Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

move back to openssl #1312

Merged
merged 4 commits into from Mar 14, 2017

Conversation

Projects
None yet
5 participants
@lrusak
Copy link
Member

lrusak commented Feb 10, 2017

I forgot about this. Is this something that we want?

Before all the add-ons get built we need to decide.

@MilhouseVH

This comment has been minimized.

Copy link
Contributor

MilhouseVH commented Feb 10, 2017

Didn't we have a problem building Kodi with debug and openssl? If all the debug/non-debug build issues are solved then this seemed to resolve the ongoing issues caused by libressl and 32-bit ABI support, plus DAZN.

@MilhouseVH

This comment has been minimized.

Copy link
Contributor

MilhouseVH commented Feb 11, 2017

I think this needs a rebase - it currently won't apply on top of master.

@lrusak lrusak force-pushed the lrusak:openssl branch from 057845f to 7bdbed1 Feb 11, 2017

@lrusak

This comment has been minimized.

Copy link
Member Author

lrusak commented Feb 11, 2017

rebased

the issue with debug builds is building kodi with GOLD on x86_64. I'm not sure how to fix that yet.

@stefansaraev

This comment has been minimized.

Copy link
Contributor

stefansaraev commented Feb 12, 2017

huh! why is this ?

@MilhouseVH

This comment has been minimized.

Copy link
Contributor

MilhouseVH commented Feb 12, 2017

A 20-year root CA will be causing problems in less than 10 months on 32-bit Linux with LibreSSL: libressl-portable/portable#207

We're already seeing these kinds of problems - any certificate with a post-2038 expiry date cannot be verified by LibreSSL on 32-bit Linux. LibreSSL have no plans to fix this (having purposefully removed the OpenSSL workaround for 32-bit platforms), so to verify these post-2038 certs on 32-bit Linux will require an ABI update (in the works but no estimate other than "before 2038"). Alternatively, we switch back to OpenSSL.

Bear in mind that 20 year expiry dates on root CAs is not that uncommon, and 2038 is less than 21 years from now... so unless the Linux 32-bit ABI is updated between now and the end of the year with 64-bit time_t, using LibreSSL to verify certificates will start to become a much bigger issue in less than 10 months time.

We also have another issue with LibreSSL relating to a DAZN addon that fails to verify an upstream server hosting widevine keys - accessing this same server is not a problem with OpenSSL.

I also think some of the other Qt based projects have requested the option of building with OpenSSL as Qt does not support LibreSSL.

So in short, bye bye LibreSSL.

@stefansaraev

This comment has been minimized.

Copy link
Contributor

stefansaraev commented Feb 12, 2017

lol. okay :)

@lrusak

This comment has been minimized.

Copy link
Member Author

lrusak commented Feb 28, 2017

is this still something we want?

@chewitt

This comment has been minimized.

Copy link
Member

chewitt commented Mar 10, 2017

@lrusak can you rebase please, let's bite the bullet

@lrusak lrusak force-pushed the lrusak:openssl branch from 7bdbed1 to 62586fa Mar 10, 2017

@lrusak

This comment has been minimized.

Copy link
Member Author

lrusak commented Mar 10, 2017

rebased

lrusak added some commits Mar 14, 2017

@lrusak lrusak force-pushed the lrusak:openssl branch from 62586fa to 8b34241 Mar 14, 2017

@lrusak

This comment has been minimized.

Copy link
Member Author

lrusak commented Mar 14, 2017

This is good to go however before building all the add-ons I'd like to try bumping openssl to 1.1.0e first to see if we can build everything with that.

@MilhouseVH
Copy link
Contributor

MilhouseVH left a comment

We'll merge as it is now, which works, and we can bump to 1.1.0e later

@MilhouseVH MilhouseVH merged commit 82b6c4c into LibreELEC:master Mar 14, 2017

@MilhouseVH

This comment has been minimized.

Copy link
Contributor

MilhouseVH commented Apr 8, 2017

A recent post on Y2038 progress in Linux: https://lwn.net/Articles/717076/

Any 32-bit ABI change still looks several years off to me.

@dagwieers

This comment has been minimized.

Copy link
Contributor

dagwieers commented May 28, 2017

So LibreELEC v8.0.2 was released, but this does not seem to have been fixed ? So a few add-ons are still broken (and have been for many months now). Can we please get this fixed ASAP in the v8.0 branch ?

@lrusak

This comment has been minimized.

Copy link
Member Author

lrusak commented May 28, 2017

@dagwieers it's not exactly simple. To change the ssl version requires rebuilding all the addons and will break backwards compatibility. So it's better left for a major versions bump. Or possibly 8.2.0 if there is one.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
You can’t perform that action at this time.