Concerning the failures with OpenSSL 3.0.0 in t/ssl/proxy.t, these should be gone with the next alpha or beta of OpenSSL 3.0.0.

The culprit is indeed:

> [ssl:info] [pid 9162:tid 140326166714128] [remote 127.0.0.1:8532]
> AH02276: Certificate Verification: Error (3): unable to get certificate
> CRL [subject:
> emailAddress=test-...@httpd.apache.org,CN=localhost,OU=httpd-test/rsa-test,O=ASF,L=San
> Francisco,ST=California,C=US / issuer:
> emailAddress=test-...@httpd.apache.org,CN=ca,OU=httpd-test,O=ASF,L=San
> Francisco,ST=California,C=US / serial: 0C / notbefore: Jul 30 23:29:05
> 2020 GMT / notafter: Jul 30 23:29:05 2021 GMT]

The reason is that lib/Apache/TestSSLCA.pm does not use the injected "APACHE_TEST_OPENSSL_CMD" in one line, where it uses "`openssl ...`" instead of "`$openssl ...`". And this happens exactly when the hash file for ca-bundle.crt gets created. So instead of the older 1.1.1 openssl I inject during configure, the new 3.0.0 gets used to create the hash file. That would be fine, but OpenSSL 3.0.0 has a bug, just fixed very recently (not yet released), that "openssl crl" cannot read from STDIN, which is what we do.

I'll commit the "$openssl" instead of "openssl" in backticks for lib/Apache/TestSSLCA.pm to make its behavior more consistent.

Concerning the failures when the test client uses OpenSSL 0.9.8: I was able to provide OpenSSL 3.0.0 in the server with an auto-loaded openssl.cnf which contained the lines to load the legacy provider. The provider got loaded, but still the handshakes with the old OpenSSL fail. I don't know why. Probably not the biggest problem, because 0.9.8-based clients should really not matter when thinking about 3.0.0 support in the server.

Regards,

Rainer
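The hash step discussed above, written out as an added example (this is not code from Apache::Test's lib/Apache/TestSSLCA.pm or from httpd): it reproduces what c_rehash / `openssl rehash` do for a directory of CA certificates and CRLs, routes every call through one explicitly chosen openssl binary instead of a bare "openssl" resolved via PATH, and hands files to `openssl x509` / `openssl crl` with -in rather than piping them through STDIN. The extension-based classification of files and the stub hasher in demo_plan() are assumptions made for the example.

```python
"""Build an OpenSSL hash directory for CA certificates and CRLs.

Added example, not code from Apache::Test or httpd. It mirrors what c_rehash /
`openssl rehash` produce: <subject_hash>.N links for certificates and
<issuer_hash>.rN links for CRLs, which is the layout SSLCACertificatePath and
SSLCARevocationPath lookups expect.
"""
import os
import subprocess
import sys
from pathlib import Path
from typing import Callable, Dict, Iterable, List, Optional, Tuple

Hasher = Callable[[Path, str], str]

# Assumption for this example: classify by file extension. c_rehash itself
# inspects the PEM content instead.
CERT_SUFFIXES = {".pem", ".crt", ".cer"}
CRL_SUFFIXES = {".crl"}


def classify(path) -> Optional[str]:
    """Return "cert", "crl", or None for files that are not hashed."""
    suffix = Path(path).suffix.lower()
    if suffix in CERT_SUFFIXES:
        return "cert"
    if suffix in CRL_SUFFIXES:
        return "crl"
    return None


def openssl_hash(openssl: str, path: Path, kind: str) -> str:
    """Ask one explicitly chosen openssl binary for the 8-hex-digit lookup hash.

    `openssl` is the full path of the binary to use (e.g. the one the server was
    built against), never a bare "openssl" that resolves to whatever PATH finds
    first. The input always goes in via -in; nothing is written to STDIN.
    """
    if kind == "cert":
        cmd = [openssl, "x509", "-noout", "-subject_hash", "-in", str(path)]
    elif kind == "crl":
        cmd = [openssl, "crl", "-noout", "-hash", "-in", str(path)]
    else:
        raise ValueError(f"unknown kind {kind!r}")
    result = subprocess.run(cmd, check=True, capture_output=True, text=True,
                            stdin=subprocess.DEVNULL)
    return result.stdout.strip()


def plan_links(entries: Iterable[Tuple[Path, str]], hasher: Hasher) -> Dict[str, str]:
    """Map link name -> target file name.

    Certificates sharing a hash get .0, .1, ...; CRLs get .r0, .r1, ... so the
    by-directory lookup can enumerate every candidate for one subject/issuer.
    """
    counters: Dict[Tuple[str, str], int] = {}
    links: Dict[str, str] = {}
    for path, kind in sorted(entries, key=lambda e: e[0].name):
        digest = hasher(path, kind)
        index = counters.get((digest, kind), 0)
        counters[(digest, kind)] = index + 1
        suffix = f".r{index}" if kind == "crl" else f".{index}"
        links[digest + suffix] = path.name
    return links


def rehash(directory: Path, openssl: str, hasher: Optional[Hasher] = None) -> Dict[str, str]:
    """Create the hash links in `directory` and return the plan that was applied."""
    def default_hasher(path: Path, kind: str) -> str:
        return openssl_hash(openssl, path, kind)

    hasher = hasher or default_hasher
    entries: List[Tuple[Path, str]] = []
    for path in directory.iterdir():
        kind = classify(path)
        if kind and path.is_file() and not path.is_symlink():
            entries.append((path, kind))
    links = plan_links(entries, hasher)
    for name, target in links.items():
        link = directory / name
        if link.is_symlink() or link.exists():
            link.unlink()
        os.symlink(target, link)
    return links


def demo_plan() -> Dict[str, str]:
    """Constructed sample: two CA certs and one CRL sharing a hash, plus another
    CA and a file that is ignored. The hasher is a stub, so no openssl is run."""
    fake_hashes = {"ca.crt": "0ba2b6a5", "ca2.pem": "0ba2b6a5",
                   "ca.crl": "0ba2b6a5", "other.crt": "deadbeef",
                   "notes.txt": "ignored"}
    entries = [(Path(name), classify(name)) for name in fake_hashes]
    return plan_links([(p, k) for p, k in entries if k],
                      lambda p, _kind: fake_hashes[p.name])


if __name__ == "__main__":
    # usage: rehash.py /path/to/cadir /path/to/openssl
    cadir, openssl_bin = Path(sys.argv[1]), sys.argv[2]
    for link_name, target in rehash(cadir, openssl_bin).items():
        print(f"{link_name} -> {target}")
```

Running it against a directory with the same openssl binary the server links against avoids the mismatch described above, where the hash files for the CA bundle end up being produced by a different OpenSSL than the one under test.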

On 01.08.2020 at 17:44, Rainer Jung wrote:
Hi there,

during release testing for 2.4.45 I also built and tested using OpenSSL 3.0.0alpha5 on the server. Overall first results are pretty good:

- a few deprecation warnings during compilation:

modules/ssl/ssl_engine_config.c:610:5: warning: 'ENGINE_by_id' is deprecated [-Wdeprecated-declarations]
modules/ssl/ssl_engine_config.c:612:9: warning: 'ENGINE_free' is deprecated [-Wdeprecated-declarations]
modules/ssl/ssl_engine_config.c:617:9: warning: 'ENGINE_get_first' is deprecated [-Wdeprecated-declarations]
modules/ssl/ssl_engine_config.c:619:13: warning: 'ENGINE_get_id' is deprecated [-Wdeprecated-declarations]
modules/ssl/ssl_engine_config.c:620:42: warning: 'ENGINE_get_name' is deprecated [-Wdeprecated-declarations]
modules/ssl/ssl_engine_config.c:623:13: warning: 'ENGINE_get_next' is deprecated [-Wdeprecated-declarations]
modules/ssl/ssl_engine_init.c:457:9: warning: 'ENGINE_by_id' is deprecated [-Wdeprecated-declarations]
modules/ssl/ssl_engine_init.c:467:13: warning: 'ENGINE_ctrl' is deprecated [-Wdeprecated-declarations]
modules/ssl/ssl_engine_init.c:471:9: warning: 'ENGINE_set_default' is deprecated [-Wdeprecated-declarations]
modules/ssl/ssl_engine_init.c:482:9: warning: 'ENGINE_free' is deprecated [-Wdeprecated-declarations]
modules/ssl/ssl_engine_kernel.c:2611:9: warning: 'HMAC_Init_ex' is deprecated [-Wdeprecated-declarations]
modules/ssl/ssl_engine_kernel.c:2632:9: warning: 'HMAC_Init_ex' is deprecated [-Wdeprecated-declarations]
modules/ssl/ssl_engine_log.c:90:5: warning: 'ERR_peek_error_line_data' is deprecated [-Wdeprecated-declarations]
modules/ssl/ssl_engine_pphrase.c:856:5: warning: 'ENGINE_by_id' is deprecated [-Wdeprecated-declarations]
modules/ssl/ssl_engine_pphrase.c:864:5: warning: 'ENGINE_init' is deprecated [-Wdeprecated-declarations]
modules/ssl/ssl_engine_pphrase.c:877:9: warning: 'ENGINE_ctrl_cmd_string' is deprecated [-Wdeprecated-declarations]
modules/ssl/ssl_engine_pphrase.c:886:9: warning: 'ENGINE_ctrl_cmd' is deprecated [-Wdeprecated-declarations]
modules/ssl/ssl_engine_pphrase.c:896:5: warning: 'ENGINE_load_private_key' is deprecated [-Wdeprecated-declarations]
modules/ssl/ssl_engine_pphrase.c:904:5: warning: 'ENGINE_finish' is deprecated [-Wdeprecated-declarations]
modules/ssl/ssl_engine_pphrase.c:905:5: warning: 'ENGINE_free' is deprecated [-Wdeprecated-declarations]

- a few const warnings

modules/ssl/ssl_engine_kernel.c:608:55: warning: passing argument 2 of 'sk_SSL_CIPHER_find' discards 'const' qualifier from pointer target type [-Wdiscarded-qualifiers]
modules/ssl/ssl_engine_kernel.c:627:61: warning: passing argument 2 of 'sk_SSL_CIPHER_find' discards 'const' qualifier from pointer target type [-Wdiscarded-qualifiers]
modules/ssl/ssl_engine_kernel.c:638:57: warning: passing argument 2 of 'sk_SSL_CIPHER_find' discards 'const' qualifier from pointer target type [-Wdiscarded-qualifiers]
modules/ssl/ssl_engine_kernel.c:1039:49: warning: passing argument 2 of 'sk_SSL_CIPHER_find' discards 'const' qualifier from pointer target type [-Wdiscarded-qualifiers]

and unit tests show two problems, one will be fixed in OpenSSL itself:

- during unit test preparation, our test script creates a PKCS12 store with default encoding params. That's known to be broken in alpha5. So the "-configure" step of "t/TEST" should be run before the actual testing, with a stable version of OpenSSL.
https://github.com/openssl/openssl/pull/12540
https://github.com/openssl/openssl/issues/11672

- independent of OpenSSL 3.0.0: to work around the previous observation I tried using the env var "APACHE_TEST_OPENSSL_CMD". Unfortunately this is slightly broken, because it tests for existence using the "which" function in TestConfig.pm, and that function is broken when used for a command containing a path component. I temporarily fixed it using:

@@ -1782,6 +1782,11 @@

      return undef unless $program;

+    # No need to search PATH components
+    # if $program already contains a path
+    return $program if !OSX and !WINFU and
+        $program =~ /\// and -f $program and -x $program;
+
      my @dirs = File::Spec->path();

      require Config;
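Review bot: the new early return is guarded by `!OSX and !WINFU`, so on those platforms which() still falls through to the PATH scan and APACHE_TEST_OPENSSL_CMD with a path component keeps failing there, which is exactly the case this hunk is meant to fix; the check that follows (a `/` in $program plus -f and -x) would work unchanged on OSX, so either drop that exclusion or explain in the comment why it is deliberate. Two smaller points: `$program =~ /\//` only recognises forward slashes, so a backslash path would never take the shortcut even without the WINFU guard, and a relative path such as `./openssl` is returned as given, which stops being valid if the caller later changes directory; returning `File::Spec->rel2abs($program)` would keep the result usable.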


- when testing with a client >= OpenSSL 1.1.0 against 3.0.0alpha5, only t/ssl/proxy.t shows failures, especially in eat_post, but already during the TLS handshake:

[ssl:info] [pid 9162:tid 140326149928720] [client 127.0.0.1:56312] AH01964: Connection to child 82 established (server localhost:8532)

[ssl:info] [pid 9162:tid 140326166714128] [remote 127.0.0.1:8532] AH02276: Certificate Verification: Error (3): unable to get certificate CRL [subject: emailAddress=test-...@httpd.apache.org,CN=localhost,OU=httpd-test/rsa-test,O=ASF,L=San Francisco,ST=California,C=US / issuer: emailAddress=test-...@httpd.apache.org,CN=ca,OU=httpd-test,O=ASF,L=San Francisco,ST=California,C=US / serial: 0C / notbefore: Jul 30 23:29:05 2020 GMT / notafter: Jul 30 23:29:05 2021 GMT]

[ssl:info] [pid 9162:tid 140326149928720] [client 127.0.0.1:56312] AH02008: SSL library error 1 in handshake (server localhost:8532)

[ssl:info] [pid 9162:tid 140326149928720] SSL Library Error: error:0A000418:SSL routines::tlsv1 alert unknown ca (SSL alert number 48)

[ssl:info] [pid 9162:tid 140326149928720] [client 127.0.0.1:56312] AH01998: Connection closed to child 82 with abortive shutdown (server localhost:8532)

[example_hooks:notice] [pid 9162:tid 140326149928720] x_create_request()
[ssl:info] [pid 9162:tid 140326166714128] [remote 127.0.0.1:8532] AH02003: SSL Proxy connect failed

[ssl:info] [pid 9162:tid 140326166714128] SSL Library Error: error:0A000086:SSL routines::certificate verify failed

[ssl:info] [pid 9162:tid 140326166714128] [remote 127.0.0.1:8532] AH01998: Connection closed to child 0 with abortive shutdown (server localhost:8563)

[ssl:info] [pid 9162:tid 140326166714128] [remote 127.0.0.1:8532] AH01997: SSL handshake failed: sending 502

[proxy:error] [pid 9162:tid 140326166714128] (20014)Internal error (specific information not available): [client 127.0.0.1:49283] AH01084: pass request body failed to [::1]:8532 (localhost)

[proxy:error] [pid 9162:tid 140326166714128] [client 127.0.0.1:49283] AH00898: Error during SSL Handshake with remote server returned by /eat_post

[proxy_http:error] [pid 9162:tid 140326166714128] [client 127.0.0.1:49283] AH01097: pass request body failed to [::1]:8532 (localhost) from 127.0.0.1 ()


- when testing with OpenSSL 0.9.8zh as a client, almost all TLS tests fail. I guess one would have to load the legacy provider for the server-side OpenSSL to allow handshakes with the old version of TLS supported by 0.9.8. I have not verified this yet.


Regards,

Rainer
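For reference, the provider-loading configuration both messages refer to, as an added example (not a file from the thread or from httpd). The section names are those documented for OpenSSL 3.0's config file; which openssl.cnf gets auto-loaded (OPENSSLDIR/openssl.cnf, or the file named by OPENSSL_CONF) is an assumption about the build. One pitfall: as soon as a provider section is present, the default provider must be activated explicitly as well, otherwise only the legacy algorithms are available.

```ini
# openssl.cnf (added example): activate the default and legacy providers in OpenSSL 3.0
openssl_conf = openssl_init

[openssl_init]
providers = provider_sect

[provider_sect]
# Listing providers here replaces the implicit default, so activate both.
default = default_sect
legacy = legacy_sect

[default_sect]
activate = 1

[legacy_sect]
activate = 1
```

`openssl list -providers`, run with the same OPENSSL_CONF the server sees, shows which providers are actually active. Note that the legacy provider only makes additional algorithms available; whether a TLS 1.0-only client can still negotiate also depends on the server's minimum protocol version and security-level settings (SSLProtocol and the @SECLEVEL part of the cipher string in mod_ssl), which this fragment does not change.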
