0.12.0 and LibreSSL

[AliceWonderMiscreations]

bitcoin-core 0.11.3 allows --with-libressl but that seems to be gone from 0.12.0.

Is there a patch somewhere to add it back in?

[AliceWonderMiscreations]

This is the error I am getting when attempting to build 0.12.0 w/o any configure switches used

Code:

In file included from addrman.h:13:0,
                 from init.cpp:12:
init.cpp: In function 'bool AppInit2(boost::thread_group&, CScheduler&)':
init.cpp:1081:61: error: 'OPENSSL_VERSION' was not declared in this scope
     LogPrintf("Using OpenSSL version %s\n", OpenSSL_version(OPENSSL_VERSION));
                                                             ^
util.h:77:39: note: in definition of macro 'LogPrintf'
 #define LogPrintf(...) LogPrint(NULL, __VA_ARGS__)
                                       ^
init.cpp:1081:76: error: 'OpenSSL_version' was not declared in this scope
     LogPrintf("Using OpenSSL version %s\n", OpenSSL_version(OPENSSL_VERSION));

LibreSSL 2.3.2

[achow101]

Allowing libressl was dropped several months ago. Read the commit message here: https://github.com/bitcoin/bitcoin/commit/59783884766d00866e190ba5ae761916e932df10 for the reasons why.

[AliceWonderMiscreations]

Allowing libressl was dropped several months ago. Read the commit message here: https://github.com/bitcoin/bitcoin/commit/59783884766d00866e190ba5ae761916e932df10 for the reasons why.

That removes the check for LibreSSL, and implies that the scariness of LibreSSL no longer applies, it won't cause the consensus issues some worried about. Which I doubt would have been any worse than different versions of OpenSSL but...

Anyway thus it seems that it *should* build with LibreSSL and this is a bug.

0.11.2 builds against same version of LibreSSL no problem.

[AliceWonderMiscreations]

Okay it looks like maybe the fix for that OpenSSL issue might be what caused this break with LibreSSL.

I'm convinced it is.

-=-

https://github.com/bitcoin/bitcoin/issues/7580

[Carlton Banks]

That removes the check for LibreSSL, and implies that the scariness of LibreSSL no longer applies, it won't cause the consensus issues some worried about. Which I doubt would have been any worse than different versions of OpenSSL but...

And different version of OpenSSL also have a moratorium out on them in respect of Bitcoin (and I'm surprised you don't know this, seeing as the only Red Hat/.rpm repo that ever existed ran into exactly that issue: using a version of OpenSSL that was "better", but contained different ECDSA code that broke Bitcoin nodes using it).

It's not about "worse" or "better", it's about "produces the same bugs".Yes, LibreSSL is likely a "better" crypto library than OpenSSL for general use, but the Bitcoin blockchain has contained signatures verified with OpenSSL long before LibreSSL even existed.



With 0.12 though, the only functions still handled by OpenSSL are the internal PRNG and AES256 for the wallet encryption. So the previous LibreSSL issues essentially don't exist for 0.12+, although there's very little functionality left for LibreSSL to be called for.

[AliceWonderMiscreations]

That removes the check for LibreSSL, and implies that the scariness of LibreSSL no longer applies, it won't cause the consensus issues some worried about. Which I doubt would have been any worse than different versions of OpenSSL but...

And different version of OpenSSL also have a moratorium out on them in respect of Bitcoin (and I'm surprised you don't know this, seeing as the only Red Hat/.rpm repo that ever existed ran into exactly that issue: using a version of OpenSSL that was "better", but contained different ECDSA code that broke Bitcoin nodes using it).

It's not about "worse" or "better", it's about "produces the same bugs".Yes, LibreSSL is likely a "better" crypto library than OpenSSL for general use, but the Bitcoin blockchain has contained signatures verified with OpenSSL long before LibreSSL even existed.



With 0.12 though, the only functions still handled by OpenSSL are the internal PRNG and AES256 for the wallet encryption. So the previous LibreSSL issues essentially don't exist for 0.12+, although there's very little functionality left for LibreSSL to be called for.

The problem with the Fedora / Red Hat OpenSSL was related to the Red Hat legal team, Red Hat's OpenSSL only supports two or three ECDSA curves, they ripped a bunch out due to legal fears.

However this issue is resolved:

Code:

-#if (OPENSSL_VERSION_NUMBER < 0x10100000L)
+#if defined(LIBRESSL_VERSION_NUMBER) || (OPENSSL_VERSION_NUMBER < 0x10100000L)

Basically a fix for openssl 1.1 broke libressl because libressl uses a high OPENSSL_VERSION_NUMBER yet does not use the OpenSSL API from post fork.