[erlang-questions] building OTP with OpenSSL 1.1.0

Andreas Schultz aschultz@REDACTED
Mon Sep 12 09:18:23 CEST 2016


Hi Sergey, 

> From: "Sergey Kachanovskiy" <sergey.kachanovskiy@REDACTED>
> To: erlang-questions@REDACTED
> Sent: Sunday, September 11, 2016 5:38:00 PM
> Subject: [erlang-questions] building OTP with OpenSSL 1.1.0

> Good day everyone,
> just trying to build 19.0.5 (and then 18.3.4.4 - as PoC) against OpenSSL 1.1.0
> (released recently), and it doesn't build for me. Did anyone have luck with
> such exercise?
> platform is Ubuntu 16.04.1, if that matters...
> here's what I see:
> 1) 1.1.0 does seem to have Kerberos5 support removed, hence configure, checking
> whether OpenSSL has KRB5 support enabled and doing it by relying on a fact that
> in case of no such support OPENSSL_NO_KRB5 is going to be defined (assuming
> this symbol not being defined means KRB5 support is enabled), sees no such
> symbol, and wrongly assumes there's KRB5 support compiled into OpenSSL, and
> looks for krb5.h in "known locations", does not find it there, and disables
> crypto/ssl/ssh applications. An ifndef changed to ifdef in erts/configure
> around line 22590 is a quick fix to let it continue.
> 2) OTP's lib/crypto/c_src/crypto.c wants "openssl/chacha.h" and
> "openssl/poly1305.h", which do not exist in OpenSSL 1.1.0 source. There are
> chacha.h and poly1305.h in crypto/include/internal, but they don't seem to be
> what OTP's crypto.c wants, as they don't contain required functions (like
> CRYPTO_chacha_20, for example)...1.0.2h, the last of OpenSSL's 1.0.x versions,
> simply does not have support for Chacha20/Poly1305, hence OTP compiles ok.
> what looks promising is BoringSSL (from Google) and LibreSSL, both seem to have
> required functions, but I wasn't able to find any signs of OTP built/tested
> against anything except OpenSSL. What do you use for SSL to build your OTP,
> please? Is use of LibreSSL/BoringSSL supported for OTP?

I did the original test for chacha with LibreSSL. At that time, OpenSSL did not have any of the required headers. When they decided to add ChaCha, they only added the EVP interface for it and left the other methods as private.

So, for the moment, if you want working ChaCha20/Poly1305 support, you have to use LibreSSL. 

For the future, someone has to port the ChaCha20 function for the EVP interface for them to work. 

Andreas 

> As always, crossing fingers I simply missed some small point and/or did
> something wrong, and everything works, and someone's just gonna point me out my
> mistakes :)
> Thanks.
> Best regards,
> Sergey.
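
The KRB5 detection problem from point 1 of the quoted message, as an added example that is not part of the original thread and not OTP's configure code: it treats a missing OPENSSL_NO_KRB5 as meaningful only for headers older than 1.1.0. The function names and the sample header fragments are constructed for illustration, and reading the headers with sed/grep stands in for the preprocessor test a configure script would run.

```shell
#!/bin/sh
# Added example (not OTP's configure): decide whether krb5.h is required,
# based on the OpenSSL headers found under an include directory.

# Print OPENSSL_VERSION_NUMBER as bare hex digits, e.g. 1010000f.
openssl_version_hex() {
    sed -n 's/^[[:space:]]*#[[:space:]]*define[[:space:]][[:space:]]*OPENSSL_VERSION_NUMBER[[:space:]][[:space:]]*0x\([0-9A-Fa-f][0-9A-Fa-f]*\).*/\1/p' \
        "$1/openssl/opensslv.h" | head -n 1
}

# Print "yes" if a build against the headers in $1 needs krb5.h, else "no".
needs_krb5() {
    ver=$(openssl_version_hex "$1")
    [ -n "$ver" ] || { echo "unknown"; return 1; }
    # 1.1.0 and later: Kerberos support is removed, so the absence of
    # OPENSSL_NO_KRB5 says nothing and must not be read as "enabled".
    if [ $((0x$ver)) -ge $((0x10100000)) ]; then
        echo "no"; return 0
    fi
    # Before 1.1.0 the macro is meaningful: defined means KRB5 is compiled out.
    if grep -Eq '^[[:space:]]*#[[:space:]]*define[[:space:]]+OPENSSL_NO_KRB5' \
        "$1/openssl/opensslconf.h"; then
        echo "no"
    else
        echo "yes"
    fi
}

# Write constructed header fragments (not copied from a real install).
make_sample() {  # make_sample DIR VERSION_HEX [OPENSSLCONF_LINE]
    mkdir -p "$1/openssl"
    printf '# define OPENSSL_VERSION_NUMBER  0x%sL\n' "$2" > "$1/openssl/opensslv.h"
    printf '%s\n' "$3" > "$1/openssl/opensslconf.h"
}

demo() {
    d=$(mktemp -d) || return 1
    make_sample "$d/old_nokrb" 1000208f '# define OPENSSL_NO_KRB5'
    make_sample "$d/old_krb"   1000208f
    make_sample "$d/new"       1010000f
    for c in old_nokrb old_krb new; do
        printf '%s: %s\n' "$c" "$(needs_krb5 "$d/$c")"
    done
    rm -rf "$d"
}
demo
```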
