Does Unbound 1.8.0 support compiling with OpenSSL 1.1.1 to gain TLS 1.3 support?
It does on FreeBSD (tested with poudriere).
jaap
I have compiled it on Ubuntu with OpenSSL 1.1.1 and tested it with testssl.sh. Yes, it works.
Chris via Unbound-users <unbound-users@nlnetlabs.nl> wrote on Wed, 19 Sep 2018 at 4:17 PM:
Awesome! Thank you for a quick response.
Now I need Cloudflare to support TLS 1.3 RFC Final on its 1.1.1.1 service.
Hmmm.... I'm getting some compile errors. I'm not a pro at this, so maybe I'm doing something dumb..
FreeBSD 11.2 OpenSSL 1.1.1 Unbound 1.8.0 All fresh install
Openssl > ./config make install >> No errors
./configure --with-ssl=/usr/local/openssl-1.1.1 --without-pthreads --without-solaris-threads
make
./validator/val_secalgo.c:299:8: error: incomplete definition of type 'struct DSA_SIG_st'
dsasig->r = R;
~~~~~~^
/usr/local/openssl-1.1.1/include/openssl/dsa.h:65:16: note: forward declaration of 'struct DSA_SIG_st'
typedef struct DSA_SIG_st DSA_SIG;
^
./validator/val_secalgo.c:300:8: error: incomplete definition of type 'struct DSA_SIG_st'
dsasig->s = S;
~~~~~~^
/usr/local/openssl-1.1.1/include/openssl/dsa.h:65:16: note: forward declaration of 'struct DSA_SIG_st'
typedef struct DSA_SIG_st DSA_SIG;
^
./validator/val_secalgo.c:443:19: warning: implicit declaration of function 'EVP_dss1' is invalid in C99 [-Wimplicit-function-declaration]
*digest_type = EVP_dss1();
^
./validator/val_secalgo.c:443:17: warning: incompatible integer to pointer conversion assigning to 'const EVP_MD *' (aka 'const struct evp_md_st *') from 'int' [-Wint-conversion]
*digest_type = EVP_dss1();
^ ~~~~~~~~~~
./validator/val_secalgo.c:665:34: error: invalid application of 'sizeof' to an incomplete type 'EVP_MD_CTX' (aka 'struct evp_md_ctx_st')
ctx = (EVP_MD_CTX*)malloc(sizeof(*ctx));
^~~~~~
/usr/local/openssl-1.1.1/include/openssl/ossl_typ.h:92:16: note: forward declaration of 'struct evp_md_ctx_st'
typedef struct evp_md_ctx_st EVP_MD_CTX;
^
./validator/val_secalgo.c:681:3: warning: implicit declaration of function 'EVP_MD_CTX_cleanup' is invalid in C99 [-Wimplicit-function-declaration]
EVP_MD_CTX_cleanup(ctx);
^
./validator/val_secalgo.c:695:3: warning: implicit declaration of function 'EVP_MD_CTX_cleanup' is invalid in C99 [-Wimplicit-function-declaration]
EVP_MD_CTX_cleanup(ctx);
^
./validator/val_secalgo.c:726:2: warning: implicit declaration of function 'EVP_MD_CTX_cleanup' is invalid in C99 [-Wimplicit-function-declaration]
EVP_MD_CTX_cleanup(ctx);
Chris writes:
> Hmmm.... I'm getting some compile errors. I'm not a pro at this, so maybe
> I'm doing something dumb..
>
> FreeBSD 11.2 OpenSSL 1.1.1 Unbound 1.8.0 All fresh install
>
> Openssl > ./config make install >> No errors
>
> ./configure --with-ssl=/usr/local/openssl-1.1.1 --without-pthreads
> --without-solaris-threads
This seems FreeBSD ports related.
A similar problem has been reported at the FreeBSD bugzilla
<https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=231488>. There is
also a suggested fix which seems to work.
jaap
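As an added example (not from the thread or the Unbound project), a small POSIX sh check that the prefix handed to --with-ssl really holds OpenSSL 1.1.1 headers and that no older OpenSSL headers in the default include root could be picked up instead; the function names and the constructed header layout are assumptions.

```shell
#!/bin/sh
# Added example: sanity-check the prefix given to ./configure --with-ssl=PREFIX.
# The errors quoted above (incomplete 'struct DSA_SIG_st', sizeof on an
# incomplete EVP_MD_CTX, implicit EVP_MD_CTX_cleanup/EVP_dss1) are what you get
# when pre-1.1 OpenSSL code paths are compiled against 1.1 headers, where those
# structs are opaque and those functions no longer exist. One common cause is
# configure probing one OpenSSL (e.g. the base system's 1.0.2) while the
# compiler picks up another one's headers.
# Assumes the 1.0/1.1 opensslv.h layout with a single OPENSSL_VERSION_NUMBER
# line (OpenSSL 3.x derives that macro from other macros instead).

# Print OPENSSL_VERSION_NUMBER (hex, e.g. 0x1010100f) from PREFIX's headers;
# fail if the header or the macro is missing.
openssl_header_version() {
    hdr="$1/include/openssl/opensslv.h"
    [ -f "$hdr" ] || return 1
    v=$(sed -n 's/^# *define OPENSSL_VERSION_NUMBER *\(0x[0-9A-Fa-f]*\)L.*/\1/p' "$hdr" | head -n 1)
    [ -n "$v" ] || return 1
    printf '%s\n' "$v"
}

# Succeed if PREFIX's headers are OpenSSL >= 1.1.1 (0x10101000): the
# opaque-struct API, and the first release with TLS 1.3.
is_tls13_capable() {
    v=$(openssl_header_version "$1") || return 1
    [ $((v)) -ge $((0x10101000)) ]
}

# Compare the --with-ssl prefix with the include root the compiler searches by
# default (/usr on FreeBSD, where the base system's OpenSSL headers live).
# Prints "ok" when they agree or the default root has no OpenSSL headers,
# "mismatch" when a different OpenSSL version sits in the default include path,
# and "no-openssl" when PREFIX itself has no OpenSSL headers.
check_ssl_prefix() {
    prefix="$1"; sysroot="${2:-/usr}"
    want=$(openssl_header_version "$prefix") || { echo "no-openssl"; return 1; }
    have=$(openssl_header_version "$sysroot") || { echo "ok"; return 0; }
    if [ "$want" = "$have" ]; then echo "ok"; else echo "mismatch"; return 1; fi
}
```

Run `check_ssl_prefix /usr/local/openssl-1.1.1` before `./configure`; a "mismatch" means the default include path still carries the base system's OpenSSL headers, which is worth resolving (or switching to the port, as suggested) before building.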
Chris writes:
> I hate to show that I'm not a compiling expert, but, where do I change:
>
> -USES= autoreconf cpe libtool ssl
> +USES= autoreconf cpe libtool ssl pkgconfig
It is a one line change in the Makefile of the port (dns/unbound/Makefile).
According to the FreeBSD bugzilla list
<https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=231488>, an updated
port should by now be available.
jaap
Thank you for another quick response.
I hate to show that I'm not a compiling expert, but, where do I make the change below:
-USES= autoreconf cpe libtool ssl
+USES= autoreconf cpe libtool ssl pkgconfig
Just an FYI. This was a new install of FreeBSD 11.2 AMD64 from the DVD download. I did nothing else except install OpenSSL 1.1.1 and Unbound 1.8.0. The issue *should* be easy to reproduce. But, of course, who knows.
I will work on this later this evening and report back.
Hmmm... I did what was suggested below. No change in errors and warnings..
Chris writes:
> Hmmm... I am a bit confused. I looked through my Makefile in
> /usr/local/unbound-1.8.0 and the below line is not present. I think you're
> referencing the ports collection? I am not using a port. I wget'ed
> unbound-1.8.0 and am making that. It's a new install of FreeBSD 11.2,
> then wget openssl-1.1.1 then wget unbound.. ./config ./Configure make make..
>
> So I am not using any ports, I don't think?
Looks like you are not using the FreeBSD ports system. You are way
better off using that, see https://www.freebsd.org/ports/index.html
for details.
jaap
Chris writes:
> Hmmm... I did what was suggested below. No change in errors and warnings..
>
> I moved over to FreeBSD 12 Alpha 6 and did the same install and got the
> same errors. FreeBSD 12 Alpha 6 though comes with Unbound 1.8.0 but only
> OpenSSL 1.0.2p-freebsd and so does not have TLS 1.3
>
> So.. What I did, in order:
>
> Install FreeBSD 12 A 6 on a clean HD in an AMD64 based machine.
> wget OpenSSL-1.1.1
> ./config
> make install
> wget unbound-1.8.0
> ./configure --with-ssl=/usr/local/openssl-1.1.1
Again, use the FreeBSD ports system; the latest OpenSSL is in the
ports.
jaap
Sorry for being a noob and asking a lot of questions.
What is a known working method, with steps, to get TLS 1.3 working on Unbound?
Without compiling Unbound with the ssl directory options, without compiling anything, would I then need to use symlinks?
Install FreeBSD 12 A 7 or later. This comes with OpenSSL 1.0.x
pkg install openssl111-1.1.1_1
ln -s /usr/local/bin/openssl /usr/bin/openssl ?
ln -s /usr/local/include/openssl /usr/include/openssl ?
pkg install unbound-1.8.0 ?
Or do you want me to:
pkg install openssl111-1.1.1_1
unbound > ./configure --with-ssl=dir > make install ?