[Bug 61184] New: [PATCH] Fix build with LibreSSL in 2.4.26-dev

[Bug 61184] New: [PATCH] Fix build with LibreSSL in 2.4.26-dev

Bugzilla from bugzilla@apache.org
https://bz.apache.org/bugzilla/show_bug.cgi?id=61184

            Bug ID: 61184
           Summary: [PATCH] Fix build with LibreSSL in 2.4.26-dev
           Product: Apache httpd-2
           Version: 2.4-HEAD
          Hardware: PC
                OS: FreeBSD
            Status: NEW
          Severity: normal
          Priority: P2
         Component: mod_ssl
          Assignee: [hidden email]
          Reporter: [hidden email]
  Target Milestone: ---

Created attachment 35052
  --> https://bz.apache.org/bugzilla/attachment.cgi?id=35052&action=edit
unified diff for httpd 2.4.26-dev

Hi,

Just tried building httpd 2.4.26-dev with LibreSSL and ran into some compile
failures. These failures are related to the added OpenSSL 1.1 support in
2.4.26.

LibreSSL defines OPENSSL_VERSION_NUMBER as 0x20000000L whereas it does not
implement all post-1.0.1f (point of forking) features. LibreSSL added
LIBRESSL_VERSION_NUMBER allowing checks.

Attached patches touch mod_ssl and ab. Adding checks for
defined(LIBRESSL_VERSION_NUMBER).

Hope you can still include these in the release.

Thanks,

Bernard Spil
Maintainer of OpenSSL and LibreSSL ports in FreeBSD.

--
You are receiving this mail because:
You are the assignee for the bug.
---------------------------------------------------------------------
To unsubscribe, e-mail: [hidden email]
For additional commands, e-mail: [hidden email]

[Bug 61184] [PATCH] Fix build with LibreSSL in 2.4.26-dev

Bugzilla from bugzilla@apache.org
https://bz.apache.org/bugzilla/show_bug.cgi?id=61184

William A. Rowe Jr. <[hidden email]> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
           Keywords|                            |PatchAvailable

[Bug 61184] [PATCH] Fix build with LibreSSL in 2.4.26-dev

Bugzilla from bugzilla@apache.org
In reply to this post by Bugzilla from bugzilla@apache.org
https://bz.apache.org/bugzilla/show_bug.cgi?id=61184

--- Comment #1 from Bernard Spil <[hidden email]> ---
Created attachment 35053
  --> https://bz.apache.org/bugzilla/attachment.cgi?id=35053&action=edit
Build log FreeBSD 11.0-p9

Poudriere logs on FreeBSD 11.0-p9 with LibreSSL replacing OpenSSL in base.

[Bug 61184] [PATCH] Fix build with LibreSSL in 2.4.26-dev

Bugzilla from bugzilla@apache.org
In reply to this post by Bugzilla from bugzilla@apache.org
https://bz.apache.org/bugzilla/show_bug.cgi?id=61184

Bernard Spil <[hidden email]> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
  Attachment #35052|0                           |1
        is obsolete|                            |

--- Comment #2 from Bernard Spil <[hidden email]> ---
Created attachment 35054
  --> https://bz.apache.org/bugzilla/attachment.cgi?id=35054&action=edit
unified diff for httpd 2.4.26-dev

Replace patches, were incomplete. Built OK but still warnings.
This patch-set stopped all compile warnings.

[Bug 61184] [PATCH] Fix build with LibreSSL in 2.4.26-dev

Bugzilla from bugzilla@apache.org
In reply to this post by Bugzilla from bugzilla@apache.org
https://bz.apache.org/bugzilla/show_bug.cgi?id=61184

Bernard Spil <[hidden email]> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
  Attachment #35053|0                           |1
        is obsolete|                            |

--- Comment #3 from Bernard Spil <[hidden email]> ---
Created attachment 35055
  --> https://bz.apache.org/bugzilla/attachment.cgi?id=35055&action=edit
Build log FreeBSD 11.0-p9

Built with new patch-set

[Bug 61184] [PATCH] Fix build with LibreSSL in 2.4.26-dev

Bugzilla from bugzilla@apache.org
In reply to this post by Bugzilla from bugzilla@apache.org
https://bz.apache.org/bugzilla/show_bug.cgi?id=61184

--- Comment #4 from Stefan Eissing <[hidden email]> ---
Hmm. This looks ugly. Would it make more sense to re#define Libressl's sense of
superiority? Something like

#if defined(LIBRESSL_VERSION_NUMBER) && LIBRESSL_VERSION_NUMBER >= 0x20000000L
#undef OPENSSL_VERSION_NUMBER
#define OPENSSL_VERSION_NUMBER 0x1000200eL
#endif

Or whatever version it currently is closest to? You know better than me.

Regarding the release: how would the impact be, if you need to patch that
yourself for debian? I am not sure if we want to restart the already late
release only for this. If something else comes up, we can take it in of course.

[Bug 61184] [PATCH] Fix build with LibreSSL in 2.4.26-dev

Bugzilla from bugzilla@apache.org
In reply to this post by Bugzilla from bugzilla@apache.org
https://bz.apache.org/bugzilla/show_bug.cgi?id=61184

--- Comment #5 from Stefan Eissing <[hidden email]> ---
What I mean was

#if defined(LIBRESSL_VERSION_NUMBER) && OPENSSL_VERSION_NUMBER >= 0x20000000L
...

[Bug 61184] [PATCH] Fix build with LibreSSL in 2.4.26-dev

Bugzilla from bugzilla@apache.org
In reply to this post by Bugzilla from bugzilla@apache.org
https://bz.apache.org/bugzilla/show_bug.cgi?id=61184

Bernard Spil <[hidden email]> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
  Attachment #35054|0                           |1
        is obsolete|                            |

--- Comment #6 from Bernard Spil <[hidden email]> ---
Created attachment 35062
  --> https://bz.apache.org/bugzilla/attachment.cgi?id=35062&action=edit
unified diff for Apache 2.4.26

[Bug 61184] [PATCH] Fix build with LibreSSL in 2.4.26-dev

Bugzilla from bugzilla@apache.org
In reply to this post by Bugzilla from bugzilla@apache.org
https://bz.apache.org/bugzilla/show_bug.cgi?id=61184

Bernard Spil <[hidden email]> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
  Attachment #35055|0                           |1
        is obsolete|                            |

--- Comment #7 from Bernard Spil <[hidden email]> ---
Created attachment 35063
  --> https://bz.apache.org/bugzilla/attachment.cgi?id=35063&action=edit
Build log FreeBSD 11.0-p9

I went through the code more rigorously checking diff between 2.4.25 and 2.4.26
for changes that I needed to tend to. Further to that I verified method
availability in LibreSSL 2.5.4.

Please do review this thoroughly!

Thanks,

Bernard.

[Bug 61184] [PATCH] Fix build with LibreSSL in 2.4.26-dev

Bugzilla from bugzilla@apache.org
In reply to this post by Bugzilla from bugzilla@apache.org
https://bz.apache.org/bugzilla/show_bug.cgi?id=61184

Bernard Spil <[hidden email]> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
  Attachment #35062|0                           |1
        is obsolete|                            |

--- Comment #8 from Bernard Spil <[hidden email]> ---
Created attachment 35070
  --> https://bz.apache.org/bugzilla/attachment.cgi?id=35070&action=edit
unified diff for Apache 2.4.26

Updated patch for support/ab.c
"next release of LibreSSL (2.6.x) will contain
SSL_CTX_set_{min,max}_proto_version() and it is already available in -current."
see
https://github.com/libressl-portable/openbsd/commit/56f107201baefb5533486d665a58d8f57fd3aeda

[Bug 61184] [PATCH] Fix build with LibreSSL in 2.4.26-dev

Bugzilla from bugzilla@apache.org
In reply to this post by Bugzilla from bugzilla@apache.org
https://bz.apache.org/bugzilla/show_bug.cgi?id=61184

--- Comment #9 from Yann Ylavic <[hidden email]> ---
(In reply to Bernard Spil from comment #8)
>
> "next release of LibreSSL (2.6.x) will contain
> SSL_CTX_set_{min,max}_proto_version() and it is already available in
> -current."

So wouldn't something like:
    #if defined(LIBRESSL_VERSION_NUMBER) \
        && !defined(SSL_CTRL_SET_MIN/MAX_PROTO_VERSION)
or:     && !defined(SSL_CTX_set_min/max_proto_version)
be relevant right now?

Also, instead of:
    #if OPENSSL_VERSION_NUMBER < 0x10100000L \
        || defined(LIBRESSL_VERSION_NUMBER)
all over the place, couldn't we:
    #if OPENSSL_VERSION_NUMBER >= 0x10100000L \
        && !defined(LIBRESSL_VERSION_NUMBER)
    #define MODSSL_HAVE_SSL_1_1_API 1
    #endif
and test this instead (maybe with a better name)?


Thanks for the patch anyway! I plan to commit it but wanted your/team's
feedback on this change before.

[Bug 61184] [PATCH] Fix build with LibreSSL in 2.4.26-dev

Bugzilla from bugzilla@apache.org
In reply to this post by Bugzilla from bugzilla@apache.org
https://bz.apache.org/bugzilla/show_bug.cgi?id=61184

--- Comment #10 from Christian Schmidt <[hidden email]> ---
I think you also need to change ssl_engine_vars.c line 117-121.

#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)
        md = EVP_get_digestbynid(OBJ_obj2nid(x->sig_alg->algorithm));
#else
        md = EVP_get_digestbynid(X509_get_signature_nid(x));
#endif


Otherwise, I get the following error when starting the server:

httpd: Syntax error on line 139 of /usr/local/apache2/conf/httpd.conf: Cannot
load modules/mod_ssl.so into server: Error relocating
/usr/local/apache2/modules/mod_ssl.so: X509_get_signature_nid: symbol not found


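Added example, not part of the thread or of the httpd source: the version gate discussed in the report and in comments #9 and #10, compiled against constructed stand-ins for LibreSSL's headers so that it builds without any TLS library installed. The mock_* types, NAIVE_HAVE_SSL_1_1_API, the helper function names and the nid value 42 are assumptions made for the illustration; MODSSL_HAVE_SSL_1_1_API is the name floated in comment #9.

```c
#include <stdio.h>

/* Constructed stand-ins for what LibreSSL's <openssl/opensslv.h> defines.
 * 0x20000000L is the value quoted in the report; the LIBRESSL value is a
 * placeholder, because the gates below only test whether it is defined. */
#define OPENSSL_VERSION_NUMBER  0x20000000L
#define LIBRESSL_VERSION_NUMBER 1L

/* Version-only gate: passes for LibreSSL although the 1.1 API is absent. */
#if OPENSSL_VERSION_NUMBER >= 0x10100000L
#define NAIVE_HAVE_SSL_1_1_API 1   /* hypothetical name */
#else
#define NAIVE_HAVE_SSL_1_1_API 0
#endif

/* Single gate in the form proposed in comment #9, defined to 0 or 1 here. */
#if OPENSSL_VERSION_NUMBER >= 0x10100000L && !defined(LIBRESSL_VERSION_NUMBER)
#define MODSSL_HAVE_SSL_1_1_API 1
#else
#define MODSSL_HAVE_SSL_1_1_API 0
#endif

/* Mock certificate types (constructed); only the field path matters. */
struct mock_algor { int nid; };
struct mock_x509  { struct mock_algor *sig_alg; };

/* Call site shaped like the ssl_engine_vars.c hunk from comment #10. */
int cert_signature_nid(const struct mock_x509 *x)
{
#if MODSSL_HAVE_SSL_1_1_API
    return mock_X509_get_signature_nid(x);  /* accessor only a 1.1 library exports */
#else
    return x->sig_alg->nid;                 /* pre-1.1 direct struct access */
#endif
}

int naive_gate(void)  { return NAIVE_HAVE_SSL_1_1_API; }
int modssl_gate(void) { return MODSSL_HAVE_SSL_1_1_API; }

/* Builds a constructed certificate (nid 42 is a made-up value) and reads it. */
int sample_cert_nid(void)
{
    struct mock_algor alg = { 42 };
    struct mock_x509 cert = { &alg };
    return cert_signature_nid(&cert);
}

int main(void)
{
    printf("naive gate=%d, combined gate=%d, nid=%d\n",
           naive_gate(), modssl_gate(), sample_cert_nid());
    return 0;
}
```

With the version-only gate the call site would reference the 1.1 accessor, which is the situation behind the "symbol not found" error quoted in comment #10; the combined gate keeps the struct-access branch.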

[Bug 61184] [PATCH] Fix build with LibreSSL in 2.4.26-dev

Bugzilla from bugzilla@apache.org
In reply to this post by Bugzilla from bugzilla@apache.org
https://bz.apache.org/bugzilla/show_bug.cgi?id=61184

Christian Schmidt <[hidden email]> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |[hidden email]

[Bug 61184] [PATCH] Fix build with LibreSSL in 2.4.26-dev

Bugzilla from bugzilla@apache.org
In reply to this post by Bugzilla from bugzilla@apache.org
https://bz.apache.org/bugzilla/show_bug.cgi?id=61184

Tianon <[hidden email]> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |[hidden email]

[Bug 61184] [PATCH] Fix build with LibreSSL in 2.4.26-dev

Bugzilla from bugzilla@apache.org
In reply to this post by Bugzilla from bugzilla@apache.org
https://bz.apache.org/bugzilla/show_bug.cgi?id=61184

Yann Ylavic <[hidden email]> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
           Keywords|                            |FixedInTrunk

--- Comment #11 from Yann Ylavic <[hidden email]> ---
Committed to trunk in r1803396 and proposed for backport to 2.4.x.

[Bug 61184] [PATCH] Fix build with LibreSSL in 2.4.26-dev

Bugzilla from bugzilla@apache.org
In reply to this post by Bugzilla from bugzilla@apache.org
https://bz.apache.org/bugzilla/show_bug.cgi?id=61184

Yann Ylavic <[hidden email]> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
         Resolution|---                         |FIXED
             Status|NEW                         |RESOLVED

--- Comment #12 from Yann Ylavic <[hidden email]> ---
Backported to 2.4.28 in r1807734.
