Bug 812859 - www-servers/apache: fails to start mod_ssl with OpenSSL 3 (mod_ssl.so: undefined symbol: ERR_GET_FUNC)
Status: CONFIRMED
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: Current packages
Hardware: All Linux
Importance: Normal normal
Assignee: Apache Team - Bugzilla Reports
Keywords: PATCH
Blocks: openssl-3.0
Reported: 2021-09-13 03:00 UTC by Sam James
Modified: 2021-09-20 06:38 UTC (History)

Attachments
ssl_engine_init.c.patch (file_812859.txt,1.73 KB, patch)
2021-09-13 03:01 UTC, Sam James

Description Sam James archtester gentoo-dev Security 2021-09-13 03:00:36 UTC
Reported by Delicates on IRC:

```
# /etc/init.d/apache2 stop
* Stopping apache2 ...
apache2: Syntax error on line 125 of /etc/apache2/httpd.conf: Cannot load modules/mod_ssl.so into server: /usr/lib64/apache2/modules/mod_ssl.so: undefined symbol: ERR_GET_FUNC  [ !! ]
* ERROR: apache2 failed to stop
```

This seems like a somewhat standard failure where weak definitions are permitted (because it's a module) but it never ended up getting resolved.

Upstream thread: https://www.mail-archive.com/dev@httpd.apache.org/msg75604.html
Upstream patch: https://svn.apache.org/viewvc/httpd/httpd/trunk/modules/ssl/ssl_engine_init.c?r1=1891138&r2=1891137&pathrev=1891138

I've also attached the patch the user submitted to me, which looks like a cleaned up version of the linked one.
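
A build-time check for the kind of failure described in this report, as an added example (not part of the bug report and not Gentoo or Apache tooling): it compares a module's undefined dynamic symbols against what its providers export, so a leftover reference such as `ERR_GET_FUNC` is caught before the service is restarted. The function name `unresolved_syms`, the `demo` wrapper, and the sample `nm -D` listings are constructed for illustration.

```shell
#!/bin/sh
# unresolved_syms MODULE_NM PROVIDER_NM...
# Every argument is a file holding `nm -D` output. Prints each symbol the
# module requires (type "U") that none of the providers defines.
# Weak references (type "w") are skipped: they may legitimately stay unresolved.
unresolved_syms() {
    module_nm=$1; shift
    awk -v mod="$module_nm" '
        # Drop the symbol-version suffix: name@@VER or name@VER -> name
        function base(s) { sub(/@.*/, "", s); return s }
        # Provider line "ADDRESS TYPE NAME": the symbol is defined there.
        FILENAME != mod && NF == 3 { defined[base($3)] = 1; next }
        # Module line "U NAME": a hard requirement that must be satisfied.
        FILENAME == mod && NF == 2 && $1 == "U" {
            s = base($2)
            if (!(s in defined)) print s
        }
    ' "$@" "$module_nm"
}

# Constructed sample listings (not taken from a real build). For mod_ssl the
# providers must include the httpd binary as well as libssl and libcrypto.
demo() {
    tmp=$(mktemp -d) || return 1
    cat > "$tmp/mod_ssl.nm" <<'EOF'
                 U ERR_GET_FUNC
                 U ERR_peek_last_error@OPENSSL_3.0.0
                 U SSL_CTX_new@OPENSSL_3.0.0
                 U ap_log_error
                 w __gmon_start__
0000000000021a40 T ssl_init_Module
EOF
    echo '00000000001b2c10 T ERR_peek_last_error@@OPENSSL_3.0.0' > "$tmp/libcrypto.nm"
    echo '000000000003f5d0 T SSL_CTX_new@@OPENSSL_3.0.0' > "$tmp/libssl.nm"
    echo '0000000000058e20 T ap_log_error' > "$tmp/httpd.nm"
    unresolved_syms "$tmp/mod_ssl.nm" "$tmp/libcrypto.nm" "$tmp/libssl.nm" "$tmp/httpd.nm"
    rm -rf "$tmp"
}

demo
```

On a real system the listings would come from running `nm -D` on the installed module, the httpd binary, and each library the module is linked against.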
Comment 1 Sam James archtester gentoo-dev Security 2021-09-13 03:01:01 UTC
Created attachment 739075
ssl_engine_init.c.patch
Comment 2 Sam James archtester gentoo-dev Security 2021-09-13 03:10:21 UTC
Notably, Fedora has a far larger patch: https://src.fedoraproject.org/rpms/httpd/c/aee92c2c6a96e3d21560bdd5de702534dd68e323?branch=rawhide, but this looks like it might fix a lot of deprecated usage rather than being _strictly_ necessary for now.

(See https://github.com/apache/httpd/pull/258).
Comment 3 Hans de Graaff gentoo-dev 2021-09-19 07:40:40 UTC
I'm very hesitant to add patches like this. It is very easy to miss additional security issues this way and introduce an insecure version. I would strongly prefer that we follow the upstream httpd releases with this. The patch has been applied to apache 2.5 trunk only and not to 2.4 and we can't tell why that has not happened yet (e.g. because it would introduce other security-related issues).