[SUGGEST BUILD SCRIPTS] openssl and libressl

aus9

[SUGGEST BUILD SCRIPTS] openssl and libressl

Post#1 by aus9 » 03 Dec 2015, 22:36

openssl has just announced a new release
The OpenSSL project team is pleased to announce the release of
version 1.0.2e of our open source toolkit for SSL/TLS. For details
of changes and known issues see the release notes at:

http://www.openssl.org/news/openssl-1.0.2-notes.html
EDIT

index

post 4 is openssl v 1.0.2e build script
post 7 is openssl tests (they all PASS)
post 9 is libressl v 2.2.5 build script
post 10 is libressl tests (they all PASS)

mbedtls ....not pursued as I am unable to get a true test to prove similar claims to PASS
----also the commands are so vastly different that people will need a tutorial on it and I am not an expert on it
Last edited by aus9 on 12 Dec 2015, 23:47, edited 6 times in total.

francois
Contributor
Posts: 4902
Joined: 28 Dec 2010, 14:25
Distribution: kde xfce porteus manjaro kubun
Location: Enfin l'été, le changement climatique attendu: le soleil.

Re: openssl and alternatives

Post#2 by francois » 04 Dec 2015, 03:27

You are doing very well aus9. :wink:
Voltaire: Le mieux est l'ennemi du bien.

brokenman
Site Admin
Posts: 5436
Joined: 27 Dec 2010, 03:50
Distribution: Porteus v3.2rcX all desktops
Location: Brazil

Re: openssl and alternatives

Post#3 by brokenman » 04 Dec 2015, 12:59

I see in Changelog website that there is a v1.1.X SSL in the pipeline. SSLv2 was disabled and some changes made to testing mechanism (uses a different module) and some other quite massive changes.
How do i become super user?
Wear your underpants on the outside and put on a cape.

aus9

Re: openssl and alternatives

Post#4 by aus9 » 06 Dec 2015, 08:46

post 4 for openssl v 1.0.2e

got my first chance to build it but having issues, as previously mentioned, on converting it
conversion is post 7

here is new build for openssl
# $Id$
# Maintainer: aus9 <aus9@Porteus.org>
# Nemesis depends 05-devel.xzm with zlib perl ca-certificates
arch=('x86_64')
conflicts=('openssl')
license=('custom:BSD')
_pkgname=openssl
pkgname=${_pkgname}
# use a pacman compatible version scheme
pkgrel=3
#pkgver=$_ver
# _ver and pkgver are set before provides= so that ${pkgver} expands there
_ver=1.0.2e
pkgver=${_ver/[a-z]/.${_ver//[0-9.]/}}
pkgdesc='The Open Source toolkit for Secure Sockets Layer and Transport Layer Security with disabled ssl2 and ssl3.
This product includes software developed by the OpenSSL Project for use in the OpenSSL Toolkit (http://www.openssl.org/)'
provides=("openssl=${pkgver}")
url='https://www.openssl.org'
source=("https://www.openssl.org/source/${_pkgna ... er}.tar.gz"
"https://www.openssl.org/source/${_pkgna ... tar.gz.asc")
md5sums=('5262bfa25b60ed9de9f28d5d52d77fc5'
'5aae13d1330bcbb7c91debf3a7ca43c7')
validpgpkeys=('8657ABB260F056B1E5190839D9C4D26D0E604491')

build() {
cd $srcdir/$_pkgname-$_ver
./config -t
./config --prefix=/usr --openssldir=/etc/ssl --libdir=lib shared zlib no-ssl2 no-ssl3
make depend
make -j5
make test
}

package() {
cd $srcdir/$_pkgname-$_ver
make INSTALL_PREFIX=$pkgdir MANDIR=/usr/share/man MANSUFFIX=ssl install
install -D -m644 LICENSE $pkgdir/usr/share/licenses/$_pkgname/LICENSE
# post install strip shared objects-thru duckduckgo
###################################
find $pkgdir -print0 | xargs -0 file | grep -e "shared object" | grep ELF \
| cut -f 1 -d : | xargs strip --strip-unneeded 2> /dev/null || true
}
namcap no longer works as ssl2 was disabled by my previous work

anyhow

Code:

makepkg PKGBUILD
builds it but unable to test it

I still don't know how to use arc2xzm to convert it, if that's the correct tool

I have the XZ and I have kept the /tmp/pkg (folder) which is Arch style

cheers
Last edited by aus9 on 09 Dec 2015, 04:44, edited 1 time in total.

brokenman
Site Admin
Posts: 5436
Joined: 27 Dec 2010, 03:50
Distribution: Porteus v3.2rcX all desktops
Location: Brazil

Re: openssl and alternatives

Post#5 by brokenman » 06 Dec 2015, 17:49

Try to convert the standalone package with:

Code:

pkg2xzm /path/to/package.tar.xz
How do i become super user?
Wear your underpants on the outside and put on a cape.

aus9

Re: openssl and alternatives

Post#6 by aus9 » 06 Dec 2015, 22:34

thanks code empty space truncated

Code:

pkg2xzm openssl-1.0.2.e-0-x86_64.pkg.tar.xz 
loading packages...
looking for conflicting packages...
Packages (1) openssl-1.0.2.e-0
Total Installed Size:   6.43 MiB
Net Upgrade Size:      -2.62 MiB
:: Proceed with installation? [Y/n] y
(1/1) checking keys in keyring                                                     [################################################] 100%
(1/1) checking package integrity                                                   [################################################] 100%
(1/1) loading package files                                                        [################################################] 100%
(1/1) checking for file conflicts                                                  [################################################] 100%
(1/1) checking available disk space                                                [################################################] 100%
(1/1) reinstalling openssl                                                         [################################################] 100%
Enter custom destination for module or press enter for default: 
 /tmp/openssl-1.0.2.e-0-x86_64.xzm
> 
Parallel mksquashfs: Using 4 processors
Creating 4.0 filesystem on /tmp/openssl-1.0.2.e-0-x86_64.xzm, block size 262144.
[=========================================================================================================================\] 482/482 100%
Exportable Squashfs 4.0 filesystem, xz compressed, data block size 262144
	compressed data, compressed metadata, compressed fragments, compressed xattrs
	duplicates are removed
Filesystem size 2675.51 Kbytes (2.61 Mbytes)
	39.44% of uncompressed filesystem size (6782.96 Kbytes)
Inode table size 11442 bytes (11.17 Kbytes)
	16.32% of uncompressed inode table size (70117 bytes)
Directory table size 17206 bytes (16.80 Kbytes)
	32.15% of uncompressed directory table size (53518 bytes)
Number of duplicate files found 0
Number of inodes 1684
Number of files 470
Number of fragments 14
Number of symbolic links  1188
Number of device nodes 0
Number of fifo nodes 0
Number of socket nodes 0
Number of directories 26
Number of ids (unique uids + gids) 1
Number of uids 1
	root (0)
Number of gids 1
	root (0)
2.7M	/tmp/openssl-1.0.2.e-0-x86_64.xzm
2.7M	/tmp/openssl-1.0.2.e-0-x86_64.xzm
it's got 2 outputs
2.7M /tmp/openssl-1.0.2.e-0-x86_64.xzm
2.7M /tmp/openssl-1.0.2.e-0-x86_64.xzm

Total Installed Size: 6.43 MiB makes me think it installs as well?

aus9

Re: openssl and alternatives

Post#7 by aus9 » 06 Dec 2015, 22:45

post 7 test of openssl
no matter now I can test....thanks for correct command

Code:

activate openssl-1.0.2.e-0-x86_64.xzm 
 openssl-1.0.2.e-0-x86_64.xzm activated. 
root /mnt/sda3/porteus/optional # openssl version
OpenSSL 1.0.2e 3 Dec 2015
lynx https://cert-test.sandbox.google.com/ PASS

Code:

true|openssl s_client -ssl3 -servername www.bing.com -connect www.bing.com:443
CONNECTED(00000003)
write:errno=104
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 0 bytes and written 0 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : SSLv3
    Cipher    : 0000
    Session-ID: 
    Session-ID-ctx: 
    Master-Key: 
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1449441789
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
Another PASS

will look at alternatives when I have time
Last edited by aus9 on 09 Dec 2015, 04:45, edited 1 time in total.

aus9

Re: openssl and alternatives

Post#8 by aus9 » 08 Dec 2015, 04:03

I am reluctant to reveal my PKGBUILD for mbedtls as I have yet to find a good client test similar to the openssl test

all attempts to work with mbedtls are not stopped.
As I am happy with results for both openssl and libressl
Last edited by aus9 on 12 Dec 2015, 23:45, edited 1 time in total.

aus9

Re: openssl and alternatives

Post#9 by aus9 » 08 Dec 2015, 06:05

post nine (this post) and post ten relate to the building and testing of libressl

post nine begins
sorry for sucking eggs, anyone building this MUST not use any cheatcode that has changes= see reason in codebox please.
In case it is not obvious the build script uses conflicts with openssl.....although I will reveal more shortly

OK, let's start

PKGBUILD in quote box
# $Id$
# Maintainer: aus9 <aus9@Porteus.org>
# Nemesis depends 05-devel.xzm with zlib perl ca-certificates
arch=('x86_64')
conflicts=('openssl')
license=('custom:BSD')
pkgname=libressl
# use a pacman compatible version scheme
pkgrel=0
pkgdesc='LibreSSL is a version of the TLS/crypto stack forked from OpenSSL in 2014,
with goals of modernizing the codebase, improving security, and applying best practice development processes.'
provides=("libressl")
url='http://ftp.openbsd.org/pub/OpenBSD/LibreSSL'
ver=2.2.5
pkgver=${ver/[a-z]/.${ver//[0-9.]/}}
source=("$url/${pkgname}-${ver}.tar.gz")
sha1sums=('893c60c9500a6e0ab6cdb50668b290313403ba77')

build() {
cd $srcdir/$pkgname-$ver
./configure --prefix=/usr --with-openssldir=/etc/ssl
make -j5
make check
}

package() {
cd "$pkgname-$pkgver"
make DESTDIR="$pkgdir" install
install -D -m644 COPYING $pkgdir/usr/share/licenses/$pkgname/LICENSE
# post install fixes
mv $pkgdir/usr/include/tls.h $pkgdir/usr/include/openssl
rm -rf $pkgdir/etc/ssl/cert.pem
}
Now watch this action in code box

Code:

root /tmp # pkg2xzm libressl-2.2.5-0-x86_64.pkg.tar.xz 
loading packages...
looking for conflicting packages...
:: libressl and openssl are in conflict. Remove openssl? [y/N] y

Packages (2) openssl-1.0.2.d-1 [removal]  libressl-2.2.5-0

Total Installed Size:   4.96 MiB
Net Upgrade Size:      -4.08 MiB

:: Proceed with installation? [Y/n] y
(1/1) checking keys in keyring                                                                      [###########################################################] 100%
(1/1) checking package integrity                                                                    [###########################################################] 100%
(1/1) loading package files                                                                         [###########################################################] 100%
(1/1) checking for file conflicts                                                                   [###########################################################] 100%
(2/2) checking available disk space                                                                 [###########################################################] 100%
(1/1) removing openssl                                                                              [###########################################################] 100%
(1/1) installing libressl                                                                           [###########################################################] 100%

Enter custom destination for module or press enter for default: 
 /tmp/libressl-2.2.5-0-x86_64.xzm

> 
Parallel mksquashfs: Using 4 processors
Creating 4.0 filesystem on /tmp/libressl-2.2.5-0-x86_64.xzm, block size 262144.
[=====================================================================================================================================================-] 390/390 100%

Exportable Squashfs 4.0 filesystem, xz compressed, data block size 262144
	compressed data, compressed metadata, compressed fragments, compressed xattrs
	duplicates are removed
Filesystem size 1906.00 Kbytes (1.86 Mbytes)
	36.25% of uncompressed filesystem size (5258.58 Kbytes)
Inode table size 10072 bytes (9.84 Kbytes)
	15.76% of uncompressed inode table size (63890 bytes)
Directory table size 15884 bytes (15.51 Kbytes)
	34.46% of uncompressed directory table size (46091 bytes)
Number of duplicate files found 0
Number of inodes 1566
Number of files 381
Number of fragments 10
Number of symbolic links  1164
Number of device nodes 0
Number of fifo nodes 0
Number of socket nodes 0
Number of directories 21
Number of ids (unique uids + gids) 1
Number of uids 1
	root (0)
Number of gids 1
	root (0)

1.9M	/tmp/libressl-2.2.5-0-x86_64.xzm
1.9M	/tmp/libressl-2.2.5-0-x86_64.xzm
Tests are post ten
Last edited by aus9 on 09 Dec 2015, 04:49, edited 2 times in total.

aus9

Re: openssl and alternatives

Post#10 by aus9 » 08 Dec 2015, 06:10

post ten is the test of libressl

lynx https://cert-test.sandbox.google.com/ is a PASS but using my cert bundle with no attempt to convert to their pem file

2)

Code:

true|openssl s_client -ssl3 -servername www.bing.com -connect www.bing.com:443
unknown option -ssl3
this is a PASS because as previously discussed it attempts to use only ssl version 3 to connect to a remote server so if it fails with a cipher of 0000 it's a PASS
and in this case it borks because the package upstream has been deliberately built NOT to support ssl3

In case it's not obvious, they still use /usr/bin/openssl as the executable.

and so now we get a different result for the next information

Code:

openssl version
LibreSSL 2.2.5
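
The PASS rule used in posts 7 and 10, written out as a check over captured `openssl s_client -ssl3` output. This is an added example, not part of the original posts; the function name, verdict strings and sample transcripts are constructed for illustration.

```shell
#!/bin/sh
# Added example: sort saved `openssl s_client -ssl3` output into verdicts.
# All sample transcripts are constructed, modelled on the thread's output.

classify_ssl3_probe() {
    out=$1   # captured stdout+stderr of the s_client run
    # Client built without SSLv3 (the LibreSSL case in post 10).
    if printf '%s\n' "$out" | grep -q 'unknown option -ssl3'; then
        echo "PASS client-has-no-ssl3"; return 0
    fi
    # Handshake attempted, no cipher agreed (the OpenSSL case in post 7).
    if printf '%s\n' "$out" | grep -Eq 'Cipher is \(NONE\)|^ *Cipher *: 0000 *$'; then
        echo "PASS handshake-refused"; return 0
    fi
    # An SSLv3 session with a real cipher name means SSLv3 still works.
    if printf '%s\n' "$out" | grep -Eq '^ *Protocol *: SSLv3 *$' &&
       printf '%s\n' "$out" | grep -Eq '^ *Cipher *: [A-Z0-9-]+ *$'; then
        echo "FAIL sslv3-negotiated"; return 1
    fi
    # Anything else (e.g. no TCP connection) proves nothing either way.
    echo "UNKNOWN no-handshake-evidence"; return 2
}

SAMPLE_REFUSED='CONNECTED(00000003)
write:errno=104
New, (NONE), Cipher is (NONE)
SSL-Session:
    Protocol  : SSLv3
    Cipher    : 0000'

SAMPLE_NO_OPTION='unknown option -ssl3'

SAMPLE_NEGOTIATED='CONNECTED(00000003)
New, TLSv1/SSLv3, Cipher is AES128-SHA
SSL-Session:
    Protocol  : SSLv3
    Cipher    : AES128-SHA'

SAMPLE_NO_CONNECT='connect:errno=111'

for s in "$SAMPLE_REFUSED" "$SAMPLE_NO_OPTION" "$SAMPLE_NEGOTIATED" "$SAMPLE_NO_CONNECT"; do
    classify_ssl3_probe "$s" || true
done
```

A refused handshake only shows that this client and server pair did not complete SSLv3; it does not show which side refused.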

aus9

Re: openssl and alternatives

Post#11 by aus9 » 08 Dec 2015, 06:38

I have now finished all testing and am happy if brokenman chooses either openssl or libressl.
