apache (stable) does not build with newer libressl:

- build OK: apache-2.4.27-r1 + libressl-2.7.4
- build FAILS: apache-2.4.35 + libressl-2.7.4
- build FAILS: apache-2.4.35 + libressl-2.8.0
- build OK: apache-2.4.35 + libressl-2.6.5

Relevant build log:

> ssl_engine_init.c:54:12: error: static declaration of 'DH_set0_pqg' follows non-static declaration
> In file included from /usr/include/openssl/dsa.h:83,
>                  from /usr/include/openssl/x509.h:99,
>                  from /usr/include/openssl/pem.h:71,
>                  from /usr/include/openssl/ssl.h:150,
>                  from ssl_private.h:90,
>                  from ssl_engine_init.c:29:
> /usr/include/openssl/dh.h:195:5: note: previous declaration of 'DH_set0_pqg' was here

The issue is known: https://bz.apache.org/bugzilla/show_bug.cgi?id=62346

And patched: https://svn.apache.org/viewvc/httpd/httpd/trunk/modules/ssl/mod_ssl.c?r1=1828222&r2=1828221&pathrev=1828222

Hopefully Gentoo will patch, too (libressl-2.6.x has serious libtls issues).

Reproducible: Always
With apache 2.4.37 (and still libressl 2.7.4) the above mentioned build error is gone. However, when apache starts, the ssl module fails to load:

    Cannot load modules/mod_ssl.so into server: /usr/lib64/apache2/modules/mod_ssl.so: undefined symbol: SSL_CTX_set_post_handshake_auth

FYI: My USE flags for apache:

    +apache2_modules_authn_core +apache2_modules_authz_core +apache2_modules_authz_host +apache2_modules_dir +apache2_modules_mime +apache2_modules_socache_shmcb +apache2_modules_unixd +libressl +ssl +threads
FYI: The mod_ssl issue of apache remains even with current libressl-2.7.5. See my previous comment for details.
This issue is still there with apache-2.4.38:

- When apache is started, mod_ssl cannot be loaded.

Probably the subject of this bug report should be updated accordingly, too.
This issue is still there. Tested with apache-2.4.38 against stable libressl-2.8.3. Apache fails to start: mod_ssl cannot be loaded. It's getting nasty. Let me know if I can help fixing this.
Created attachment 565842 [details] patch 1, comment follows
Created attachment 565844 [details] patch 2, comment follows
The following patches make mod_ssl load and apache start again. I have created two patches in /etc/portage/patches/www-servers/apache-2.4.38/:

(1) httpd-free-compression-methods-undef-symbol.patch
(2) disable-post-handshake-auth.patch

Notes on patch (1):

Patch (1) avoids calling the function SSL_COMP_free_compression_methods(), which is a missing symbol in newer libressl. That function is deprecated anyway according to this openssl specification: https://www.openssl.org/docs/man1.1.0/man3/SSL_COMP_free_compression_methods.html

Code before the patch:

    #if OPENSSL_VERSION_NUMBER >= 0x1000200fL
    #ifndef OPENSSL_NO_COMP
        SSL_COMP_free_compression_methods();
    #endif
    #endif

Code after the patch:

    #if OPENSSL_VERSION_NUMBER >= 0x1000200fL && OPENSSL_VERSION_NUMBER < 0x10100000L
    #ifndef OPENSSL_NO_COMP
        SSL_COMP_free_compression_methods();
    #endif
    #endif

NOTE: It seems that OPENSSL_NO_COMP was inserted previously to fix some similar issues with the deprecated function, but I am not sure if defining OPENSSL_NO_COMP has side effects. Simply not calling the function should be ok.

ALSO NOTE: I am not 100% sure if 0x10100000L is the exact version to apply. But that works for me against libressl-2.8.3.

Notes on patch (2):

Patch (2) disables this code in modules/ssl/ssl_engine_init.c

    #if OPENSSL_VERSION_NUMBER >= 0x1010100fL
        /* For OpenSSL >=1.1.1, turn on client cert support which is
         * otherwise turned off by default (by design).
         * https://github.com/openssl/openssl/issues/6933 */
        SSL_CTX_set_post_handshake_auth(mctx->ssl_ctx, 1);
    #endif

by adding "&& 0":

    #if OPENSSL_VERSION_NUMBER >= 0x1010100fL && 0
        /* For OpenSSL >=1.1.1, turn on client cert support which is
         * otherwise turned off by default (by design).
         * https://github.com/openssl/openssl/issues/6933 */
        SSL_CTX_set_post_handshake_auth(mctx->ssl_ctx, 1);
    #endif

In the mentioned github link, there is a deeper discussion on this post handshake authentication (PHA).
I cannot judge whether disabling this does harm, so there might be a SECURITY RISK. However, it seems that authentication is still being used even when turned off:

> tmshort commented Sep 10, 2018: That's still the case. PHA is a TLSv1.3-specific feature. Certificate authentication during the handshake will still occur if PHA is not turned on. If PHA is enabled, then certificate authentication is moved to after the handshake.

Cheers,
Felix
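A check worth running before restarting Apache after any of these patches: list the dynamic symbols mod_ssl.so imports that the installed libssl/libcrypto do not export, which is exactly the condition behind the "undefined symbol: SSL_CTX_set_post_handshake_auth" failure reported above. This is an added example, not code from this bug thread, from Gentoo or from httpd; the script name and the .so paths in the usage line are placeholders.

```shell
#!/bin/sh
# Added example, not code from this bug thread, Gentoo or httpd. Before
# restarting Apache, list the dynamic symbols a module imports that none of
# the given libraries export; a non-empty list predicts the load-time
# "undefined symbol" failure seen above for SSL_CTX_set_post_handshake_auth.
# Usage: sh check_mod_symbols.sh MODULE.so PROVIDER.so [PROVIDER.so ...]
# Needs binutils nm plus POSIX awk, sed, sort and comm. Paths are placeholders.
export LC_ALL=C

# nm_names MODE: read `nm -D` output on stdin and print sorted symbol names.
# MODE "U" keeps strong undefined imports (weak "w" entries are optional and
# are skipped); any other MODE keeps symbols the object defines itself.
nm_names() {
    if [ "$1" = "U" ]; then
        awk '$1 == "U" { print $2 }'
    else
        awk 'NF == 3 { print $3 }'
    fi | sed 's/@.*//' | sort -u   # drop @VERSION / @@VERSION suffixes
}

# missing_symbols UNDEF_FILE DEF_FILE: names in UNDEF_FILE absent from
# DEF_FILE. Both files must already be sorted, as nm_names leaves them.
missing_symbols() {
    comm -23 "$1" "$2"
}

# check_module MODULE PROVIDER...: print MODULE's imports that no PROVIDER
# exports. Returns 0 when everything resolves, 1 otherwise.
check_module() {
    mod=$1; shift
    tmp=$(mktemp -d) || return 2
    nm -D "$mod" | nm_names U > "$tmp/undef"
    for lib in "$@"; do nm -D "$lib" | nm_names D; done | sort -u > "$tmp/def"
    missing_symbols "$tmp/undef" "$tmp/def" > "$tmp/missing"
    cat "$tmp/missing"
    n=$(wc -l < "$tmp/missing" | tr -d ' ')
    rm -rf "$tmp"
    [ "$n" -eq 0 ]
}

# Only run when invoked with arguments, so the functions can also be sourced.
if [ $# -ge 2 ]; then
    check_module "$@"
fi
```

Symbols the module takes from providers you did not list (libc, libapr, the ap_* symbols exported by the httpd binary) also appear in the output, so either pass everything `ldd mod_ssl.so` reports plus the httpd binary, or read the output only for the SSL_/CRYPTO_ names you are checking.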
*** Bug 682112 has been marked as a duplicate of this bug. ***
Same issue with apache-2.4.39. The above patches can be applied, though, and fix that.
@ libressl project: Please review and acknowledge patches.
FYI: As with apache-2.4.39, apache-2.4.41 has the same issues. The above mentioned patches can be applied though, and work around that.
Thanks for the report and for the patches. Unfortunately the first patch is not needed, the second one is not correct. I have submitted the fix upstream: https://github.com/apache/httpd/pull/64
Created attachment 588414 [details, diff] apache-2.4.41-libressl.patch
The bug has been closed via the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=c6c5718a40db2adb0084150bf5fb30b4d29e53d5

commit c6c5718a40db2adb0084150bf5fb30b4d29e53d5
Author:     Lars Wendler <polynomial-c@gentoo.org>
AuthorDate: 2019-09-04 07:03:37 +0000
Commit:     Lars Wendler <polynomial-c@gentoo.org>
CommitDate: 2019-09-04 07:16:39 +0000

    www-servers/apache: Added libressl patch

    Thanks-to: Stefan Strogin <steils@gentoo.org>
    Closes: https://bugs.gentoo.org/668060
    Package-Manager: Portage-2.3.75, Repoman-2.3.17
    Signed-off-by: Lars Wendler <polynomial-c@gentoo.org>

 www-servers/apache/apache-2.4.41.ebuild       |  4 ++++
 .../apache/files/apache-2.4.41-libressl.patch | 27 ++++++++++++++++++++++
 2 files changed, 31 insertions(+)