Bug 61184

Summary: [PATCH] Fix build with LibreSSL in 2.4.26-dev
Product: Apache httpd-2
Reporter: Bernard Spil <brnrd>
Component: mod_ssl
Assignee: Apache HTTPD Bugs Mailing List <bugs>
Severity: normal
CC: admwiggin+bzapache, bz.apache.org
Priority: P2
Keywords: FixedInTrunk, PatchAvailable
Version: 2.4-HEAD   
Target Milestone: ---   
Hardware: PC   
OS: FreeBSD   
Attachments: unified diff for httpd 2.4.26-dev
Build log FreeBSD 11.0-p9
unified diff for httpd 2.4.26-dev
Build log FreeBSD 11.0-p9
unified diff for Apache 2.4.26
Build log FreeBSD 11.0-p9
unified diff for Apache 2.4.26

Description Bernard Spil 2017-06-13 20:07:13 UTC
Created attachment 35052 [details]
unified diff for httpd 2.4.26-dev
Just tried building httpd 2.4.26-dev with LibreSSL and ran into some compile failures. These failures are related to the added OpenSSL 1.1 support in 2.4.26.

LibreSSL defines OPENSSL_VERSION_NUMBER as 0x20000000L whereas it does not implement all post-1.0.1f (point of forking) features. LibreSSL added LIBRESSL_VERSION_NUMBER allowing checks.

Attached patches touch mod_ssl and ab. Adding checks for defined(LIBRESSL_VERSION_NUMBER).

Hope you can still include these in the release.
Bernard Spil
Maintainer of OpenSSL and LibreSSL ports in FreeBSD.
Comment 1 Bernard Spil 2017-06-13 20:38:28 UTC
Created attachment 35053 [details]
Build log FreeBSD 11.0-p9

Poudriere logs on FreeBSD 11.0-p9 with LibreSSL replacing OpenSSL in base.
Comment 2 Bernard Spil 2017-06-13 21:08:10 UTC
Created attachment 35054 [details]
unified diff for httpd 2.4.26-dev

Replacement patches; the earlier ones were incomplete. Those built OK but still produced warnings.
This patch-set stopped all compile warnings.
Comment 3 Bernard Spil 2017-06-13 21:12:59 UTC
Created attachment 35055 [details]
Build log FreeBSD 11.0-p9

Built with the new patch-set.
Comment 4 Stefan Eissing 2017-06-15 11:08:34 UTC
Hmm. This looks ugly. Would it make more sense to re#define Libressl's sense of superiority? Something like

#define OPENSSL_VERSION_NUMBER 0x1000200eL

Or whatever version it currently is closest to? You know better than me.

Regarding the release: what would the impact be if you need to patch that yourself for Debian? I am not sure if we want to restart the already late release only for this. If something else comes up, we can take it in of course.
Comment 5 Stefan Eissing 2017-06-15 11:09:53 UTC
What I meant was

Comment 6 Bernard Spil 2017-06-20 20:13:02 UTC
Created attachment 35062 [details]
unified diff for Apache 2.4.26
Comment 7 Bernard Spil 2017-06-20 20:16:29 UTC
Created attachment 35063 [details]
Build log FreeBSD 11.0-p9

I went through the code more rigorously checking diff between 2.4.25 and 2.4.26 for changes that I needed to tend to. Further to that I verified method availability in LibreSSL 2.5.4.

Please do review this thoroughly!
Comment 8 Bernard Spil 2017-06-23 08:28:37 UTC
Created attachment 35070 [details]
unified diff for Apache 2.4.26

Updated patch for support/ab.c
"next release of LibreSSL (2.6.x) will contain SSL_CTX_set_{min,max}_proto_version() and it is already available in -current." see https://github.com/libressl-portable/openbsd/commit/56f107201baefb5533486d665a58d8f57fd3aeda
Comment 9 Yann Ylavic 2017-06-24 11:36:24 UTC
(In reply to Bernard Spil from comment #8)
> "next release of LibreSSL (2.6.x) will contain
> SSL_CTX_set_{min,max}_proto_version() and it is already available in
> -current."

So wouldn't something like:
    #if defined(LIBRESSL_VERSION_NUMBER) \
or:     && !defined(SSL_CTX_set_min/max_proto_version)
be relevant right now?

Also, instead of:
    #if OPENSSL_VERSION_NUMBER < 0x10100000L \
        || defined(LIBRESSL_VERSION_NUMBER)
all over the place, couldn't we:
    #if OPENSSL_VERSION_NUMBER >= 0x10100000L \
        && !defined(LIBRESSL_VERSION_NUMBER)
    #define MODSSL_HAVE_SSL_1_1_API 1
and test this instead (maybe with a better name)?

Thanks for the patch anyway! I plan to commit it but wanted your/the team's feedback on this change before.
Comment 10 Christian Schmidt 2017-06-29 06:31:59 UTC
I think you also need to change ssl_engine_vars.c lines 117-121.

        md = EVP_get_digestbynid(OBJ_obj2nid(x->sig_alg->algorithm));
        md = EVP_get_digestbynid(X509_get_signature_nid(x));

Otherwise, I get the following error when starting the server:

httpd: Syntax error on line 139 of /usr/local/apache2/conf/httpd.conf: Cannot load modules/mod_ssl.so into server: Error relocating /usr/local/apache2/modules/mod_ssl.so: X509_get_signature_nid: symbol not found
Comment 11 Yann Ylavic 2017-07-29 23:34:16 UTC
Committed to trunk in r1803396 and proposed for backport to 2.4.x.
Comment 12 Yann Ylavic 2017-10-03 12:02:41 UTC
Backported to 2.4.28 in r1807734.