You are viewing a plain text version of this content. The canonical link for it is here.

Posted to dev@httpd.apache.org by Rainer Jung <ra...@kippdata.de> on 2018/09/24 12:42:06 UTC

Minimum OpenSSL requirements for mod_md

Hi all,

it seems our relatively new module mod_md needs at last OpenSSL 1.0.0 
initial release. When building against latest 0.9.8zh I get linking 
errors due to missing symbols:

modules/md/md_crypt.c: In function 'gen_rsa':
modules/md/md_crypt.c:445:5: error: unknown type name 'EVP_PKEY_CTX'; 
did you mean 'EVP_PKEY_DSA'?
      EVP_PKEY_CTX *ctx = NULL;
      ^~~~~~~~~~~~
      EVP_PKEY_DSA
modules/md/md_crypt.c:449:11: warning: implicit declaration of function 
'EVP_PKEY_CTX_new_id'; did you mean 'EVP_PKEY_new'? 
[-Wimplicit-function-declaration]
      ctx = EVP_PKEY_CTX_new_id(EVP_PKEY_RSA, NULL);
            ^~~~~~~~~~~~~~~~~~~
            EVP_PKEY_new
modules/md/md_crypt.c:449:9: warning: assignment to 'int *' from 'int' 
makes pointer from integer without a cast [-Wint-conversion]
      ctx = EVP_PKEY_CTX_new_id(EVP_PKEY_RSA, NULL);
          ^
modules/md/md_crypt.c:451:12: warning: implicit declaration of function 
'EVP_PKEY_keygen_init'; did you mean 'EVP_PKEY_get_attr'? 
[-Wimplicit-function-declaration]
          && EVP_PKEY_keygen_init(ctx) >= 0
             ^~~~~~~~~~~~~~~~~~~~
             EVP_PKEY_get_attr
modules/md/md_crypt.c:452:12: warning: implicit declaration of function 
'EVP_PKEY_CTX_set_rsa_keygen_bits'; did you mean 
'EVP_CIPHER_CTX_set_key_length'? [-Wimplicit-function-declaration]
          && EVP_PKEY_CTX_set_rsa_keygen_bits(ctx, (int)bits) >= 0
             ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
             EVP_CIPHER_CTX_set_key_length
modules/md/md_crypt.c:453:12: warning: implicit declaration of function 
'EVP_PKEY_keygen'; did you mean 'EVP_PKEY_type'? 
[-Wimplicit-function-declaration]
          && EVP_PKEY_keygen(ctx, &(*ppkey)->pkey) >= 0) {
             ^~~~~~~~~~~~~~~
             EVP_PKEY_type
modules/md/md_crypt.c:463:9: warning: implicit declaration of function 
'EVP_PKEY_CTX_free'; did you mean 'EVP_PKEY_free'? 
[-Wimplicit-function-declaration]
          EVP_PKEY_CTX_free(ctx);
          ^~~~~~~~~~~~~~~~~
          EVP_PKEY_free
modules/md/md_crypt.c: In function 'md_cert_self_sign':
modules/md/md_crypt.c:1294:31: warning: implicit declaration of function 
'ASN1_TIME_adj'; did you mean 'ASN1_TIME_set'? 
[-Wimplicit-function-declaration]
      if (!X509_set_notAfter(x, ASN1_TIME_adj(NULL, time(NULL), days, 0))) {
                                ^~~~~~~~~~~~~
                                ASN1_TIME_set
modules/md/md_crypt.c:1294:31: warning: passing argument 2 of 
'X509_set_notAfter' makes pointer from integer without a cast 
[-Wint-conversion]
      if (!X509_set_notAfter(x, ASN1_TIME_adj(NULL, time(NULL), days, 0))) {
                                ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
In file included from /path/to/include/openssl/pem.h:70,
                  from modules/md/md_crypt.c:28:
/path/to/include/openssl/x509.h:998:45: note: expected 'ASN1_TIME *' 
{aka 'struct asn1_string_st *'} but argument is of type 'int'
  int   X509_set_notAfter(X509 *x, ASN1_TIME *tm);
                                   ~~~~~~~~~~~^~

Looking at the header files coming with OpenSSL 1.0.0 it looks like 
atleast those symbols are there, so mod_md might work with it.

Should we document that requirement somehow, because our non-mod_md 
OpenSSL requirement is still at 0.9.8a. IMHO there's no need to "fix" 
the higher requirement in mod_md, because it is pretty fresh and 
probably there's no need to support it with ancient OpenSSL.

Regards,

Rainer

Re: Minimum OpenSSL requirements for mod_md

Posted by Stefan Eissing <st...@greenbytes.de>.


> Am 24.09.2018 um 14:58 schrieb Astrid Malo <ke...@kess-net.de>:
> 
> On Mon, 24 Sep 2018 14:42:06 +0200
> Rainer Jung <ra...@kippdata.de> wrote:
> 
>> Should we document that requirement somehow, because our non-mod_md 
>> OpenSSL requirement is still at 0.9.8a. IMHO there's no need to "fix" 
>> the higher requirement in mod_md, because it is pretty fresh and 
>> probably there's no need to support it with ancient OpenSSL.
> 
> Yes, of course. Requirements differing from the general ones have to be
> added to the documentation. This should be no big deal. Just make it
> prominent somewhere where people read if before the installation :-)
> 
> kess

+1

Re: Minimum OpenSSL requirements for mod_md

Posted by Astrid Malo <ke...@kess-net.de>.

On Mon, 24 Sep 2018 14:42:06 +0200
Rainer Jung <ra...@kippdata.de> wrote:

> Should we document that requirement somehow, because our non-mod_md 
> OpenSSL requirement is still at 0.9.8a. IMHO there's no need to "fix" 
> the higher requirement in mod_md, because it is pretty fresh and 
> probably there's no need to support it with ancient OpenSSL.

Yes, of course. Requirements differing from the general ones have to be
added to the documentation. This should be no big deal. Just make it
prominent somewhere where people read if before the installation :-)

 kess