
FS#64050 - [openntpd] build against libressl

Attached to Project: Community Packages
Opened by nl6720 (nl6720) - Monday, 07 October 2019, 09:56 GMT
Last edited by David Runge (dvzrv) - Sunday, 03 November 2019, 11:28 GMT
Task Type: Feature Request
Category: Packages
Status: Assigned
Assigned To: Levente Polyak (anthraxx)
Architecture: All
Severity: Low
Priority: Normal
Reported Version:
Due in Version: Undecided
Due Date: Undecided
Percent Complete: 0%
Votes: 5
Private: No

Details

Description:
OpenNTPD's "constraint" feature requires it to be built against LibreSSL.
Since libressl will be moved to community (at the time of writing it is in community-testing), please build openntpd against libressl.


Additional info:
* package version(s)
* config and/or log files etc.
* link to upstream bug report, if any
openntpd 6.2p3-3


Steps to reproduce:
https://jlk.fjfi.cvut.cz/arch/manpages/man/ntpd.conf.5#CONSTRAINTS

Comment by mysta (mysta) - Sunday, 24 May 2020, 15:19 GMT
Anyone still considering this?

The default ntpd.conf in the Arch package uses the "constraints" feature, but it doesn't work with OpenSSL.
Comment by Pekka Helenius (Fincer) - Saturday, 15 August 2020, 10:09 GMT
This is a valid bug.

Correct CFLAGS for LibreSSL support on Arch Linux systems are (PKGBUILD's build() section):

CFLAGS+=' -fcommon -L/usr/lib/libressl/ -Wl,-rpath,/usr/lib/libressl/'

Obviously, the 'openssl' dependency should be replaced with 'libressl'.

Unfortunately, another issue may still arise in the certificate validation process during constraint checks: the OpenBSD kernel implements the functions 'unveil' and 'pledge', which are used in OpenNTPD to ease the very strict daemon process permissions. Since Linux does not have such functions, the easing of permissions does not happen. However, this is still required for reading the certificate file (/etc/ssl/cert.pem), needed by OpenNTPD constraint checks. Ultimately, reading the certificate file fails on Linux systems because the needed (read) permissions could not be altered (due to missing kernel functionality/OpenNTPD code implementation), and therefore constraint checks fail even if OpenNTPD is successfully linked against the LibreSSL library.

--------------------

I have implemented experimental OpenSSL support in OpenNTPD, and circumvented the failed CA checks. For details, see:

https://github.com/Fincer/openntpd-openssl

Short blog post: https://fjordtek.com/categories/news/2020/openntpd-now-with-openssl-support/
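As an added check for the situation this thread describes (not code from the original report, from OpenNTPD, or from the Arch package): parse ntpd.conf for constraint directives and the ntpd binary's ldd output for libtls, and flag a configuration that declares constraints the binary cannot enforce. It assumes that constraint support exists only in builds linked against LibreSSL's libtls; the ntpd.conf snippet and the two ldd listings are constructed samples, and ldd_of is a hypothetical helper for running the same check against a real installed binary.

```python
"""Check whether an OpenNTPD install can actually honour the constraint
directives in its ntpd.conf.

Added example for this bug report; it is not code from OpenNTPD or the
Arch package. Assumption: OpenNTPD's constraint code is only built when
linked against LibreSSL's libtls, so an ntpd binary whose dynamic
dependencies contain no libtls cannot enforce the constraints its config
declares. The config and ldd output below are constructed samples.
"""
import re
import subprocess

# Constructed ntpd.conf modelled on the Arch default (not the real file).
SAMPLE_CONF = """\
servers pool.ntp.org
#constraint from "https://example.invalid"   # commented out: must be ignored
constraints from "https://www.google.com"
constraint from "9.9.9.9"
"""

# Constructed ldd output for an ntpd linked against OpenSSL 1.1 (no libtls).
LDD_OPENSSL = """\
\tlinux-vdso.so.1 (0x00007ffc1a3f0000)
\tlibssl.so.1.1 => /usr/lib/libssl.so.1.1 (0x00007f2b4c200000)
\tlibcrypto.so.1.1 => /usr/lib/libcrypto.so.1.1 (0x00007f2b4bf00000)
\tlibc.so.6 => /usr/lib/libc.so.6 (0x00007f2b4bd00000)
"""

# Constructed ldd output for an ntpd linked against LibreSSL via -rpath.
LDD_LIBRESSL = """\
\tlinux-vdso.so.1 (0x00007ffc1a3f0000)
\tlibtls.so.20 => /usr/lib/libressl/libtls.so.20 (0x00007f2b4c400000)
\tlibssl.so.48 => /usr/lib/libressl/libssl.so.48 (0x00007f2b4c200000)
\tlibcrypto.so.46 => /usr/lib/libressl/libcrypto.so.46 (0x00007f2b4bf00000)
\tlibc.so.6 => /usr/lib/libc.so.6 (0x00007f2b4bd00000)
"""

# Matches "constraint from X" and "constraints from X" (ntpd.conf(5) CONSTRAINTS).
CONSTRAINT_RE = re.compile(r"^\s*constraints?\s+from\s+(\S+)", re.IGNORECASE)


def constraint_sources(conf_text):
    """Return the URL/host of every active constraint directive in ntpd.conf."""
    sources = []
    for line in conf_text.splitlines():
        line = line.split("#", 1)[0]          # drop comments, incl. whole-line ones
        m = CONSTRAINT_RE.match(line)
        if m:
            sources.append(m.group(1).strip('"'))
    return sources


def linked_libs(ldd_output):
    """Return the sonames listed as '<soname> => <path>' in ldd output."""
    return [line.split("=>", 1)[0].strip()
            for line in ldd_output.splitlines() if "=>" in line]


def has_libtls(libs):
    """True if LibreSSL's libtls is among the resolved dependencies."""
    return any(name.startswith("libtls.so") for name in libs)


def constraint_status(conf_text, ldd_output):
    """Combine config and linkage into a verdict.

    'enforced' is True only when constraints are configured AND the binary
    links libtls; 'misleading' flags a config that promises constraint
    checks a non-libtls binary can never perform.
    """
    sources = constraint_sources(conf_text)
    libtls = has_libtls(linked_libs(ldd_output))
    return {
        "constraints": sources,
        "libtls": libtls,
        "enforced": bool(sources) and libtls,
        "misleading": bool(sources) and not libtls,
    }


def ldd_of(binary):
    """Hypothetical real-system helper: capture ldd output for an installed ntpd."""
    return subprocess.run(["ldd", binary], capture_output=True,
                          text=True, check=True).stdout


if __name__ == "__main__":
    for label, ldd_out in (("openssl build", LDD_OPENSSL),
                           ("libressl build", LDD_LIBRESSL)):
        print(label, constraint_status(SAMPLE_CONF, ldd_out))
```

On a real system, feed `open("/etc/ntpd.conf").read()` and `ldd_of("/usr/bin/ntpd")` to `constraint_status`; a "misleading" verdict means the shipped config claims HTTPS-based time constraints that the installed binary silently cannot perform.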
Comment by mysta (mysta) - Saturday, 15 August 2020, 14:29 GMT
It may be worth asking the OpenNTPD portable maintainer (Brent Cook) about a newer release. The code in OpenBSD has changed significantly since the last portable release. The situation you describe may be better or may need a different workaround now.
Comment by Pekka Helenius (Fincer) - Saturday, 15 August 2020, 15:05 GMT
Yeah, might be worth it. The code has changed in some parts, I agree.

OpenNTPD's internal code structure (src/constraint.c) has never had an implementation for OpenSSL, so the Arch Linux openssl dependency is simply misleading and invalid.

If the certificate read permission issue I mentioned is valid on Linux, I think it is something Brent Cook might have a word about, and an actual solution.

My PKGBUILD (in the GitHub repo linked above) fetches and compiles git sources for the portable OpenNTPD version. If you want to use the latest official portable OpenNTPD version but without my patches, just delete all my patch stuff in the PKGBUILD, delete the #commit hash from the source array and compile OpenNTPD using the LibreSSL CFLAGS mentioned above, and it should be ok.
