authorMatthias Andree <mandree@FreeBSD.org>2019-11-01 11:54:44 +0000
committerMatthias Andree <mandree@FreeBSD.org>2019-11-01 11:54:44 +0000
commit81f5b95e4b93ca636e758d2d7ffe27fd492fff24 (patch)
treefdf3b7e0cd880bb9579a02271a423a4287358a71 /security/openvpn/files
parent2cee2f3e1371896b3afcd33e4f222557a50455dd (diff)
security/openvpn[-mbedtls] upstream update to OpenVPN 2.4.8
This upstream release integrated two FreeBSD patches by Kyle Evans and me, which are herewith dropped from the port. Upstream release banner "This is primarily a maintenance release with minor bugfixes and improvements." High-level changes: <https://github.com/OpenVPN/openvpn/blob/release/2.4/Changes.rst#version-248> Manually filtered FreeBSD-related excerpt from Git log: v2.4.7..v2.4.8: - mbedtls: fix segfault by calling mbedtls_cipher_free() in cipher_ctx_free() [Antonio Quartulli] - openssl: Fix compilation without deprecated OpenSSL 1.1 APIs [Rosen Penev] - Force combinationation of --socks-proxy and --proto UDP to use IPv4. [Gert Doering] - Ignore --pull-filter for --mode server [Richard Bonhomme] - Fix typo in NTLM proxy debug message [Mykola Baibuz] - tests/t_lpback.sh: Switch sed(1) to POSIX-compatible regex. [Kyle Evans] - Handle PSS padding in cryptoapicert [Selva Nair] - Fix regression, reinstate LibreSSL support. [Matthias Andree] - Increase listen() backlog queue to 32 [Gert Doering] - Wrong FILETYPE in .rc files [Gisle Vanem] - Do not set pkcs11-helper 'safe fork mode' [Hilko Bengen] - man: correct the description of --capath and --crl-verify regarding CRLs [Michal Soltys] - Fix various compiler warnings [Lev Stipakov] - build: Package missing mock_msg.h [David Sommerseth] - cmocka: use relative paths [Steffan Karger] - docs: Update INSTALL [David Sommerseth] - Better error message when script fails due to script-security setting [Selva Nair] - Fix documentation of tls-verify script argument [Thomas Quinot] Detailed changes: <https://community.openvpn.net/openvpn/wiki/ChangesInOpenvpn24#OpenVPN2.4.8> Build tests in poudriere and in a live system succeeded on: 11.2-RELEASE 1102000 arm64.aarch64 11.2-RELEASE 1102000 mips.mips64 11.2-RELEASE-p14 i386 11.3-RELEASE-p3 amd64 12.0-RELEASE-p10 i386 12.0-RELEASE-p6 amd64 12.0-RELEASE-p10 amd64 (live) MFH: 2019Q4
Notes
Notes: svn path=/head/; revision=516218
Diffstat (limited to 'security/openvpn/files')
-rw-r--r--security/openvpn/files/patch-libressl66
-rw-r--r--security/openvpn/files/patch-tests_t__lpback.sh11
2 files changed, 0 insertions, 77 deletions
diff --git a/security/openvpn/files/patch-libressl b/security/openvpn/files/patch-libressl
deleted file mode 100644
index d8f9e35cbcdb..000000000000
--- a/security/openvpn/files/patch-libressl
+++ /dev/null
@@ -1,66 +0,0 @@
-commit 5bc848a02665f26e83e5dbe8f4ef95f55e5e19bd
-Author: Matthias Andree <matthias.andree@gmx.de>
-Date: Mon Aug 12 23:37:52 2019 +0200
-
- Fix regression, reinstate LibreSSL support.
-
- OpenVPN 2.4.6 could be compiled with LibreSSL, 2.4.7 cannot. This was broken
- since 9de7fe0a "Add support for tls-ciphersuites for TLS 1.3".
-
- This patch avoids using TLS 1.3 directly, be it that OpenSSL was compiled
- without TLS 1.3 support, or LibreSSL was used.
-
- This patch was based on an OpenBSD patch by
- Jeremie Courreges-Anglas <jca@openbsd.org>, see
- https://cvsweb.openbsd.org/cgi-bin/cvsweb/ports/net/openvpn/patches/patch-src_openvpn_ssl_openssl_c
- but was revised to be more obvious and check actual feature macros,
- do not rely on current LibreSSL implementation details alone.
-
- Franco Fichtner reports that OPNsense has been a long-time user
- of LibreSSL without reported breakage, see also:
- https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=238382#c10
-
- Signed-off-by: Matthias Andree <matthias.andree@gmx.de>
-
-diff --git a/src/openvpn/ssl_openssl.c b/src/openvpn/ssl_openssl.c
-index a78dae99..293bb192 100644
---- ./src/openvpn/ssl_openssl.c
-+++ ./src/openvpn/ssl_openssl.c
-@@ -206,7 +206,7 @@ info_callback(INFO_CALLBACK_SSL_CONST SSL *s, int where, int ret)
- int
- tls_version_max(void)
- {
--#if defined(TLS1_3_VERSION)
-+#if defined(TLS1_3_VERSION) && !defined(OPENSSL_NO_TLS1_3)
- return TLS_VER_1_3;
- #elif defined(TLS1_2_VERSION) || defined(SSL_OP_NO_TLSv1_2)
- return TLS_VER_1_2;
-@@ -233,7 +233,7 @@ openssl_tls_version(int ver)
- {
- return TLS1_2_VERSION;
- }
--#if defined(TLS1_3_VERSION)
-+#if defined(TLS1_3_VERSION) && !defined(OPENSSL_NO_TLS1_3)
- else if (ver == TLS_VER_1_3)
- {
- return TLS1_3_VERSION;
-@@ -459,8 +459,8 @@ tls_ctx_restrict_ciphers_tls13(struct tls_root_ctx *ctx, const char *ciphers)
- return;
- }
-
--#if (OPENSSL_VERSION_NUMBER < 0x1010100fL)
-- crypto_msg(M_WARN, "Not compiled with OpenSSL 1.1.1 or higher. "
-+#if (OPENSSL_VERSION_NUMBER < 0x1010100fL) || !defined(TLS1_3_VERSION) || defined(OPENSSL_NO_TLS1_3)
-+ crypto_msg(M_WARN, "Not compiled with OpenSSL 1.1.1 or higher, or without TLS 1.3 support. "
- "Ignoring TLS 1.3 only tls-ciphersuites '%s' setting.",
- ciphers);
- #else
-@@ -1846,7 +1846,7 @@ show_available_tls_ciphers_list(const char *cipher_list,
- crypto_msg(M_FATAL, "Cannot create SSL_CTX object");
- }
-
--#if (OPENSSL_VERSION_NUMBER >= 0x1010100fL)
-+#if (OPENSSL_VERSION_NUMBER >= 0x1010100fL) && defined(TLS1_3_VERSION) && !defined(OPENSSL_NO_TLS1_3)
- if (tls13)
- {
- SSL_CTX_set_min_proto_version(tls_ctx.ctx, TLS1_3_VERSION);
diff --git a/security/openvpn/files/patch-tests_t__lpback.sh b/security/openvpn/files/patch-tests_t__lpback.sh
deleted file mode 100644
index c92fb42135f3..000000000000
--- a/security/openvpn/files/patch-tests_t__lpback.sh
+++ /dev/null
@@ -1,11 +0,0 @@
---- tests/t_lpback.sh.orig 2019-09-03 13:22:50 UTC
-+++ tests/t_lpback.sh
-@@ -26,7 +26,7 @@ trap "rm -f key.$$ tc-server-key.$$ tc-client-key.$$ l
-
- # Get list of supported ciphers from openvpn --show-ciphers output
- CIPHERS=$(${top_builddir}/src/openvpn/openvpn --show-ciphers | \
-- sed -e '/The following/,/^$/d' -e s'/ .*//' -e '/^\s*$/d')
-+ sed -e '/The following/,/^$/d' -e s'/ .*//' -e '/^[[:space:]]*$/d')
-
- # SK, 2014-06-04: currently the DES-EDE3-CFB1 implementation of OpenSSL is
- # broken (see http://rt.openssl.org/Ticket/Display.html?id=2867), so exclude