MacOS: Unable to use more modern LibreSSL libraries for TLS 1.2/1.3 only sites
Original Reporter info from Mantis: trev @trevoz
Reporter name: Trevor Roydhouse
Description:
The fix in https://bugs.freepascal.org/view.php?id=36484 breaks macOS's ability to connect to web sites that accept HTTPS with the TLSv1.2 or TLSv1.3 protocols only.
The result of the fix is that while FPC 3.0.4 can connect to such sites successfully using the LibreSSL library (via the unversioned /usr/lib/libssl.dylib, which is linked to /usr/lib/libssl.35.dylib; there are also other LibreSSL library versions 43 and 44), FPC 3.2.0 (and trunk) falls back to the OpenSSL library (specifically /usr/lib/openssl.0.9.8.dylib), which causes the failure.
For a full discussion of the issue, see https://forum.lazarus.freepascal.org/index.php/topic,50350.0.html, especially the last page.
Steps to reproduce:
unit Unit1;

{$mode objfpc}{$H+}

interface

uses
  Classes, SysUtils, Forms, Controls, Graphics, Dialogs,
  fphttpclient, LCLIntf, LCLType, StdCtrls; //, OpenSSLSockets; -- needed for 3.3.1

type

  { TForm1 }

  TForm1 = class(TForm)
    Button1: TButton;
    procedure Button1Click(Sender: TObject);
  private
  public
  end;

var
  Form1: TForm1;

implementation

{$R *.lfm}

function GetWebPage(const URL: string): string;
var
  Client: TFPHttpClient;
begin
  Result := '';
  Client := TFPHttpClient.Create(nil);
  try
    try
      Client.AllowRedirect := True;
      Client.AddHeader('User-Agent', 'Mozilla/5.0(compatible; fpweb)');
      Result := Client.Get(URL);
    except
      on E: Exception do
        ShowMessage('Retrieval of: ' + URL + LineEnding
          + 'Failed with error: ' + E.Message + LineEnding
          + 'HTTP code: ' + IntToStr(Client.ResponseStatusCode) + LineEnding);
    end;
  finally
    Client.Free; { release the client on both the success and the failure path }
  end;
end;

{ TForm1 }

procedure TForm1.Button1Click(Sender: TObject);
begin
  ShowMessage(GetWebPage('https://www.ariva.de/'));
end;

end.
Additional information:
FPC 3.2.0 reports using OpenSSL 0.9.8zh 14 January 2016
FPC 3.0.4 reports using LibreSSL 2.2.7 (the default unversioned /usr/lib/libssl.dylib, i.e. /usr/lib/libssl.35.dylib).
Reverting the "fix" for Bug ID 36484 enables FPC 3.3.0 (and trunk) to use the LibreSSL library, and connections are again successful. However, the better fix is the following change:
svn diff
Index: openssl.pas
===================================================================
--- openssl.pas (revision 45778)
+++ openssl.pas (working copy)
@@ -111,7 +111,7 @@
{ ADD NEW ONES WHEN THEY APPEAR!
Always make .so/dylib first, then versions, in descending order!
Add "." .before the version, first is always just "" }
- DLLVersions: array[1..19] of string = ('', '.1.1', '.11', '.10', '.1.0.6', '.1.0.5', '.1.0.4', '.1.0.3',
+ DLLVersions: array[1..24] of string = ('', '.46', '.45', '.44', '.43', '.35', '.1.1', '.11', '.10', '.1.0.6', '.1.0.5', '.1.0.4', '.1.0.3',
'.1.0.2', '.1.0.1','.1.0.0','.0.9.8',
'.0.9.7', '.0.9.6', '.0.9.5', '.0.9.4',
'.0.9.3', '.0.9.2', '.0.9.1');
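Review bot: the added suffixes cover only the libssl side of the LibreSSL pairs; since the description implies the same DLLVersions list is used to locate libcrypto, and LibreSSL's libssl and libcrypto carry different numbers (libssl.46 is paired with libcrypto.44, and the version table lists libcrypto.38, .41 and .42 with no libssl counterpart), the list should also contain '.42', '.41' and '.38' in their descending positions, e.g. `DLLVersions: array[1..27] of string = ('', '.46', '.45', '.44', '.43', '.42', '.41', '.38', '.35', '.1.1', ...`; otherwise a libcrypto lookup on 10.13 or 10.14 can fall through to an older library than the libssl it is paired with. The new bound of 24 does match the 24 literals on the `+` line, and the descending-order rule stated in the context comment is preserved.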
This allows the original fix to keep working: the search then finds the highest of /usr/lib/libssl.[35|43|44|45|46].dylib etc.
Beware that older versions of macOS only include old OpenSSL libraries (libssl.0.9.7.dylib and libssl.0.9.8.dylib) and not LibreSSL.
Also note that while OpenSSL's libssl and libcrypto appear to always use the same version, LibreSSL does not necessarily (e.g. libssl.46.dylib is paired with libcrypto.44.dylib for LibreSSL v2.8.3), which also means that, at least for macOS, the array also needs .38, .41 and .42. I don't know about Linux or OpenBSD.
Here are the libraries shipped by macOS version:
10.11
- OpenSSL 0.9.7, 0.9.8
- LibreSSL libssl.35 and libcrypto.35
10.12
- OpenSSL 0.9.7, 0.9.8
- LibreSSL libssl.35, libssl.39; libcrypto.35, libcrypto.38
10.13
- OpenSSL 0.9.7, 0.9.8
- LibreSSL libssl.35, libssl.43; libcrypto.35, libcrypto.41
10.14
- OpenSSL 0.9.7, 0.9.8
- LibreSSL libssl.35, libssl.43, libssl.44; libcrypto.35, libcrypto.41, libcrypto.42
10.15
- OpenSSL 0.9.7, 0.9.8
- LibreSSL libssl.35, libssl.43, libssl.44, libssl.46; libcrypto.35, libcrypto.41, libcrypto.42, libcrypto.44
11.0 beta 4
- OpenSSL 0.9.7, 0.9.8
- LibreSSL libssl.35, libssl.43, libssl.44, libssl.46; libcrypto.35, libcrypto.41, libcrypto.42, libcrypto.44
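Added example, not from the report or from openssl.pas: a simplified model of the first-match search over the version-suffix list, run against a constructed stand-in for the 10.13 library set from the table above. It assumes each library name is searched independently against the same list; the exact pairing logic of the real loader in openssl.pas is not shown on this page and is not reproduced here.

```pascal
program DylibSearchOrder;
{$mode objfpc}{$H+}

const
  { suffix list from openssl.pas before the change (19 entries) }
  OldVersions: array[1..19] of string = ('', '.1.1', '.11', '.10', '.1.0.6', '.1.0.5',
    '.1.0.4', '.1.0.3', '.1.0.2', '.1.0.1', '.1.0.0', '.0.9.8', '.0.9.7', '.0.9.6',
    '.0.9.5', '.0.9.4', '.0.9.3', '.0.9.2', '.0.9.1');
  { suffix list as proposed in the diff above (24 entries) }
  NewVersions: array[1..24] of string = ('', '.46', '.45', '.44', '.43', '.35', '.1.1',
    '.11', '.10', '.1.0.6', '.1.0.5', '.1.0.4', '.1.0.3', '.1.0.2', '.1.0.1', '.1.0.0',
    '.0.9.8', '.0.9.7', '.0.9.6', '.0.9.5', '.0.9.4', '.0.9.3', '.0.9.2', '.0.9.1');
  { constructed stand-in for /usr/lib on macOS 10.13, taken from the table above;
    the unversioned libssl.dylib / libcrypto.dylib symlinks are deliberately absent }
  MacOS1013: array[0..7] of string = (
    'libssl.0.9.7.dylib', 'libssl.0.9.8.dylib', 'libssl.35.dylib', 'libssl.43.dylib',
    'libcrypto.0.9.7.dylib', 'libcrypto.0.9.8.dylib', 'libcrypto.35.dylib', 'libcrypto.41.dylib');

{ First-match search (assumed model of the loader): try Base + suffix + '.dylib' for
  each suffix in list order and return the first name that exists, or '' if none does. }
function FirstMatch(const Base: string; const Versions: array of string;
  const Present: array of string): string;
var
  I, J: Integer;
  Candidate: string;
begin
  Result := '';
  for I := Low(Versions) to High(Versions) do
  begin
    Candidate := Base + Versions[I] + '.dylib';
    for J := Low(Present) to High(Present) do
      if Present[J] = Candidate then
        Exit(Candidate);
  end;
end;

begin
  { old list: no LibreSSL suffixes, so both names fall through to the 0.9.8 OpenSSL files }
  WriteLn('old list: ', FirstMatch('libssl', OldVersions, MacOS1013), ' + ',
    FirstMatch('libcrypto', OldVersions, MacOS1013));
  { new list: libssl.43 is found, but without '.41' libcrypto falls back to libcrypto.35 }
  WriteLn('new list: ', FirstMatch('libssl', NewVersions, MacOS1013), ' + ',
    FirstMatch('libcrypto', NewVersions, MacOS1013));
end.
```

Swapping MacOS1013 for the 10.14 or 10.15 entries from the table shows the same libcrypto fall-through wherever a libcrypto number is missing from the list.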