> Looking at mod_ssl_openssl.h and the comment in #828330,
> I'd suggest the change below to add a dependency on libssl1.0-dev
> to apache2-dev.
And that is exactly what happens, meaning that PHP 7.0 can no longer be built unless all its build-depends (including PHP 7.0) and rdepends move to libssl1.0-dev as well. So a nice deadlock, right? To be honest I would rather have a slightly less tested apache2 with OpenSSL 1.1.0 and iron out the bugs as we go than revert all the work I have done. I reviewed the patch Kurt has provided and I don't see any strong reason why anything should break.

~~~

ssl_engine_io_init() is called but the return value is not checked, although it might obviously fail, as the function can return 0 on failure.

~~~

This bit looks suspicious as it changes the existing behavior: - /* XXX: Should replace setting state with SSL_renegotiate(ssl); - * However, this causes failures in perl-framework currently, - * perhaps pre-test if we have already negotiated? - */ -#ifdef OPENSSL_NO_SSL_INTERN - SSL_set_state(ssl, SSL_ST_ACCEPT); -#else - ssl->state = SSL_ST_ACCEPT; -#endif + /* XXX: Why is this done twice? */ + SSL_renegotiate(ssl); + /* XXX: Return value ignored, uses SSL_get_state instead? */ but it might be correct...

~~~

There also seem to be some changes unrelated to OpenSSL 1.1.0, such as: - RAND_pseudo_bytes(iv, EVP_MAX_IV_LENGTH); + /* XXX: Return value not checked. */ + RAND_bytes(iv, EVP_MAX_IV_LENGTH); or adding: + SRP_user_pwd_free(u); I think this should be in a separate patch.

~~~

Kurt, can you confirm this doesn't change the behavior of the code? - else if (cert->valid && X509_check_issued(cert,cert) == X509_V_OK) { + else if (X509_check_issued(cert, cert) == X509_V_OK) {

~~~

Wrong whitespace here: - nid = OBJ_obj2nid((ASN1_OBJECT *)(xs->cert_info->key->algor->algorithm)); + X509_PUBKEY *pubkey = X509_get_X509_PUBKEY(xs); + X509_ALGOR *algor; + X509_PUBKEY_get0_param(NULL, NULL, NULL, &algor, pubkey); + nid = OBJ_obj2nid(algor->algorithm); and here:
@@ -398,7 +403,9 @@ static int stapling_check_response(serve if (bio) { int n; - if ((i2a_ASN1_INTEGER(bio, cinf->cid->serialNumber) != -1) && + ASN1_INTEGER *serial; + OCSP_id_get0_info(NULL, NULL, NULL, &serial, cinf->cid); + if ((i2a_ASN1_INTEGER(bio, serial) != -1) && ((n = BIO_read(bio, snum, sizeof snum - 1)) > 0)) snum[n] = '\0'; BIO_free(bio);

Cheers,
--
Ondřej Surý <ond...@sury.org>
Knot DNS (https://www.knot-dns.cz/) – a high-performance DNS server
Knot Resolver (https://www.knot-resolver.cz/) – secure, privacy-aware, fast DNS(SEC) resolver
Vše pro chleba (https://vseprochleba.cz) – Flour from the mill and supplies for baking bread of all kinds

On Sun, Nov 13, 2016, at 13:36, Debian Bug Tracking System wrote:
> Your message dated Sun, 13 Nov 2016 12:34:03 +0000
> with message-id <e1c5tz1-000gfb...@fasolo.debian.org>
> and subject line Bug#844160: fixed in apache2 2.4.23-7
> has caused the Debian Bug report #844160,
> regarding apache2-dev should depend on libssl1.0-dev
> to be marked as done.
>
> This means that you claim that the problem has been dealt with.
> If this is not the case it is now your responsibility to reopen the
> Bug report if necessary, and/or fix the problem forthwith.
>
> (NB: If you are a system administrator and have no idea what this
> message is talking about, this may indicate a serious mail system
> misconfiguration somewhere. Please contact ow...@bugs.debian.org
> immediately.)
>
>
> --
> 844160: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=844160
> Debian Bug Tracking System
> Contact ow...@bugs.debian.org with problems
> Email had 2 attachments:
> + apache2-dev should depend on libssl1.0-dev
> 3k (message/rfc822)
> + Bug#844160: fixed in apache2 2.4.23-7
> 8k (message/rfc822)
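Review bot: in the SSL_set_state/SSL_renegotiate hunk quoted above, `SSL_renegotiate(ssl)` is called with its return value discarded, and the two added `/* XXX: ... */` comments only record that this is unresolved. The removed comment states that using SSL_renegotiate() "causes failures in perl-framework currently", and nothing in the hunk says that was addressed. Resetting the handshake state to SSL_ST_ACCEPT and requesting a renegotiation are not the same operation, so suggest `if (SSL_renegotiate(ssl) != 1) { /* fail the request */ }` (SSL_renegotiate() returns 1 on success) and answering or dropping the "Why is this done twice?" question before this is merged.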
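Review bot: in the RAND_pseudo_bytes/RAND_bytes hunk, the added `/* XXX: Return value not checked. */` comment documents the defect instead of fixing it. RAND_bytes() returns 1 on success and 0 or -1 otherwise, and on failure `iv` keeps whatever the buffer held, so an unchecked call means a possibly uninitialized IV is used. Suggest `if (RAND_bytes(iv, EVP_MAX_IV_LENGTH) != 1) return <error>;` in place of the comment.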
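Review bot: the lone `+ SRP_user_pwd_free(u);` line is shown without context, so the hunk gives no way to tell whether `u` is still used after that point or is already freed on another path (double free). Either include the surrounding lines or, as suggested in the reply above, move it to a separate patch that states where the allocation comes from.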
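Review bot: dropping `cert->valid &&` from the self-issued check in the X509_check_issued hunk changes the condition, and the hunk does not say why. If the reason is that the field is no longer reachable through the opaque X509 in OpenSSL 1.1.0, the commit message should say so and explain why `X509_check_issued(cert, cert) == X509_V_OK` alone is sufficient; otherwise an equivalent guard should be kept.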
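Review bot: in the X509_PUBKEY_get0_param hunk, `algor` is declared without an initializer and the return value of `X509_PUBKEY_get0_param()` (1 on success, 0 on failure) is ignored, and `X509_get_X509_PUBKEY(xs)` can return NULL. On failure `algor->algorithm` dereferences an indeterminate pointer. Suggest `X509_ALGOR *algor = NULL;` and `if (!pubkey || !X509_PUBKEY_get0_param(NULL, NULL, NULL, &algor, pubkey)) return <error>;` before `OBJ_obj2nid(algor->algorithm)`, in addition to the indentation fix already requested.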
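Review bot: in the stapling_check_response hunk, `serial` is uninitialized and the return value of `OCSP_id_get0_info()` is not checked; it returns 0 when `cinf->cid` is NULL, after which `i2a_ASN1_INTEGER(bio, serial)` reads an indeterminate pointer. Suggest `ASN1_INTEGER *serial = NULL;` and folding the call into the condition: `if (OCSP_id_get0_info(NULL, NULL, NULL, &serial, cinf->cid) && (i2a_ASN1_INTEGER(bio, serial) != -1) && ((n = BIO_read(bio, snum, sizeof snum - 1)) > 0))`.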