Fossil

Check-in [115544e9]

Overview
Comment: add support for TLS 1.3, when compiled with OpenSSL 1.1.1 (LTS). Windows build adapted to use OpenSSL 1.1.1 by default. Still compiles and runs with older OpenSSL as well
SHA3-256: 115544e97517f447c7e668ce47f9714255abdd128c80f485f55baa4b618fcf3c
User & Date: jan.nijtmans 2018-09-15 20:27:33
References
2018-09-18
19:37
Backout of [115544e97517f447]. Unbreaks the SSL enabled build for MSVC on Windows, due to OpenSSL build system changes that are not accounted for by the check-in. Also, there were crashes with MinGW produced binaries using OpenSSL 1.1.1. check-in: e0cc10f0 user: mistachkin tags: trunk
Context
2018-09-18
19:37
Backout of [115544e97517f447]. Unbreaks the SSL enabled build for MSVC on Windows, due to OpenSSL build system changes that are not accounted for by the check-in. Also, there were crashes with MinGW produced binaries using OpenSSL 1.1.1. check-in: e0cc10f0 user: mistachkin tags: trunk
2018-09-16
15:43
Make sure that Fossil is always compiled with SQLite >= 3.25.0. Add mention of TLS 1.3 to changelog. check-in: d0dcf908 user: jan.nijtmans tags: trunk
2018-09-15
20:27
add support for TLS 1.3, when compiled with OpenSSL 1.1.1 (LTS). Windows build adapted to use OpenSSL 1.1.1 by default. Still compiles and runs with older OpenSSL as well check-in: 115544e9 user: jan.nijtmans tags: trunk
18:33
Rerun mkindex.tcl to get an updated permutedindex.html file. check-in: ce1d61ac user: drh tags: trunk
2018-09-11
14:54
merge trunk Closed-Leaf check-in: 368c78a8 user: jan.nijtmans tags: openssl-1.1
Changes

Changes to src/makemake.tcl.

   692    692   else
   693    693   SSLCONFIG = mingw64
   694    694   ZLIBCONFIG =
   695    695   ZLIBTARGETS =
   696    696   endif
   697    697   
   698    698   #### Disable creation of the OpenSSL shared libraries.  Also, disable support
   699         -#    for both SSLv2 and SSLv3 (i.e. thereby forcing the use of TLS).
          699  +#    for SSLv3 (i.e. thereby forcing the use of TLS).
   700    700   #
   701         -SSLCONFIG += no-ssl2 no-ssl3 no-weak-ssl-ciphers no-shared
          701  +SSLCONFIG += no-ssl3 no-weak-ssl-ciphers no-shared
   702    702   
   703    703   #### When using zlib, make sure that OpenSSL is configured to use the zlib
   704    704   #    that Fossil knows about (i.e. the one within the source tree).
   705    705   #
   706    706   ifndef FOSSIL_ENABLE_MINIZ
   707    707   SSLCONFIG +=  --with-zlib-lib=$(PWD)/$(ZLIBDIR) --with-zlib-include=$(PWD)/$(ZLIBDIR) zlib
   708    708   endif
   709    709   
   710    710   #### The directories where the OpenSSL include and library files are located.
   711    711   #    The recommended usage here is to use the Sysinternals junction tool
   712    712   #    to create a hard link between an "openssl-1.x" sub-directory of the
   713    713   #    Fossil source code directory and the target OpenSSL source directory.
   714    714   #
   715         -OPENSSLDIR = $(SRCDIR)/../compat/openssl-1.0.2p
          715  +OPENSSLDIR = $(SRCDIR)/../compat/openssl-1.1.1
   716    716   OPENSSLINCDIR = $(OPENSSLDIR)/include
   717    717   OPENSSLLIBDIR = $(OPENSSLDIR)
   718    718   
   719    719   #### Either the directory where the Tcl library is installed or the Tcl
   720    720   #    source code directory resides (depending on the value of the macro
   721    721   #    FOSSIL_TCL_SOURCE).  If this points to the Tcl install directory,
   722    722   #    this directory must have "include" and "lib" sub-directories.  If
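
Review bot: Dropping `no-ssl2` from `SSLCONFIG` at new line 701 sits uneasily with the check-in comment's claim that the build still works with older OpenSSL. The 1.1.x tree has no SSLv2 code left to disable, but anyone who points `OPENSSLDIR` back at a 1.0.2 tree now gets that tree's default instead of an explicit opt-out. Either keep `no-ssl2` when the configured tree is older than 1.1.0, or extend the comment at 698-699 to say the option was dropped on purpose because SSLv2 is absent from 1.1.x.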
................................................................................
  1564   1564   
  1565   1565   # Enable support for the SQLite Encryption Extension?
  1566   1566   !ifndef USE_SEE
  1567   1567   USE_SEE = 0
  1568   1568   !endif
  1569   1569   
  1570   1570   !if $(FOSSIL_ENABLE_SSL)!=0
  1571         -SSLDIR    = $(B)\compat\openssl-1.0.2p
         1571  +SSLDIR    = $(B)\compat\openssl-1.1.1
  1572   1572   SSLINCDIR = $(SSLDIR)\inc32
  1573   1573   !if $(FOSSIL_DYNAMIC_BUILD)!=0
  1574   1574   SSLLIBDIR = $(SSLDIR)\out32dll
  1575   1575   !else
  1576   1576   SSLLIBDIR = $(SSLDIR)\out32
  1577   1577   !endif
  1578   1578   SSLLFLAGS = /nologo /opt:ref /debug
  1579   1579   SSLLIB    = ssleay32.lib libeay32.lib user32.lib gdi32.lib crypt32.lib
  1580   1580   !if "$(PLATFORM)"=="amd64" || "$(PLATFORM)"=="x64"
  1581   1581   !message Using 'x64' platform for OpenSSL...
  1582   1582   # BUGBUG (OpenSSL): Using "no-ssl*" here breaks the build.
  1583         -# SSLCONFIG = VC-WIN64A no-asm no-ssl2 no-ssl3 no-weak-ssl-ciphers
         1583  +# SSLCONFIG = VC-WIN64A no-asm no-ssl3 no-weak-ssl-ciphers
  1584   1584   SSLCONFIG = VC-WIN64A no-asm
  1585   1585   !if $(FOSSIL_DYNAMIC_BUILD)!=0
  1586   1586   SSLCONFIG = $(SSLCONFIG) shared
  1587   1587   !else
  1588   1588   SSLCONFIG = $(SSLCONFIG) no-shared
  1589   1589   !endif
  1590   1590   SSLSETUP  = ms\do_win64a.bat
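
Review bot: `SSLDIR` now points at openssl-1.1.1 (new line 1571), but the context lines right below it still describe the 1.0.2 Windows layout: `SSLINCDIR = $(SSLDIR)\inc32`, `SSLLIBDIR = $(SSLDIR)\out32dll` or `out32`, `SSLLIB = ssleay32.lib libeay32.lib ...` and `SSLSETUP = ms\do_win64a.bat`. OpenSSL 1.1.x on Windows keeps its headers under `include` and names its libraries libssl and libcrypto, so these paths and file names will not resolve in the new tree. That matches the reason given in the backout [e0cc10f0] recorded on this page. These variables need to change in the same check-in as the directory bump, preferably selected by OpenSSL version so an older tree keeps working.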
................................................................................
  1591   1591   !if $(FOSSIL_DYNAMIC_BUILD)!=0
  1592   1592   SSLNMAKE  = ms\ntdll.mak all
  1593   1593   !else
  1594   1594   SSLNMAKE  = ms\nt.mak all
  1595   1595   !endif
  1596   1596   # BUGBUG (OpenSSL): Using "OPENSSL_NO_SSL*" here breaks dynamic builds.
  1597   1597   !if $(FOSSIL_DYNAMIC_BUILD)==0
  1598         -SSLCFLAGS = -DOPENSSL_NO_SSL2 -DOPENSSL_NO_SSL3 -DOPENSSL_NO_WEAK_SSL_CIPHERS
         1598  +SSLCFLAGS = -DOPENSSL_NO_SSL3 -DOPENSSL_NO_WEAK_SSL_CIPHERS
  1599   1599   !endif
  1600   1600   !elseif "$(PLATFORM)"=="ia64"
  1601   1601   !message Using 'ia64' platform for OpenSSL...
  1602   1602   # BUGBUG (OpenSSL): Using "no-ssl*" here breaks the build.
  1603         -# SSLCONFIG = VC-WIN64I no-asm no-ssl2 no-ssl3 no-weak-ssl-ciphers
         1603  +# SSLCONFIG = VC-WIN64I no-asm no-ssl3 no-weak-ssl-ciphers
  1604   1604   SSLCONFIG = VC-WIN64I no-asm
  1605   1605   !if $(FOSSIL_DYNAMIC_BUILD)!=0
  1606   1606   SSLCONFIG = $(SSLCONFIG) shared
  1607   1607   !else
  1608   1608   SSLCONFIG = $(SSLCONFIG) no-shared
  1609   1609   !endif
  1610   1610   SSLSETUP  = ms\do_win64i.bat
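
Review bot: The `SSLNMAKE = ms\ntdll.mak all` and `ms\nt.mak all` lines at 1592-1594, and `SSLSETUP = ms\do_win64i.bat` at 1610, are left untouched although they drive the OpenSSL build step. Those files belong to the 1.0.x build system; a 1.1.x tree is built from a single top-level makefile that Configure generates. The only edit in this hunk that takes effect is the removal of `-DOPENSSL_NO_SSL2` at 1598, so the hunk does not yet adapt the nmake build to the new tree.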
................................................................................
  1611   1611   !if $(FOSSIL_DYNAMIC_BUILD)!=0
  1612   1612   SSLNMAKE  = ms\ntdll.mak all
  1613   1613   !else
  1614   1614   SSLNMAKE  = ms\nt.mak all
  1615   1615   !endif
  1616   1616   # BUGBUG (OpenSSL): Using "OPENSSL_NO_SSL*" here breaks dynamic builds.
  1617   1617   !if $(FOSSIL_DYNAMIC_BUILD)==0
  1618         -SSLCFLAGS = -DOPENSSL_NO_SSL2 -DOPENSSL_NO_SSL3 -DOPENSSL_NO_WEAK_SSL_CIPHERS
         1618  +SSLCFLAGS = -DOPENSSL_NO_SSL3 -DOPENSSL_NO_WEAK_SSL_CIPHERS
  1619   1619   !endif
  1620   1620   !else
  1621   1621   !message Assuming 'x86' platform for OpenSSL...
  1622   1622   # BUGBUG (OpenSSL): Using "no-ssl*" here breaks the build.
  1623         -# SSLCONFIG = VC-WIN32 no-asm no-ssl2 no-ssl3 no-weak-ssl-ciphers
         1623  +# SSLCONFIG = VC-WIN32 no-asm no-ssl3 no-weak-ssl-ciphers
  1624   1624   SSLCONFIG = VC-WIN32 no-asm
  1625   1625   !if $(FOSSIL_DYNAMIC_BUILD)!=0
  1626   1626   SSLCONFIG = $(SSLCONFIG) shared
  1627   1627   !else
  1628   1628   SSLCONFIG = $(SSLCONFIG) no-shared
  1629   1629   !endif
  1630   1630   SSLSETUP  = ms\do_ms.bat
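
Review bot: Line 1623 edits a commented-out `SSLCONFIG` that sits under a BUGBUG saying `no-ssl*` breaks the build, so the active setting remains `SSLCONFIG = VC-WIN32 no-asm` and protocol and cipher selection is left to OpenSSL's defaults. Since the check-in moves to a new OpenSSL release, retest whether the BUGBUG still applies and either enable `no-ssl3 no-weak-ssl-ciphers` for real or delete the dead line. Updating a comment that is never executed suggests hardening that the MSVC build does not actually get.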
................................................................................
  1631   1631   !if $(FOSSIL_DYNAMIC_BUILD)!=0
  1632   1632   SSLNMAKE  = ms\ntdll.mak all
  1633   1633   !else
  1634   1634   SSLNMAKE  = ms\nt.mak all
  1635   1635   !endif
  1636   1636   # BUGBUG (OpenSSL): Using "OPENSSL_NO_SSL*" here breaks dynamic builds.
  1637   1637   !if $(FOSSIL_DYNAMIC_BUILD)==0
  1638         -SSLCFLAGS = -DOPENSSL_NO_SSL2 -DOPENSSL_NO_SSL3 -DOPENSSL_NO_WEAK_SSL_CIPHERS
         1638  +SSLCFLAGS = -DOPENSSL_NO_SSL3 -DOPENSSL_NO_WEAK_SSL_CIPHERS
  1639   1639   !endif
  1640   1640   !endif
  1641   1641   !endif
  1642   1642   
  1643   1643   !if $(FOSSIL_ENABLE_TCL)!=0
  1644   1644   TCLDIR    = $(B)\compat\tcl-8.6
  1645   1645   TCLSRCDIR = $(TCLDIR)

Changes to win/Makefile.mingw.

   156    156   else
   157    157   SSLCONFIG = mingw64
   158    158   ZLIBCONFIG =
   159    159   ZLIBTARGETS =
   160    160   endif
   161    161   
   162    162   #### Disable creation of the OpenSSL shared libraries.  Also, disable support
   163         -#    for both SSLv2 and SSLv3 (i.e. thereby forcing the use of TLS).
          163  +#    for SSLv3 (i.e. thereby forcing the use of TLS).
   164    164   #
   165         -SSLCONFIG += no-ssl2 no-ssl3 no-weak-ssl-ciphers no-shared
          165  +SSLCONFIG += no-ssl3 no-weak-ssl-ciphers no-shared
   166    166   
   167    167   #### When using zlib, make sure that OpenSSL is configured to use the zlib
   168    168   #    that Fossil knows about (i.e. the one within the source tree).
   169    169   #
   170    170   ifndef FOSSIL_ENABLE_MINIZ
   171    171   SSLCONFIG +=  --with-zlib-lib=$(PWD)/$(ZLIBDIR) --with-zlib-include=$(PWD)/$(ZLIBDIR) zlib
   172    172   endif
   173    173   
   174    174   #### The directories where the OpenSSL include and library files are located.
   175    175   #    The recommended usage here is to use the Sysinternals junction tool
   176    176   #    to create a hard link between an "openssl-1.x" sub-directory of the
   177    177   #    Fossil source code directory and the target OpenSSL source directory.
   178    178   #
   179         -OPENSSLDIR = $(SRCDIR)/../compat/openssl-1.0.2p
          179  +OPENSSLDIR = $(SRCDIR)/../compat/openssl-1.1.1
   180    180   OPENSSLINCDIR = $(OPENSSLDIR)/include
   181    181   OPENSSLLIBDIR = $(OPENSSLDIR)
   182    182   
   183    183   #### Either the directory where the Tcl library is installed or the Tcl
   184    184   #    source code directory resides (depending on the value of the macro
   185    185   #    FOSSIL_TCL_SOURCE).  If this points to the Tcl install directory,
   186    186   #    this directory must have "include" and "lib" sub-directories.  If
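
Review bot: `OPENSSLDIR = $(SRCDIR)/../compat/openssl-1.1.1` at line 179 pins the exact release directory, the same as in the MinGW section of src/makemake.tcl, so every OpenSSL patch release will need another edit in both places before a security fix can be picked up. The comment at 175-177 already describes linking an "openssl-1.x" sub-directory to the real source tree; a version-neutral default directory name would fit that advice and make upgrades a matter of re-pointing the link.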

Changes to win/Makefile.mingw.mistachkin.

   156    156   else
   157    157   SSLCONFIG = mingw64
   158    158   ZLIBCONFIG =
   159    159   ZLIBTARGETS =
   160    160   endif
   161    161   
   162    162   #### Disable creation of the OpenSSL shared libraries.  Also, disable support
   163         -#    for both SSLv2 and SSLv3 (i.e. thereby forcing the use of TLS).
          163  +#    for SSLv3 (i.e. thereby forcing the use of TLS).
   164    164   #
   165         -SSLCONFIG += no-ssl2 no-ssl3 no-weak-ssl-ciphers no-shared
          165  +SSLCONFIG += no-ssl3 no-weak-ssl-ciphers no-shared
   166    166   
   167    167   #### When using zlib, make sure that OpenSSL is configured to use the zlib
   168    168   #    that Fossil knows about (i.e. the one within the source tree).
   169    169   #
   170    170   ifndef FOSSIL_ENABLE_MINIZ
   171    171   SSLCONFIG +=  --with-zlib-lib=$(PWD)/$(ZLIBDIR) --with-zlib-include=$(PWD)/$(ZLIBDIR) zlib
   172    172   endif
   173    173   
   174    174   #### The directories where the OpenSSL include and library files are located.
   175    175   #    The recommended usage here is to use the Sysinternals junction tool
   176    176   #    to create a hard link between an "openssl-1.x" sub-directory of the
   177    177   #    Fossil source code directory and the target OpenSSL source directory.
   178    178   #
   179         -OPENSSLDIR = $(SRCDIR)/../compat/openssl-1.0.2p
          179  +OPENSSLDIR = $(SRCDIR)/../compat/openssl-1.1.1
   180    180   OPENSSLINCDIR = $(OPENSSLDIR)/include
   181    181   OPENSSLLIBDIR = $(OPENSSLDIR)
   182    182   
   183    183   #### Either the directory where the Tcl library is installed or the Tcl
   184    184   #    source code directory resides (depending on the value of the macro
   185    185   #    FOSSIL_TCL_SOURCE).  If this points to the Tcl install directory,
   186    186   #    this directory must have "include" and "lib" sub-directories.  If
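
Review bot: By its name this file is one developer's variant of Makefile.mingw, and lines 165 and 179 change that developer's OpenSSL options and default source tree. Leave it out of this check-in or have the owner confirm that a 1.1.1 tree builds and runs in their environment first; the backout entry on this page reports crashes with MinGW-produced binaries using OpenSSL 1.1.1.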

Changes to win/Makefile.msc.

    96     96   
    97     97   # Enable support for the SQLite Encryption Extension?
    98     98   !ifndef USE_SEE
    99     99   USE_SEE = 0
   100    100   !endif
   101    101   
   102    102   !if $(FOSSIL_ENABLE_SSL)!=0
   103         -SSLDIR    = $(B)\compat\openssl-1.0.2p
          103  +SSLDIR    = $(B)\compat\openssl-1.1.1
   104    104   SSLINCDIR = $(SSLDIR)\inc32
   105    105   !if $(FOSSIL_DYNAMIC_BUILD)!=0
   106    106   SSLLIBDIR = $(SSLDIR)\out32dll
   107    107   !else
   108    108   SSLLIBDIR = $(SSLDIR)\out32
   109    109   !endif
   110    110   SSLLFLAGS = /nologo /opt:ref /debug
   111    111   SSLLIB    = ssleay32.lib libeay32.lib user32.lib gdi32.lib crypt32.lib
   112    112   !if "$(PLATFORM)"=="amd64" || "$(PLATFORM)"=="x64"
   113    113   !message Using 'x64' platform for OpenSSL...
   114    114   # BUGBUG (OpenSSL): Using "no-ssl*" here breaks the build.
   115         -# SSLCONFIG = VC-WIN64A no-asm no-ssl2 no-ssl3 no-weak-ssl-ciphers
          115  +# SSLCONFIG = VC-WIN64A no-asm no-ssl3 no-weak-ssl-ciphers
   116    116   SSLCONFIG = VC-WIN64A no-asm
   117    117   !if $(FOSSIL_DYNAMIC_BUILD)!=0
   118    118   SSLCONFIG = $(SSLCONFIG) shared
   119    119   !else
   120    120   SSLCONFIG = $(SSLCONFIG) no-shared
   121    121   !endif
   122    122   SSLSETUP  = ms\do_win64a.bat
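
Review bot: The check-in comment says the Windows build was adapted to OpenSSL 1.1.1, but the only functional change in this hunk is the `SSLDIR` path at line 103; line 115 is a comment. Please state which MSVC configurations were actually built and linked against the new tree (static and `FOSSIL_DYNAMIC_BUILD`, each `PLATFORM` value), given that `SSLLIB` at line 111 still names `ssleay32.lib libeay32.lib`.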
................................................................................
   123    123   !if $(FOSSIL_DYNAMIC_BUILD)!=0
   124    124   SSLNMAKE  = ms\ntdll.mak all
   125    125   !else
   126    126   SSLNMAKE  = ms\nt.mak all
   127    127   !endif
   128    128   # BUGBUG (OpenSSL): Using "OPENSSL_NO_SSL*" here breaks dynamic builds.
   129    129   !if $(FOSSIL_DYNAMIC_BUILD)==0
   130         -SSLCFLAGS = -DOPENSSL_NO_SSL2 -DOPENSSL_NO_SSL3 -DOPENSSL_NO_WEAK_SSL_CIPHERS
          130  +SSLCFLAGS = -DOPENSSL_NO_SSL3 -DOPENSSL_NO_WEAK_SSL_CIPHERS
   131    131   !endif
   132    132   !elseif "$(PLATFORM)"=="ia64"
   133    133   !message Using 'ia64' platform for OpenSSL...
   134    134   # BUGBUG (OpenSSL): Using "no-ssl*" here breaks the build.
   135         -# SSLCONFIG = VC-WIN64I no-asm no-ssl2 no-ssl3 no-weak-ssl-ciphers
          135  +# SSLCONFIG = VC-WIN64I no-asm no-ssl3 no-weak-ssl-ciphers
   136    136   SSLCONFIG = VC-WIN64I no-asm
   137    137   !if $(FOSSIL_DYNAMIC_BUILD)!=0
   138    138   SSLCONFIG = $(SSLCONFIG) shared
   139    139   !else
   140    140   SSLCONFIG = $(SSLCONFIG) no-shared
   141    141   !endif
   142    142   SSLSETUP  = ms\do_win64i.bat
................................................................................
   143    143   !if $(FOSSIL_DYNAMIC_BUILD)!=0
   144    144   SSLNMAKE  = ms\ntdll.mak all
   145    145   !else
   146    146   SSLNMAKE  = ms\nt.mak all
   147    147   !endif
   148    148   # BUGBUG (OpenSSL): Using "OPENSSL_NO_SSL*" here breaks dynamic builds.
   149    149   !if $(FOSSIL_DYNAMIC_BUILD)==0
   150         -SSLCFLAGS = -DOPENSSL_NO_SSL2 -DOPENSSL_NO_SSL3 -DOPENSSL_NO_WEAK_SSL_CIPHERS
          150  +SSLCFLAGS = -DOPENSSL_NO_SSL3 -DOPENSSL_NO_WEAK_SSL_CIPHERS
   151    151   !endif
   152    152   !else
   153    153   !message Assuming 'x86' platform for OpenSSL...
   154    154   # BUGBUG (OpenSSL): Using "no-ssl*" here breaks the build.
   155         -# SSLCONFIG = VC-WIN32 no-asm no-ssl2 no-ssl3 no-weak-ssl-ciphers
          155  +# SSLCONFIG = VC-WIN32 no-asm no-ssl3 no-weak-ssl-ciphers
   156    156   SSLCONFIG = VC-WIN32 no-asm
   157    157   !if $(FOSSIL_DYNAMIC_BUILD)!=0
   158    158   SSLCONFIG = $(SSLCONFIG) shared
   159    159   !else
   160    160   SSLCONFIG = $(SSLCONFIG) no-shared
   161    161   !endif
   162    162   SSLSETUP  = ms\do_ms.bat
................................................................................
   163    163   !if $(FOSSIL_DYNAMIC_BUILD)!=0
   164    164   SSLNMAKE  = ms\ntdll.mak all
   165    165   !else
   166    166   SSLNMAKE  = ms\nt.mak all
   167    167   !endif
   168    168   # BUGBUG (OpenSSL): Using "OPENSSL_NO_SSL*" here breaks dynamic builds.
   169    169   !if $(FOSSIL_DYNAMIC_BUILD)==0
   170         -SSLCFLAGS = -DOPENSSL_NO_SSL2 -DOPENSSL_NO_SSL3 -DOPENSSL_NO_WEAK_SSL_CIPHERS
          170  +SSLCFLAGS = -DOPENSSL_NO_SSL3 -DOPENSSL_NO_WEAK_SSL_CIPHERS
   171    171   !endif
   172    172   !endif
   173    173   !endif
   174    174   
   175    175   !if $(FOSSIL_ENABLE_TCL)!=0
   176    176   TCLDIR    = $(B)\compat\tcl-8.6
   177    177   TCLSRCDIR = $(TCLDIR)

Changes to www/build.wiki.

   134    134   file "<b>win\buildmsvc.bat</b>" may be used and it will attempt to
   135    135   detect and use the latest installed version of MSVC.<br><br>To enable
   136    136   the optional <a href="https://www.openssl.org/">OpenSSL</a> support,
   137    137   first <a href="https://www.openssl.org/source/">download the official
   138    138   source code for OpenSSL</a> and extract it to an appropriately named
   139    139   "<b>openssl-X.Y.ZA</b>" subdirectory within the local
   140    140   [/tree?ci=trunk&name=compat | compat] directory (e.g.
   141         -"<b>compat/openssl-1.0.2p</b>"), then make sure that some recent
          141  +"<b>compat/openssl-1.1.1</b>"), then make sure that some recent
   142    142   <a href="http://www.perl.org/">Perl</a> binaries are installed locally,
   143    143   and finally run one of the following commands:
   144    144   <blockquote><pre>
   145    145   nmake /f Makefile.msc FOSSIL_ENABLE_SSL=1 FOSSIL_BUILD_SSL=1 PERLDIR=C:\full\path\to\Perl\bin
   146    146   </pre></blockquote>
   147    147   <blockquote><pre>
   148    148   buildmsvc.bat FOSSIL_ENABLE_SSL=1 FOSSIL_BUILD_SSL=1 PERLDIR=C:\full\path\to\Perl\bin
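
Review bot: Only the example path at line 141 changes; the text still does not say that TLS 1.3 depends on OpenSSL 1.1.1 or that older trees remain supported, both of which the check-in comment claims. Add a sentence naming the supported OpenSSL versions and explaining how to build against a tree other than "compat/openssl-1.1.1", and re-verify the two commands at 145 and 148 against a 1.1.1 tree before documenting it as the default.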