StrawberryPerl / Perl-Dist-Strawberry

Tooling to build and package releases for Perl on Windows.
https://strawberryperl.com

OpenSSL 1.1.1 EOL #132

Open fabian-lauer opened 9 months ago

fabian-lauer commented 9 months ago

Hi,

We are currently facing a problem in one of our company projects: the IT sec team is complaining about the OpenSSL version used in StrawberryPerl.

Based on this information: https://www.openssl.org/blog/blog/2023/03/28/1.1.1-EOL/ end of life is very close.

Is there any idea or planned software release to fix this problem, e.g. changing the version to 3.x.x?

Thx. Fabian

shawnlaffan commented 9 months ago

Thanks for the report. We can have a go at building OpenSSL3. I won't have a chance until later this month, though.

The MSYS2 project have patches available that can be adapted if needed: https://github.com/msys2/MSYS2-packages/tree/master/openssl

vitusb commented 3 months ago

Using old outdated OpenSSL 1.1.1 libraries could be a security issue

I also would like to point out that the OpenSSL version 1.1.1 libraries, used in Strawberry Perl 5.38.2.2, are heavily outdated. This situation could be a security issue for all relevant package-dependencies.

I did a test build of OpenSSL 3.1.5 x64 with zlib-1.3.1 x64 under the mingw of Strawberryperl 5.38.2.2 (gcc.exe (MinGW-W64 winlibs x86_64-msvcrt-posix-seh 13.1.0)), without the "__" suffix for x64 (zlib has this suffix).

I had to apply some patches in order to use an ancient perl 5.24 version (with Unix-path support) under MSYS 1.0 and GCC from SP for running the "Configure" script of OpenSSL 3.1.5 🥵. The official patches from the openssl commit are not directly usable with OpenSSL 3.1.5 and had to be merged ... The "openssl-3.0.8-relocation.patch" did not work for me; the build was only possible when "openssl-3.0.8-relocation.patch" was not applied.

Below are the patches and the binaries, built with MinGW-W64 winlibs x86_64-msvcrt-posix-seh 13.1.0 + Msys 1.19 + an ancient perl 5.24 (be aware, this is only a PoC for testing). I was unable to build OpenSSL 3.1.5 using a modified version of the openssl-1.1.1 "mingw-builds" scripts. Last but not least, I used a manual configure line without the scripts from the "mingw-builds" sections for the old OpenSSL 1.1.1 version ... All info is in the zip file 👍🏼:

./Configure shared zlib enable-rfc3779 enable-camellia enable-capieng no-idea no-mdc2 no-rc4 no-rc5 --with-zlib-lib=./zlib --with-zlib-include=./zlib/include --prefix=c:/openssl --openssldir=c:/openssl/ssl mingw64

openssl version -a
OpenSSL 3.1.5 30 Jan 2024 (Library: OpenSSL 3.1.5 30 Jan 2024)
built on: Tue Mar 26 19:06:23 2024 UTC
platform: mingw64
options:  bn(64,64)
compiler: gcc -m64 -Wall -O3 -DL_ENDIAN -DOPENSSL_PIC -DUNICODE -D_UNICODE -DWIN32_LEAN_AND_MEAN -D_MT -DOPENSSL_BUILDING_OPENSSL -DZLIB -DNDEBUG -I./zlib/include
OPENSSLDIR: "c:/openssl/ssl"
ENGINESDIR: "c:/openssl/lib64/engines-3"
MODULESDIR: "c:/openssl/lib64/ossl-modules"
Seeding source: os-specific
CPUINFO: OPENSSL_ia32cap=0x7ffaf3bfffebffff:0x29c67af

Here are the used patches for OpenSSL 3.1.5: openssl-3.1.5-patches.zip

Here are the used patches for ZLib 1.3.1: zlib-1.3.1-patches.zip

Here are the openssl-binaries (build-extlibs/releases x64): 64bit_openssl-3.1.5-bin_20240326.zip

Here are the zlib-binaries (build-extlibs/releases x64): 64bit_zlib-1.3.1-bin_20240326.zip

It seems that there are a lot of issues when running the "Configure" Perl script with older perl versions. For details, see: https://github.com/openssl/openssl/pull/23452#issuecomment-1923776553

Which version of OpenSSL should be the new target for Strawberryperl? Any ideas?

ZLib used in gcc backend of Strawberry Perl 5.38.2.2 is vulnerable

Also, the x64 zlib DLL (zlib1__.dll) from the winlibs personal build version gcc-13.1.0-mingw-w64msvcrt-11.0.0-r5 of Strawberry Perl 5.38.2.2 is version 1.2.11.0. The "zlib1.dll" under "c/bin" is also x64 (not x86), with version 1.2.13.0, and has CVE-2022-37434 (zlib through 1.2.12) and CVE-2023-45853 (zlib through 1.3). Both scores are critical 🔥

[Screenshots attached: zlibx86, zlibx64]

The latest zlib version is zlib v1.3.1.
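The two checks raised in the comment above (OpenSSL 1.1.1 being end-of-life, and bundled zlib DLLs falling inside the CVE-2022-37434 and CVE-2023-45853 ranges) can be scripted so they run as a release gate rather than by eye. The following Python script is an added example, not code from this thread or from the Strawberry Perl project. It parses the text that `openssl version -a` prints and a table of DLL name to zlib version, and applies the "zlib through X" ranges exactly as quoted in the comment, so 1.2.11.0 is flagged for both CVEs and 1.2.13.0 only for CVE-2023-45853. The EOL date for the 1.1.1 series comes from the openssl.org blog post linked in the issue; the OpenSSL 3.1.5 sample is taken from the output above, and the 1.1.1w sample and the DLL table are constructed for the demonstration.

```python
"""Audit OpenSSL and zlib versions bundled with a Perl distribution.

Added example (not Strawberry Perl project code). Inputs are strings, so the
script runs offline; on a real install you would feed it the output of
`openssl version -a` and the file versions read from the zlib DLLs.
"""
import re
from typing import Dict, List, Tuple

# Affected zlib ranges as quoted in the issue thread ("zlib through X");
# the upper bound is inclusive.
ZLIB_ADVISORIES: List[Tuple[str, Tuple[int, ...]]] = [
    ("CVE-2022-37434", (1, 2, 12)),
    ("CVE-2023-45853", (1, 3)),
]
# Release series declared end-of-life by the linked openssl.org blog post.
EOL_SERIES = {(1, 1, 1): "EOL since 11 Sep 2023 (openssl.org blog)"}

# Sample inputs. The 3.1.5 block is the output shown in the thread; the
# 1.1.1w block and the DLL table are constructed for this example.
SAMPLE_OPENSSL_3 = """OpenSSL 3.1.5 30 Jan 2024 (Library: OpenSSL 3.1.5 30 Jan 2024)
built on: Tue Mar 26 19:06:23 2024 UTC
platform: mingw64
OPENSSLDIR: "c:/openssl/ssl"
"""
SAMPLE_OPENSSL_111 = """OpenSSL 1.1.1w  11 Sep 2023 (Library: OpenSSL 1.1.1w  11 Sep 2023)
platform: mingw64
"""
SAMPLE_ZLIB_DLLS = {"zlib1__.dll": "1.2.11.0", "c/bin/zlib1.dll": "1.2.13.0"}


def parse_version(text: str) -> Tuple[int, ...]:
    """Extract the first dotted version number ('1.2.13.0') as an int tuple."""
    m = re.search(r"(\d+(?:\.\d+)+)", text)
    if not m:
        raise ValueError(f"no dotted version number in {text!r}")
    return tuple(int(p) for p in m.group(1).split("."))


def compare(a: Tuple[int, ...], b: Tuple[int, ...]) -> int:
    """Compare version tuples of unequal length by zero-padding (1.3 == 1.3.0)."""
    n = max(len(a), len(b))
    a = a + (0,) * (n - len(a))
    b = b + (0,) * (n - len(b))
    return (a > b) - (a < b)


def zlib_findings(version: str) -> List[str]:
    """CVE ids whose inclusive upper bound is at or above this zlib version."""
    v = parse_version(version)
    return [cve for cve, last in ZLIB_ADVISORIES if compare(v, last) <= 0]


def openssl_findings(version_a_output: str) -> Dict[str, object]:
    """Parse `openssl version -a` text and flag end-of-life release series."""
    m = re.search(r"OpenSSL\s+(\d+)\.(\d+)\.(\d+)([a-z]*)", version_a_output)
    if not m:
        raise ValueError("input does not look like `openssl version` output")
    series = (int(m.group(1)), int(m.group(2)), int(m.group(3)))
    # Remaining lines are "key: value"; partition keeps colons inside values.
    fields: Dict[str, str] = {}
    for line in version_a_output.splitlines()[1:]:
        key, sep, value = line.partition(":")
        if sep:
            fields[key.strip()] = value.strip().strip('"')
    return {
        "version": f"{series[0]}.{series[1]}.{series[2]}{m.group(4)}",
        "eol": series in EOL_SERIES,
        "eol_reason": EOL_SERIES.get(series),
        "platform": fields.get("platform"),
        "openssldir": fields.get("OPENSSLDIR"),
    }


def audit(openssl_output: str, zlib_dlls: Dict[str, str]) -> Dict[str, object]:
    """Combine both checks into one report with a list of required actions."""
    ssl = openssl_findings(openssl_output)
    zlib = {name: zlib_findings(ver) for name, ver in zlib_dlls.items()}
    actions: List[str] = []
    if ssl["eol"]:
        actions.append(f"OpenSSL {ssl['version']}: {ssl['eol_reason']}; move to 3.x")
    for name, cves in zlib.items():
        if cves:
            actions.append(f"{name} {zlib_dlls[name]}: {', '.join(cves)}; update to zlib 1.3.1")
    return {"openssl": ssl, "zlib": zlib, "actions": actions}


if __name__ == "__main__":
    for action in audit(SAMPLE_OPENSSL_3, SAMPLE_ZLIB_DLLS)["actions"]:
        print(action)
```

The version comparison zero-pads the shorter tuple, which is what makes a four-part Windows file version such as 1.2.13.0 comparable with the three-part upstream zlib numbers; without that, a naive tuple comparison would rank 1.3 below 1.3.0.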

shawnlaffan commented 1 week ago

SP 5.40 will use OpenSSL 3.3.0. https://github.com/StrawberryPerl/build-extlibs/releases/tag/gcc13.2_ucrt_posix

There is a 5.40-RC1 available at https://github.com/StrawberryPerl/Perl-Dist-Strawberry/releases/tag/dev_5.40.0_RC1_UCRT