Forum

OpenBSD -current recently updated mbedtls to the version 2.7 and hiawatha doesn't build with this version.

/usr/obj/ports/hiawatha-10.7/bin/cc  -I. -I/usr/local/include/libxml2 -I/usr/local/include -O2 -Wall -Wextra -O2 -pipe -g -DNDEBUG -MD -MT CMakeFiles/hiawatha.dir/src/tls.c.o -MF CMakeFiles/hiawatha.dir/src/tls.c.o.d -o CMakeFiles/hiawatha.dir/src/tls.c.o   -c /usr/obj/ports/hiawatha-10.7/hiawatha-10.7/src/tls.c
/usr/obj/ports/hiawatha-10.7/hiawatha-10.7/src/tls.c:348:42: error: use of undeclared identifier 'MBEDTLS_DHM_RFC5114_MODP_2048_P'
                mbedtls_ssl_conf_dh_param(*tls_config, MBEDTLS_DHM_RFC5114_MODP_2048_P, MBEDTLS_DHM_RFC5114_MODP_2048_G);

I've changed the port to use the version bundled with hiawatha but I would prefer to use the system lib.

mbedtls 2.7 has deprecated Diffie-Hellman groups from RFC 5114 in https://github.com/ARMmbed/mbedtls/commit/0e6dc84f3ec1e67a93dc3221ccd605da79589da4#diff-12e227586f72d7fc03d416921e47b43a

Replacing DH groups from RFC5114 by those in RFC3526 makes hiawatha build again. Disclaimer: I do not understand DH, as such I'm not sure that it is a good solution. For reference purposes:

--- src/tls.c.orig
+++ src/tls.c
@@ -345,7 +345,7 @@ int tls_set_config(mbedtls_ssl_config **tls_config, t_
 	mbedtls_ssl_conf_own_cert(*tls_config, tls_setup->certificate, tls_setup->private_key);
 
 	if (tls_setup->dh_size == 2048) {
-		mbedtls_ssl_conf_dh_param(*tls_config, MBEDTLS_DHM_RFC5114_MODP_2048_P, MBEDTLS_DHM_RFC5114_MODP_2048_G);
+		mbedtls_ssl_conf_dh_param(*tls_config, MBEDTLS_DHM_RFC3526_MODP_2048_P, MBEDTLS_DHM_RFC3526_MODP_2048_G);
 	} else if (tls_setup->dh_size == 4096) {
 		mbedtls_ssl_conf_dh_param(*tls_config, dhm_4096_P, dhm_4096_G);
 	} else if (tls_setup->dh_size == 8192) {

Thanks for reporting this issue. I was already aware of it and changed it for the next release.