libressl-devel port which is even further
 behind the main LibreSSL port at version 2.9.2, though I suppose that is
 still a more recent LibreSSL than the version which ships with Big Sur
 11.6 (namely, 2.8.3).

 I also noticed that Homebrew has updated their LibreSSL port to 3.3.5, so
 my guess is for those who really need it, they should be able to find
 workarounds as I did manually. Nonetheless, I thought I would open a Trac
 ticket to formalize the version skew/drift a bit more.

 Thank you in advance for rectifying this!

-- 
Ticket URL: <https://trac.macports.org/ticket/63615>
MacPorts <https://www.macports.org/>
Ports system for macOS
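
The ticket asks that the reported checksums be verified independently and mentions the Portfile `size` entry. The following is an added example, not part of the ticket and not MacPorts' own code: it parses a Portfile `checksums` stanza and checks a downloaded distfile against every entry. The function names are hypothetical, `size` is assumed to be the distfile length in bytes, and the sample stanza is constructed from the published test-vector digests for the three bytes `abc`.

```python
import hashlib
import re

# Portfile checksum types mapped to hashlib names (rmd160 is RIPEMD-160).
HASHLIB_NAMES = {"rmd160": "ripemd160", "sha256": "sha256"}

def parse_checksums(portfile_text):
    """Return {type: value} from a Portfile 'checksums' stanza."""
    # Join backslash-continued lines, then read the type/value pairs.
    joined = re.sub(r"\\\s*\n", " ", portfile_text)
    match = re.search(r"^\s*checksums\s+(.*)$", joined, re.MULTILINE)
    if not match:
        raise ValueError("no checksums stanza found")
    tokens = match.group(1).split()
    if len(tokens) % 2:
        raise ValueError("checksums stanza has a type without a value")
    return dict(zip(tokens[0::2], tokens[1::2]))

def verify_distfile(data, expected):
    """Map each checksum type to True, False, or None (cannot be checked)."""
    results = {}
    for kind, want in expected.items():
        if kind == "size":
            results[kind] = len(data) == int(want)
            continue
        try:
            digest = hashlib.new(HASHLIB_NAMES[kind], data).hexdigest()
        except (KeyError, ValueError):
            # Unknown type, or RIPEMD-160 disabled in this OpenSSL build.
            results[kind] = None
            continue
        results[kind] = digest == want.lower()
    return results

# Constructed sample: the "distfile" is the three bytes b"abc", and the stanza
# carries the published test-vector digests for that input.
SAMPLE_PORTFILE = """\
checksums           rmd160  8eb208f7e05d987a9b044a8e98c6b087f15a0bfc \\
                    sha256  ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad \\
                    size    3
"""

if __name__ == "__main__":
    expected = parse_checksums(SAMPLE_PORTFILE)
    for kind, ok in verify_distfile(b"abc", expected).items():
        print(kind, {True: "OK", False: "MISMATCH", None: "not checked"}[ok])
```

To check a real download, pass the Portfile text and the tarball bytes read from disk; a `None` result means that digest type could not be computed on the local Python build, not that it matched.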

