Posted to commits@trafficserver.apache.org by sh...@apache.org on 2015/02/10 01:12:17 UTC
trafficserver git commit: TS-3380: Add configure time constant to
enable openssl 1.0.2 changes to compile with libressl
Repository: trafficserver
Updated Branches:
refs/heads/master fddd7c743 -> 2dbdd9c26
TS-3380: Add configure time constant to enable openssl 1.0.2 changes to compile with libressl
Project: http://git-wip-us.apache.org/repos/asf/trafficserver/repo
Commit: http://git-wip-us.apache.org/repos/asf/trafficserver/commit/2dbdd9c2
Tree: http://git-wip-us.apache.org/repos/asf/trafficserver/tree/2dbdd9c2
Diff: http://git-wip-us.apache.org/repos/asf/trafficserver/diff/2dbdd9c2
Branch: refs/heads/master
Commit: 2dbdd9c266a2ed663116ec275c686d7ae809dfd7
Parents: fddd7c7
Author: shinrich <sh...@yahoo-inc.com>
Authored: Mon Feb 9 17:59:05 2015 -0600
Committer: shinrich <sh...@yahoo-inc.com>
Committed: Mon Feb 9 18:11:42 2015 -0600
----------------------------------------------------------------------
CHANGES | 2 +
build/crypto.m4 | 83 +++++++++++++++++++++++++++++++++++++++++-
configure.ac | 8 ++++
iocore/net/SSLInternal.cc | 7 ++++
iocore/net/SSLUtils.cc | 4 +-
lib/ts/ink_config.h.in | 2 +
6 files changed, 103 insertions(+), 3 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/trafficserver/blob/2dbdd9c2/CHANGES
----------------------------------------------------------------------
diff --git a/CHANGES b/CHANGES
index a23d522..4a80d57 100644
--- a/CHANGES
+++ b/CHANGES
@@ -1,6 +1,8 @@
-*- coding: utf-8 -*-
Changes with Apache Traffic Server 5.3.0
+ *) [TS-3380] Fix the detection of new openssl calls to enable compilation against libressl.
+
*) [TS-3364] Add command line config validation support to traffic_server
*) [TS-3377] Fix bad file descriptor handling that caused disks in
http://git-wip-us.apache.org/repos/asf/trafficserver/blob/2dbdd9c2/build/crypto.m4
----------------------------------------------------------------------
diff --git a/build/crypto.m4 b/build/crypto.m4
index 32276a2..2c83793 100644
--- a/build/crypto.m4
+++ b/build/crypto.m4
@@ -89,7 +89,12 @@ AC_DEFUN([TS_CHECK_CRYPTO_SNI], [
enable_tls_sni=yes
TS_ADDTO(LIBS, [$OPENSSL_LIBS])
- AC_CHECK_HEADERS(openssl/tls1.h openssl/ssl.h openssl/ts.h)
+ AC_CHECK_HEADERS(openssl/ssl.h openssl/ts.h)
+ AC_CHECK_HEADERS(openssl/tls1.h, [], [],
+[ #ifdef HEADER_SSL_H
+#include <openssl/tls1.h>
+#endif ])
+
# We are looking for SSL_CTX_set_tlsext_servername_callback, but it's a
# macro, so AC_CHECK_FUNCS is not going to do the business.
AC_MSG_CHECKING([for SSL_CTX_set_tlsext_servername_callback])
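Review bot: The prerequisite block passed as the fourth argument to AC_CHECK_HEADERS(openssl/tls1.h, ...) includes `<openssl/tls1.h>` itself rather than the header tls1.h depends on, so the test program still compiles tls1.h without ssl.h and the underlying "present but cannot be compiled" condition is not addressed; supplying an includes argument only switches autoconf to a pure compile test, which is why the warning disappears. HEADER_SSL_H is also never defined in that preamble, because nothing there pulls in ssl.h. The header detected on the previous line is the right prerequisite: `#if HAVE_OPENSSL_SSL_H` / `#include <openssl/ssl.h>` / `#endif`. If the compile test keeps failing, HAVE_OPENSSL_TLS1_H stays undefined and the later SNI and cert-cb probes silently drop tls1.h from their include set, which presumably is what this change was meant to prevent.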
@@ -122,3 +127,79 @@ AC_DEFUN([TS_CHECK_CRYPTO_SNI], [
TS_ARG_ENABLE_VAR([use], [tls-sni])
AC_SUBST(use_tls_sni)
])
+
+AC_DEFUN([TS_CHECK_CRYPTO_CERT_CB], [
+ _cert_saved_LIBS=$LIBS
+ enable_cert_cb=yes
+
+ TS_ADDTO(LIBS, [$OPENSSL_LIBS])
+ AC_CHECK_HEADERS(openssl/ssl.h openssl/ts.h)
+
+ # We are looking for SSL_CTX_set_tlsext_servername_callback, but it's a
+ # macro, so AC_CHECK_FUNCS is not going to do the business.
+ AC_MSG_CHECKING([for SSL_CTX_set_cert_cb])
+ AC_LINK_IFELSE(
+ [
+ AC_LANG_PROGRAM([[
+#if HAVE_OPENSSL_SSL_H
+#include <openssl/ssl.h>
+#endif
+#if HAVE_OPENSSL_TLS1_H
+#include <openssl/tls1.h>
+#endif
+ ]],
+ [[SSL_CTX_set_cert_cb(NULL, NULL, NULL);]])
+ ],
+ [
+ AC_MSG_RESULT([yes])
+ ],
+ [
+ AC_MSG_RESULT([no])
+ enable_cert_cb=no
+ ])
+
+ LIBS=$_cert_saved_LIBS
+
+ AC_MSG_CHECKING(whether to enable Certificate callback support)
+ AC_MSG_RESULT([$enable_cert_cb])
+ TS_ARG_ENABLE_VAR([use], [cert-cb])
+ AC_SUBST(use_cert_cb)
+])
+
+AC_DEFUN([TS_CHECK_CRYPTO_SET_RBIO], [
+ _rbio_saved_LIBS=$LIBS
+ enable_set_rbio=yes
+
+ TS_ADDTO(LIBS, [$OPENSSL_LIBS])
+ AC_CHECK_HEADERS(openssl/ssl.h openssl/ts.h)
+
+ # We are looking for SSL_CTX_set_tlsext_servername_callback, but it's a
+ # macro, so AC_CHECK_FUNCS is not going to do the business.
+ AC_MSG_CHECKING([for SSL_set_rbio])
+ AC_LINK_IFELSE(
+ [
+ AC_LANG_PROGRAM([[
+#if HAVE_OPENSSL_SSL_H
+#include <openssl/ssl.h>
+#endif
+#if HAVE_OPENSSL_TLS1_H
+#include <openssl/tls1.h>
+#endif
+ ]],
+ [[SSL_set_rbio(NULL, NULL);]])
+ ],
+ [
+ AC_MSG_RESULT([yes])
+ ],
+ [
+ AC_MSG_RESULT([no])
+ enable_set_rbio=no
+ ])
+
+ LIBS=$_rbio_saved_LIBS
+
+ AC_MSG_CHECKING(whether to enable set rbio)
+ AC_MSG_RESULT([$enable_set_rbio])
+ TS_ARG_ENABLE_VAR([use], [set-rbio])
+ AC_SUBST(use_set_rbio)
+])
http://git-wip-us.apache.org/repos/asf/trafficserver/blob/2dbdd9c2/configure.ac
----------------------------------------------------------------------
diff --git a/configure.ac b/configure.ac
index 63071f7..3001043 100644
--- a/configure.ac
+++ b/configure.ac
@@ -1120,6 +1120,14 @@ TS_CHECK_CRYPTO_EC_KEYS
# Check for ServerNameIndication TLS extension support.
TS_CHECK_CRYPTO_SNI
+#
+# Check for the presense of the certificate callback in the ssl library
+TS_CHECK_CRYPTO_CERT_CB
+
+#
+# Check for SSL_set_rbio call
+TS_CHECK_CRYPTO_SET_RBIO
+
#
# Check for zlib presence and usability
TS_CHECK_ZLIB
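Review bot: The new comment has a typo, and both comments would serve readers better if they named the build flag each probe produces, since that flag is what SSLUtils.cc and SSLInternal.cc test: `# Check for SSL_CTX_set_cert_cb in the ssl library (sets TS_USE_CERT_CB)` and `# Check for SSL_set_rbio in the ssl library (sets TS_USE_SET_RBIO)`. Both probes run unconditionally; that is presumably fine because each just reports "no" when the symbol is missing, but it is worth confirming that they are not reached when OpenSSL itself was not found.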
http://git-wip-us.apache.org/repos/asf/trafficserver/blob/2dbdd9c2/iocore/net/SSLInternal.cc
----------------------------------------------------------------------
diff --git a/iocore/net/SSLInternal.cc b/iocore/net/SSLInternal.cc
index b6d657a..bccf2b5 100644
--- a/iocore/net/SSLInternal.cc
+++ b/iocore/net/SSLInternal.cc
@@ -21,6 +21,11 @@
See the License for the specific language governing permissions and
limitations under the License.
*/
+#include <ink_config.h>
+#if TS_USE_SET_RBIO
+// No need to do anything, this version of openssl provides the SSL_set_rbio function
+#else
+
#ifdef OPENSSL_NO_SSL_INTERN
#undef OPENSSL_NO_SSL_INTERN
#endif
@@ -37,3 +42,5 @@ SSL_set_rbio(SSLNetVConnection *sslvc, BIO *rbio)
}
sslvc->ssl->rbio = rbio;
}
+
+#endif
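Review bot: The in-tree SSL_set_rbio kept under `#else` takes `(SSLNetVConnection *sslvc, BIO *rbio)` and writes `sslvc->ssl->rbio`, whereas the library function that TS_USE_SET_RBIO selects instead is, per the thread, OpenSSL's own SSL_set_rbio, which presumably operates on an `SSL *`; call sites written for one signature cannot compile against the other, so every caller (all outside this hunk) needs the same `#if TS_USE_SET_RBIO` split, or this file should keep a thin wrapper with the SSLNetVConnection signature that forwards to the library call. The `#else` branch also still relies on `#undef OPENSSL_NO_SSL_INTERN` to reach into the private SSL layout, which is exactly what LibreSSL and newer OpenSSL stop supporting, so a comment such as `// Pokes at private SSL layout; only compiled when the library lacks SSL_set_rbio` would help the next reader. The function begins above the hunk.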
http://git-wip-us.apache.org/repos/asf/trafficserver/blob/2dbdd9c2/iocore/net/SSLUtils.cc
----------------------------------------------------------------------
diff --git a/iocore/net/SSLUtils.cc b/iocore/net/SSLUtils.cc
index f0265c6..638b7ab 100644
--- a/iocore/net/SSLUtils.cc
+++ b/iocore/net/SSLUtils.cc
@@ -333,7 +333,7 @@ done:
// Use the certificate callback for openssl 1.0.2 and greater
// otherwise use the SNI callback
-#if OPENSSL_VERSION_NUMBER >= 0x1000200fL
+#if TS_USE_CERT_CB
/**
* Called before either the server or the client certificate is used
* Return 1 on success, 0 on error, or -1 to pause
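Review bot: `#if TS_USE_CERT_CB` evaluates to 0 with no diagnostic if ink_config.h has not been included by the time this line is reached, so a missing include would silently select the servername-callback path instead of failing the build; the OPENSSL_VERSION_NUMBER test it replaces carried no such dependency. SSLInternal.cc in this same commit adds `#include <ink_config.h>` explicitly, and SSLUtils.cc should do the same (its include list is outside the hunk). Building with -Wundef would surface this class of problem for all the TS_USE_* guards.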
@@ -1677,7 +1677,7 @@ static void
ssl_set_handshake_callbacks(SSL_CTX *ctx) {
#if TS_USE_TLS_SNI
// Make sure the callbacks are set
-#if OPENSSL_VERSION_NUMBER >= 0x1000200fL
+#if TS_USE_CERT_CB
SSL_CTX_set_cert_cb(ctx, ssl_cert_callback, NULL);
#else
SSL_CTX_set_tlsext_servername_callback(ctx, ssl_servername_callback);
http://git-wip-us.apache.org/repos/asf/trafficserver/blob/2dbdd9c2/lib/ts/ink_config.h.in
----------------------------------------------------------------------
diff --git a/lib/ts/ink_config.h.in b/lib/ts/ink_config.h.in
index 9f07825..68364dd 100644
--- a/lib/ts/ink_config.h.in
+++ b/lib/ts/ink_config.h.in
@@ -70,6 +70,8 @@
#define TS_USE_TLS_NPN @use_tls_npn@
#define TS_USE_TLS_ALPN @use_tls_alpn@
#define TS_USE_TLS_SNI @use_tls_sni@
+#define TS_USE_CERT_CB @use_cert_cb@
+#define TS_USE_SET_RBIO @use_set_rbio@
#define TS_USE_TLS_ECKEY @use_tls_eckey@
#define TS_USE_LINUX_NATIVE_AIO @use_linux_native_aio@
#define TS_USE_INTERIM_CACHE @has_interim_cache@
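Review bot: The two new flags carry no comment, and a reader of ink_config.h cannot tell from the names whether they are user options or probe results. Add `/* 1 if the TLS library provides SSL_CTX_set_cert_cb (OpenSSL 1.0.2+): selects the certificate callback over the SNI servername callback */` above TS_USE_CERT_CB and `/* 1 if the TLS library provides SSL_set_rbio; otherwise SSLInternal.cc supplies an in-tree version */` above TS_USE_SET_RBIO. Whether TS_ARG_ENABLE_VAR also exposes them as --enable-cert-cb/--enable-set-rbio is not visible here and is worth stating in the comment once confirmed.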
Re: trafficserver git commit: TS-3380: Add configure time constant
to enable openssl 1.0.2 changes to compile with libressl
Posted by Susan Hinrichs <sh...@network-geographics.com>.
On 2/9/2015 9:05 PM, Susan Hinrichs wrote:
>
>>> On Feb 9, 2015, at 4:12 PM, shinrich@apache.org wrote:
>>>
>>>
>> [snip]
>
[snip]
>>
>>> +
>>> # We are looking for SSL_CTX_set_tlsext_servername_callback, but
>>> it's a
>>> # macro, so AC_CHECK_FUNCS is not going to do the business.
>>> AC_MSG_CHECKING([for SSL_CTX_set_tlsext_servername_callback])
>>> @@ -122,3 +127,79 @@ AC_DEFUN([TS_CHECK_CRYPTO_SNI], [
>>> TS_ARG_ENABLE_VAR([use], [tls-sni])
>>> AC_SUBST(use_tls_sni)
>>> ])
>>> +
>>> +AC_DEFUN([TS_CHECK_CRYPTO_CERT_CB], [
>> SSL_CTX_set_cert_cb is a function, so you should just be able to use
>> AC_SEARCH_LIBS here ...
>
> Cool. Still figuring out auto tools. Will try the AC_SEARCH_LIBS
Fought with AC_SEARCH_LIBS for a bit. Since I think the relative order
of the -lssl and -lcrypto libraries is important, the AC_SEARCH_LIBS
tests were not working. So I will stick with AC_LINK_IFELSE for now.
>
>>
>> [snip]
>>> +
>>> +AC_DEFUN([TS_CHECK_CRYPTO_SET_RBIO], [
>>> + _rbio_saved_LIBS=$LIBS
>>> + enable_set_rbio=yes
>> Can you explain this one to me? SSL_set_rbio is not an OpenSSL API
>> ... is it planned for a future version?
>
> Yes, this was just added to openssl master for 1.1. Added in
> preparation for TS-3372.
>
>>
>> thanks,
>> James
>>
>
Re: trafficserver git commit: TS-3380: Add configure time constant to enable openssl 1.0.2 changes to compile with libressl
Posted by James Peach <jp...@apache.org>.
> On Feb 9, 2015, at 7:05 PM, Susan Hinrichs <sh...@network-geographics.com> wrote:
>
>>>
>>> On Feb 9, 2015, at 4:12 PM, shinrich@apache.org wrote:
>>>
>>>
>> [snip]
>>> http://git-wip-us.apache.org/repos/asf/trafficserver/blob/2dbdd9c2/build/crypto.m4
>>> ----------------------------------------------------------------------
>>> diff --git a/build/crypto.m4 b/build/crypto.m4
>>> index 32276a2..2c83793 100644
>>> --- a/build/crypto.m4
>>> +++ b/build/crypto.m4
>>> @@ -89,7 +89,12 @@ AC_DEFUN([TS_CHECK_CRYPTO_SNI], [
>>> enable_tls_sni=yes
>>>
>>> TS_ADDTO(LIBS, [$OPENSSL_LIBS])
>>> - AC_CHECK_HEADERS(openssl/tls1.h openssl/ssl.h openssl/ts.h)
>>> + AC_CHECK_HEADERS(openssl/ssl.h openssl/ts.h)
>>> + AC_CHECK_HEADERS(openssl/tls1.h, [], [],
>>> +[ #ifdef HEADER_SSL_H
>>> +#include <openssl/tls1.h>
>>> +#endif ])
>> Where does HEADER_SSL_H come from? The previous check for <openssl/tls1.h> works on my systems ... what configuration was this change for?
>
> Without this change I was seeing the following when compiling against openssl 1.0.2
>
> checking openssl/tls1.h presence... yes
> configure: WARNING: openssl/tls1.h: present but cannot be compiled
> configure: WARNING: openssl/tls1.h: check for missing prerequisite headers?
> configure: WARNING: openssl/tls1.h: see the Autoconf documentation
> configure: WARNING: openssl/tls1.h: section "Present But Cannot Be Compiled"
> configure: WARNING: openssl/tls1.h: proceeding with the compiler's result
Ah, I see. Does HEADER_SSL_H come from openssl? The more conventional expression would be to use HAVE_OPENSSL_SSL_H as defined by autoconf ...
J
Re: trafficserver git commit: TS-3380: Add configure time constant
to enable openssl 1.0.2 changes to compile with libressl
Posted by Susan Hinrichs <sh...@network-geographics.com>.
>> On Feb 9, 2015, at 4:12 PM, shinrich@apache.org wrote:
>>
>>
> [snip]
>> http://git-wip-us.apache.org/repos/asf/trafficserver/blob/2dbdd9c2/build/crypto.m4
>> ----------------------------------------------------------------------
>> diff --git a/build/crypto.m4 b/build/crypto.m4
>> index 32276a2..2c83793 100644
>> --- a/build/crypto.m4
>> +++ b/build/crypto.m4
>> @@ -89,7 +89,12 @@ AC_DEFUN([TS_CHECK_CRYPTO_SNI], [
>> enable_tls_sni=yes
>>
>> TS_ADDTO(LIBS, [$OPENSSL_LIBS])
>> - AC_CHECK_HEADERS(openssl/tls1.h openssl/ssl.h openssl/ts.h)
>> + AC_CHECK_HEADERS(openssl/ssl.h openssl/ts.h)
>> + AC_CHECK_HEADERS(openssl/tls1.h, [], [],
>> +[ #ifdef HEADER_SSL_H
>> +#include <openssl/tls1.h>
>> +#endif ])
> Where does HEADER_SSL_H come from? The previous check for <openssl/tls1.h> works on my systems ... what configuration was this change for?
Without this change I was seeing the following when compiling against
openssl 1.0.2
checking openssl/tls1.h presence... yes
configure: WARNING: openssl/tls1.h: present but cannot be compiled
configure: WARNING: openssl/tls1.h: check for missing prerequisite headers?
configure: WARNING: openssl/tls1.h: see the Autoconf documentation
configure: WARNING: openssl/tls1.h: section "Present But Cannot Be Compiled"
configure: WARNING: openssl/tls1.h: proceeding with the compiler's result
>
>> +
>> # We are looking for SSL_CTX_set_tlsext_servername_callback, but it's a
>> # macro, so AC_CHECK_FUNCS is not going to do the business.
>> AC_MSG_CHECKING([for SSL_CTX_set_tlsext_servername_callback])
>> @@ -122,3 +127,79 @@ AC_DEFUN([TS_CHECK_CRYPTO_SNI], [
>> TS_ARG_ENABLE_VAR([use], [tls-sni])
>> AC_SUBST(use_tls_sni)
>> ])
>> +
>> +AC_DEFUN([TS_CHECK_CRYPTO_CERT_CB], [
> SSL_CTX_set_cert_cb is a function, so you should just be able to use AC_SEARCH_LIBS here ...
Cool. Still figuring out auto tools. Will try the AC_SEARCH_LIBS
>
> [snip]
>> +
>> +AC_DEFUN([TS_CHECK_CRYPTO_SET_RBIO], [
>> + _rbio_saved_LIBS=$LIBS
>> + enable_set_rbio=yes
> Can you explain this one to me? SSL_set_rbio is not an OpenSSL API ... is it planned for a future version?
Yes, this was just added to openssl master for 1.1. Added in
preparation for TS-3372.
>
> thanks,
> James
>
Re: trafficserver git commit: TS-3380: Add configure time constant to enable openssl 1.0.2 changes to compile with libressl
Posted by James Peach <jp...@apache.org>.
> On Feb 9, 2015, at 4:12 PM, shinrich@apache.org wrote:
>
>
[snip]
> http://git-wip-us.apache.org/repos/asf/trafficserver/blob/2dbdd9c2/build/crypto.m4
> ----------------------------------------------------------------------
> diff --git a/build/crypto.m4 b/build/crypto.m4
> index 32276a2..2c83793 100644
> --- a/build/crypto.m4
> +++ b/build/crypto.m4
> @@ -89,7 +89,12 @@ AC_DEFUN([TS_CHECK_CRYPTO_SNI], [
> enable_tls_sni=yes
>
> TS_ADDTO(LIBS, [$OPENSSL_LIBS])
> - AC_CHECK_HEADERS(openssl/tls1.h openssl/ssl.h openssl/ts.h)
> + AC_CHECK_HEADERS(openssl/ssl.h openssl/ts.h)
> + AC_CHECK_HEADERS(openssl/tls1.h, [], [],
> +[ #ifdef HEADER_SSL_H
> +#include <openssl/tls1.h>
> +#endif ])
Where does HEADER_SSL_H come from? The previous check for <openssl/tls1.h> works on my systems ... what configuration was this change for?
> +
> # We are looking for SSL_CTX_set_tlsext_servername_callback, but it's a
> # macro, so AC_CHECK_FUNCS is not going to do the business.
> AC_MSG_CHECKING([for SSL_CTX_set_tlsext_servername_callback])
> @@ -122,3 +127,79 @@ AC_DEFUN([TS_CHECK_CRYPTO_SNI], [
> TS_ARG_ENABLE_VAR([use], [tls-sni])
> AC_SUBST(use_tls_sni)
> ])
> +
> +AC_DEFUN([TS_CHECK_CRYPTO_CERT_CB], [
SSL_CTX_set_cert_cb is a function, so you should just be able to use AC_SEARCH_LIBS here ...
[snip]
> +
> +AC_DEFUN([TS_CHECK_CRYPTO_SET_RBIO], [
> + _rbio_saved_LIBS=$LIBS
> + enable_set_rbio=yes
Can you explain this one to me? SSL_set_rbio is not an OpenSSL API ... is it planned for a future version?
thanks,
James
Re: trafficserver git commit: TS-3380: Add configure time constant to enable openssl 1.0.2 changes to compile with libressl
Posted by James Peach <jp...@apache.org>.
> On Feb 9, 2015, at 4:12 PM, shinrich@apache.org wrote:
>
>
[snip]
> http://git-wip-us.apache.org/repos/asf/trafficserver/blob/2dbdd9c2/build/crypto.m4
> ----------------------------------------------------------------------
> diff --git a/build/crypto.m4 b/build/crypto.m4
> index 32276a2..2c83793 100644
> --- a/build/crypto.m4
> +++ b/build/crypto.m4
> @@ -89,7 +89,12 @@ AC_DEFUN([TS_CHECK_CRYPTO_SNI], [
> enable_tls_sni=yes
>
> TS_ADDTO(LIBS, [$OPENSSL_LIBS])
> - AC_CHECK_HEADERS(openssl/tls1.h openssl/ssl.h openssl/ts.h)
> + AC_CHECK_HEADERS(openssl/ssl.h openssl/ts.h)
> + AC_CHECK_HEADERS(openssl/tls1.h, [], [],
> +[ #ifdef HEADER_SSL_H
> +#include <openssl/tls1.h>
> +#endif ])
Where does HEADER_SSL_H come from? The previous check for <openssl/tls1.h> works on my systems ... what configuration was this change for?
> +
> # We are looking for SSL_CTX_set_tlsext_servername_callback, but it's a
> # macro, so AC_CHECK_FUNCS is not going to do the business.
> AC_MSG_CHECKING([for SSL_CTX_set_tlsext_servername_callback])
> @@ -122,3 +127,79 @@ AC_DEFUN([TS_CHECK_CRYPTO_SNI], [
> TS_ARG_ENABLE_VAR([use], [tls-sni])
> AC_SUBST(use_tls_sni)
> ])
> +
> +AC_DEFUN([TS_CHECK_CRYPTO_CERT_CB], [
SSL_CTX_set_cert_cb is a function, so you should just be able to use AC_SEARCH_LIBS here ...
[snip]
> +
> +AC_DEFUN([TS_CHECK_CRYPTO_SET_RBIO], [
> + _rbio_saved_LIBS=$LIBS
> + enable_set_rbio=yes
Can you explain this one to me? SSL_set_rbio is not an OpenSSL API ... is it planned for a future version?
thanks,
James