SGI: Development

OpenSSL - Page 1

Anyone using newer versions of OpenSSL with IRIX? Like say...a 1.x build? And have it work pretty correctly? I can get 1.0.1 to build, but make test fails all over the place. I'm now using mbedTLS (used to be PolarSSL) with curl so that I can download stuff via https without hassle, since everyone has disabled SSL2 and 3 at this point it seems....
"Apollo was astonished, Dionysus thought me mad."
armanox wrote: I'm now using mbedTLS (used to be PolarSSL) with curl

and that causes problems?
r-a-c.de
foetz wrote:
armanox wrote: I'm now using mbedTLS (used to be PolarSSL) with curl

and that causes problems?


No, in fact, I was quite pleased when it built with only one modification (I'm going to send it back to them so they can support us!). The issue is the amount of software that does depend on OpenSSL or GNUTLS.
"Apollo was astonished, Dionysus thought me mad."
Someone got LibreSSL working, honestly that is what I would push for.
SGI:
:Fuel: R16000A@900MHz 4GB V12/DCD, 6.5.30 Rin
:Tezro: Quad R16000@700MHz, 8GB, V12/DCD, DM3 6.5.30 Byakuren
L2 Controller
Non-SGI:
HP C8000 2x PA-8900 1GHz 8GB Nazrin
2x ThinkPad x230 i5-3210M 2.53GHz 8GB HD4000 FreeBSD 10.1 Benben & Yatsuhashi
IBM IntelliStation 265 Dual POWER3-II@450MHz Jigoku-Karasu ( Hell Raven )

For Sale: O2 DIMMS, Octane and O2 caddies, Fuel parts
TeamBlackFox wrote: Someone got LibreSSL working, honestly that is what I would push for.


I had said I got it to build, not that it all worked. The SGI compatibility stuff in there (and I might add, the AIX stuff) was all me, but it requires some pieces that I don't have the time to try to port or develop.
"Apollo was astonished, Dionysus thought me mad."
well one step at a time. do certain programs only work right with openssl 1.x?
if so does openssl 1.x fail to build? and if yes is it something that is irix specific and cannot be fixed?
r-a-c.de
foetz wrote: well one step at a time. do certain programs only work right with openssl 1.x?
if so does openssl 1.x fail to build? and if yes is it something that is irix specific and cannot be fixed?


OpenSSL 1.0.1 will build, but fails miserably when you run "make test" on calculating SHA1, and I remember it failing to work correctly when I attempted to use it (things just...didn't work).
OpenSSL 0.9.8 is too old to be useful for a lot of things (since everyone has disabled SSL2 and SSL3), but is the last version that is packaged by nekoware for IRIX.
"Apollo was astonished, Dionysus thought me mad."
armanox wrote: OpenSSL 0.9.8 is too old to be useful for a lot of things

could you give a few examples?
r-a-c.de
One thing's for sure, the LibreSSL guys didn't think too highly of the state of the OpenSSL code when they forked it.
Project:
Temporarily lost at sea...
Plan:
World domination! Or something...
foetz wrote:
armanox wrote: OpenSSL 0.9.8 is too old to be useful for a lot of things

could you give a few examples?


It doesn't support TLS 1.1 and 1.2, for example.
"Apollo was astonished, Dionysus thought me mad."
Well then, what are our options? Use an old OpenSSL library, somehow debug the newer version, or port libressl - in both latter cases the task is likely to be monumental, but I would imagine the clean codebase of LibreSSL would be marginally easier
vishnu wrote: One thing's for sure, the LibreSSL guys didn't think too highly of the state of the OpenSSL code when they forked it.

they should've kept the build system tho. libressl comes with a bunch of crap such as hardcoded, gcc specific cflags and such
r-a-c.de
foetz wrote:
vishnu wrote: One thing's for sure, the LibreSSL guys didn't think too highly of the state of the OpenSSL code when they forked it.

they should've kept the build system tho. libressl comes with a bunch of crap such as hardcoded, gcc specific cflags and such

Well that's retarded. But apparently not as retarded as the OpenSSL codebase:

http://www.openbsd.org/papers/bsdcan14-libressl/mgp00001.html

Even if only a tiny fraction of what he's saying is accurate, wow wwwww .. . :shock: :roll:
Project:
Temporarily lost at sea...
Plan:
World domination! Or something...
In case you're curious, my efforts for IRIX (and AIX) ended due to issues with arc4random and getentropy. If I have a sudden explosion of free time I might start hacking away at it again, but my port is pretty dead for the moment (plus I'm a few versions behind now too).

Oh, and the fact that IRIX does not support mapping anonymous pages doesn't help either.
"Apollo was astonished, Dionysus thought me mad."

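A getentropy()-shaped replacement of the kind the post above refers to, as an added example that is not code from the thread or from LibreSSL. It assumes the target exposes a /dev/urandom character device (the thread does not say which entropy source the port used); the name getentropy_fallback is hypothetical. It fails closed on short reads or a wrong device type instead of returning a partly filled buffer.

```c
/* Added example: fail-closed getentropy() stand-in backed by /dev/urandom. */
#include <errno.h>
#include <fcntl.h>
#include <stddef.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Hypothetical name. Same contract as getentropy(): 0 on success,
 * -1 with errno set on failure, and at most 256 bytes per call. */
int getentropy_fallback(void *buf, size_t len)
{
    unsigned char *out = buf;
    size_t done = 0;
    struct stat st;
    int fd, saved;

    if (len > 256) { errno = EIO; return -1; }
    do {
        fd = open("/dev/urandom", O_RDONLY);   /* assumed device path */
    } while (fd == -1 && errno == EINTR);
    if (fd == -1)
        return -1;
    /* Refuse a regular file or FIFO sitting where the device should be. */
    if (fstat(fd, &st) == -1 || !S_ISCHR(st.st_mode)) {
        close(fd); errno = EIO; return -1;
    }
    while (done < len) {
        ssize_t n = read(fd, out + done, len - done);
        if (n > 0) { done += (size_t)n; continue; }
        if (n == -1 && errno == EINTR) continue;   /* retry, keep progress */
        saved = (n == 0) ? EIO : errno;            /* EOF counts as failure */
        close(fd); errno = saved; return -1;
    }
    close(fd);
    return 0;
}

/* Sanity check: two 32-byte draws must both succeed and must differ. */
int entropy_selfcheck(void)
{
    unsigned char a[32] = {0}, b[32] = {0};
    if (getentropy_fallback(a, sizeof a) || getentropy_fallback(b, sizeof b))
        return -1;
    return memcmp(a, b, sizeof a) != 0 ? 0 : -1;
}

int main(void) { return entropy_selfcheck() == 0 ? 0 : 1; }
```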
funny to read "- Do portability right. " in there. at that they not only completely failed so far but actually made it much worse.
"- Preserve API/ABI compatibility with OpenSSL - We want to be essentially a drop in replacement." which failed as well. e.g. they simply dropped egd stuff completely without leaving any kind of warning, replacement dummy or whatsoever in place.

that aside i'm curious about why the presentation looks like from a 5th grader :P

armanox wrote: Oh, and the fact that IRIX does not support mapping anonymous pages doesn't help either.

that's an easy fix. i did that for my last postgresql builds. i can dig out the details if you're interested
r-a-c.de
foetz wrote:
armanox wrote: Oh, and the fact that IRIX does not support mapping anonymous pages doesn't help either.

that's an easy fix. i did that for my last postgresql builds. i can dig out the details if you're interested


Yes please, because if I should go back to it (which I may since I still have an interest) it would prove very useful.
"Apollo was astonished, Dionysus thought me mad."
armanox wrote: Yes please, because if I should go back to it (which I may since I still have an interest) it would prove very useful.

no prob. just open /dev/zero and map that fd shared. it was based on this: http://man7.org/tlpi/code/online/dist/m ... map.c.html
in my case adapted to postgresql of course but you can use it for anything else
r-a-c.de
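The /dev/zero approach described in the post above, as an added example that is not the poster's PostgreSQL patch or the linked TLPI code. The helper names zero_map_shared and zero_map_demo are hypothetical; the demo forks to show that the zero-filled pages really are shared between parent and child.

```c
/* Added example: zero-filled shared mapping without MAP_ANON support. */
#include <fcntl.h>
#include <stddef.h>
#include <sys/mman.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Hypothetical helper: returns len bytes of zeroed shared memory, or NULL. */
void *zero_map_shared(size_t len)
{
    int fd;
    void *p;

    if (len == 0)
        return NULL;
    fd = open("/dev/zero", O_RDWR);
    if (fd == -1)
        return NULL;
    p = mmap(NULL, len, PROT_READ | PROT_WRITE, MAP_SHARED, fd, 0);
    close(fd);                      /* the mapping outlives the descriptor */
    return p == MAP_FAILED ? NULL : p;
}

/* Child writes 42 into the mapping; returns what the parent reads, or -1. */
int zero_map_demo(void)
{
    volatile int *cell = zero_map_shared(sizeof *cell);
    int status, seen;
    pid_t pid;

    if (cell == NULL || *cell != 0) /* pages must start out zeroed */
        return -1;
    pid = fork();
    if (pid == 0) {
        *cell = 42;                 /* visible to the parent: MAP_SHARED */
        _exit(0);
    }
    if (pid == -1 || waitpid(pid, &status, 0) != pid)
        return -1;
    seen = *cell;
    munmap((void *)cell, sizeof *cell);
    return seen;
}

int main(void) { return zero_map_demo() == 42 ? 0 : 1; }
```

With MAP_SHARED a forked child keeps access to the same pages; memory that must not be shared across fork, such as random-generator state, would use MAP_PRIVATE on the same descriptor instead.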
foetz wrote:
armanox wrote: Yes please, because if I should go back to it (which I may since I still have an interest) it would prove very useful.

no prob. just open /dev/zero and map that fd shared. it was based on this: http://man7.org/tlpi/code/online/dist/m ... map.c.html
in my case adapted to postgresql of course but you can use it for anything else


Well, that solved one problem anyway. I'll start to attack the "getentropy" section next. (I have a libressl-2.1.2 that compiles, but is totally useless).
"Apollo was astonished, Dionysus thought me mad."
i didn't have problems with 0.9.8 so far but the thread here made me curious so i built openssl 1.0.2 and ran a few tests. in particular what you mentioned:

Code:

openssl s_client -connect google.com:443 -tls1_2
...
SSL-Session:
Protocol  : TLSv1.2
Cipher    : ECDHE-RSA-AES128-GCM-SHA256
Session-ID: 377D63936E31C49711BA2193BFE34113C136F9D25C7B753C36B47432D59D67EA
Session-ID-ctx:
Master-Key: E8D9D45EE9F7CF260481744A36E660E0F30CCDF3DCDAC649D95350023AC584DEA05E5D95887D55028ED60E58AE97E079

openssl dgst -sha1 curl_7410.tardist
SHA1(curl_7410.tardist)= ed4f05342ffab45dafc79419244e848416206c5b


also built a new curl and openssh based on 1.0.2 and they worked, too. maybe i missed something but the things i usually do worked all fine. in case you wanna grab them: viewtopic.php?f=7&t=16728266&p=7377731#p7377731
r-a-c.de
Interestingly enough 1.0.2a built where 1.0.2 failed for me. Running 'make test' now to see how it does.

Running 'make test' appears successful. They must have fixed something between .1 and .2 because it used to fail miserably. Now I'm going to have to rebuild wget...lol
"Apollo was astonished, Dionysus thought me mad."