Hello, I recently tried to build my system with libressl instead of openssl.
In dovecot one issue that popped up was that libressl doesn't have the ECDH auto functions from openssl 1.0.2 beta versions. However as the #ifdef's in dovecot's code check for the openssl version and libressl's version numbers are higher the compilation fails there. Attached is a patch that will change that checks. Instead of checking for the version number it checks for the availability of the feature itself (by checking for the define of SSL_CTRL_SET_ECDH_AUTO). This should make this check more robust and work independently of the version number of the used openssl instance. cu, -- Hanno Böck http://hboeck.de/ mail/jabber: ha...@hboeck.de GPG: BBB51E42
diff -Naur dovecot-2.2.13/src/lib-ssl-iostream/iostream-openssl-context.c dovecot-2.2.13-1/src/lib-ssl-iostream/iostream-openssl-context.c
--- dovecot-2.2.13/src/lib-ssl-iostream/iostream-openssl-context.c 2014-02-04 22:28:38.000000000 +0100
+++ dovecot-2.2.13-1/src/lib-ssl-iostream/iostream-openssl-context.c 2014-07-12 18:42:53.592401159 +0200
@@ -416,7 +416,7 @@
return 0;
}
-#if defined(HAVE_ECDH) && OPENSSL_VERSION_NUMBER < 0x10002000L
+#if defined(HAVE_ECDH) && !defined(SSL_CTRL_SET_ECDH_AUTO)
static int
ssl_proxy_ctx_get_pkey_ec_curve_name(const struct ssl_iostream_settings *set,
int *nid_r, const char **error_r)
@@ -446,7 +446,7 @@
const struct ssl_iostream_settings *set ATTR_UNUSED,
const char **error_r ATTR_UNUSED)
{
-#if defined(HAVE_ECDH) && OPENSSL_VERSION_NUMBER < 0x10002000L
+#if defined(HAVE_ECDH) && !defined(SSL_CTRL_SET_ECDH_AUTO)
EC_KEY *ecdh;
int nid;
const char *curve_name;
@@ -459,7 +459,7 @@
used instead of ECDHE, do not reuse the same ECDH key pair for
different sessions. This option improves forward secrecy. */
SSL_CTX_set_options(ssl_ctx, SSL_OP_SINGLE_ECDH_USE);
-#if OPENSSL_VERSION_NUMBER >= 0x10002000L
+#ifdef SSL_CTRL_SET_ECDH_AUTO
/* OpenSSL >= 1.0.2 automatically handles ECDH temporary key parameter
selection. */
SSL_CTX_set_ecdh_auto(ssl_ctx, 1);
diff -Naur dovecot-2.2.13/src/login-common/ssl-proxy-openssl.c dovecot-2.2.13-1/src/login-common/ssl-proxy-openssl.c
--- dovecot-2.2.13/src/login-common/ssl-proxy-openssl.c 2014-05-07 16:23:24.000000000 +0200
+++ dovecot-2.2.13-1/src/login-common/ssl-proxy-openssl.c 2014-07-12 18:47:37.074857141 +0200
@@ -125,7 +125,7 @@
static void ssl_proxy_ctx_set_crypto_params(SSL_CTX *ssl_ctx,
const struct master_service_ssl_settings *set);
-#if defined(HAVE_ECDH) && OPENSSL_VERSION_NUMBER < 0x10002000L
+#if defined(HAVE_ECDH) && !defined(SSL_CTRL_SET_ECDH_AUTO)
static int ssl_proxy_ctx_get_pkey_ec_curve_name(const struct master_service_ssl_settings *set);
#endif
@@ -1024,7 +1024,7 @@
ssl_proxy_ctx_set_crypto_params(SSL_CTX *ssl_ctx,
const struct master_service_ssl_settings *set ATTR_UNUSED)
{
-#if defined(HAVE_ECDH) && OPENSSL_VERSION_NUMBER < 0x10002000L
+#if defined(HAVE_ECDH) && !defined(SSL_CTRL_SET_ECDH_AUTO)
EC_KEY *ecdh;
int nid;
const char *curve_name;
@@ -1037,7 +1037,7 @@
used instead of ECDHE, do not reuse the same ECDH key pair for
different sessions. This option improves forward secrecy. */
SSL_CTX_set_options(ssl_ctx, SSL_OP_SINGLE_ECDH_USE);
-#if OPENSSL_VERSION_NUMBER >= 0x10002000L
+#ifdef SSL_CTRL_SET_ECDH_AUTO
/* OpenSSL >= 1.0.2 automatically handles ECDH temporary key parameter
selection. */
SSL_CTX_set_ecdh_auto(ssl_ctx, 1);
@@ -1152,7 +1152,7 @@
EVP_PKEY_free(pkey);
}
-#if defined(HAVE_ECDH) && OPENSSL_VERSION_NUMBER < 0x10002000L
+#if defined(HAVE_ECDH) && !defined(SSL_CTRL_SET_ECDH_AUTO)
static int
ssl_proxy_ctx_get_pkey_ec_curve_name(const struct master_service_ssl_settings *set)
{
signature.asc
Description: PGP signature
