Bug 64419 - Build problem with tomcat-native on FreeBSD 11.3/LibreSSL
Status: RESOLVED FIXED
Alias: None
Product: Tomcat Native
Classification: Unclassified
Component: Library
Version: 1.2.23
Hardware: PC FreeBSD
Importance: P2 regression
Target Milestone: ---
Assignee: Tomcat Developers Mailing List
Reported: 2020-05-10 22:25 UTC by gessel
Modified: 2020-05-13 12:34 UTC

Attachments
work directory of failed build (408.33 KB, application/octet-stream)
2020-05-10 22:30 UTC, gessel

Description gessel 2020-05-10 22:25:58 UTC
--- src/ssl.lo ---
In file included from src/ssl.c:24:
./include/ssl_private.h:220:9: warning: 'OPENSSL_VERSION' macro redefined [-Wmacro-redefined]
#define OPENSSL_VERSION                  SSLEAY_VERSION
        ^
/usr/local/include/openssl/crypto.h:329:9: note: previous definition is here
#define OPENSSL_VERSION         0
        ^
src/ssl.c:301:9: warning: implicit declaration of function 'SSL_CTX_set_keylog_callback' is invalid in C99 [-Wimplicit-function-declaration]
        SSL_CTX_set_keylog_callback(ctx, ssl_keylog_callback);
        ^
src/ssl.c:789:41: error: use of undeclared identifier 'thread_exit_key'; did you mean 'pthread_exit'?
    err = apr_threadkey_private_create(&thread_exit_key, _ssl_thread_exit,
                                        ^~~~~~~~~~~~~~~
                                        pthread_exit
/usr/include/pthread.h:215:7: note: 'pthread_exit' declared here
void            pthread_exit(void *) __dead2;
                ^
src/ssl.c:789:58: error: use of undeclared identifier '_ssl_thread_exit'
    err = apr_threadkey_private_create(&thread_exit_key, _ssl_thread_exit,
                                                         ^
src/ssl.c:796:5: error: use of undeclared identifier 'threadkey_initialized'
    threadkey_initialized = 1;
    ^
src/ssl.c:799:5: warning: implicit declaration of function 'ssl_thread_setup' is invalid in C99 [-Wimplicit-function-declaration]
    ssl_thread_setup(tcn_global_pool);
    ^
3 warnings and 3 errors generated.
*** [src/ssl.lo] Error code 1

FreeBSD 11.3-RELEASE-p8 #0 r360490


1.2.23 compiled successfully, but 1.2.24 is throwing errors.

tomcat-native-1.2.23               <   needs updating (index has 1.2.24)
Comment 1 gessel 2020-05-10 22:30:41 UTC
Created attachment 37223
work directory of failed build

.7z file - tar.gz was over 1MB
Comment 2 Michael Osipov 2020-05-11 09:59:43 UTC
As previously discussed with gessel and the Port maintainer of libtcnative, the code works with OpenSSL. We don't have an official position on LibreSSL.

I will look into this later today.
Comment 3 Michael Osipov 2020-05-11 12:05:49 UTC
OK, there are several issues here. They aren't FreeBSD specific, but the issue is the incomplete LibreSSL coverage:

> ./include/ssl_private.h:220:9: warning: 'OPENSSL_VERSION' macro redefined [-Wmacro-redefined]
> #define OPENSSL_VERSION                  SSLEAY_VERSION
>         ^
> /usr/local/include/openssl/crypto.h:329:9: note: previous definition is here
> #define OPENSSL_VERSION         0
>         ^

The ifdef around this block assumes that LibreSSL at some point did not have these definitions.

> src/ssl.c:301:9: warning: implicit declaration of function 'SSL_CTX_set_keylog_callback' is invalid in C99
>       [-Wimplicit-function-declaration]
>         SSL_CTX_set_keylog_callback(ctx, ssl_keylog_callback);
>         ^

LibreSSL does not support this. This patch solves the issue:
> diff --git a/native/include/ssl_private.h b/native/include/ssl_private.h
> index d88e393d..26495e46 100644
> --- a/native/include/ssl_private.h
> +++ b/native/include/ssl_private.h
> @@ -241,7 +241,7 @@
>  #define TLS_server_method                SSLv23_server_method
>  #endif /* OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER) */
> 
> -#if OPENSSL_VERSION_NUMBER >= 0x10101000L
> +#if OPENSSL_VERSION_NUMBER >= 0x10101000L && !defined(LIBRESSL_VERSION_NUMBER)
>  #define HAVE_KEYLOG_CALLBACK
>  #endif
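
Review bot: the added !defined(LIBRESSL_VERSION_NUMBER) condition on the HAVE_KEYLOG_CALLBACK guard has no comment saying why LibreSSL is excluded, and it excludes every LibreSSL release regardless of version. Please add a short comment on the #if line stating that LibreSSL passes the OPENSSL_VERSION_NUMBER >= 0x10101000L test without providing SSL_CTX_set_keylog_callback, and consider replacing the version arithmetic with a configure-time check for that function so the guard follows what the library actually exports. As a style point, the closing #endif here carries no trailing comment, unlike the #endif /* ... */ two lines above it.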

> src/ssl.c:789:41: error: use of undeclared identifier 'thread_exit_key'; did you mean 'pthread_exit'?
>     err = apr_threadkey_private_create(&thread_exit_key, _ssl_thread_exit,
>                                         ^~~~~~~~~~~~~~~
>                                         pthread_exit
> /usr/include/pthread.h:215:7: note: 'pthread_exit' declared here
> void            pthread_exit(void *) __dead2;
>                 ^
> src/ssl.c:789:58: error: use of undeclared identifier '_ssl_thread_exit'
>     err = apr_threadkey_private_create(&thread_exit_key, _ssl_thread_exit,
>                                                          ^
> src/ssl.c:796:5: error: use of undeclared identifier 'threadkey_initialized'
>     threadkey_initialized = 1;
>     ^
> src/ssl.c:799:5: warning: implicit declaration of function 'ssl_thread_setup' is invalid in C99
>       [-Wimplicit-function-declaration]
>     ssl_thread_setup(tcn_global_pool);
>     ^

As sad as it seems. With the ifdefs around threaded init and OpenSSL 1.1.0+ the coverage of LibreSSL seems to be incomplete because LibreSSL reports OpenSSL version 0.

To solve this properly, we need to do the following:

* Require a minimum LibreSSL
* Test for that LibreSSL version in ./configure
* Figure out whether LibreSSL inits threading itself like OpenSSL 1.1.0+
* Revise code blocks for LibreSSL compat:
> [mosipov@mika-ion ~/Projekte/tomcat-native/native]$ grep -r "OPENSSL_VERSION_NUMBER < 0x10100000L" .
> ./include/ssl_private.h:#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)
> ./include/ssl_private.h:#endif /* OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER) */
> ./include/ssl_private.h:#if (OPENSSL_VERSION_NUMBER < 0x10100000L) && ! (defined(WIN32) || defined(WIN64))
> ./src/ssl.c:#if OPENSSL_VERSION_NUMBER < 0x10100000L
> ./src/ssl.c:#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)
> ./src/ssl.c:#if OPENSSL_VERSION_NUMBER < 0x10100000L && ! (defined(WIN32) || defined(WIN64))
> ./src/ssl.c:#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)
> ./src/ssl.c:#if OPENSSL_VERSION_NUMBER < 0x10100000L
> ./src/ssl.c:#if OPENSSL_VERSION_NUMBER < 0x10100000L
> ./src/ssl.c:#if !defined(OPENSSL_NO_ENGINE) || OPENSSL_VERSION_NUMBER < 0x10100000L
> ./src/ssl.c:#if OPENSSL_VERSION_NUMBER < 0x10100000L
> ./src/ssl.c:#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)
> ./src/ssl.c:#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)
> ./src/sslcontext.c:#if OPENSSL_VERSION_NUMBER < 0x10100000L
> ./src/sslcontext.c:#endif /* if OPENSSL_VERSION_NUMBER < 0x10100000L */
> ./src/sslcontext.c:#if OPENSSL_VERSION_NUMBER < 0x10100000L
> ./src/sslcontext.c:#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)
> ./src/sslcontext.c:#else /* if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER) */
> ./src/sslcontext.c:#endif /* if OPENSSL_VERSION_NUMBER < 0x10100000L */
> ./src/sslcontext.c:#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)
> ./src/sslcontext.c:#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)
> ./src/sslcontext.c:#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)
> ./src/sslcontext.c:#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)
> ./src/sslcontext.c:#if (OPENSSL_VERSION_NUMBER < 0x10100000L)
> ./src/sslcontext.c:#if (OPENSSL_VERSION_NUMBER < 0x10100000L)
> ./src/sslcontext.c:#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)
> ./src/sslcontext.c:#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)
> ./src/sslcontext.c:#if OPENSSL_VERSION_NUMBER < 0x10100000L
> ./src/sslcontext.c:#if OPENSSL_VERSION_NUMBER < 0x10100000L
> ./src/sslcontext.c:#if OPENSSL_VERSION_NUMBER < 0x10100000L
> ./src/sslinfo.c:#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)
> ./src/sslutils.c:#if OPENSSL_VERSION_NUMBER < 0x10100000L
> ./src/sslutils.c:#if OPENSSL_VERSION_NUMBER < 0x10100000L
Comment 4 Michael Osipov 2020-05-11 12:12:44 UTC
This is what LibreSSL 3.1.1 defines:

> [mosipov@mika-ion ~/Projekte/tomcat-native/native]$ grep -ri -E -e '#define .+_version'  /usr/local/include/openssl/
> /usr/local/include/openssl/crypto.h:#define SSLEAY_VERSION_NUMBER       OPENSSL_VERSION_NUMBER
> /usr/local/include/openssl/crypto.h:#define SSLEAY_VERSION              0
> /usr/local/include/openssl/crypto.h:#define OPENSSL_VERSION             0
> /usr/local/include/openssl/opensslv.h:#define LIBRESSL_VERSION_NUMBER 0x3010100fL
> /usr/local/include/openssl/opensslv.h:#define LIBRESSL_VERSION_TEXT   "LibreSSL 3.1.1"
> /usr/local/include/openssl/opensslv.h:#define OPENSSL_VERSION_NUMBER    0x20000000L
> /usr/local/include/openssl/opensslv.h:#define OPENSSL_VERSION_TEXT      LIBRESSL_VERSION_TEXT
> /usr/local/include/openssl/opensslv.h:#define OPENSSL_VERSION_PTEXT     " part of " OPENSSL_VERSION_TEXT
> /usr/local/include/openssl/opensslv.h:#define SHLIB_VERSION_HISTORY ""
> /usr/local/include/openssl/opensslv.h:#define SHLIB_VERSION_NUMBER "1.0.0"
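
How the guard forms listed in Comment 3 evaluate against the header values shown in Comment 4, as an added example that is not part of the original thread or of tomcat-native. The two version defines are copied from that grep output; the helper names and the MNNFFPPS decoding helper are assumptions made for illustration.

```c
/* Added example, not tomcat-native code. No OpenSSL headers are included. */
#include <stdio.h>
/* Values copied from the LibreSSL 3.1.1 header output in Comment 4. */
#define OPENSSL_VERSION_NUMBER  0x20000000L
#define LIBRESSL_VERSION_NUMBER 0x3010100fL

/* Form A from the grep in Comment 3: plain version test. */
#if OPENSSL_VERSION_NUMBER < 0x10100000L
#define LEGACY_PLAIN 1
#else
#define LEGACY_PLAIN 0
#endif
/* Form B from the same grep: LibreSSL is forced onto the pre-1.1.0 path. */
#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)
#define LEGACY_LIBRESSL 1
#else
#define LEGACY_LIBRESSL 0
#endif
/* Keylog guard before and after the patch in Comment 3. */
#if OPENSSL_VERSION_NUMBER >= 0x10101000L
#define KEYLOG_BEFORE 1
#else
#define KEYLOG_BEFORE 0
#endif
#if OPENSSL_VERSION_NUMBER >= 0x10101000L && !defined(LIBRESSL_VERSION_NUMBER)
#define KEYLOG_AFTER 1
#else
#define KEYLOG_AFTER 0
#endif

int legacy_plain(void)    { return LEGACY_PLAIN; }    /* form A takes the 1.1.0+ path */
int legacy_libressl(void) { return LEGACY_LIBRESSL; } /* form B takes the legacy path */
int keylog_before(void)   { return KEYLOG_BEFORE; }
int keylog_after(void)    { return KEYLOG_AFTER; }

/* Split an MNNFFPPS version number into major/minor/fix (hypothetical helper
 * for a minimum-version test such as the one proposed in Comment 3). */
void decode_version(unsigned long v, int *major, int *minor, int *fix) {
    *major = (int)((v >> 28) & 0xf);
    *minor = (int)((v >> 20) & 0xff);
    *fix   = (int)((v >> 12) & 0xff);
}

int main(void) {
    int ma, mi, fx;
    decode_version(LIBRESSL_VERSION_NUMBER, &ma, &mi, &fx);
    printf("LibreSSL %d.%d.%d: legacyA=%d legacyB=%d keylog %d->%d\n", ma, mi, fx,
           legacy_plain(), legacy_libressl(), keylog_before(), keylog_after());
    return 0;
}
```

Forms A and B select opposite branches for the same headers, so a symbol declared under one form and referenced under the other is missing on LibreSSL, which is one way mixed guards can lead to undeclared-identifier errors like those in the build log.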
Comment 5 Michael Osipov 2020-05-11 13:03:04 UTC
As soon as I revert b8649e81458194d70667952d9e26df82a79c773f, I only see the following and the code compiles:

> ./include/ssl_private.h:220:9: warning: 'OPENSSL_VERSION' macro redefined [-Wmacro-redefined]
> #define OPENSSL_VERSION                  SSLEAY_VERSION
>         ^
> /usr/local/include/openssl/crypto.h:329:9: note: previous definition is here
> #define OPENSSL_VERSION         0
>         ^
> src/ssl.c:301:9: warning: implicit declaration of function 'SSL_CTX_set_keylog_callback' is invalid in C99
>       [-Wimplicit-function-declaration]
>         SSL_CTX_set_keylog_callback(ctx, ssl_keylog_callback);
>         ^

It pretty much seems that the change was incomplete -- as assumed.

Shall we revert for now?
Comment 6 gessel 2020-05-13 11:43:25 UTC
tomcat-native-1.2.24_1 builds successfully, thank you!
Comment 7 Michael Osipov 2020-05-13 12:34:11 UTC
I will supersede this ticket with a new, general one. Downstream patches have been applied, but upstream is still broken.