[Bug 212926] security/openconnect: openconnect prefers /usr/local/lib/libssl.so, breaking DTLS

bugzilla-noreply at freebsd.org bugzilla-noreply at freebsd.org
Fri Sep 23 16:47:38 UTC 2016


https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=212926

            Bug ID: 212926
           Summary: security/openconnect: openconnect prefers
                    /usr/local/lib/libssl.so, breaking DTLS
           Product: Ports & Packages
           Version: Latest
          Hardware: Any
                OS: Any
            Status: New
          Severity: Affects Some People
          Priority: ---
         Component: Individual Port(s)
          Assignee: zi at FreeBSD.org
          Reporter: cgull at glup.org
             Flags: maintainer-feedback?(zi at FreeBSD.org)

FreeBSD 11.0-RC3, openconnect-7.07 from /latest/ package repo

If the security/openssl package (1.02_15,1) is installed, DTLS over UDP fails
and this VPN client reverts to TLS over TCP, which is quite suboptimal.  If it
is *not* installed, DTLS works fine.

This package requires a hack/feature in the TLS implementation to support
Cisco's pre-standard DTLS.  OpenSSL's inclusion of this varies according to
version.  Both the package and system OpenSSL are 1.02h, which is one of the
versions that does not have the hack upstream.  Apparently the system OpenSSL
is patched to include this.  See
http://www.infradead.org/openconnect/anyconnect.html for details.

The OpenConnect build sets the binary's RPATH to be /usr/local/lib:

jhood at lister:/usr/home/jhood 0 $ objdump -x /usr/local/sbin/openconnect | grep RPATH
  RPATH       /usr/local/lib

This comes from the OpenConnect configure/build, not from the FreeBSD port.  I
haven't figured out precisely where the -rpath flag is coming from yet--
configure or one of the dependencies' pkg-config.

Since both system and ports OpenSSL provide libssl.so.8, openconnect uses the
ports openssl.so.8 if available and the system file if not.

configure.ac does an OpenSSL version check but the port disables it with
--without-openssl-version-check (correctly, I think, since base OpenSSL is
patched).  Additionally 'make check' has a test for this issue when built with
OpenSSL but that doesn't seem to detect this problem.

Building the upstream source configured for GnuTLS works fine.  GnuTLS has had
the DTLS hack/feature for some time.

I'm not sure what the best solution here is:  eliminate the RPATH from the
build, switch to using GnuTLS by default to avoid OpenSSL entirely, or saying
this works as designed.

Bug #212254 (LibreSSL support) touches on a number of similar/related issues.

-- 
You are receiving this mail because:
You are the assignee for the bug.
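The shadowing the report describes (an RPATH of /usr/local/lib winning over a same-soname library in the base system) can be checked mechanically. The following is an added example, not code from the bug report or from the openconnect project: it parses the dynamic section as printed by `objdump -x`, walks the search order the run-time linker would use (RPATH entries first, then the default directories), and reports for each NEEDED library which file wins and whether that choice hides a copy the default search would otherwise have found. The `objdump` text and the set of library paths are constructed to mirror the report; the default search order (`/lib`, `/usr/lib`, then `/usr/local/lib` as ldconfig hints would add it) is an assumption, and RUNPATH is treated like RPATH for simplicity.

```python
"""Added example (not from the bug report): model which shared library the
run-time linker picks when a binary's RPATH points at /usr/local/lib while a
library with the same soname also exists in the base system."""
import os

# Assumption: approximate FreeBSD default search order as the base directories
# followed by /usr/local/lib (as ldconfig hints would add it).  Adjust per host.
DEFAULT_DIRS = ["/lib", "/usr/lib", "/usr/local/lib"]

# Constructed sample of `objdump -x` dynamic-section output that mirrors the
# RPATH shown in the report; it was not captured from a real binary.
OBJDUMP_SAMPLE = """\
Dynamic Section:
  NEEDED               libssl.so.8
  NEEDED               libcrypto.so.8
  NEEDED               libc.so.7
  RPATH                /usr/local/lib
"""


def parse_dynamic(objdump_output):
    """Return (needed sonames, rpath dirs) from `objdump -x` text.

    RUNPATH is treated like RPATH in this simplified model.
    """
    needed, rpath = [], []
    for line in objdump_output.splitlines():
        parts = line.split()
        if len(parts) < 2:
            continue
        if parts[0] == "NEEDED":
            needed.append(parts[1])
        elif parts[0] in ("RPATH", "RUNPATH"):
            rpath.extend(d for d in parts[1].split(":") if d)
    return needed, rpath


def resolve_soname(soname, rpath_dirs, default_dirs=DEFAULT_DIRS,
                   exists=os.path.exists):
    """First path, searching RPATH entries then default dirs, where soname exists.

    `exists` is injectable so the search can run against a constructed set of
    paths instead of the live filesystem.
    """
    for d in list(rpath_dirs) + list(default_dirs):
        path = os.path.join(d, soname)
        if exists(path):
            return path
    return None


def audit(objdump_output, default_dirs=DEFAULT_DIRS, exists=os.path.exists):
    """For every NEEDED soname report which file wins and, if the RPATH choice
    differs from what the default search would find, which file it shadows."""
    needed, rpath = parse_dynamic(objdump_output)
    report = {}
    for soname in needed:
        chosen = resolve_soname(soname, rpath, default_dirs, exists)
        without_rpath = resolve_soname(soname, [], default_dirs, exists)
        shadows = without_rpath if chosen != without_rpath else None
        report[soname] = {"chosen": chosen, "shadows": shadows}
    return report


if __name__ == "__main__":
    # Constructed view of a host with both base and ports OpenSSL installed.
    fake_fs = {
        "/lib/libc.so.7",
        "/usr/lib/libssl.so.8", "/usr/lib/libcrypto.so.8",
        "/usr/local/lib/libssl.so.8", "/usr/local/lib/libcrypto.so.8",
    }
    for soname, r in audit(OBJDUMP_SAMPLE, exists=fake_fs.__contains__).items():
        note = f" (shadows {r['shadows']})" if r["shadows"] else ""
        print(f"{soname:16} -> {r['chosen']}{note}")
```

On a live system the same `audit()` call works with the real `objdump -x` output and the default `os.path.exists`; a non-empty `shadows` entry for `libssl.so.8` is exactly the condition under which this binary stops using the patched base OpenSSL.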

