<html><body><div style="font-family: arial, helvetica, sans-serif; font-size: 12pt; color: #000000"><div>Hi Sergey,</div><div><br></div><hr id="zwchr" data-marker="__DIVIDER__"><div data-marker="__HEADERS__"><blockquote style="border-left:2px solid #1010FF;margin-left:5px;padding-left:5px;color:#000;font-weight:normal;font-style:normal;text-decoration:none;font-family:Helvetica,Arial,sans-serif;font-size:12pt;"><b>From: </b>"Sergey Kachanovskiy" &lt;sergey.kachanovskiy@gmx.de&gt;<br><b>To: </b>erlang-questions@erlang.org<br><b>Sent: </b>Sunday, September 11, 2016 5:38:00 PM<br><b>Subject: </b>[erlang-questions] building OTP with OpenSSL 1.1.0<br></blockquote></div><div data-marker="__QUOTED_TEXT__"><blockquote style="border-left:2px solid #1010FF;margin-left:5px;padding-left:5px;color:#000;font-weight:normal;font-style:normal;text-decoration:none;font-family:Helvetica,Arial,sans-serif;font-size:12pt;"><div style="font-family: Verdana;font-size: 12.0px;"><div>Good day everyone,</div><div>just trying to build 19.0.5 (and then 18.3.4.4 - as PoC) against OpenSSL 1.1.0 (released recently), and it doesn't build for me. Did anyone have luck with such exercise?</div><div>platform is Ubuntu 16.04.1, if that matters...</div><div>here's what I see:</div><div>1) 1.1.0 does seem to have Kerberos5 support removed, hence configure, checking whether OpenSSL has KRB5 support enabled and doing it by relying on a fact that in case of no such support OPENSSL_NO_KRB5 is going to be defined (assuming this symbol not being defined means KRB5 support is enabled), sees no such symbol, and wrongly assumes there's KRB5 support compiled into OpenSSL, and looks for krb5.h in "known locations", does not find it there, and disables crypto/ssl/ssh applications. An ifndef changed to ifdef in erts/configure around line 22590 is a quick fix to let it continue.</div><div>2) OTP's lib/crypto/c_src/crypto.c wants "openssl/chacha.h" and "openssl/poly1305.h", which do not exist in OpenSSL 1.1.0 source.
There are chacha.h and poly1305.h in crypto/include/internal, but they don't seem to be what OTP's crypto.c wants, as they don't contain required functions (like CRYPTO_chacha_20, for example)...1.0.2h, the last of OpenSSL's 1.0.x versions, simply does not have support for Chacha20/Poly1305, hence OTP compiles ok.</div><div>what looks promising is BoringSSL (from Google) and LibreSSL, both seem to have required functions, but I wasn't able to find any signs of OTP built/tested against anything except OpenSSL. What do you use for SSL to build your OTP, please? Is use of LibreSSL/BoringSSL supported for OTP?</div></div></blockquote><div><br></div><div>I did the original test for chacha with LibreSSL. At that time, openssl did not have any of the required headers. When they decided to add ChaCha, they only added the EVP interface for it and left the other methods as privates.</div><div><br data-mce-bogus="1"></div><div>So, for the moment, if you want working ChaCha20/Poly1305 support, you have to use LibreSSL.</div><div><br data-mce-bogus="1"></div><div>For the future, someone has to port the ChaCha20 function for the EVP interface for them to work.</div><div><br data-mce-bogus="1"></div><div>Andreas</div><blockquote style="border-left:2px solid #1010FF;margin-left:5px;padding-left:5px;color:#000;font-weight:normal;font-style:normal;text-decoration:none;font-family:Helvetica,Arial,sans-serif;font-size:12pt;"><div style="font-family: Verdana;font-size: 12.0px;"><div>As always, crossing fingers I simply missed some small point and/or did something wrong, and everything works, and someone's just gonna point me out my mistakes :)</div><div>Thanks.</div><div>Best regards,</div><div>Sergey.</div></div><br>_______________________________________________<br>erlang-questions mailing list<br>erlang-questions@erlang.org<br>http://erlang.org/mailman/listinfo/erlang-questions<br></blockquote></div></div></body></html>