Hi Rainer,

thanks for solving this issue. The version check indeed was missing. I do not 
think supporting ACME on servers with such old OpenSSL is really something to 
strive for. I'd have settled for a check for 1.0.2 even. If your changed check 
makes it work for 1.0.1 also, that's fine.

My (a tad philosophical) point of view is that security on the public network 
is only achievable and *maintainable* by ever moving forward to the latest, 
best efforts of the community. If you stick to a version, even if that worked 
fine at the time, you'll get owned.

Again, 2.4.x promises support for 0.9.8a+, so the check was missing. Maybe this 
is a reason for a 2.6.x that is a re-vamped 2.4.x but with a revisited 
baseline? Without mpm-prefork, http/0.9 and other cruft? A man can dream...

Cheers,

Stefan


> On 16.03.2018 at 12:41, Rainer Jung <[email protected]> wrote:
> 
> On 16.03.2018 at 12:21, Rainer Jung wrote:
>> It seems mod_md (trunk and 2.4, currently identical) needs OpenSSL 1.0.2 
>> (for ASN1_TIME_diff), but with a small change (using the already existing 
>> LIBRESSL alternative code) it only needs 1.0.0.
>> Since we still support 0.9.8a+ for 2.4.x and trunk, I think we need to add a 
>> version check to modules/md/config2.m4, maybe by allowing the requested 
>> version as an argument to APACHE_CHECK_OPENSSL which is already used there. 
>> Currently APACHE_CHECK_OPENSSL uses a hard-coded 0.9.8a check.
> 
> I have hopefully fixed the 1.0.2 dependency by 1826973 and proposed it for 
> backport. About the 1.0.0 dependency, adding version requirements as 
> parameters to APACHE_CHECK_OPENSSL is non-trivial, because 
> APACHE_CHECK_OPENSSL uses caching for its result which would then depend on 
> the version. Instead I suggest the following (yet untested):
> 
> Index: modules/md/config2.m4
> ===================================================================
> --- modules/md/config2.m4       (revision 1826930)
> +++ modules/md/config2.m4       (working copy)
> @@ -270,6 +270,18 @@
> dnl # hook module into the Autoconf mechanism (--enable-md)
> APACHE_MODULE(md, [Managed Domain handling], $md_objs, , most, [
>     APACHE_CHECK_OPENSSL
> +    AC_MSG_CHECKING([for OpenSSL version >= 1.0.1])
> +    AC_TRY_COMPILE([#include <openssl/opensslv.h>],[
> +#if !defined(OPENSSL_VERSION_NUMBER)
> +#error "Missing OpenSSL version"
> +#endif
> +#if OPENSSL_VERSION_NUMBER < 0x10001000L
> +#error "Unsupported OpenSSL version " OPENSSL_VERSION_TEXT
> +#endif],
> +      [AC_MSG_RESULT(OK),
> +      [AC_MSG_RESULT(FAILED)
> +       ac_cv_openssl=no])
> +
>     if test "x$ac_cv_openssl" = "xno" ; then
>         AC_MSG_WARN([libssl (or compatible) not found])
>         enable_md=no
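Review bot: the action-if-true argument on the `[AC_MSG_RESULT(OK),` line is missing its closing bracket, so the m4 quote opened there never closes before the comma; the `[AC_MSG_RESULT(FAILED) ... ac_cv_openssl=no]` branch then sits inside the first argument instead of being the action-if-false, and the argument list runs on past the closing parenthesis. It should read `[AC_MSG_RESULT(OK)],`. Two smaller points: the threshold `0x10001000L` checks for 1.0.1 while the message describes a 1.0.0 dependency, so the comment text and the constant should be brought into agreement, and the compile test runs even when `APACHE_CHECK_OPENSSL` has already set `ac_cv_openssl=no`, which only costs a redundant FAILED message but could be skipped with a guard on that variable.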
> 
> @Stefan: is this dependency on OpenSSL 1.0.0 expected or unexpected?
> 
> Regards,
> 
> Rainer
