NetBSD-Bugs archive


Re: lib/53675: ldaps appears to be broken



coypu%sdf.org@localhost writes:

> The following reply was made to PR lib/53675; it has been noted by GNATS.
>
> From: coypu%sdf.org@localhost
> To: gnats-bugs%netbsd.org@localhost
> Cc: 
> Subject: Re: lib/53675: ldaps appears to be broken
> Date: Tue, 6 Aug 2019 07:25:22 +0000
>
>  I recommend reporting this problem upstream.
>  - Is the problem to do with too new OpenSSL, or to do with NetBSD
>    changes?
>  
>  Comparing to another OS that uses the same major version OpenSSL will be
>  good (e.g. some of the up-to-date Linuxes)
>  


I did some more work on this bug.

I got a 9.0_BETA system built with a pkgsrc openldap which is compiled
against the system libcrypto.so (1.1.1c) and it works fine with ldaps.
This mostly leads me to conclude that the in-tree openldap version, which
appears to be 2.4.45 (labeled 2.4.23), should be updated.  An
alternative might be to set something like PREFER_PKGSRC=openldap-client
when building packages, but that would still leave a broken in-tree set
of ldap utilities.  As it stands right now anything built with pkgsrc
that uses the ldap client and expects working TLS will fail.


There are entries in the CHANGES file for openldap 2.4.47 (the pkgsrc
version) that seem to indicate that support for OpenSSL >= 1.1.1a was
added after 2.4.45.

OpenLDAP 2.4.46 Release (2018/03/22)
Fixed libldap OpenSSL 1.1.1 compatibility with BIO_method (ITS#8791)



I won't have time in the near term, personally, to try and get a new
version into the tree, but I highly advocate for this update.  I can
probably test any changes.



-- 
Brad Spencer - brad%anduin.eldar.org@localhost - KC8VKS - http://anduin.eldar.org

