On Sat, Oct 29, 2016 at 11:04:33AM +0300, Christos Trochalakis wrote:
> On Tue, Oct 11, 2016 at 10:41:01AM +0300, Christos Trochalakis wrote:
> > On Fri, Sep 02, 2016 at 10:52:15PM +0200, Kurt Roeckx wrote:
> > > Hi,
> > > 
> > > It seems the version in experimental needs this patch to build
> > > nginx itself:
> > > http://hg.nginx.org/nginx/rev/1891b2892b68
> > > 
> > > You might also want this one:
> > > http://hg.nginx.org/nginx/rev/3eb1a92a2f05
> > > 
> > > But then there are some files in debian/modules that have minor
> > > problems.
> > > 
> > > For nginx-lua see:
> > > https://github.com/openresty/lua-nginx-module/pull/761
> > > 
> > > nginx-upstream-fair also has a problem with the reference
> > > counters.
> > > 
> > > 
> > > Kurt
> > > 
> > 
> > To recap, the following patches are needed to compile nginx stable (1.10.1)
> > against OpenSSL 1.1.0. Note that the situation is a bit different than
> > experimental; we build 1.11.x releases there:
> > 
> > nginx: backport "SSL: adopted session ticket handling for OpenSSL 1.1.0." (3eb1a92a2f05)
> > nginx: backport "SSL: guarded SSL_R_NO_CIPHERS_PASSED not present in OpenSSL 1.1.0." (1891b2892b68)
> > upstream-fair: https://github.com/gnosek/nginx-upstream-fair/pull/22 (not merged upstream)
> > nginx-lua: https://github.com/openresty/lua-nginx-module/pull/761 (not merged upstream)
> > 
> > We should also fix ngx_ssl_dhparam() by either:
> > 
> > nginx: backport "SSL: removed default DH parameters" (1aa9650a8154)
> > or
> > by applying the user patch
> > https://trac.nginx.org/nginx/attachment/ticket/860/nginx-openssl110pre5.patch
> > which is less intrusive and is what a user expects from nginx 1.10 (1.11
> > dropped default DH params). See also my latest comment (#14) & reply on
> > https://trac.nginx.org/nginx/attachment/ticket/860.
> > 
> > Pending
> > =======
> > 
> > Lua v0.10.6 introduces a new regression as reported in:
> > https://github.com/openresty/lua-nginx-module/issues/757#issuecomment-247567447
> > 
> > Kurt, can you evaluate the patch regarding ngx_ssl_dhparam and help us with
> > the lua v0.10.6 issue?
> 
> We have some good news, nginx 1.10.2 includes all the changes needed for
> building against OpenSSL 1.1.0.
> 
> Modules:
> upstream-fair: https://github.com/gnosek/nginx-upstream-fair/pull/22
> nginx-lua: https://github.com/openresty/lua-nginx-module/pull/761 +
> https://github.com/wikimedia/operations-software-nginx/commit/e6785d912c992cae676593a8bd266e8c486b098d
> 
> I am not sure if the first lua patch is safe (regarding the
> "ssl_conn->tlsext_status_expected = 1;" removal).
> 
> I have forced-pushed a new stretch-openssl-1.1 that builds successfully.
> 

I had a quick look at the patch from
https://trac.nginx.org/nginx/attachment/ticket/860/nginx-openssl110pre5.patch

Not having seen the full source, I think this is wrong:
         DH_free(dh);
+#if OPENSSL_VERSION_NUMBER >= 0x10100005L
+        BN_free(p);
+        BN_free(g);
+#endif
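
Review bot: The added BN_free(p) and BN_free(g) run unconditionally after DH_free(dh) inside the version guard, so they are only correct on a path where DH_set0_pqg() was not called or returned 0. After a successful DH_set0_pqg() the DH object owns p and g, and DH_free(dh) has already released them. Suggest freeing p and g only in the branch where DH_set0_pqg() fails, or setting both to NULL once it succeeds, since BN_free(NULL) does nothing.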

If DH_set0_pqg() has been successfully called with p and g, dh is
now the owner of those pointers. Calling DH_free(dh) will free
them, and so you'll have a double free.


Kurt
