I started adding support for OpenSSL 1.1.0 in trunk.

As some might know, the OpenSSL API has changed and, in particular, many structures have been made opaque.

I resolved all the stuff that could be done on a local/formal level, but some items remain, where I'm not sure how to proceed. I have marked all of them with "XXX: OpenSSL 1.1.0:" in the sources.

I tested a straight backport to 2.4 against OpenSSL 1.1.0pre2 plus patch https://github.com/openssl/openssl/commit/311f27852a18fb9c10f0c1283b639f12eea06de2 and there were only 7 ssl test failures.

Open problems:

1) HTTP on HTTPS

OpenSSL 1.1.0 currently doesn't support the "HTTP spoken on HTTPS port" error. The code to detect HTTP was removed due to a major rewrite of the state engine. The OpenSSL project is willing to review patches for reintroducing the feature there but currently doesn't plan to work on it themselves.

2) Renegotiation

It needs to be implemented differently. The OpenSSL project suggests trying to read application data until the renegotiation has finished. I committed some rather ugly code that does loop waiting for reneg, but it has a couple of problems:

a) it will not work for EC or DH ciphers. Some opaque structure element in the ssl struct is already set and confuses the state machine. I hope to get some helpful feedback from the OpenSSL project for this.

b) the loop implementation currently assumes we wait for client certs during the reneg. It will hang for the full loop duration when only the cipher changed but no certs will be sent. We need a better loop end check.

3) ssl_engine_ocsp.c

In modssl_verify_ocsp() the following code accesses the struct member "valid", for which currently no accessor function exists in 1.1.0:

    else if (cert->valid && X509_check_issued(cert,cert) == X509_V_OK) {
        /* don't do OCSP checking for valid self-issued certs */
        ap_log_cerror(APLOG_MARK, APLOG_TRACE2, 0, c,
                      "Skipping OCSP check for valid self-issued cert");
        X509_STORE_CTX_set_error(ctx, X509_V_OK);
        return 1;
    }


4) ssl_util_stapling.c

In ssl_stapling_init_cert() there's a compiler warning:
  "passing argument 1 of 'sk_value' from incompatible pointer type
   expected 'const struct _STACK *' but argument is of type
   'struct stack_st_OPENSSL_STRING *'":

    cinf->uri = apr_pstrdup(p, sk_OPENSSL_STRING_value(aia, 0));


5) ssl_engine_kernel.c

In ssl_callback_Info() the explicit state constants SSL3_ST_SR_CLNT_HELLO_A and SSL23_ST_SR_CLNT_HELLO_A are used, which no longer exist. I can't find obvious replacements in the list of new state constants:

    int state = SSL_get_state((SSL *)ssl);

    if (state == SSL3_ST_SR_CLNT_HELLO_A
        || state == SSL23_ST_SR_CLNT_HELLO_A) {
        scr->reneg_state = RENEG_ABORT;
        ap_log_cerror(APLOG_MARK, APLOG_ERR, 0, c, APLOGNO(02042)
                      "rejecting client initiated renegotiation");
    }


Regards,

Rainer

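Open problem 1 above is that OpenSSL 1.1.0 no longer reports the "HTTP spoken on HTTPS port" condition itself. The following is an added example, not code from Rainer's message or from mod_ssl, showing how a server can classify the first bytes of a connection on its own before (or instead of) asking the TLS library: a TLS ClientHello begins with a handshake record header (content type 0x16, legacy version 0x03 0xNN, two-byte length, handshake type 0x01), an SSLv2-compatible ClientHello begins with a two-byte length whose high bit is set followed by message type 0x01, and plaintext HTTP begins with a method token and a space. The function name, the enum and the constructed sample buffers are assumptions of this example; the byte layouts are those of the TLS record and HTTP/1.x request line. The "need more" result matters in practice because the first read on a socket may return only a byte or two, and deciding on a short prefix would misclassify a legitimate handshake.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Result of looking at the first bytes a client sent (names are this
 * example's own, not mod_ssl's). */
typedef enum {
    FIRST_BYTES_NEED_MORE,  /* prefix is consistent with TLS or HTTP, read more */
    FIRST_BYTES_TLS,        /* looks like a TLS or SSLv2-compatible ClientHello */
    FIRST_BYTES_HTTP,       /* looks like a plaintext HTTP request line */
    FIRST_BYTES_UNKNOWN     /* neither; reject or fall back to library errors */
} first_bytes_kind;

/* Method tokens from HTTP/1.x, each followed by the mandatory space. */
static const char *const http_methods[] = {
    "GET ", "HEAD ", "POST ", "PUT ", "DELETE ",
    "OPTIONS ", "TRACE ", "CONNECT ", "PATCH ", NULL
};

first_bytes_kind classify_first_bytes(const unsigned char *buf, size_t n)
{
    size_t i;

    if (n == 0)
        return FIRST_BYTES_NEED_MORE;

    /* TLS record header: type 0x16 (handshake), version 0x03 0x00..0x04,
     * 16-bit length, then the first handshake byte 0x01 = ClientHello. */
    if (buf[0] == 0x16) {
        if (n < 6)
            return FIRST_BYTES_NEED_MORE;
        if (buf[1] == 0x03 && buf[2] <= 0x04 && buf[5] == 0x01)
            return FIRST_BYTES_TLS;
        return FIRST_BYTES_UNKNOWN;
    }

    /* SSLv2-compatible ClientHello: 2-byte record length with the high bit
     * set, then message type 0x01. Any other binary protocol that starts
     * with a high bit set will land in UNKNOWN here, which is intended. */
    if (buf[0] & 0x80) {
        if (n < 3)
            return FIRST_BYTES_NEED_MORE;
        return buf[2] == 0x01 ? FIRST_BYTES_TLS : FIRST_BYTES_UNKNOWN;
    }

    /* Plaintext HTTP: request line starts with a known method and a space.
     * A shorter buffer that is still a prefix of some method asks for more. */
    for (i = 0; http_methods[i] != NULL; i++) {
        size_t len = strlen(http_methods[i]);
        if (n < len) {
            if (memcmp(buf, http_methods[i], n) == 0)
                return FIRST_BYTES_NEED_MORE;
            continue;
        }
        if (memcmp(buf, http_methods[i], len) == 0)
            return FIRST_BYTES_HTTP;
    }
    return FIRST_BYTES_UNKNOWN;
}

const char *first_bytes_name(first_bytes_kind k)
{
    switch (k) {
    case FIRST_BYTES_NEED_MORE: return "need more";
    case FIRST_BYTES_TLS:       return "tls";
    case FIRST_BYTES_HTTP:      return "http";
    default:                    return "unknown";
    }
}

int main(void)
{
    /* Constructed sample inputs, not captured traffic. */
    static const unsigned char tls_hello[] = { 0x16, 0x03, 0x01, 0x00, 0xc8, 0x01 };
    static const unsigned char v2_hello[]  = { 0x80, 0x2e, 0x01 };
    static const char http_req[] = "GET / HTTP/1.1\r\nHost: example.test\r\n\r\n";

    printf("tls record : %s\n", first_bytes_name(classify_first_bytes(tls_hello, sizeof tls_hello)));
    printf("sslv2 hello: %s\n", first_bytes_name(classify_first_bytes(v2_hello, sizeof v2_hello)));
    printf("http line  : %s\n", first_bytes_name(classify_first_bytes((const unsigned char *)http_req, strlen(http_req))));
    printf("one byte   : %s\n", first_bytes_name(classify_first_bytes(tls_hello, 1)));
    return 0;
}
```

A server using this would peek at the socket before handing it to SSL_accept(): on FIRST_BYTES_HTTP it can send its own "HTTP on HTTPS port" error page, on FIRST_BYTES_UNKNOWN it can close the connection, and only FIRST_BYTES_TLS goes to the library. The check deliberately does not parse the ClientHello; it only decides which parser should see the bytes.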