
Bug 812859

Summary: www-servers/apache: fails to start mod_ssl with OpenSSL 3 (mod_ssl.so: undefined symbol: ERR_GET_FUNC)
Product: Gentoo Linux Reporter: Sam James <sam>
Component: Current packages Assignee: Apache Team - Bugzilla Reports <apache-bugs>
Status: RESOLVED FIXED    
Severity: normal CC: hydrapolic, ole+gentoo, reuben-gentoo-bugzilla
Priority: Normal Keywords: PATCH
Version: unspecified   
Hardware: All   
OS: Linux   
Whiteboard:
Package list:
Runtime testing required: ---
Bug Depends on:    
Bug Blocks: 797325    
Attachments: ssl_engine_init.c.patch

Description Sam James archtester Gentoo Infrastructure gentoo-dev Security 2021-09-13 03:00:36 UTC
Reported by Delicates on IRC:

```
# /etc/init.d/apache2 stop
* Stopping apache2 ...
apache2: Syntax error on line 125 of /etc/apache2/httpd.conf: Cannot load modules/mod_ssl.so into server: /usr/lib64/apache2/modules/mod_ssl.so: undefined symbol: ERR_GET_FUNC                                                                                                                                                                                                                                         [ !! ]
* ERROR: apache2 failed to stop
```

This seems like a somewhat standard failure where weak definitions are permitted (because it's a module) but it never ended up getting resolved.

Upstream thread: https://www.mail-archive.com/dev@httpd.apache.org/msg75604.html
Upstream patch: https://svn.apache.org/viewvc/httpd/httpd/trunk/modules/ssl/ssl_engine_init.c?r1=1891138&r2=1891137&pathrev=1891138

I've also attached the patch the user submitted to me, which looks like a cleaned up version of the linked one.
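Added example, not part of the bug report or of the Gentoo or Apache code: a pre-restart check that compares a module's strong undefined dynamic symbols against what the objects it is loaded alongside export, which flags a leftover reference such as `ERR_GET_FUNC` before the server refuses to load the module. The `nm -D` listings are constructed samples, and the function names `parse_nm`, `unresolved` and `nm_dynamic` are hypothetical.

```python
import subprocess

# Constructed `nm -D` listings (not taken from the bug report).
MODULE_NM = """\
                 U ERR_GET_FUNC
                 U ERR_get_error@OPENSSL_3.0.0
                 U SSL_CTX_new@OPENSSL_3.0.0
                 U ap_server_root_relative
                 w __gmon_start__
0000000000012340 D ssl_module
"""
LIBCRYPTO_NM = "00000000000a1b20 T ERR_get_error@@OPENSSL_3.0.0\n"
LIBSSL_NM = "0000000000031c00 T SSL_CTX_new@@OPENSSL_3.0.0\n"
HTTPD_NM = "0000000000045d10 T ap_server_root_relative\n"


def parse_nm(text):
    """Split `nm -D` output into (defined, strongly undefined) name sets."""
    defined, undefined = set(), set()
    for line in text.splitlines():
        fields = line.split()
        if len(fields) == 3:            # address, type, name: defined here
            defined.add(fields[2].split("@", 1)[0])
        elif len(fields) == 2 and fields[0] == "U":
            # Strong reference that must resolve at load time. Weak ones
            # ("w"/"v") may stay unresolved, so they are not reported.
            undefined.add(fields[1].split("@", 1)[0])
    return defined, undefined


def unresolved(module_nm, provider_nms):
    """Names the module needs that none of the provider listings define."""
    wanted = parse_nm(module_nm)[1]
    provided = set()
    for text in provider_nms:
        provided |= parse_nm(text)[0]
    return sorted(wanted - provided)


def nm_dynamic(path):
    """Run binutils `nm -D` on a real file, e.g. the module or libcrypto."""
    return subprocess.run(["nm", "-D", path], check=True,
                          capture_output=True, text=True).stdout


if __name__ == "__main__":
    print(unresolved(MODULE_NM, [LIBCRYPTO_NM, LIBSSL_NM, HTTPD_NM]))
```

On a real system, feed `nm_dynamic()` output for the module, the server binary and each library the module links against into `unresolved()`; an empty list means every strong reference has a provider.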
Comment 1 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2021-09-13 03:01:01 UTC
Created attachment 739075 [details, diff]
ssl_engine_init.c.patch
Comment 2 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2021-09-13 03:10:21 UTC
Notably, Fedora has a far larger patch: https://src.fedoraproject.org/rpms/httpd/c/aee92c2c6a96e3d21560bdd5de702534dd68e323?branch=rawhide, but this looks like it might fix a lot of deprecated usage rather than being _strictly_ necessary for now.

(See https://github.com/apache/httpd/pull/258).
Comment 3 Hans de Graaff gentoo-dev Security 2021-09-19 07:40:40 UTC
I'm very hesitant to add patches like this. It is very easy to miss additional security issues this way and introduce an insecure version. I would strongly prefer that we follow the upstream httpd releases with this. The patch has been applied to apache 2.5 trunk only and not to 2.4 and we can't tell why that has not happened yet (e.g. because it would introduce other security-related issues).
Comment 4 Craig Andrews gentoo-dev 2022-11-01 17:48:56 UTC
Apache 2.4.52 includes this patch and the changelog notes OpenSSL 3 compatibility: https://svn.apache.org/viewvc/httpd/httpd/branches/2.4.x/CHANGES?view=markup&pathrev=1895868
Comment 5 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2022-11-01 22:47:51 UTC
(In reply to Craig Andrews from comment #4)
> Apache 2.4.52 includes this patch and the changelog notes OpenSSL 3
> compatibility:
> https://svn.apache.org/viewvc/httpd/httpd/branches/2.4.x/CHANGES?view=markup&pathrev=1895868

Thanks!