Bug 669584

Summary:	www-servers/apache-2.4.37 not starting with SSL SSL_CTX_set_post_handshake_auth
Product:	Gentoo Linux	Reporter:	Joerg Neikes <j.m.neikes>
Component:	Current packages	Assignee:	Apache Team - Bugzilla Reports <apache-bugs>
Status:	UNCONFIRMED ---
Severity:	normal	CC:	hydrapolic, j0inty, reuben-gentoo-bugzilla, strites
Priority:	Normal
Version:	unspecified
Hardware:	All
OS:	Linux
Whiteboard:
Package list:		Runtime testing required:	---
Attachments:	libressl.patch

Description Joerg Neikes 2018-10-25 15:11:10 UTC

www-servers/apache-2.4.37 not starting with SSL SSL_CTX_set_post_handshake_auth

works with =www-servers/apache-2.4.35


systemctl start apache2

systemctl status apache2

● apache2.service - The Apache HTTP Server
   Loaded: loaded (/lib/systemd/system/apache2.service; enabled; vendor preset: disabled)
   Active: failed (Result: exit-code) since Thu 2018-10-25 16:45:16 CEST; 9s ago
  Process: 15475 ExecStart=/usr/sbin/apache2 $APACHE2_OPTS -DFOREGROUND (code=exited, status=1/FAILURE)
 Main PID: 15475 (code=exited, status=1/FAILURE)


Reproducible: Always

Steps to Reproduce:
1.systemctl start apache2
2.systemctl status apache2
3.failed to start 



emerge --info

Portage 2.3.51 (python 3.5.5-final-0, default/linux/amd64/17.0/systemd, gcc-7.3.0, glibc-2.27-r6, 4.18.14-gentoo-xen-dom0-blktap x86_64)
=================================================================
System uname: Linux-4.18.14-gentoo-xen-dom0-blktap-x86_64-Intel-R-_Core-TM-_i3-6300_CPU_@_3.80GHz-with-gentoo-2.6
KiB Mem:     8055540 total,    559928 free
KiB Swap:    8380412 total,   8378100 free
Timestamp of repository gentoo: Thu, 25 Oct 2018 10:30:01 +0000
Head commit of repository gentoo: 9cf23f251eb8ec46714eae800a325fc6e43b3bab
sh bash 4.4_p23
ld GNU ld (Gentoo 2.30 p5) 2.30.0
app-shells/bash:          4.4_p23::gentoo
dev-lang/perl:            5.26.2::gentoo
dev-lang/python:          2.7.15::gentoo, 3.5.5-r1::gentoo
dev-util/cmake:           3.12.3::gentoo
dev-util/pkgconfig:       0.29.2::gentoo
sys-apps/baselayout:      2.6-r1::gentoo
sys-apps/sandbox:         2.13::gentoo
sys-devel/autoconf:       2.69-r4::gentoo
sys-devel/automake:       1.15.1-r2::gentoo, 1.16.1-r1::gentoo
sys-devel/binutils:       2.30-r4::gentoo, 2.31.1-r1::gentoo
sys-devel/gcc:            6.4.0-r4::gentoo, 7.3.0-r5::gentoo, 8.2.0-r3::gentoo
sys-devel/gcc-config:     2.0::gentoo
sys-devel/libtool:        2.4.6-r5::gentoo
sys-devel/make:           4.2.1-r4::gentoo
sys-kernel/linux-headers: 4.19::gentoo (virtual/os-headers)
sys-libs/glibc:           2.27-r6::gentoo
Repositories:

gentoo
    location: /usr/portage
    sync-type: rsync
    sync-uri: rsync://rsync.gentoo.org/gentoo-portage
    priority: -1000
    sync-rsync-verify-metamanifest: yes
    sync-rsync-verify-jobs: 1
    sync-rsync-verify-max-age: 24
    sync-rsync-extra-opts: 

libressl
    location: /var/lib/layman/libressl
    masters: gentoo
    priority: 1

pentoo
    location: /var/lib/layman/pentoo
    masters: gentoo
    priority: 2

xpol
    location: /var/lib/layman/xpol-overlay
    masters: gentoo
    priority: 3

ACCEPT_KEYWORDS="amd64 ~amd64"
ACCEPT_LICENSE="*"
CBUILD="x86_64-pc-linux-gnu"
CFLAGS="-O2 -pipe -U_FORTIFY_SOURCE"
CHOST="x86_64-pc-linux-gnu"
CONFIG_PROTECT="/etc /usr/share/easy-rsa /usr/share/gnupg/qualified.txt"
CONFIG_PROTECT_MASK="/etc/ca-certificates.conf /etc/env.d /etc/gconf /etc/gentoo-release /etc/php/apache2-php7.0/ext-active/ /etc/php/apache2-php7.1/ext-active/ /etc/php/apache2-php7.2/ext-active/ /etc/php/cgi-php7.0/ext-active/ /etc/php/cgi-php7.1/ext-active/ /etc/php/cgi-php7.2/ext-active/ /etc/php/cli-php7.0/ext-active/ /etc/php/cli-php7.1/ext-active/ /etc/php/cli-php7.2/ext-active/ /etc/revdep-rebuild /etc/sandbox.d /etc/terminfo"
CXXFLAGS="-O2 -pipe -U_FORTIFY_SOURCE"
DISTDIR="/usr/portage/distfiles"
EMERGE_DEFAULT_OPTS="--keep-going y -t"
ENV_UNSET="DBUS_SESSION_BUS_ADDRESS DISPLAY PERL5LIB PERL5OPT PERLPREFIX PERL_CORE PERL_MB_OPT PERL_MM_OPT XAUTHORITY XDG_CACHE_HOME XDG_CONFIG_HOME XDG_DATA_HOME XDG_RUNTIME_DIR"
FCFLAGS="-O2 -pipe"
FEATURES="assume-digests binpkg-logs config-protect-if-modified distlocks ebuild-locks fixlafiles merge-sync multilib-strict news parallel-fetch preserve-libs protect-owned sandbox sfperms strict unknown-features-warn unmerge-logs unmerge-orphans userfetch userpriv usersandbox usersync xattr"
FFLAGS="-O2 -pipe"
GENTOO_MIRRORS="http://distfiles.gentoo.org"
LANG="de_DE.utf8"
LDFLAGS="-Wl,-O1 -Wl,--as-needed"
LINGUAS="de dk fi jp it tr nl fr"
MAKEOPTS="-j3"
PKGDIR="/usr/portage/packages"
PORTAGE_CONFIGROOT="/"
PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --omit-dir-times --compress --force --whole-file --delete --stats --human-readable --timeout=180 --exclude=/distfiles --exclude=/local --exclude=/packages --exclude=/.git"
PORTAGE_TMPDIR="/var/tmp"
USE="acl amd64 apache apache2 bcmath berkdb branding bzip2 bzlib calendar cli crypt ctype curl curlwrappers cxx dba dbase dbx dio dri dvd emacs encode exif fam flatfile fortran ftp gd gdbm gmp gudev iconv idn imap ipv6 jpeg ldap libressl libtirpc mad maildir mhash mime mmx mng mssql multilib mysql mysqli ncurses nls nptl nptlonly openmp pam pcre pdf pdflib php pic png posix readline samba seccomp session sharedext simplexml soap sockets spell sse sse2 ssl static-libs systemd sysvipc tcpd tidy tiff truetype udev unicode upcall usb vhost xattr xen xml2 xmlrpc xpm xsl zlib" ABI_X86="64" ALSA_CARDS="ali5451 als4000 atiixp atiixp-modem bt87x ca0106 cmipci emu10k1x ens1370 ens1371 es1938 es1968 fm801 hda-intel intel8x0 intel8x0m maestro3 trident usb-audio via82xx via82xx-modem ymfpci" APACHE2_MODULES="actions alias auth_basic auth_digest authn_anon authn_dbd authn_dbm authn_default authn_file authz_dbm authz_default authz_groupfile authz_host authz_owner authz_user autoindex cache cgi cgid dav dav_fs dav_lock dbd deflate dir disk_cache env expires ext_filter file_cache filter headers ident imagemap include info log_config logio mem_cache mime mime_magic negotiation proxy proxy_ajp proxy_balancer proxy_connect proxy_http rewrite setenvif so speling status unique_id userdir usertrack vhost_alias authn_core ratelimit socache_shmcb slotmem_shm mysqli access_compat authz_core unixd mpm-prefork suexec" APACHE2_MPMS="prefork" CALLIGRA_FEATURES="karbon plan sheets stage words" COLLECTD_PLUGINS="df interface irq load memory rrdtool swap syslog" CPU_FLAGS_X86="mmx mmxext sse sse2" ELIBC="glibc" GPSD_PROTOCOLS="ashtech aivdm earthmate evermore fv18 garmin garmintxt gpsclock isync itrax mtk3301 nmea ntrip navcom oceanserver oldstyle oncore rtcm104v2 rtcm104v3 sirf skytraq superstar2 timing tsip tripmate tnt ublox ubx" INPUT_DEVICES="keyboard mouse" KERNEL="linux" LCD_DEVICES="bayrad cfontz cfontz633 glk hd44780 lb216 lcdm001 mtxorb ncurses text" LIBREOFFICE_EXTENSIONS="presenter-console presenter-minimizer" OFFICE_IMPLEMENTATION="libreoffice" PHP_TARGETS="php5-6 php7-1 php7-2" POSTGRES_TARGETS="postgres9_5 postgres10" PYTHON_SINGLE_TARGET="python2_7" PYTHON_TARGETS="jython2_7 python2_7 jython3_5 python3_5" RUBY_TARGETS="ruby23" USERLAND="GNU" VIDEO_CARDS="vesa vga" XTABLES_ADDONS="quota2 psd pknock lscan length2 ipv4options ipset ipp2p iface geoip fuzzy condition tee tarpit sysrq steal rawnat logmark ipmark dhcpmac delude chaos account"
Unset:  CC, CPPFLAGS, CTARGET, CXX, INSTALL_MASK, LC_ALL, PORTAGE_BINHOST, PORTAGE_BUNZIP2_COMMAND, PORTAGE_COMPRESS, PORTAGE_COMPRESS_FLAGS, PORTAGE_RSYNC_EXTRA_OPTS

Comment 1 Joerg Neikes 2018-10-26 11:30:15 UTC

By the way i read in the changelogs:

  *) mod_ssl: Add support for OpenSSL 1.1.1 and TLSv1.3.  TLSv1.3 has
     behavioural changes compared to v1.2 and earlier; client and
     configuration changes should be expected.  SSLCipherSuite is
     enhanced for TLSv1.3 ciphers, but applies at vhost level only.
     [Stefan Eissing, Yann Ylavic, Ruediger Pluem, Joe Orton]

I use libressl. I think TLSv1.3 was not possible till now.
Using dev-libs/libressl-2.6.5.

Comment 2 Steffen 'j0inty' Stollfuß 2018-10-27 10:23:19 UTC

Hi,

the following error message I found in my /var/log/apache2/startuperror.log.

[snip]
apache2: Syntax error on line 137 of /etc/apache2/httpd.conf: Cannot load modules/mod_ssl.so into server: /usr/lib64/apache2/modules/mod_ssl.so: undefined symbol: SSL_CTX_set_post_handshake_auth
[/snap]

A downgrade to previous 2.4.35 let me start my apache again.


megatron ~ # qlist -Iv apache libressl

app-admin/apache-tools-2.4.35
app-crypt/certbot-apache-0.27.1
dev-libs/libressl-2.6.5
www-apache/mod_evasive-1.10.1-r1
www-servers/apache-2.4.35

Comment 3 Reuben Farrelly 2018-10-31 23:00:04 UTC

There is a patch in Void Linux Github which fixes this problem:

https://github.com/void-linux/void-packages/blob/master/srcpkgs/apache/patches/libressl.patch

Perhaps the fix could be picked up by Gentoo as well.

Comment 4 Joerg Neikes 2018-11-05 14:19:26 UTC

Created attachment 554134 [details, diff]
libressl.patch

libressl patch for apache-2.4.37

Comment 5 Joerg Neikes 2018-11-05 14:22:25 UTC

(In reply to Reuben Farrelly from comment #3)
> There is a patch in Void Linux Github which fixes this problem:
> 
> https://github.com/void-linux/void-packages/blob/master/srcpkgs/apache/
> patches/libressl.patch
> 
> Perhaps the fix could be picked up by Gentoo as well.

Thanks Reuben.

Added the patch to this bug report.

Testet it on live Server.

Works now.


This is what i have done:

mkdir /etc/portage/patches/www-servers/apache-2.4.37 -p
cd /etc/portage/patches/www-servers/apache-2.4.37

wget https://669584.bugs.gentoo.org/attachment.cgi?id=554134 -O libressl.patch


emerge app-admin/apache-tools  www-servers/apache