Feature #8982

Support building with OpenSSL 1.1

Added by Andy Fiddaman over 1 year ago. Updated over 1 year ago.

Status: Closed
Priority: Low
Assignee:
Category: lib - userland libraries
Start date: 2018-01-23
Due date:
% Done: 100%
Estimated time:
Difficulty: Medium
Tags:
Description

The following gate components fail to build against OpenSSL 1.1 due to API changes.

  • sendmail
  • libpkcs11
  • libkrb5
  • libkmf
  • wanboot

(OpenSSL 1.0 is supported until 2019-12-31, but distributions may wish to get ahead; we plan to move mostly to v1.1 in OmniOS as of November 2018.)

We've started this work at https://github.com/omniosorg/illumos-omnios/tree/openssl


Related issues

Related to illumos gate - Feature #9070: Remove wanboot from gate (Closed, 2018-02-07)
Related to illumos gate - Feature #9156: Remove openssl dependency from pkcs11_tpm (Closed, 2018-02-21)
Related to illumos gate - Bug #9546: Restore support for building against LibreSSL (Closed, 2018-05-21)

History

#1

Updated by Andy Fiddaman over 1 year ago

#2

Updated by Andy Fiddaman over 1 year ago

  • Related to Feature #9156: Remove openssl dependency from pkcs11_tpm added

#3

Updated by Andy Fiddaman over 1 year ago

Notes from testing krb5 pkinit preauth.

bloody# klist
klist: No credentials cache file found (ticket cache FILE:/tmp/krb5cc_0)

bloody# kinit bloody.omniosce.org
Apr 13 20:04:54 bloody krb5kdc[7503](info): AS_REQ (7 etypes {18 17 16 23 24 3 1}) 172.27.10.9: NEEDED_PREAUTH: bloody.omniosce.org@OMNIOSCE.ORG for krbtgt/OMNIOSCE.ORG@OMNIOSCE.ORG, Additional pre-authentication required
Apr 13 20:04:54 bloody krb5kdc[7503](info): AS_REQ (7 etypes {18 17 16 23 24 3 1}) 172.27.10.9: ISSUE: authtime 1523649894, etypes {rep=18 tkt=18 ses=18}, bloody.omniosce.org@OMNIOSCE.ORG for krbtgt/OMNIOSCE.ORG@OMNIOSCE.ORG

bloody# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: bloody.omniosce.org@OMNIOSCE.ORG

Valid starting                Expires                Service principal
04/13/18 20:04:54  04/14/18 04:04:54  krbtgt/OMNIOSCE.ORG@OMNIOSCE.ORG
        renew until 04/20/18 20:04:54

#4

Updated by Andy Fiddaman over 1 year ago

Testing notes for kmf openssl backend:

DSA & RSA import

bloody% pktool import keystore=file infile=rsa.p12 outkey=l.pem outcert=ll.pem
Enter password to use for accessing the PKCS12 file:
Found 1 certificate(s) and 1 key(s) in rsa.p12

bloody% pktool import keystore=file infile=dsa.p12 outkey=l.pem outcert=ll.pem
Enter password to use for accessing the PKCS12 file:
Found 1 certificate(s) and 1 key(s) in dsa.p12

Certificate/key creation:

# $certs must already point at the output directory
for type in rsa dsa; do
        pktool gencert keystore=file \
                outcert="$certs/$type-cert.pem" \
                outkey="$certs/$type-key.pem" \
                serial=1 \
                subject="CN=illumos tester" \
                format=pem \
                keytype="$type" \
                keylen=2048 \
                lifetime=1-year
done

#5

Updated by Electric Monk over 1 year ago

  • Status changed from New to Closed
  • % Done changed from 40 to 100

git commit 300fdee27f8b59b381c1a0316bdee52fdfdb9213

commit  300fdee27f8b59b381c1a0316bdee52fdfdb9213
Author: Andy Fiddaman <omnios@citrus-it.co.uk>
Date:   2018-05-03T02:06:02.000Z

    8982 Support building with OpenSSL 1.1
    Reviewed by: Dominik Hassler <hadfl@omniosce.org>
    Reviewed by: Igor Kozhukhov <igor@dilos.org>
    Reviewed by: Ken Mays <maybird1776@yahoo.com>
    Reviewed by: Jason King <jason.king@joyent.com>
    Approved by: Dan McDonald <danmcd@joyent.com>

#6

Updated by Andrew Stormont over 1 year ago

  • Related to Bug #9546: Restore support for building against LibreSSL added
