Building with OpenSSL libraries that have OPENSSL_NO_ENGINE set in openssl/opensslconf.h fails.

> --- ssl_engine_config.slo ---
> ssl_engine_config.c:618:13: warning: call to undeclared function 'ENGINE_get_first'; ISO C99 and later do not support implicit function declarations [-Wimplicit-function-declaration]
>         e = ENGINE_get_first();
>             ^
> ssl_engine_config.c:618:11: error: incompatible integer to pointer conversion assigning to 'ENGINE *' (aka 'struct engine_st *') from 'int' [-Wint-conversion]
>         e = ENGINE_get_first();
>           ^ ~~~~~~~~~~~~~~~~~~
> ssl_engine_config.c:624:17: warning: call to undeclared function 'ENGINE_get_next'; ISO C99 and later do not support implicit function declarations [-Wimplicit-function-declaration]
>             e = ENGINE_get_next(e);
>                 ^
> ssl_engine_config.c:624:15: error: incompatible integer to pointer conversion assigning to 'ENGINE *' (aka 'struct engine_st *') from 'int' [-Wint-conversion]
>             e = ENGINE_get_next(e);
>               ^ ~~~~~~~~~~~~~~~~~~
> 2 warnings and 2 errors generated.

Full build log https://brnrd.eu/poudriere/data/140libre-default/2023-11-04_19h07m11s/logs/errors/apache24-2.4.58_1.log

Apache 2.4.58
FreeBSD 14.0-RC4
LibreSSL 3.8.2
apr 1.7.3
apr-utils 1.6.3
clang version 16.0.6
autoconf 2.71

Context from https://ftp.openbsd.org/pub/OpenBSD/LibreSSL/libressl-3.8.1-relnotes.txt

> - ENGINE support was removed and OPENSSL_NO_ENGINE is set. In spite
> of this, some stub functions are provided to avoid patching some
> applications that do not honor OPENSSL_NO_ENGINE.

which unfortunately fails.

Workaround is to set ac_cv_func_ENGINE_init=no in configure environment, see https://cvsweb.openbsd.org/cgi-bin/cvsweb/~checkout~/ports/www/apache-httpd/Makefile?rev=1.126.2.2&content-type=text/plain
Created attachment 39346
unified diff for acinclude.m4

Check for OPENSSL_NO_ENGINE flag before running other engine checks in autoconf.

tested with
* LibreSSL 3.8.2
* OpenSSL 3.0.12 `Configure enable-engine`
* OpenSSL 3.0.12 `Configure disable-engine` (sets OPENSSL_NO_ENGINE)
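As an added illustration (not the attached diff, and not httpd's own acinclude.m4), this is one way to gate the ENGINE probes in autoconf on OPENSSL_NO_ENGINE: compile a tiny program against opensslconf.h that deliberately fails when the macro is absent, and only run the header/function checks when the library still has ENGINE support. The cache variable name ap_cv_openssl_no_engine is an assumption chosen for the example.

```m4
dnl Added example: detect OPENSSL_NO_ENGINE before probing ENGINE_* symbols.
dnl Assumes CPPFLAGS already point at the OpenSSL/LibreSSL headers in use.
AC_CACHE_CHECK([whether OpenSSL was built without ENGINE support],
               [ap_cv_openssl_no_engine], [
  AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[
#include <openssl/opensslconf.h>
#ifndef OPENSSL_NO_ENGINE
#error "ENGINE support is present"
#endif
  ]], [[]])],
  [ap_cv_openssl_no_engine=yes],
  [ap_cv_openssl_no_engine=no])
])

dnl Only look for the ENGINE API when the library did not opt out of it.
dnl LibreSSL 3.8 ships link-time stubs, so AC_CHECK_FUNCS alone would
dnl wrongly report ENGINE_init as available; the macro check above is what
dnl keeps the stubs from being picked up.
if test "$ap_cv_openssl_no_engine" = "no"; then
  AC_CHECK_HEADERS([openssl/engine.h])
  AC_CHECK_FUNCS([ENGINE_init ENGINE_load_builtin_engines])
else
  AC_MSG_NOTICE([skipping ENGINE checks: OPENSSL_NO_ENGINE is defined])
fi
```

Pre-seeding ac_cv_func_ENGINE_init=no in configure's environment, as the OpenBSD port does, short-circuits the same AC_CHECK_FUNCS probe without touching acinclude.m4, because autoconf honours an already-set cache variable and skips the test.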
Created attachment 39349
Unset MODSSL_HAVE_ENGINE_API for OPENSSL_NO_ENGINE

I'm wondering if we still want to allow for "SSLCryptoDevice builtin" when OPENSSL_NO_ENGINE is set. I don't know how much this setting is used nor if we should care, but given that "builtin" is the same as no SSLCryptoDevice maybe we could still let httpd start even if it's built against openssl >= 3 or OPENSSL_NO_ENGINE.

The ENGINE api is deprecated in openssl >= 3 so in r1908537 we defined/used MODSSL_HAVE_ENGINE_API to compile out any code using it, maybe we could do that too for OPENSSL_NO_ENGINE like in this patch? Does it work for your case?
(In reply to Yann Ylavic from comment #2)
> Created attachment 39349
> Unset MODSSL_HAVE_ENGINE_API for OPENSSL_NO_ENGINE

+1

> I'm wondering if we still want to allow for "SSLCryptoDevice builtin" when
> OPENSSL_NO_ENGINE is set. I don't know how much this setting is used nor if
> we should care, but given that "builtin" is the same as no SSLCryptoDevice
> maybe we could still let httpd start even if it's built against openssl >= 3
> or OPENSSL_NO_ENGINE.

+1, and removing the:

#if defined(HAVE_OPENSSL_ENGINE_H) && defined(HAVE_ENGINE_INIT)

should do it?

> The ENGINE api is deprecated in openssl >= 3 so in r1908537 we defined/used
> MODSSL_HAVE_ENGINE_API to compile out any code using it, maybe we could do
> that too for OPENSSL_NO_ENGINE like in the this patch? Does it work for your
> case?
Created attachment 39370
allow SSLCryptoDevice builtin to be configured w/o any ENGINE support in openSSL
(In reply to Yann Ylavic from comment #2)
> Created attachment 39349
> Unset MODSSL_HAVE_ENGINE_API for OPENSSL_NO_ENGINE
>
> I'm wondering if we still want to allow for "SSLCryptoDevice builtin" when
> OPENSSL_NO_ENGINE is set. I don't know how much this setting is used nor if
> we should care, but given that "builtin" is the same as no SSLCryptoDevice
> maybe we could still let httpd start even if it's built against openssl >= 3
> or OPENSSL_NO_ENGINE.
> The ENGINE api is deprecated in openssl >= 3 so in r1908537 we defined/used
> MODSSL_HAVE_ENGINE_API to compile out any code using it, maybe we could do
> that too for OPENSSL_NO_ENGINE like in the this patch? Does it work for your
> case?

The 2.4.x branch does not have MODSSL_HAVE_ENGINE_API at all, any hint on what branch to test that is similar to what I can expect to see as 2.4.59?

I'm trying to create a patch for the FreeBSD port (I'm part of the apache team in FreeBSD ports). May well go with OpenBSD's solution: setting ac_cv_func_ENGINE_init=no in configure's env. (https://cvsweb.openbsd.org/cgi-bin/cvsweb/~checkout~/ports/www/apache-httpd/Makefile?rev=1.126.2.2&content-type=text/plain).
(In reply to Bernard Spil from comment #5)
> (In reply to Yann Ylavic from comment #2)
> > Created attachment 39349
> > Unset MODSSL_HAVE_ENGINE_API for OPENSSL_NO_ENGINE
> >
> > I'm wondering if we still want to allow for "SSLCryptoDevice builtin" when
> > OPENSSL_NO_ENGINE is set. I don't know how much this setting is used nor if
> > we should care, but given that "builtin" is the same as no SSLCryptoDevice
> > maybe we could still let httpd start even if it's built against openssl >= 3
> > or OPENSSL_NO_ENGINE.
> > The ENGINE api is deprecated in openssl >= 3 so in r1908537 we defined/used
> > MODSSL_HAVE_ENGINE_API to compile out any code using it, maybe we could do
> > that too for OPENSSL_NO_ENGINE like in the this patch? Does it work for your
> > case?
>
> The 2.4.x branch does not have MODSSL_HAVE_ENGINE_API at all, any hint on
> what branch to test that is similar to what I can expect to see as 2.4.59?

There is https://github.com/apache/httpd/pull/381 which is a backport I plan to propose for the next release.
(In reply to Joe Orton from comment #4)
> Created attachment 39370
> allow SSLCryptoDevice builtin to be configured w/o any ENGINE support in
> openSSL

Thanks Joe, I pushed the whole in r1913815.
> There is https://github.com/apache/httpd/pull/381 which is a backport I plan
> to propose for the next release.

r1913815 is now included in this PR, so the full patch would be: https://patch-diff.githubusercontent.com/raw/apache/httpd/pull/381.diff
Proposed for backport to 2.4.x (r1913834).
Backported to v2.4.59.