Created attachment 35052
unified diff for httpd 2.4.26-dev

Hi,

Just tried building httpd 2.4.26-dev with LibreSSL and ran into some compile failures. These failures are related to the added OpenSSL 1.1 support in 2.4.26. LibreSSL defines OPENSSL_VERSION_NUMBER as 0x20000000L whereas it does not implement all post-1.0.1f (point of forking) features. LibreSSL added LIBRESSL_VERSION_NUMBER allowing checks.

Attached patches touch mod_ssl and ab, adding checks for defined(LIBRESSL_VERSION_NUMBER). Hope you can still include these in the release.

Thanks,
Bernard Spil
Maintainer of OpenSSL and LibreSSL ports in FreeBSD.
Created attachment 35053
Build log FreeBSD 11.0-p9

Poudriere logs on FreeBSD 11.0-p9 with LibreSSL replacing OpenSSL in base.
Created attachment 35054
unified diff for httpd 2.4.26-dev

Replaces the previous patches, which were incomplete. Built OK but there were still warnings. This patch-set stopped all compile warnings.
Created attachment 35055
Build log FreeBSD 11.0-p9

Built with the new patch-set.
Hmm. This looks ugly. Would it make more sense to re#define LibreSSL's sense of superiority? Something like:

    #if defined(LIBRESSL_VERSION_NUMBER) && LIBRESSL_VERSION_NUMBER >= 0x20000000L
    #undef OPENSSL_VERSION_NUMBER
    #define OPENSSL_VERSION_NUMBER 0x1000200eL
    #endif

Or whatever version it currently is closest to? You know better than me.

Regarding the release: what would the impact be if you need to patch that yourself for Debian? I am not sure if we want to restart the already late release only for this. If something else comes up, we can take it in of course.
What I meant was:

    #if defined(LIBRESSL_VERSION_NUMBER) && OPENSSL_VERSION_NUMBER >= 0x20000000L
    ...
Created attachment 35062
unified diff for Apache 2.4.26
Created attachment 35063
Build log FreeBSD 11.0-p9

I went through the code more rigorously, checking the diff between 2.4.25 and 2.4.26 for changes that I needed to tend to. Further to that I verified method availability in LibreSSL 2.5.4.

Please do review this thoroughly!

Thanks,
Bernard.
Created attachment 35070
unified diff for Apache 2.4.26

Updated patch for support/ab.c.

"next release of LibreSSL (2.6.x) will contain SSL_CTX_set_{min,max}_proto_version() and it is already available in -current."

See https://github.com/libressl-portable/openbsd/commit/56f107201baefb5533486d665a58d8f57fd3aeda
(In reply to Bernard Spil from comment #8)
> "next release of LibreSSL (2.6.x) will contain
> SSL_CTX_set_{min,max}_proto_version() and it is already available in
> -current."

So wouldn't something like:

    #if defined(LIBRESSL_VERSION_NUMBER) \
        && !defined(SSL_CTRL_SET_MIN/MAX_PROTO_VERSION)

or:

        && !defined(SSL_CTX_set_min/max_proto_version)

be relevant right now?

Also, instead of:

    #if OPENSSL_VERSION_NUMBER < 0x10100000L \
        || defined(LIBRESSL_VERSION_NUMBER)

all over the place, couldn't we:

    #if OPENSSL_VERSION_NUMBER >= 0x10100000L \
        && !defined(LIBRESSL_VERSION_NUMBER)
    #define MODSSL_HAVE_SSL_1_1_API 1
    #endif

and test this instead (maybe with a better name)?

Thanks for the patch anyway! I plan to commit it but wanted your/the team's feedback on this change before.
I think you also need to change ssl_engine_vars.c lines 117-121:

    #if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)
        md = EVP_get_digestbynid(OBJ_obj2nid(x->sig_alg->algorithm));
    #else
        md = EVP_get_digestbynid(X509_get_signature_nid(x));
    #endif

Otherwise, I get the following error when starting the server:

    httpd: Syntax error on line 139 of /usr/local/apache2/conf/httpd.conf: Cannot load modules/mod_ssl.so into server: Error relocating /usr/local/apache2/modules/mod_ssl.so: X509_get_signature_nid: symbol not found
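As an added example (not code from the httpd patch or from any of the commenters), the single feature macro proposed in comment 9, placed beside the bare version test that the guard in comment 10's ssl_engine_vars.c fix replaces. It compiles without OpenSSL headers: the OPENSSL_VERSION_NUMBER and LIBRESSL_VERSION_NUMBER values are constructed stand-ins for what <openssl/opensslv.h> defines under LibreSSL 2.5.x, and the function names are hypothetical.

```c
/* Constructed stand-ins for <openssl/opensslv.h> when building against
 * LibreSSL 2.5.x: the version number is 0x20000000L even though the 1.1
 * accessors are not present. */
#define OPENSSL_VERSION_NUMBER  0x20000000L   /* constructed: LibreSSL's value */
#define LIBRESSL_VERSION_NUMBER 0x2050400fL   /* constructed: LibreSSL 2.5.4 */

/* Decide once which API generation we compile against; every other #if in
 * the code base (e.g. the sig_alg block in ssl_engine_vars.c) then tests
 * this macro instead of repeating the version/LibreSSL combination. */
#if OPENSSL_VERSION_NUMBER >= 0x10100000L && !defined(LIBRESSL_VERSION_NUMBER)
#define MODSSL_HAVE_SSL_1_1_API 1
#else
#define MODSSL_HAVE_SSL_1_1_API 0
#endif

/* Compile-time result exposed for testing: 0 for this LibreSSL build,
 * so the x->sig_alg->algorithm path is selected. */
int modssl_compiled_have_ssl_1_1_api(void)
{
    return MODSSL_HAVE_SSL_1_1_API;
}

/* Run-time mirror of the same rule, so several toolchains can be checked
 * in one binary; libressl_defined stands for defined(LIBRESSL_VERSION_NUMBER). */
int modssl_have_ssl_1_1_api(long openssl_version_number, int libressl_defined)
{
    return openssl_version_number >= 0x10100000L && !libressl_defined;
}

/* The version-only check: LibreSSL's 0x20000000L passes it, so the build
 * reaches for X509_get_signature_nid() and the other 1.1 accessors that
 * the linker then reports as "symbol not found" at module load. */
int naive_have_ssl_1_1_api(long openssl_version_number)
{
    return openssl_version_number >= 0x10100000L;
}
```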
Committed to trunk in r1803396 and proposed for backport to 2.4.x.
Backported to 2.4.28 in r1807734.