Posted to cvs@httpd.apache.org by rj...@apache.org on 2020/03/23 13:33:22 UTC

svn commit: r1875544 - /httpd/httpd/trunk/modules/ssl/ssl_engine_kernel.c

Author: rjung
Date: Mon Mar 23 13:33:22 2020
New Revision: 1875544

URL: http://svn.apache.org/viewvc?rev=1875544&view=rev
Log:
Fix compilation breakage with OpenSSL 1.1.0 up to 1.1.0f.
SSL_CTX_get_min_proto_version() and
SSL_CTX_get_max_proto_version() were only introduced in
1.1.0g.

Modified:
    httpd/httpd/trunk/modules/ssl/ssl_engine_kernel.c

Modified: httpd/httpd/trunk/modules/ssl/ssl_engine_kernel.c
URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/modules/ssl/ssl_engine_kernel.c?rev=1875544&r1=1875543&r2=1875544&view=diff
==============================================================================
--- httpd/httpd/trunk/modules/ssl/ssl_engine_kernel.c (original)
+++ httpd/httpd/trunk/modules/ssl/ssl_engine_kernel.c Mon Mar 23 13:33:22 2020
@@ -2535,7 +2535,7 @@ static int ssl_find_vhost(void *serverna
          * from the ctx by hand
          */
         SSL_set_options(ssl, SSL_CTX_get_options(ctx));
-#if OPENSSL_VERSION_NUMBER >= 0x10100000L \
+#if OPENSSL_VERSION_NUMBER >= 0x1010007fL \
         && (!defined(LIBRESSL_VERSION_NUMBER) \
             || LIBRESSL_VERSION_NUMBER >= 0x20800000L)
         /*
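
Review bot: The new threshold 0x1010007fL on the "#if OPENSSL_VERSION_NUMBER" line is a bare magic number, and nothing in the code says why it was chosen. A short comment beside it stating that it is 1.1.0g, and that SSL_CTX_get_min_proto_version() and SSL_CTX_get_max_proto_version() first appear there (as the log message says), would keep the reason next to the guard. The LibreSSL condition "LIBRESSL_VERSION_NUMBER >= 0x20800000L" is left unchanged, so the log should also confirm that both getters are available from that LibreSSL version.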



Re: svn commit: r1875544 - /httpd/httpd/trunk/modules/ssl/ssl_engine_kernel.c

Posted by Yann Ylavic <yl...@gmail.com>.
On Mon, Mar 23, 2020 at 4:21 PM Rainer Jung <ra...@kippdata.de> wrote:
>
> Thanks for the feedback. Proposed for 2.4.x a minute ago.

Thanks Rainer, backported now.


Regards,
Yann.

Re: svn commit: r1875544 - /httpd/httpd/trunk/modules/ssl/ssl_engine_kernel.c

Posted by Rainer Jung <ra...@kippdata.de>.
Thanks for the feedback. Proposed for 2.4.x a minute ago.

On 23.03.2020 at 14:48, Ruediger Pluem wrote:
> 
> 
> On 3/23/20 2:44 PM, Rainer Jung wrote:
>> The dependency on SSL_CTX_get_min_proto_version() and SSL_CTX_get_max_proto_version() was introduced in October by Yann's
>> "r1868645 mod_ssl: negotiate the TLS protocol version per name based vhost configuration".
>>
>> Although the set variants are available in 1.1.0, the set were added later in 1.1.0g.
>>
>> Not sure, whether adjusting the version check as done now is the right fix. At least it unbreaks building httpd against OpenSSL
>> 1.1.0-1.1.0f.
>>
>> The original change has been backported to 2.4.x, so building that for the above OpenSSL versions is currently broken.
> 
> IMHO we should backport it then once clarified that this is the correct thing to do and ensure that it gets in 2.4.43.
> I think this is a release blocker.
> 
> Regards
> 
> Rüdiger

Re: svn commit: r1875544 - /httpd/httpd/trunk/modules/ssl/ssl_engine_kernel.c

Posted by Yann Ylavic <yl...@gmail.com>.
On Mon, Mar 23, 2020 at 6:11 PM Ruediger Pluem <rp...@apache.org> wrote:
>
> On 3/23/20 2:48 PM, Ruediger Pluem wrote:
> >
> >
> > On 3/23/20 2:44 PM, Rainer Jung wrote:
> >> The dependency on SSL_CTX_get_min_proto_version() and SSL_CTX_get_max_proto_version() was introduced in October by Yann's
> >> "r1868645 mod_ssl: negotiate the TLS protocol version per name based vhost configuration".
> >>
> >> Although the set variants are available in 1.1.0, the set were added later in 1.1.0g.
> >>
> >> Not sure, whether adjusting the version check as done now is the right fix. At least it unbreaks building httpd against OpenSSL
> >> 1.1.0-1.1.0f.
> >>
> >> The original change has been backported to 2.4.x, so building that for the above OpenSSL versions is currently broken.
> >
> > IMHO we should backport it then once clarified that this is the correct thing to do and ensure that it gets in 2.4.43.
> > I think this is a release blocker.

+1

>
> Question is if we should increase the OpenSSL version number to the same level for the #if around
> ssl_callback_ClientHello and the respective callback registering code.

I think we should be good with Rainer's patch,
ssl_callback_ClientHello() depends on OpenSSL >= 1.1.1 already.

Regards,
Yann.

Re: svn commit: r1875544 - /httpd/httpd/trunk/modules/ssl/ssl_engine_kernel.c

Posted by Ruediger Pluem <rp...@apache.org>.

On 3/23/20 2:48 PM, Ruediger Pluem wrote:
> 
> 
> On 3/23/20 2:44 PM, Rainer Jung wrote:
>> The dependency on SSL_CTX_get_min_proto_version() and SSL_CTX_get_max_proto_version() was introduced in October by Yann's
>> "r1868645 mod_ssl: negotiate the TLS protocol version per name based vhost configuration".
>>
>> Although the set variants are available in 1.1.0, the set were added later in 1.1.0g.
>>
>> Not sure, whether adjusting the version check as done now is the right fix. At least it unbreaks building httpd against OpenSSL
>> 1.1.0-1.1.0f.
>>
>> The original change has been backported to 2.4.x, so building that for the above OpenSSL versions is currently broken.
> 
> IMHO we should backport it then once clarified that this is the correct thing to do and ensure that it gets in 2.4.43.
> I think this is a release blocker.

Question is if we should increase the OpenSSL version number to the same level for the #if around
ssl_callback_ClientHello and the respective callback registering code.

Regards

Rüdiger


Re: svn commit: r1875544 - /httpd/httpd/trunk/modules/ssl/ssl_engine_kernel.c

Posted by Ruediger Pluem <rp...@apache.org>.

On 3/23/20 2:44 PM, Rainer Jung wrote:
> The dependency on SSL_CTX_get_min_proto_version() and SSL_CTX_get_max_proto_version() was introduced in October by Yann's
> "r1868645 mod_ssl: negotiate the TLS protocol version per name based vhost configuration".
> 
> Although the set variants are available in 1.1.0, the set were added later in 1.1.0g.
> 
> Not sure, whether adjusting the version check as done now is the right fix. At least it unbreaks building httpd against OpenSSL
> 1.1.0-1.1.0f.
> 
> The original change has been backported to 2.4.x, so building that for the above OpenSSL versions is currently broken.

IMHO we should backport it then once clarified that this is the correct thing to do and ensure that it gets in 2.4.43.
I think this is a release blocker.

Regards

Rüdiger


Re: svn commit: r1875544 - /httpd/httpd/trunk/modules/ssl/ssl_engine_kernel.c

Posted by Rainer Jung <ra...@kippdata.de>.
The dependency on SSL_CTX_get_min_proto_version() and 
SSL_CTX_get_max_proto_version() was introduced in October by Yann's 
"r1868645 mod_ssl: negotiate the TLS protocol version per name based 
vhost configuration".

Although the set variants are available in 1.1.0, the set were added 
later in 1.1.0g.

Not sure, whether adjusting the version check as done now is the right 
fix. At least it unbreaks building httpd against OpenSSL 1.1.0-1.1.0f.

The original change has been backported to 2.4.x, so building that for 
the above OpenSSL versions is currently broken.

Regards,

Rainer

On 23.03.2020 at 14:33, rjung@apache.org wrote:
> Author: rjung
> Date: Mon Mar 23 13:33:22 2020
> New Revision: 1875544
> 
> URL: http://svn.apache.org/viewvc?rev=1875544&view=rev
> Log:
> Fix compilation breakage with OpenSSL 1.1.0 up to 1.1.0f.
> SSL_CTX_get_min_proto_version() and
> SSL_CTX_get_max_proto_version() were only introduced in
> 1.1.0g.
> 
> Modified:
>      httpd/httpd/trunk/modules/ssl/ssl_engine_kernel.c
> 
> Modified: httpd/httpd/trunk/modules/ssl/ssl_engine_kernel.c
> URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/modules/ssl/ssl_engine_kernel.c?rev=1875544&r1=1875543&r2=1875544&view=diff
> ==============================================================================
> --- httpd/httpd/trunk/modules/ssl/ssl_engine_kernel.c (original)
> +++ httpd/httpd/trunk/modules/ssl/ssl_engine_kernel.c Mon Mar 23 13:33:22 2020
> @@ -2535,7 +2535,7 @@ static int ssl_find_vhost(void *serverna
>            * from the ctx by hand
>            */
>           SSL_set_options(ssl, SSL_CTX_get_options(ctx));
> -#if OPENSSL_VERSION_NUMBER >= 0x10100000L \
> +#if OPENSSL_VERSION_NUMBER >= 0x1010007fL \
>           && (!defined(LIBRESSL_VERSION_NUMBER) \
>               || LIBRESSL_VERSION_NUMBER >= 0x20800000L)
>           /*
> 
> 
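
Review bot: Raising the guard on the "#if OPENSSL_VERSION_NUMBER" line means builds against OpenSSL 1.1.0 through 1.1.0f now compile the guarded block out silently, and the visible context does not show what those builds do instead. The block sits directly after the "from the ctx by hand" code that copies settings onto the ssl object, so consider an #else comment, or a note in the mod_ssl documentation, saying that the min/max protocol version handling is not applied with those library versions, so the difference in behaviour is a documented choice rather than a side effect of the build fix.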

-- 
kippdata
informationstechnologie GmbH   Tel: 0228 98549 -0
Bornheimer Str. 33a            Fax: 0228 98549 -50
53111 Bonn                     www.kippdata.de

HRB 8018, Bonn Local Court / VAT ID DE 196 457 417
Managing directors: Dr. Thomas Höfer, Rainer Jung, Sven Maurmann
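
The version arithmetic behind the guard change discussed in this thread, as an added example that is not part of the commit or of httpd: it decodes the pre-3.0 OPENSSL_VERSION_NUMBER layout (0xMNNFFPPSL) and counts which 1.1.0 releases satisfied the old guard but not the new one. All function and struct names are hypothetical, and the guards are written as runtime predicates only for illustration.

```c
#include <stdio.h>

/* Pre-3.0 OpenSSL layout of OPENSSL_VERSION_NUMBER: 0xMNNFFPPSL
 * M major, NN minor, FF fix, PP patch (1 = 'a', 7 = 'g'),
 * S status (0x0 = dev, 0xf = release). */
struct ossl_ver { unsigned major, minor, fix; char patch; unsigned status; };

static struct ossl_ver ossl_decode(unsigned long v)
{
    struct ossl_ver r;
    unsigned pp = (unsigned)((v >> 4) & 0xff);
    r.major  = (unsigned)((v >> 28) & 0xf);
    r.minor  = (unsigned)((v >> 20) & 0xff);
    r.fix    = (unsigned)((v >> 12) & 0xff);
    r.patch  = pp ? (char)('a' + pp - 1) : '\0';   /* '\0' = no letter */
    r.status = (unsigned)(v & 0xf);
    return r;
}

/* The guard before r1875544 and after it, as runtime predicates. */
static int old_guard(unsigned long v) { return v >= 0x10100000UL; }
static int new_guard(unsigned long v) { return v >= 0x1010007fUL; }

/* Release number for 1.1.0 plus a patch letter ('\0' for plain 1.1.0). */
static unsigned long ossl_110_release(char letter)
{
    unsigned long pp = letter ? (unsigned long)(letter - 'a' + 1) : 0;
    return 0x10100000UL | (pp << 4) | 0xfUL;
}

/* Count 1.1.0 releases (plain, then 'a'..'l') where the guards disagree:
 * these are the versions that used to compile the getter calls. */
static int count_guard_mismatch(void)
{
    int n = old_guard(ossl_110_release('\0')) != new_guard(ossl_110_release('\0'));
    for (char c = 'a'; c <= 'l'; c++)
        n += old_guard(ossl_110_release(c)) != new_guard(ossl_110_release(c));
    return n;
}

int main(void)
{
    struct ossl_ver v = ossl_decode(0x1010007fUL);
    printf("0x1010007f = %u.%u.%u%c (status 0x%x)\n",
           v.major, v.minor, v.fix, v.patch, v.status);
    printf("1.1.0 releases passing only the old guard: %d\n",
           count_guard_mismatch());
    return 0;
}
```
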