Reported by Delicates on IRC:

```
# /etc/init.d/apache2 stop
* Stopping apache2 ...
apache2: Syntax error on line 125 of /etc/apache2/httpd.conf: Cannot load modules/mod_ssl.so into server: /usr/lib64/apache2/modules/mod_ssl.so: undefined symbol: ERR_GET_FUNC [ !! ]
* ERROR: apache2 failed to stop
```

This seems like a somewhat standard failure where weak definitions are permitted (because it's a module) but it never ended up getting resolved.

Upstream thread: https://www.mail-archive.com/dev@httpd.apache.org/msg75604.html

Upstream patch: https://svn.apache.org/viewvc/httpd/httpd/trunk/modules/ssl/ssl_engine_init.c?r1=1891138&r2=1891137&pathrev=1891138

I've also attached the patch the user submitted to me, which looks like a cleaned up version of the linked one.
Created attachment 739075: ssl_engine_init.c.patch
Notably, Fedora has a far larger patch: https://src.fedoraproject.org/rpms/httpd/c/aee92c2c6a96e3d21560bdd5de702534dd68e323?branch=rawhide, but this looks like it might fix a lot of deprecated usage rather than being _strictly_ necessary for now. (See https://github.com/apache/httpd/pull/258).
I'm very hesitant to add patches like this. It is very easy to miss additional security issues this way and introduce an insecure version. I would strongly prefer that we follow the upstream httpd releases with this. The patch has been applied to apache 2.5 trunk only and not to 2.4 and we can't tell why that has not happened yet (e.g. because it would introduce other security-related issues).
Apache 2.4.52 includes this patch and the changelog notes OpenSSL 3 compatibility: https://svn.apache.org/viewvc/httpd/httpd/branches/2.4.x/CHANGES?view=markup&pathrev=1895868
(In reply to Craig Andrews from comment #4)
> Apache 2.4.52 includes this patch and the changelog notes OpenSSL 3
> compatibility:
> https://svn.apache.org/viewvc/httpd/httpd/branches/2.4.x/CHANGES?view=markup&pathrev=1895868

Thanks!