move back to openssl #1312

Merged
merged 4 commits into from Mar 14, 2017

Member

@lrusak lrusak commented Feb 10, 2017

I forgot about this. Is this something that we want?

Before all the add-ons get built we need to decide.

@MilhouseVH
Contributor

Didn't we have a problem building Kodi with debug and openssl? If all the debug/non-debug build issues are solved then this seemed to resolve the ongoing issues caused by libressl and 32-bit ABI support, plus DAZN.

@MilhouseVH
Contributor

I think this needs a rebase - it currently won't apply on top of master.

@lrusak
Member Author

lrusak commented Feb 11, 2017

rebased

the issue with debug builds is building kodi with GOLD on x86_64. I'm not sure how to fix that yet.

@stefansaraev
Contributor

huh! why is this?

@MilhouseVH
Contributor

MilhouseVH commented Feb 12, 2017

A 20-year root CA will be causing problems in less than 10 months on 32-bit Linux with LibreSSL: libressl/portable#207

We're already seeing these kinds of problems - any certificate with a post-2038 expiry date cannot be verified by LibreSSL on 32-bit Linux. LibreSSL have no plans to fix this (having purposefully removed the OpenSSL workaround for 32-bit platforms), so to verify these post-2038 certs on 32-bit Linux will require an ABI update (in the works but no estimate other than "before 2038"). Alternatively, we switch back to OpenSSL.

Bear in mind that 20-year expiry dates on root CAs are not that uncommon, and 2038 is less than 21 years from now... so unless the Linux 32-bit ABI is updated between now and the end of the year with 64-bit time_t, using LibreSSL to verify certificates will start to become a much bigger issue in less than 10 months' time.

We also have another issue with LibreSSL relating to a DAZN addon that fails to verify an upstream server hosting widevine keys - accessing this same server is not a problem with OpenSSL.

I also think some of the other Qt based projects have requested the option of building with OpenSSL as Qt does not support LibreSSL.

So in short, bye bye LibreSSL.

@stefansaraev
Contributor

lol. okay :)

@lrusak
Member Author

lrusak commented Feb 28, 2017

is this still something we want?

@chewitt
Member

chewitt commented Mar 10, 2017

@lrusak can you rebase please, let's bite the bullet

@lrusak
Member Author

lrusak commented Mar 10, 2017

rebased

@lrusak
Member Author

lrusak commented Mar 14, 2017

This is good to go; however, before building all the add-ons I'd like to try bumping openssl to 1.1.0e first to see if we can build everything with that.

Contributor

@MilhouseVH MilhouseVH left a comment

We'll merge as it is now, which works, and we can bump to 1.1.0e later

@MilhouseVH MilhouseVH merged commit 82b6c4c into LibreELEC:master Mar 14, 2017
@MilhouseVH
Contributor

A recent post on Y2038 progress in Linux: https://lwn.net/Articles/717076/

Any 32-bit ABI change still looks several years off to me.

@dagwieers
Contributor

So LibreELEC v8.0.2 was released, but this does not seem to have been fixed? So a few add-ons are still broken (and have been for many months now). Can we please get this fixed ASAP in the v8.0 branch?

@lrusak
Member Author

lrusak commented May 28, 2017

@dagwieers it's not exactly simple. To change the ssl version requires rebuilding all the addons and will break backwards compatibility. So it's better left for a major version bump. Or possibly 8.2.0 if there is one.

5 participants