Index: branches/2019Q3/security/openvpn/Makefile
===================================================================
--- branches/2019Q3/security/openvpn/Makefile	(revision 511398)
+++ branches/2019Q3/security/openvpn/Makefile	(revision 511399)
@@ -1,145 +1,143 @@
 # Created by: Matthias Andree <mandree@FreeBSD.org>
 # $FreeBSD$
 
 PORTNAME=		openvpn
 DISTVERSION=		2.4.7
 PORTREVISION?=		0
 CATEGORIES=		security net
 MASTER_SITES=		https://swupdate.openvpn.org/community/releases/ \
 			https://build.openvpn.net/downloads/releases/
 
 MAINTAINER=		mandree@FreeBSD.org
 COMMENT?=		Secure IP/Ethernet tunnel daemon
 
 LICENSE=		GPLv2
 LICENSE_FILE=		${WRKSRC}/COPYRIGHT.GPL
 
 USES=			cpe libtool pkgconfig shebangfix tar:xz
 
 CONFLICTS_INSTALL?=	openvpn-2.[!4].* openvpn-[!2].* openvpn-beta-[0-9]* openvpn-devel-[0-9]* openvpn-mbedtls-[0-9]*
 
 GNU_CONFIGURE=		yes
 SHEBANG_FILES=		sample/sample-scripts/verify-cn \
 			sample/sample-scripts/auth-pam.pl \
 			sample/sample-scripts/ucn.pl
 CONFIGURE_ARGS+=	--enable-strict
-# avoid picking up CMAKE, we don't have cmocka in the tarballs..
+# avoid picking up CMAKE, we don't have cmocka in the tarballs.
 CONFIGURE_ENV+=		ac_cv_prog_CMAKE= CMAKE=
 
 # let OpenVPN's configure script pick up the requisite libraries,
 # but do not break the plugin build if an older version is installed
 CPPFLAGS+=		-I${WRKSRC}/include -I${LOCALBASE}/include
 LDFLAGS+=		-L${LOCALBASE}/lib
 
 # set PLUGIN_LIBDIR so that unqualified plugin paths are found:
 CPPFLAGS+=		-DPLUGIN_LIBDIR=\\\"${PREFIX}/lib/openvpn/plugins\\\"
 
 OPTIONS_DEFINE=		PKCS11 EASYRSA DOCS EXAMPLES X509ALTUSERNAME \
 			TEST LZ4 SMALL TUNNELBLICK
 OPTIONS_DEFAULT=	EASYRSA OPENSSL TEST LZ4
 OPTIONS_SINGLE=		SSL
 OPTIONS_SINGLE_SSL=	OPENSSL MBEDTLS
 PKCS11_DESC=		Use security/pkcs11-helper
 EASYRSA_DESC=		Install security/easy-rsa RSA helper package
 MBEDTLS_DESC=		SSL/TLS via mbedTLS (lacks TLS v1.3)
 TUNNELBLICK_DESC=	Tunnelblick XOR scramble patch (READ HELP!)
 X509ALTUSERNAME_DESC=	Enable --x509-username-field (OpenSSL only)
 SMALL_DESC=		Build a smaller executable with fewer features
 
 EASYRSA_RUN_DEPENDS=	easy-rsa>=0:security/easy-rsa
 
 PKCS11_LIB_DEPENDS=	libpkcs11-helper.so:security/pkcs11-helper
 PKCS11_CONFIGURE_ENABLE=	pkcs11
 PKCS11_PREVENTS=	MBEDTLS
 PKCS11_PREVENTS_MSG=	OpenVPN cannot use pkcs11-helper with mbedTLS. Disable PKCS11, or use OpenSSL instead
 
 TUNNELBLICK_EXTRA_PATCHES=	${FILESDIR}/extra-tunnelblick-openvpn_xorpatch
 
 X509ALTUSERNAME_CONFIGURE_ENABLE=	x509-alt-username
 
 X509ALTUSERNAME_PREVENTS=	MBEDTLS
 X509ALTUSERNAME_PREVENTS_MSG=	OpenVPN ${DISTVERSION} cannot use --x509-username-field with mbedTLS. Disable X509ALTUSERNAME, or use OpenSSL instead
 
 OPENSSL_USES=		ssl
 OPENSSL_CONFIGURE_ON=	--with-crypto-library=openssl
-IGNORE_SSL=		libressl libressl-devel
 
 LZ4_CONFIGURE_OFF=	--disable-lz4
 
 SMALL_CONFIGURE_ON=	--enable-small
 
 MBEDTLS_LIB_DEPENDS=	libmbedtls.so:security/mbedtls
 MBEDTLS_CONFIGURE_ON=	--with-crypto-library=mbedtls
 
 USE_RC_SUBR=		openvpn
-USE_LDCONFIG=		${PREFIX}/lib
 
 SUB_FILES=		pkg-message openvpn-client
 
 .ifdef (LOG_OPENVPN)
 CFLAGS+=		-DLOG_OPENVPN=${LOG_OPENVPN}
 .endif
 
 LIB_DEPENDS+=		liblzo2.so:archivers/lzo2
 
 LZ4_LIB_DEPENDS+=	liblz4.so:archivers/liblz4
 
 PORTDOCS=		*
 PORTEXAMPLES=		*
 
 TEST_ALL_TARGET=	check
 TEST_TEST_TARGET_OFF=	check
 
 pre-configure:
 .ifdef (LOG_OPENVPN)
 	@${ECHO} "Building with LOG_OPENVPN=${LOG_OPENVPN}"
 .else
 	@${ECHO} ""
 	@${ECHO} "You may use the following build options:"
 	@${ECHO} ""
 	@${ECHO} "      LOG_OPENVPN={Valid syslog facility, default LOG_DAEMON}"
 	@${ECHO} "      EXAMPLE:  make LOG_OPENVPN=LOG_LOCAL6"
 	@${ECHO} ""
 .endif
 
 post-configure:
 	${REINPLACE_CMD} '/^CFLAGS =/s/$$/ -fPIC/' \
 	    ${WRKSRC}/src/plugins/auth-pam/Makefile \
 	    ${WRKSRC}/src/plugins/down-root/Makefile
 
 .include <bsd.port.options.mk>
 
 .if ${PORT_OPTIONS:MMBEDTLS}
 _tlslibs=libmbedtls libmbedx509 libmbedcrypto
 .else
 # OpenSSL
 _tlslibs=libssl libcrypto
 .endif
 
 # sanity check that we don't inherit incompatible SSL libs through,
 # for instance, pkcs11-helper:
 post-build:
 	@a=$$(LC_ALL=C ldd -f '%o\n' ${WRKSRC}/src/openvpn/openvpn \
 	|	${SORT} -u) ; set -- $$(for i in ${_tlslibs} ; do ${PRINTF} '%s\n' "$$a" | ${GREP} $${i}.so | wc -l ; done | ${SORT} -u) ;\
 	if test "$$*" != "1" ; then ${ECHO_CMD} >&2 "${.CURDIR} FAILED: either of ${_tlslibs} libraries linked multiple times" ; ${PRINTF} '%s\n' "$$a"; ${RM} ${BUILD_COOKIE} ; exit 1 ; fi
 
 post-install:
 	${STRIP_CMD} ${STAGEDIR}${PREFIX}/lib/openvpn/plugins/openvpn-plugin-auth-pam.so
 	${STRIP_CMD} ${STAGEDIR}${PREFIX}/lib/openvpn/plugins/openvpn-plugin-down-root.so
 	${INSTALL_SCRIPT} ${WRKSRC}/contrib/pull-resolv-conf/client.up ${STAGEDIR}${PREFIX}/libexec/openvpn-client.up
 	${INSTALL_SCRIPT} ${WRKSRC}/contrib/pull-resolv-conf/client.down ${STAGEDIR}${PREFIX}/libexec/openvpn-client.down
 	@${REINPLACE_CMD} 's|resolvconf -p -a|resolvconf -a|' ${STAGEDIR}${PREFIX}/libexec/openvpn-client.up
 	${INSTALL_SCRIPT} ${WRKDIR}/openvpn-client ${STAGEDIR}${PREFIX}/sbin/openvpn-client
 	${MKDIR} ${STAGEDIR}${PREFIX}/include
 
 post-install-DOCS-on:
 	${MKDIR} ${STAGEDIR}${DOCSDIR}/
 .for i in AUTHORS ChangeLog PORTS
 	${INSTALL_DATA} ${WRKSRC}/${i} ${STAGEDIR}${DOCSDIR}/
 .endfor
 
 post-install-EXAMPLES-on:
 	(cd ${WRKSRC}/sample && ${COPYTREE_SHARE} \* ${STAGEDIR}${EXAMPLESDIR}/)
 	${CHMOD} ${BINMODE} ${STAGEDIR}${EXAMPLESDIR}/sample-scripts/*
 
 .include <bsd.port.mk>
Index: branches/2019Q3/security/openvpn/files/patch-libressl
===================================================================
--- branches/2019Q3/security/openvpn/files/patch-libressl	(revision 511398)
+++ branches/2019Q3/security/openvpn/files/patch-libressl	(revision 511399)
@@ -1,20 +1,66 @@
---- ./src/openvpn/openssl_compat.h	2018-03-01 07:22:19.000000000 +0000
-+++ ./src/openvpn/openssl_compat.h	2018-03-12 10:44:08.876010487 +0000
-@@ -711,7 +711,7 @@
- }
- #endif /* SSL_CTX_get_max_proto_version */
+commit 5bc848a02665f26e83e5dbe8f4ef95f55e5e19bd
+Author: Matthias Andree <matthias.andree@gmx.de>
+Date:   Mon Aug 12 23:37:52 2019 +0200
+
+    Fix regression, reinstate LibreSSL support.
+    
+    OpenVPN 2.4.6 could be compiled with LibreSSL, 2.4.7 cannot.  This was broken
+    since 9de7fe0a "Add support for tls-ciphersuites for TLS 1.3".
+    
+    This patch avoids using TLS 1.3 directly, be it that OpenSSL was compiled
+    without TLS 1.3 support, or LibreSSL was used.
+    
+    This patch was based on an OpenBSD patch by
+    Jeremie Courreges-Anglas <jca@openbsd.org>, see
+    https://cvsweb.openbsd.org/cgi-bin/cvsweb/ports/net/openvpn/patches/patch-src_openvpn_ssl_openssl_c
+    but was revised to be more obvious and check actual feature macros,
+    do not rely on current LibreSSL implementation details alone.
+    
+    Franco Fichtner reports that OPNsense has been a long-time user
+    of LibreSSL without reported breakage, see also:
+    https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=238382#c10
+    
+    Signed-off-by: Matthias Andree <matthias.andree@gmx.de>
+
+diff --git a/src/openvpn/ssl_openssl.c b/src/openvpn/ssl_openssl.c
+index a78dae99..293bb192 100644
+--- ./src/openvpn/ssl_openssl.c
++++ ./src/openvpn/ssl_openssl.c
+@@ -206,7 +206,7 @@ info_callback(INFO_CALLBACK_SSL_CONST SSL *s, int where, int ret)
+ int
+ tls_version_max(void)
+ {
+-#if defined(TLS1_3_VERSION)
++#if defined(TLS1_3_VERSION) && !defined(OPENSSL_NO_TLS1_3)
+     return TLS_VER_1_3;
+ #elif defined(TLS1_2_VERSION) || defined(SSL_OP_NO_TLSv1_2)
+     return TLS_VER_1_2;
+@@ -233,7 +233,7 @@ openssl_tls_version(int ver)
+     {
+         return TLS1_2_VERSION;
+     }
+-#if defined(TLS1_3_VERSION)
++#if defined(TLS1_3_VERSION) && !defined(OPENSSL_NO_TLS1_3)
+     else if (ver == TLS_VER_1_3)
+     {
+         return TLS1_3_VERSION;
+@@ -459,8 +459,8 @@ tls_ctx_restrict_ciphers_tls13(struct tls_root_ctx *ctx, const char *ciphers)
+         return;
+     }
  
--#ifndef SSL_CTX_set_min_proto_version
-+#if !defined(SSL_CTX_set_min_proto_version) && !defined(LIBRESSL_VERSION_NUMBER)
- /** Mimics SSL_CTX_set_min_proto_version for OpenSSL < 1.1 */
- static inline int
- SSL_CTX_set_min_proto_version(SSL_CTX *ctx, long tls_ver_min)
-@@ -740,7 +740,7 @@
- }
- #endif /* SSL_CTX_set_min_proto_version */
+-#if (OPENSSL_VERSION_NUMBER < 0x1010100fL)
+-        crypto_msg(M_WARN, "Not compiled with OpenSSL 1.1.1 or higher. "
++#if (OPENSSL_VERSION_NUMBER < 0x1010100fL) || !defined(TLS1_3_VERSION) || defined(OPENSSL_NO_TLS1_3)
++        crypto_msg(M_WARN, "Not compiled with OpenSSL 1.1.1 or higher, or without TLS 1.3 support. "
+                        "Ignoring TLS 1.3 only tls-ciphersuites '%s' setting.",
+                         ciphers);
+ #else
+@@ -1846,7 +1846,7 @@ show_available_tls_ciphers_list(const char *cipher_list,
+         crypto_msg(M_FATAL, "Cannot create SSL_CTX object");
+     }
  
--#ifndef SSL_CTX_set_max_proto_version
-+#if !defined(SSL_CTX_set_max_proto_version) && !defined(LIBRESSL_VERSION_NUMBER)
- /** Mimics SSL_CTX_set_max_proto_version for OpenSSL < 1.1 */
- static inline int
- SSL_CTX_set_max_proto_version(SSL_CTX *ctx, long tls_ver_max)
+-#if (OPENSSL_VERSION_NUMBER >= 0x1010100fL)
++#if (OPENSSL_VERSION_NUMBER >= 0x1010100fL) && defined(TLS1_3_VERSION) && !defined(OPENSSL_NO_TLS1_3)
+     if (tls13)
+     {
+         SSL_CTX_set_min_proto_version(tls_ctx.ctx, TLS1_3_VERSION);
Index: branches/2019Q3
===================================================================
--- branches/2019Q3	(revision 511398)
+++ branches/2019Q3	(revision 511399)

Property changes on: branches/2019Q3
___________________________________________________________________
Modified: svn:mergeinfo
## -0,0 +0,1 ##
   Merged /head:r511397