diff --git a/.sai.json b/.sai.json
index 8ef479b40..6af699b2e 100644
--- a/.sai.json
+++ b/.sai.json
@@ -129,6 +129,10 @@
 "cmake": "cmake .. -DLWS_WITH_BORINGSSL=1 -DLWS_OPENSSL_INCLUDE_DIRS=\"/usr/local/src/boringssl/include\" -DLWS_OPENSSL_LIBRARIES=\"/usr/local/src/boringssl/build/ssl/libssl.so;/usr/local/src/boringssl/build/crypto/libcrypto.so\" -DLWS_WITH_MINIMAL_EXAMPLES=1",
 "platforms": "none,linux-fedora-32/x86_64-amd/gcc"
 },
+ "default-examples-libressl": {
+ "cmake": "cmake .. -DLWS_OPENSSL_LIBRARIES='/opt/libressl-3.3.1/build/tls/libtls.a;/opt/libressl-3.3.1/build/ssl/libssl.a;/opt/libressl-3.3.1/build/crypto/libcrypto.a' -DLWS_OPENSSL_INCLUDE_DIRS=/opt/libressl-3.3.1/include -DLWS_WITH_MINIMAL_EXAMPLES=1",
+ "platforms": "none,linux-fedora-32/x86_64-amd/gcc"
+ },
 "default-wolfssl": {
 "cmake": "-DLWS_WITH_WOLFSSL=1 -DLWS_WOLFSSL_INCLUDE_DIRS=/usr/local/include -DLWS_WOLFSSL_LIBRARIES=/usr/local/lib/libwolfssl.so",
 "platforms": "none,linux-fedora-32/x86_64-amd/gcc"
diff --git a/READMEs/README.libressl.md b/READMEs/README.libressl.md
new file mode 100644
index 000000000..b794f3b72
--- /dev/null
+++ b/READMEs/README.libressl.md
@@ -0,0 +1,66 @@
+## Background
+
+libressl is another fork of Openssl.
+
+## Example build for libressl itself
+
+If you unpack or clone into `/path/to/libressl` and enter that dir...
+
+```
+$ mkdir build
+$ cd build
+$ cmake ..
+$ make -j8
+```
+
+## Example build for lws against libressl
+
+You can just build lws as you would for a specific version of openssl
+
+```
+$ mkdir build
+$ cd build
+$ cmake .. -DLWS_OPENSSL_LIBRARIES='/path/to/libressl/build/tls/libtls.a;/path/to/libressl/build/ssl/libssl.a;/path/to//libressl/build/crypto/libcrypto.a' -DLWS_OPENSSL_INCLUDE_DIRS=/path/to/libressl/include -DLWS_WITH_MINIMAL_EXAMPLES=1
+$ make -j8
+```
+
+Libressl by default will look for a trust bundle in `/usr/local/etc/ssl/cert.pem`, you either have to
+symlink this to your trust bundle if that doesnt happen to be where it is, or give your app the trusted CA
+specifically as is done for MBEDTLS and WOLFSSL in the examples.
+
+In Fedora, the system trust store can be found at `/etc/pki/tls/cert.pem`, so you can symlink it
+
+```
+$ sudo mkdir -p /usr/local/etc/ssl
+$ sudo ln -sf /etc/pki/tls/cert.pem /usr/local/etc/ssl/cert.pem
+```
+
+after that you can run examples from the build dir, eg,
+
+```
+$ ./bin/lws-minimal-http-client
+[2021/02/08 20:10:52:0781] U: LWS minimal http client [-d] [-l] [--h1]
+[2021/02/08 20:10:52:0784] N: LWS: 4.1.99-v4.1.0-269-g762ef33fca, loglevel 1031
+[2021/02/08 20:10:52:0784] N: NET CLI SRV H1 H2 WS IPv6-absent
+[2021/02/08 20:10:52:0786] N: ++ [wsi|0|pipe] (1)
+[2021/02/08 20:10:52:0787] N: ++ [vh|0|netlink] (1)
+[2021/02/08 20:10:52:0802] N: ++ [vh|1|default] (2)
+[2021/02/08 20:10:52:1850] N: ++ [wsicli|0|GET/h1/warmcat.com] (1)
+[2021/02/08 20:10:52:2982] N: ++ [mux|0|h2_sid1_(wsicli|0|GET/h1/warmcat.com)] (1)
+[2021/02/08 20:10:52:3271] U: Connected to 46.105.127.147, http response: 200
+[2021/02/08 20:10:52:3335] U: RECEIVE_CLIENT_HTTP_READ: read 4087
+[2021/02/08 20:10:52:3335] U: RECEIVE_CLIENT_HTTP_READ: read 4096
+[2021/02/08 20:10:52:3526] U: RECEIVE_CLIENT_HTTP_READ: read 4087
+[2021/02/08 20:10:52:3526] U: RECEIVE_CLIENT_HTTP_READ: read 4096
+[2021/02/08 20:10:52:3543] U: RECEIVE_CLIENT_HTTP_READ: read 4087
+[2021/02/08 20:10:52:3543] U: RECEIVE_CLIENT_HTTP_READ: read 4096
+[2021/02/08 20:10:52:3545] U: RECEIVE_CLIENT_HTTP_READ: read 3502
+[2021/02/08 20:10:52:3546] U: LWS_CALLBACK_COMPLETED_CLIENT_HTTP
+[2021/02/08 20:10:52:3546] N: -- [wsi|0|pipe] (0) 276.019ms
+[2021/02/08 20:10:52:3547] N: -- [mux|0|h2_sid1_(wsicli|0|GET/h1/warmcat.com)] (0) 56.417ms
+[2021/02/08 20:10:52:3566] N: -- [vh|1|default] (1) 276.384ms
+[2021/02/08 20:10:52:3566] N: -- [wsicli|0|GET/h1/warmcat.com|default|h2|h2] (0) 171.599ms
+[2021/02/08 20:10:52:3567] N: -- [vh|0|netlink] (0) 277.974ms
+[2021/02/08 20:10:52:3567] U: Completed: OK
+```
+
diff --git a/lib/tls/CMakeLists.txt b/lib/tls/CMakeLists.txt
index 1ea42d373..a499b3308 100644
--- a/lib/tls/CMakeLists.txt
+++ b/lib/tls/CMakeLists.txt
@@ -304,7 +304,7 @@ CHECK_FUNCTION_EXISTS(${VARIA}EVP_aes_256_cfb128 LWS_HAVE_EVP_aes_256_cfb128 PAR
 CHECK_FUNCTION_EXISTS(${VARIA}EVP_aes_128_xts LWS_HAVE_EVP_aes_128_xts PARENT_SCOPE)
 CHECK_FUNCTION_EXISTS(${VARIA}RSA_verify_pss_mgf1 LWS_HAVE_RSA_verify_pss_mgf1 PARENT_SCOPE)
 CHECK_FUNCTION_EXISTS(${VARIA}HMAC_CTX_new LWS_HAVE_HMAC_CTX_new PARENT_SCOPE)
-CHECK_FUNCTION_EXISTS(${VARIA}SSL_CTX_set_ciphersuites LWS_HAVE_SSL_CTX_set_ciphersuites PARENT_SCOPE)
+CHECK_SYMBOL_EXISTS(${VARIA}SSL_CTX_set_ciphersuites LWS_HAVE_SSL_CTX_set_ciphersuites PARENT_SCOPE)
 CHECK_FUNCTION_EXISTS(${VARIA}EVP_PKEY_new_raw_private_key LWS_HAVE_EVP_PKEY_new_raw_private_key PARENT_SCOPE)
 
 if (LWS_WITH_SSL AND NOT LWS_WITH_MBEDTLS)
diff --git a/lib/tls/openssl/openssl-client.c b/lib/tls/openssl/openssl-client.c
index ad7d2de7b..1c6e08a05 100644
--- a/lib/tls/openssl/openssl-client.c
+++ b/lib/tls/openssl/openssl-client.c
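Review bot: The new `CHECK_SYMBOL_EXISTS` line keeps the two-argument shape of `CHECK_FUNCTION_EXISTS`, but `check_symbol_exists` takes `(<symbol> <files> <variable>)`, so here `LWS_HAVE_SSL_CTX_set_ciphersuites` is consumed as the header list and `PARENT_SCOPE` as the result variable; the include of a non-existent header makes the probe fail, `LWS_HAVE_SSL_CTX_set_ciphersuites` is never set, and whatever code that guard enables (not visible in this hunk) is compiled out on every TLS backend, not just LibreSSL. The line should name the declaring header and the real result variable, `CHECK_SYMBOL_EXISTS(${VARIA}SSL_CTX_set_ciphersuites "openssl/ssl.h" LWS_HAVE_SSL_CTX_set_ciphersuites)`, and the probe only finds that header if `CMAKE_REQUIRED_INCLUDES` already carries the configured TLS include directory, which I cannot confirm from this hunk. A one-line comment above it, such as `# symbol check, not link check: LibreSSL may provide this as a macro or stub`, would record why this probe alone differs from its neighbours; I am inferring that motivation from the commit, so adjust the wording if the reason is different.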
@@ -762,7 +762,8 @@ lws_tls_client_create_vhost_context(struct lws_vhost *vh,
 #if defined(LWS_WITH_BORINGSSL)
 (uint32_t)
 #else
-#if (OPENSSL_VERSION_NUMBER >= 0x10003000l) /* not documented by openssl */
+#if (OPENSSL_VERSION_NUMBER >= 0x10003000l) && \
+ !defined(LIBRESSL_VERSION_NUMBER) /* not documented by openssl */
 (unsigned long)
 #else
 (long)
@@ -778,7 +779,8 @@ lws_tls_client_create_vhost_context(struct lws_vhost *vh,
 #if defined(LWS_WITH_BORINGSSL)
 (uint32_t)
 #else
-#if (OPENSSL_VERSION_NUMBER >= 0x10003000l) /* not documented by openssl */
+#if (OPENSSL_VERSION_NUMBER >= 0x10003000l) && \
+ !defined(LIBRESSL_VERSION_NUMBER) /* not documented by openssl */
 (unsigned long)
 #else
 (long)
diff --git a/lib/tls/openssl/openssl-server.c b/lib/tls/openssl/openssl-server.c
index d7b4b2078..3923f1453 100644
--- a/lib/tls/openssl/openssl-server.c
+++ b/lib/tls/openssl/openssl-server.c
@@ -581,7 +581,7 @@ lws_tls_server_vhost_backend_init(const struct lws_context_creation_info *info,
 #if defined(LWS_WITH_BORINGSSL)
 (uint32_t)
 #else
-#if (OPENSSL_VERSION_NUMBER >= 0x10003000l) /* not documented by openssl */
+#if (OPENSSL_VERSION_NUMBER >= 0x10003000l) && !defined(LIBRESSL_VERSION_NUMBER) /* not documented by openssl */
 (unsigned long)
 #else
 (long)
@@ -597,7 +597,7 @@ lws_tls_server_vhost_backend_init(const struct lws_context_creation_info *info,
 #if defined(LWS_WITH_BORINGSSL)
 (uint32_t)
 #else
-#if (OPENSSL_VERSION_NUMBER >= 0x10003000l) /* not documented by openssl */
+#if (OPENSSL_VERSION_NUMBER >= 0x10003000l) && !defined(LIBRESSL_VERSION_NUMBER)/* not documented by openssl */
 (unsigned long)
 #else
 (long)
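Review bot: The new `!defined(LIBRESSL_VERSION_NUMBER)` clause is hand-copied into four `#if` chains — both hunks in openssl-client.c and the two at lines 581 and 597 of openssl-server.c — and the copies already drift: the client copies continue the condition with a backslash, the server copies keep it on one line, and the second server copy has no space before `/* not documented by openssl */`. Since all four chains select the same cast type by the same three-way condition, defining that cast once in a shared private header (one macro expanding to `(uint32_t)`, `(unsigned long)` or `(long)`) and using the macro at each site would keep the LibreSSL rule from being missed at one site on the next such fix. The existing comment on the changed line no longer explains the new clause; a replacement such as `/* OpenSSL >= 1.0.3 takes unsigned long (undocumented); LibreSSL reports a 0x2... OPENSSL_VERSION_NUMBER but keeps long */` would, if that is indeed the reason, which I am inferring from the cast the new condition selects. `lws_tls_client_create_vhost_context` and `lws_tls_server_vhost_backend_init` both start and end outside these hunks, so the expression being cast is not visible here.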