[ https://issues.apache.org/jira/browse/IMPALA-14217?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=18004866#comment-18004866 ]
ASF subversion and git services commented on IMPALA-14217:
----------------------------------------------------------
Commit 90508b45596052c377415e673bb55dae116dc522 in impala's branch
refs/heads/master from jasonmfehr
[ https://gitbox.apache.org/repos/asf?p=impala.git;h=90508b455 ]
IMPALA-14217: Fixes Incompatibility with OpenSSL 1.0

A new function `ValidatePemBundle` was introduced in openssl-util.cc
under IMPALA-13237. This function used the X509_get0_notBefore and
X509_get0_notAfter functions which were introduced in OpenSSL 1.1.0.

Fixes compilation errors with OpenSSL 1.0.x by reverting to the older
X509_get_notBefore and X509_get_notAfter functions. These functions
were deprecated in OpenSSL 1.1.1 but are drop-in replacements for
X509_get0_notBefore and X509_get0_notAfter differing only in the
function return being mutable vs const.

Fixes flaky tests failing because different versions of OpenSSL set
different error codes in the BIO_new_mem_buf() function.

Tested locally by compiling and running openssl-util-test ctests.
Also built and ran tests using Jenkins on RHEL 8.6 and CentOS 7.4.

Change-Id: If58a12f14a5509d62b7cfe291372b53b440da511
Reviewed-on: http://gerrit.cloudera.org:8080/23161
Reviewed-by: Impala Public Jenkins <[email protected]>
Tested-by: Impala Public Jenkins <[email protected]>

> X509_get0_notBefore and X509_get0_notAfter Compile Error with OpenSSL 1.0
> -------------------------------------------------------------------------
>
> Key: IMPALA-14217
> URL: https://issues.apache.org/jira/browse/IMPALA-14217
> Project: IMPALA
> Issue Type: Bug
> Affects Versions: Impala 4.5.0
> Reporter: Jason Fehr
> Assignee: Jason Fehr
> Priority: Major
> Labels: OpenSSL, backend, broken-build
>
> IMPALA-13237 introduced code
> [here|https://gerrit.cloudera.org/c/23097/19/be/src/util/openssl-util.cc#182]
> and
> [here|https://gerrit.cloudera.org/c/23097/19/be/src/util/openssl-util.cc#186]
> that uses the X509_get0_notBefore and X509_get0_notAfter OpenSSL functions
> available in OpenSSL 1.1.1 and later versions. Thus, when compiling against
> OpenSSL 1.0.x, the compilation fails.
> The [OpenSSL
> doc|https://docs.openssl.org/3.0/man3/X509_get0_notBefore/#history] states
> the `X509_get_notBefore` and `X509_get_notAfter` functions were first
> deprecated in OpenSSL 1.1.0. Digging into the OpenSSL code, the 1.0.x
> function definitions are
> [here|https://github.com/openssl/openssl/blob/d9e048ceac64d3f2cfa8b153271acd309e6a5edb/crypto/x509/x509.h#L612-L613].
> In OpenSSL 1.1.0 and later, a macro is used to map the deprecated functions
> to the non-deprecated functions `X509_getm_notBefore` and
> `X509_getm_notAfter`
> [here|https://github.com/openssl/openssl/blob/8253b58d60eec11fdb5e5dbf9cc61f78a9b7095d/include/openssl/x509.h.in#L678-L679].
> The only difference between the `X509_get0_` and `X509_getm_` functions is
> the former returns a `const ASN1_TIME*` while the latter returns a mutable
> `ASN1_TIME*`. Thus, it is safe to switch to the deprecated `X509_get_`
> functions.