Posted to dev@httpd.apache.org by Rainer Jung <ra...@kippdata.de> on 2018/03/16 11:21:18 UTC

mod_md OpenSSL version requirement 1.0.0

It seems mod_md (trunk and 2.4, currently identical) needs OpenSSL 1.0.2 
(for ASN1_TIME_diff), but with a small change (using the already 
existing LIBRESSL alternative code) it only needs 1.0.0.

Since we still support 0.9.8a+ for 2.4.x and trunk, I think we need to 
add a version check to modules/md/config2.m4, maybe by allowing the 
requested version as an argument to APACHE_CHECK_OPENSSL which is 
already used there. Currently APACHE_CHECK_OPENSSL uses a hard-coded 
0.9.8a check.

Regards,

Rainer
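The configure check discussed here is a numeric comparison against OpenSSL's packed OPENSSL_VERSION_NUMBER. As an added example (not mod_md's or httpd's own code), the C program below decodes that layout and applies the same ">= 0x10001000L" test to constructed sample values, showing why every 1.0.0 letter release fails and a 1.0.1 build passes; the struct and function names are my own and it needs no OpenSSL headers.

```c
#include <stdio.h>
#include <string.h>

/* Threshold from the proposed configure check: OpenSSL 1.0.1 (dev status). */
#define MD_MIN_OPENSSL 0x10001000L

/* OpenSSL 1.x packs its version as 0xMNNFFPPS: M = major (one nibble),
 * NN = minor, FF = fix, PP = patch letter (0 = none, 1 = 'a', ...),
 * S = status (0 = dev, 1..e = beta, f = release). OpenSSL 3.x uses a
 * different packing (0xMNN00PP0) but stays monotonic, so >= still works. */
struct ossl_ver { int major, minor, fix, patch, status; };

struct ossl_ver ossl_decode(unsigned long v) {
    struct ossl_ver r;
    r.major  = (int)((v >> 28) & 0xf);
    r.minor  = (int)((v >> 20) & 0xff);
    r.fix    = (int)((v >> 12) & 0xff);
    r.patch  = (int)((v >> 4) & 0xff);
    r.status = (int)(v & 0xf);
    return r;
}

/* Format the way OPENSSL_VERSION_TEXT shows it ("0.9.8a", "1.0.2h") and
 * compare with an expected string; returns 1 on match, 0 otherwise. */
int ossl_text_equals(unsigned long v, const char *expected) {
    struct ossl_ver r = ossl_decode(v);
    char buf[32];
    if (r.patch)
        snprintf(buf, sizeof buf, "%d.%d.%d%c", r.major, r.minor, r.fix, 'a' + r.patch - 1);
    else
        snprintf(buf, sizeof buf, "%d.%d.%d", r.major, r.minor, r.fix);
    return strcmp(buf, expected) == 0;
}

/* The patch's test is a plain numeric comparison: every 1.0.0 letter release
 * (1.0.0t is 0x1000014fL) stays below 0x10001000L and fails, while a 1.0.1
 * development build (status nibble 0) already passes. */
int md_openssl_ok(unsigned long v) { return v >= MD_MIN_OPENSSL; }

int main(void) {
    /* constructed samples: 0.9.8a, 1.0.0t, 1.0.1 (dev), 1.0.2h */
    unsigned long samples[] = { 0x0090801fL, 0x1000014fL, 0x10001000L, 0x1000208fL };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        struct ossl_ver r = ossl_decode(samples[i]);
        printf("0x%08lx -> %d.%d.%d patch=%d status=%x : %s\n", samples[i], r.major,
               r.minor, r.fix, r.patch, r.status, md_openssl_ok(samples[i]) ? "OK" : "FAILED");
    }
    return 0;
}
```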


Re: mod_md OpenSSL version requirement 1.0.0

Posted by Ruediger Pluem <rp...@apache.org>.

On 03/16/2018 01:33 PM, Yann Ylavic wrote:
> On Fri, Mar 16, 2018 at 1:11 PM, Eric Covener <co...@gmail.com> wrote:
>> On Fri, Mar 16, 2018 at 7:57 AM, Stefan Eissing
>> <st...@greenbytes.de> wrote:
>>> Hi Rainer,
>>>
>>> thanks for solving this issue. The version check indeed was missing. I do not think supporting ACME on servers with such old OpenSSL is really something to strive for. I'd have settled for a check of 1.0.2 even. If your changed check makes it work for 1.0.1 also, that's fine.
>>>
>>> My (a tad philosophical) point of view is that security on the public network is only achievable and *maintainable* by ever moving forward to the latest, best efforts of the community. If you stick on a version, even if that worked fine at the time, you'll get owned.
>>>
>>> Again, 2.4.x promises support for 0.9.8a+, so the check was missing. Maybe this is a reason for a 2.6.x that is a re-vamped 2.4.x but with a revisited baseline? Without mpm-prefork, http/0.9 and other cruft? A man can dream...
>>
>> 2.6 aside, should we just pick a date that openssl < 1.0.1 (or
>> whatever) compat will be dropped from 2.4 and add it to the
>> announcement template/website?  I don't think we're ultimately doing
>> anyone favors here.
> 
> +1, and while at it I think we should even require 1.0.2 (if
> possible) since 1.0.1 is no longer supported at OpenSSL.
> 

-0.5. You still have supported versions of OpenSSL 1.0.1 out there (at least the packages delivered with RedHat / CentOS 6).
Increasing the requirement to 1.0.1 seems fine though.

Regards

Rüdiger

Re: mod_md OpenSSL version requirement 1.0.0

Posted by Stefan Eissing <st...@greenbytes.de>.

> On 16.03.2018 at 13:33, Yann Ylavic <yl...@gmail.com> wrote:
> 
> On Fri, Mar 16, 2018 at 1:11 PM, Eric Covener <co...@gmail.com> wrote:
>> On Fri, Mar 16, 2018 at 7:57 AM, Stefan Eissing
>> <st...@greenbytes.de> wrote:
>>> Hi Rainer,
>>> 
>>> thanks for solving this issue. The version check indeed was missing. I do not think supporting ACME on servers with such old OpenSSL is really something to strive for. I'd have settled for a check of 1.0.2 even. If your changed check makes it work for 1.0.1 also, that's fine.
>>> 
>>> My (a tad philosophical) point of view is that security on the public network is only achievable and *maintainable* by ever moving forward to the latest, best efforts of the community. If you stick on a version, even if that worked fine at the time, you'll get owned.
>>> 
>>> Again, 2.4.x promises support for 0.9.8a+, so the check was missing. Maybe this is a reason for a 2.6.x that is a re-vamped 2.4.x but with a revisited baseline? Without mpm-prefork, http/0.9 and other cruft? A man can dream...
>> 
>> 2.6 aside, should we just pick a date that openssl < 1.0.1 (or
>> whatever) compat will be dropped from 2.4 and add it to the
>> announcement template/website?  I don't think we're ultimately doing
>> anyone favors here.
> 
> +1, and while at it I think we should even require 1.0.2 (if
> possible) since 1.0.1 is no longer supported at OpenSSL.

+1

Re: mod_md OpenSSL version requirement 1.0.0

Posted by Yann Ylavic <yl...@gmail.com>.
On Fri, Mar 16, 2018 at 1:11 PM, Eric Covener <co...@gmail.com> wrote:
> On Fri, Mar 16, 2018 at 7:57 AM, Stefan Eissing
> <st...@greenbytes.de> wrote:
>> Hi Rainer,
>>
>> thanks for solving this issue. The version check indeed was missing. I do not think supporting ACME on servers with such old OpenSSL is really something to strive for. I'd have settled for a check of 1.0.2 even. If your changed check makes it work for 1.0.1 also, that's fine.
>>
>> My (a tad philosophical) point of view is that security on the public network is only achievable and *maintainable* by ever moving forward to the latest, best efforts of the community. If you stick on a version, even if that worked fine at the time, you'll get owned.
>>
>> Again, 2.4.x promises support for 0.9.8a+, so the check was missing. Maybe this is a reason for a 2.6.x that is a re-vamped 2.4.x but with a revisited baseline? Without mpm-prefork, http/0.9 and other cruft? A man can dream...
>
> 2.6 aside, should we just pick a date that openssl < 1.0.1 (or
> whatever) compat will be dropped from 2.4 and add it to the
> announcement template/website?  I don't think we're ultimately doing
> anyone favors here.

+1, and while at it I think we should even require 1.0.2 (if
possible) since 1.0.1 is no longer supported at OpenSSL.

Re: mod_md OpenSSL version requirement 1.0.0

Posted by Eric Covener <co...@gmail.com>.
On Fri, Mar 16, 2018 at 7:57 AM, Stefan Eissing
<st...@greenbytes.de> wrote:
> Hi Rainer,
>
> thanks for solving this issue. The version check indeed was missing. I do not think supporting ACME on servers with such old OpenSSL is really something to strive for. I'd have settled for a check of 1.0.2 even. If your changed check makes it work for 1.0.1 also, that's fine.
>
> My (a tad philosophical) point of view is that security on the public network is only achievable and *maintainable* by ever moving forward to the latest, best efforts of the community. If you stick on a version, even if that worked fine at the time, you'll get owned.
>
> Again, 2.4.x promises support for 0.9.8a+, so the check was missing. Maybe this is a reason for a 2.6.x that is a re-vamped 2.4.x but with a revisited baseline? Without mpm-prefork, http/0.9 and other cruft? A man can dream...

2.6 aside, should we just pick a date that openssl < 1.0.1 (or
whatever) compat will be dropped from 2.4 and add it to the
announcement template/website?  I don't think we're ultimately doing
anyone favors here.

Re: mod_md OpenSSL version requirement 1.0.0

Posted by Stefan Eissing <st...@greenbytes.de>.
Hi Rainer,

thanks for solving this issue. The version check indeed was missing. I do not think supporting ACME on servers with such old OpenSSL is really something to strive for. I'd have settled for a check of 1.0.2 even. If your changed check makes it work for 1.0.1 also, that's fine.

My (a tad philosophical) point of view is that security on the public network is only achievable and *maintainable* by ever moving forward to the latest, best efforts of the community. If you stick on a version, even if that worked fine at the time, you'll get owned.

Again, 2.4.x promises support for 0.9.8a+, so the check was missing. Maybe this is a reason for a 2.6.x that is a re-vamped 2.4.x but with a revisited baseline? Without mpm-prefork, http/0.9 and other cruft? A man can dream...

Cheers,

Stefan


> On 16.03.2018 at 12:41, Rainer Jung <ra...@kippdata.de> wrote:
> 
> On 16.03.2018 at 12:21, Rainer Jung wrote:
>> It seems mod_md (trunk and 2.4, currently identical) needs OpenSSL 1.0.2 (for ASN1_TIME_diff), but with a small change (using the already existing LIBRESSL alternative code) it only needs 1.0.0.
>> Since we still support 0.9.8a+ for 2.4.x and trunk, I think we need to add a version check to modules/md/config2.m4, maybe by allowing the requested version as an argument to APACHE_CHECK_OPENSSL which is already used there. Currently APACHE_CHECK_OPENSSL uses a hard-coded 0.9.8a check.
> 
> I have hopefully fixed the 1.0.2 dependency by 1826973 and proposed it for backport. About the 1.0.0 dependency, adding version requirements as parameters to APACHE_CHECK_OPENSSL is non-trivial, because APACHE_CHECK_OPENSSL uses caching for its result which would then depend on the version. Instead I suggest the following (yet untested):
> 
> Index: modules/md/config2.m4
> ===================================================================
> --- modules/md/config2.m4       (revision 1826930)
> +++ modules/md/config2.m4       (working copy)
> @@ -270,6 +270,18 @@
> dnl # hook module into the Autoconf mechanism (--enable-md)
> APACHE_MODULE(md, [Managed Domain handling], $md_objs, , most, [
>     APACHE_CHECK_OPENSSL
> +    AC_MSG_CHECKING([for OpenSSL version >= 1.0.1])
> +    AC_TRY_COMPILE([#include <openssl/opensslv.h>],[
> +#if !defined(OPENSSL_VERSION_NUMBER)
> +#error "Missing OpenSSL version"
> +#endif
> +#if OPENSSL_VERSION_NUMBER < 0x10001000L
> +#error "Unsupported OpenSSL version " OPENSSL_VERSION_TEXT
> +#endif],
> +      [AC_MSG_RESULT(OK),
> +      [AC_MSG_RESULT(FAILED)
> +       ac_cv_openssl=no])
> +
>     if test "x$ac_cv_openssl" = "xno" ; then
>         AC_MSG_WARN([libssl (or compatible) not found])
>         enable_md=no
> 
> @Stefan: is this dependency on OpenSSL 1.0.0 expected or unexpected?
> 
> Regards,
> 
> Rainer


Re: mod_md OpenSSL version requirement 1.0.0

Posted by Rainer Jung <ra...@kippdata.de>.
On 16.03.2018 at 12:21, Rainer Jung wrote:
> It seems mod_md (trunk and 2.4, currently identical) needs OpenSSL 1.0.2 
> (for ASN1_TIME_diff), but with a small change (using the already 
> existing LIBRESSL alternative code) it only needs 1.0.0.
> 
> Since we still support 0.9.8a+ for 2.4.x and trunk, I think we need to 
> add a version check to modules/md/config2.m4, maybe by allowing the 
> requested version as an argument to APACHE_CHECK_OPENSSL which is 
> already used there. Currently APACHE_CHECK_OPENSSL uses a hard-coded 
> 0.9.8a check.

I have hopefully fixed the 1.0.2 dependency by 1826973 and proposed it 
for backport. About the 1.0.0 dependency, adding version requirements 
as parameters to APACHE_CHECK_OPENSSL is non-trivial, because 
APACHE_CHECK_OPENSSL uses caching for its result which would then depend 
on the version. Instead I suggest the following (yet untested):

Index: modules/md/config2.m4
===================================================================
--- modules/md/config2.m4       (revision 1826930)
+++ modules/md/config2.m4       (working copy)
@@ -270,6 +270,18 @@
  dnl # hook module into the Autoconf mechanism (--enable-md)
  APACHE_MODULE(md, [Managed Domain handling], $md_objs, , most, [
      APACHE_CHECK_OPENSSL
+    AC_MSG_CHECKING([for OpenSSL version >= 1.0.1])
+    AC_TRY_COMPILE([#include <openssl/opensslv.h>],[
+#if !defined(OPENSSL_VERSION_NUMBER)
+#error "Missing OpenSSL version"
+#endif
+#if OPENSSL_VERSION_NUMBER < 0x10001000L
+#error "Unsupported OpenSSL version " OPENSSL_VERSION_TEXT
+#endif],
+      [AC_MSG_RESULT(OK),
+      [AC_MSG_RESULT(FAILED)
+       ac_cv_openssl=no])
+
      if test "x$ac_cv_openssl" = "xno" ; then
          AC_MSG_WARN([libssl (or compatible) not found])
          enable_md=no
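Review bot: the action-if-true argument of AC_TRY_COMPILE is missing its closing bracket: `[AC_MSG_RESULT(OK),` leaves the m4 quote open, so the action-if-false branch and the closing parenthesis end up inside the first argument and the macro never expands as intended; it should read `[AC_MSG_RESULT(OK)],`. On the failure branch, `ac_cv_openssl=no` overwrites the cache variable APACHE_CHECK_OPENSSL stores its result in (the mail itself notes the macro caches its result), so a too-old OpenSSL here would also make any later APACHE_CHECK_OPENSSL consumer in the same configure run see "no"; a module-local flag (for example `md_openssl_ok=no`) tested next to `$ac_cv_openssl` avoids that. The existing warning `libssl (or compatible) not found` is also misleading when the library was found but is too old; an AC_MSG_WARN naming the required version would tell the user what to fix. Finally, AC_MSG_CHECKING says `>= 1.0.1` and the threshold is 0x10001000L, while the mail says the code only needs 1.0.0 after r1826973; whichever baseline is intended, the message, the constant and the commit message should agree.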

@Stefan: is this dependency on OpenSSL 1.0.0 expected or unexpected?

Regards,

Rainer