Changes between Initial Version and Version 1 of Ticket #63615
- Timestamp: Oct 13, 2021, 4:26:38 AM (3 years ago)
Ticket #63615
- Property Status changed from new to assigned
- Property Owner set to jeremyhu
- Property Summary changed from "Please update LibreSSL port to 3.3.5" to "libressl: update to 3.3.5"
- Property Priority changed from Not set to Normal
Ticket #63615 – Description
initial v1 5 5 However, 3.3.5 addresses the following two fixes (quoted from https://ftp.openbsd.org/pub/OpenBSD/LibreSSL/libressl-3.3.5-relnotes.txt) 6 6 7 "* A stack overread could occur when checking X.509 name constraints.8 From GoldBinocle on GitHub.9 10 * Enable X509_V_FLAG_TRUSTED_FIRST by default in the legacy verifier.11 This compensates for the expiry of the DST Root X3 certificate." 7 > * A stack overread could occur when checking X.509 name constraints. 8 > From GoldBinocle on GitHub. 9 > 10 > * Enable X509_V_FLAG_TRUSTED_FIRST by default in the legacy verifier. 11 > This compensates for the expiry of the DST Root X3 certificate. 12 12 13 13 In particular, the latter issue seems to impact some Let's Encrypt users and rectifies a bug which had been in OpenSSL which was fixed circa 2018 that LibreSSL developers apparently overlooked since their project forked approximately four years earlier. Anecdotally, GNUTLS also apparently had a similar bug. … … 15 15 I have tested building LibreSSL with 3.3.5 by changing the version number in the portfile as well as updating the checksums per the instructions outlined here: https://guide.macports.org/chunked/development.creating-portfile.html and it seems to have built cleanly using the newer source tarball! 16 16 17 "# uname -a 17 {{{ 18 # uname -a 18 19 Darwin enbie132020enuan.local 20.6.0 Darwin Kernel Version 20.6.0: Mon Aug 30 06:12:20 PDT 2021; root:xnu-7195.141.6~3/RELEASE_ARM64_T8101 arm64" 19 20 … … 22 23 23 24 # which openssl 24 /opt/local/bin/openssl" 25 /opt/local/bin/openssl 26 }}} 25 27 26 28 For reference, the checksums I derived were as follows: 27 29 30 {{{ 28 31 checksums rmd160 76cd468b68ba63b108af9750777b37617da20605 \ 29 32 sha256 0a51393f0df1cf27e070054a2788a4d073339f363d79cd594076a1b4c48be9a5 33 }}} 30 34 31 35 Though undoubtedly, the port maintainer should verify those independently.
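Review bot: the unchanged line 18/19 (`Darwin enbie132020enuan.local 20.6.0 ... arm64"`) still ends with a double quote left over from the old quoted form, and after this change it sits inside the new `{{{ ... }}}` block, where it will render literally as part of the uname output. Drop the trailing `"` after `arm64`, the same way the closing quote was removed from `/opt/local/bin/openssl"` at old line 24.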