Rainer,
On 8/1/20 11:44, Rainer Jung wrote:
> Sorry, wrong dev list. I thought it was interesting anyway :)

How about libtcnative built against OpenSSL 3.0.0?

-chris

> On 01.08.2020 at 12:07, Rainer Jung wrote:
>> Hi there,
>>
>> during release testing for 2.4.45 I also built and tested using
>> OpenSSL 3.0.0alpha5 on the server. Overall first results are
>> pretty good:
>>
>> - a few deprecation warnings during compilation:
>>
>> modules/ssl/ssl_engine_config.c:610:5: warning: 'ENGINE_by_id' is deprecated [-Wdeprecated-declarations]
>> modules/ssl/ssl_engine_config.c:612:9: warning: 'ENGINE_free' is deprecated [-Wdeprecated-declarations]
>> modules/ssl/ssl_engine_config.c:617:9: warning: 'ENGINE_get_first' is deprecated [-Wdeprecated-declarations]
>> modules/ssl/ssl_engine_config.c:619:13: warning: 'ENGINE_get_id' is deprecated [-Wdeprecated-declarations]
>> modules/ssl/ssl_engine_config.c:620:42: warning: 'ENGINE_get_name' is deprecated [-Wdeprecated-declarations]
>> modules/ssl/ssl_engine_config.c:623:13: warning: 'ENGINE_get_next' is deprecated [-Wdeprecated-declarations]
>> modules/ssl/ssl_engine_init.c:457:9: warning: 'ENGINE_by_id' is deprecated [-Wdeprecated-declarations]
>> modules/ssl/ssl_engine_init.c:467:13: warning: 'ENGINE_ctrl' is deprecated [-Wdeprecated-declarations]
>> modules/ssl/ssl_engine_init.c:471:9: warning: 'ENGINE_set_default' is deprecated [-Wdeprecated-declarations]
>> modules/ssl/ssl_engine_init.c:482:9: warning: 'ENGINE_free' is deprecated [-Wdeprecated-declarations]
>> modules/ssl/ssl_engine_kernel.c:2611:9: warning: 'HMAC_Init_ex' is deprecated [-Wdeprecated-declarations]
>> modules/ssl/ssl_engine_kernel.c:2632:9: warning: 'HMAC_Init_ex' is deprecated [-Wdeprecated-declarations]
>> modules/ssl/ssl_engine_log.c:90:5: warning: 'ERR_peek_error_line_data' is deprecated [-Wdeprecated-declarations]
>> modules/ssl/ssl_engine_pphrase.c:856:5: warning: 'ENGINE_by_id' is deprecated [-Wdeprecated-declarations]
>> modules/ssl/ssl_engine_pphrase.c:864:5: warning: 'ENGINE_init' is deprecated [-Wdeprecated-declarations]
>> modules/ssl/ssl_engine_pphrase.c:877:9: warning: 'ENGINE_ctrl_cmd_string' is deprecated [-Wdeprecated-declarations]
>> modules/ssl/ssl_engine_pphrase.c:886:9: warning: 'ENGINE_ctrl_cmd' is deprecated [-Wdeprecated-declarations]
>> modules/ssl/ssl_engine_pphrase.c:896:5: warning: 'ENGINE_load_private_key' is deprecated [-Wdeprecated-declarations]
>> modules/ssl/ssl_engine_pphrase.c:904:5: warning: 'ENGINE_finish' is deprecated [-Wdeprecated-declarations]
>> modules/ssl/ssl_engine_pphrase.c:905:5: warning: 'ENGINE_free' is deprecated [-Wdeprecated-declarations]
>>
>> - a few const warnings
>>
>> modules/ssl/ssl_engine_kernel.c:608:55: warning: passing argument 2 of 'sk_SSL_CIPHER_find' discards 'const' qualifier from pointer target type [-Wdiscarded-qualifiers]
>> modules/ssl/ssl_engine_kernel.c:627:61: warning: passing argument 2 of 'sk_SSL_CIPHER_find' discards 'const' qualifier from pointer target type [-Wdiscarded-qualifiers]
>> modules/ssl/ssl_engine_kernel.c:638:57: warning: passing argument 2 of 'sk_SSL_CIPHER_find' discards 'const' qualifier from pointer target type [-Wdiscarded-qualifiers]
>> modules/ssl/ssl_engine_kernel.c:1039:49: warning: passing argument 2 of 'sk_SSL_CIPHER_find' discards 'const' qualifier from pointer target type [-Wdiscarded-qualifiers]
>>
>> and unit tests show two problems, one will be fixed in OpenSSL
>> itself:
>>
>> - during unit test preparation, our test script creates a PKCS12
>> store with default encoding params. That's known to be broken in
>> alpha5. So the "-configure" step of "t/TEST" should be run before
>> the actual testing with a stable version of OpenSSL.
>>
>> https://github.com/openssl/openssl/pull/12540
>> https://github.com/openssl/openssl/issues/11672
>>
>> - independent of OpenSSL 3.0.0: to work around the previous
>> observation I tried using the env var "APACHE_TEST_OPENSSL_CMD".
>> Unfortunately this is slightly broken, because it tests for the
>> existence using the "which" function in TestConfig.pm and that
>> function is broken when used for a command containing a path
>> component. I temporarily fixed it using:
>>
>> @@ -1782,6 +1782,11 @@
>>
>>      return undef unless $program;
>>
>> +    # No need to search PATH components
>> +    # if $program already contains a path
>> +    return $program if !OSX and !WINFU and
>> +        $program =~ /\// and -f $program and -x $program;
>> +
>>      my @dirs = File::Spec->path();
>>
>>      require Config;
>>
>> - when testing with client >= OpenSSL 1.1.0 against 3.0.0alpha5,
>> only t/ssl/proxy.t shows failures, especially in eat_post but
>> already during TLS handshake:
>>
>> [ssl:info] [pid 9162:tid 140326149928720] [client 127.0.0.1:56312] AH01964: Connection to child 82 established (server localhost:8532)
>> [ssl:info] [pid 9162:tid 140326166714128] [remote 127.0.0.1:8532] AH02276: Certificate Verification: Error (3): unable to get certificate CRL [subject: emailAddress=test-...@httpd.apache.org,CN=localhost,OU=httpd-test/rsa-test,O=ASF,L=San Francisco,ST=California,C=US / issuer: emailAddress=test-...@httpd.apache.org,CN=ca,OU=httpd-test,O=ASF,L=San Francisco,ST=California,C=US / serial: 0C / notbefore: Jul 30 23:29:05 2020 GMT / notafter: Jul 30 23:29:05 2021 GMT]
>> [ssl:info] [pid 9162:tid 140326149928720] [client 127.0.0.1:56312] AH02008: SSL library error 1 in handshake (server localhost:8532)
>> [ssl:info] [pid 9162:tid 140326149928720] SSL Library Error: error:0A000418:SSL routines::tlsv1 alert unknown ca (SSL alert number 48)
>> [ssl:info] [pid 9162:tid 140326149928720] [client 127.0.0.1:56312] AH01998: Connection closed to child 82 with abortive shutdown (server localhost:8532)
>> [example_hooks:notice] [pid 9162:tid 140326149928720] x_create_request()
>> [ssl:info] [pid 9162:tid 140326166714128] [remote 127.0.0.1:8532] AH02003: SSL Proxy connect failed
>> [ssl:info] [pid 9162:tid 140326166714128] SSL Library Error: error:0A000086:SSL routines::certificate verify failed
>> [ssl:info] [pid 9162:tid 140326166714128] [remote 127.0.0.1:8532] AH01998: Connection closed to child 0 with abortive shutdown (server localhost:8563)
>> [ssl:info] [pid 9162:tid 140326166714128] [remote 127.0.0.1:8532] AH01997: SSL handshake failed: sending 502
>> [proxy:error] [pid 9162:tid 140326166714128] (20014)Internal error (specific information not available): [client 127.0.0.1:49283] AH01084: pass request body failed to [::1]:8532 (localhost)
>> [proxy:error] [pid 9162:tid 140326166714128] [client 127.0.0.1:49283] AH00898: Error during SSL Handshake with remote server returned by /eat_post
>> [proxy_http:error] [pid 9162:tid 140326166714128] [client 127.0.0.1:49283] AH01097: pass request body failed to [::1]:8532 (localhost) from 127.0.0.1 ()
>>
>> - when testing with OpenSSL 0.9.8zh as a client, mostly all TLS
>> tests fail. I guess one would have to load the legacy provider
>> for the server side OpenSSL to allow handshakes with the old
>> version of TLS supported by 0.9.8. I have not verified this yet.
>>
>> Regards,
>>
>> Rainer
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
> For additional commands, e-mail: dev-h...@tomcat.apache.org
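Review bot: in the TestConfig.pm which() hunk quoted above, the early return only fires when the slash-containing $program passes the -f/-x test; when it does not (typo in APACHE_TEST_OPENSSL_CMD, wrong permissions), control falls through to the PATH search that follows (`my @dirs = File::Spec->path();`), which joins each PATH directory with a name that already contains a path and so presumably cannot match, producing a confusing "not found" instead of a clear failure. Make the explicit-path case terminal, e.g. `return (-f $program and -x $program) ? $program : undef if $program =~ /\//;` in place of the added `return $program if ... and -x $program;`. Also, the shortcut is skipped on OSX even though macOS has the same -f/-x and forward-slash semantics as the other Unix platforms the `!OSX and !WINFU` guard admits; if that exclusion is deliberate, the added comment should say why, and if it is not, drop `!OSX`.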
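The lookup behaviour the quoted TestConfig.pm fix is after, as an added stand-alone example; this is not Apache::Test code and not part of the thread. It generalises the hunk in two ways: an explicit path that is missing or not executable yields undef instead of falling into the PATH search, and bare names are searched along PATH (trying PATHEXT suffixes on Windows). The function names resolve_program, is_executable and self_test, and the fake "fakessl-example" binary the self-check writes into a temp dir, are my own.

```perl
#!/usr/bin/perl
# Added example (not Apache::Test code): resolve a command name with or
# without a path component the way a shell does. Names are my own.
use strict;
use warnings;
use Config;
use File::Spec;
use File::Temp qw(tempdir);

sub is_windows { return $^O eq 'MSWin32' }

# A usable program is a plain file that is executable for us.
sub is_executable {
    my ($path) = @_;
    return (-f $path && -x _) ? 1 : 0;
}

# Resolve $program to a path, or return undef.
#   * A name containing a directory separator is taken literally
#     (absolute, or relative to the current directory) and is never
#     searched along PATH. If it is missing or not executable we stop
#     here: a PATH search with a slash-containing name cannot succeed.
#   * A bare name is searched along PATH; on Windows each PATHEXT
#     suffix is tried as well.
sub resolve_program {
    my ($program) = @_;
    return undef unless defined $program && length $program;

    my $has_dir = is_windows() ? $program =~ m{[\\/]} : $program =~ m{/};
    if ($has_dir) {
        return is_executable($program) ? $program : undef;
    }

    my @exts = is_windows()
        ? ('', split(/;/, $ENV{PATHEXT} // '.COM;.EXE;.BAT;.CMD'))
        : ('');
    for my $dir (File::Spec->path()) {
        for my $ext (@exts) {
            my $candidate = File::Spec->catfile($dir, $program . $ext);
            return $candidate if is_executable($candidate);
        }
    }
    return undef;
}

# Self-check against a constructed fake "openssl" in a temporary
# directory, mimicking APACHE_TEST_OPENSSL_CMD pointing at a build that
# is not on PATH.
sub self_test {
    my $dir  = tempdir(CLEANUP => 1);
    my $name = 'fakessl-example';
    my $fake = File::Spec->catfile($dir, $name);
    open my $fh, '>', $fake or die "open $fake: $!";
    print $fh "#!/bin/sh\necho fake\n";
    close $fh;
    chmod 0755, $fake or die "chmod $fake: $!";

    # Explicit path: honoured even though $dir is not on PATH.
    die 'explicit path not honoured'
        unless (resolve_program($fake) // '') eq $fake;

    # Explicit path to a missing file: undef, never a bogus PATH hit.
    die 'missing explicit path must be undef'
        if defined resolve_program(File::Spec->catfile($dir, 'missing'));

    # Bare name: not found until $dir is on PATH.
    die 'bare name found off PATH' if defined resolve_program($name);
    local $ENV{PATH} = join $Config{path_sep}, $dir, ($ENV{PATH} // '');
    die 'bare name not found on PATH'
        unless (resolve_program($name) // '') eq $fake;

    return 1;
}

print "ok\n" if self_test();
```

Run it with `perl resolve_program.pl`; it prints `ok` when all three cases behave, and dies with the failing case otherwise. The -x check is kept even for explicit paths so that a file that exists but is not executable (a common failure when pointing the test suite at a freshly unpacked OpenSSL build) is reported up front rather than when the first `openssl` invocation fails.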