Re: [Update] Support for OpenSSL 1.1.0

2016-03-23 Thread Rainer Jung

not before 2.4.19 -> not before 2.4.20 ...

Am 23.03.2016 um 15:18 schrieb Rainer Jung:

OpenSSL 1.1.0 pre 4 = Beta 1 is out.

I did another round of compatibility updates for mod_ssl. Apart from
fixing bugs, the OpenSSL 1.1.0 API is supposed to stay stable now. So I
hope mod_ssl can stabilize now.

The current code runs the test suite with 1.0.2 and with 1.1.0 without
any SSL-related failures.

I'll let it settle a bit before suggesting backport to 2.4, definitely
not before 2.4.19.

More critical eyes on the 1.1.0 specific code paths very welcome!


Re: [Update] Support for OpenSSL 1.1.0

2016-03-23 Thread Rainer Jung

OpenSSL 1.1.0 pre 4 = Beta 1 is out.

I did another round of compatibility updates for mod_ssl. Apart from 
fixing bugs, the OpenSSL 1.1.0 API is supposed to stay stable now. So I 
hope mod_ssl can stabilize now.


The current code runs the test suite with 1.0.2 and with 1.1.0 without 
any SSL-related failures.


I'll let it settle a bit before suggesting backport to 2.4, definitely 
not before 2.4.19.


More critical eyes on the 1.1.0 specific code paths very welcome!

Regards,

Rainer


Re: [Update] Support for OpenSSL 1.1.0

2016-02-14 Thread Rainer Jung
The nice people at OpenSSL have already committed the two patches 
(renegotiation with ECDHE ciphers, detecting HTTP-on-HTTPS) and I think 
I found an easy way to trigger renegotiation without polling (using 
SSL_peek).


The current code runs the test suite with 1.0.2 and with 1.1.0 without 
any ssl related failures.


I'll let it settle a bit and test again once OpenSSL 1.1.0pre3 is out 
before suggesting backport to 2.4. I also need to set up the test suite 
environment for 2.4 with support for OpenSSL 0.9.8 to check against 
regressions.


Regards,

Rainer


[Update] Support for OpenSSL 1.1.0

2016-02-13 Thread Rainer Jung
I have sent a candidate patch for the "talking http on https" patch to 
the OpenSSL project. Using this patch and another fix I applied to trunk 
for reneg handling in the proxy client case (mod_proxy talking https to 
a backend), I'm now down to one remaining test suite failure.


More precisely, the following points are open:

- reneg for ECDHE and maybe other ciphers
  IMHO broken in OpenSSL itself. Opened a case there, because I can 
reproduce with the openssl command s_server and s_client, i.e. without any 
Apache involvement. Steve has already taken the ticket there.


  https://rt.openssl.org/Ticket/Display.html?id=4303

- "talking http on https": The patch for OpenSSL is not big and mostly 
consists of the older OpenSSL 1.0.2 code, but they have to check whether 
I have put it in the right place. I verified it works by running the 
Apache test suite, which contains tests using the "talking http on 
https" feature.


  https://rt.openssl.org/Ticket/Display.html?id=4304

- Test suite failure test 3 in t/security/CVE-2009-3555.t. The test 
sends two requests pipelined, where the first one needs a reneg. 
Pre-1.1.0, the first request succeeds and then the connection is closed. 
Using 1.1.0, the reneg fails, the first request gets a 403 and the 
connection is closed. For this there's still some analysis needed on our 
side.


All other tests succeed; some non-SSL tests fail for prefork and 
worker, but they did before the changes and they fail with OpenSSL 1.0.2 
also.


Once the last test breakage is fixed, I plan to go through the changes 
in order to remove pre-1.1.0 OpenSSL specific code where these versions 
can use the newer as well. Currently pre-1.1.0 OpenSSL versions use the 
exact same code path as before the changes.



If you want to do tests on your own, what you need is:

- OpenSSL 1.1.0pre2 plus two patches:


  https://github.com/openssl/openssl/commit/311f27852a18fb9c10f0c1283b639f12eea06de2

  https://rt.openssl.org/Ticket/Attachment/62645/38635/http-on-https.patch

- Fix to use a non-ECDHE cipher in the test suite

--- t/conf/ssl/ssl.conf.in  2016-02-12 17:21:44.857749000 +0100
+++ t/conf/ssl/ssl.conf.in2016-02-12 23:15:18.493357000 +0100
@@ -33,7 +33,8 @@
 CustomLog logs/ssl_request_log ssl
 

-SSLCipherSuite ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
+SSLCipherSuite 
AES128-SHA256:ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL

+SSLHonorCipherOrder On

 
 SSLPassPhraseDialog 
exec:@ServerRoot@/conf/ssl/httpd-passphrase.pl
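Review bot: the `+SSLCipherSuite AES128-SHA256:ALL:...` line together with `+SSLHonorCipherOrder On` only steers the server toward a static-RSA suite to sidestep the ECDHE renegotiation problem tracked in rt 4303; a one-line comment in ssl.conf.in saying so would help, because the unchanged `!ADH:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL` tail still admits weak and null ciphers and the line must not be copied into a non-test configuration. AES128-SHA256 is a TLS 1.2-only suite, so a client negotiating an older protocol version falls through to the ALL list and can still end up on ECDHE, which limits the workaround to TLS 1.2 test clients. Also, the mail client has wrapped the `+SSLCipherSuite` and ` SSLPassPhraseDialog` lines (and dropped the tab before the `+++` timestamp), so the hunk needs re-joining before it applies.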



- Depending on how you link, build apr-util crypto also against OpenSSL 
1.1.0. apr trunk, but also apr-util 1.5.x head, supports this.


Regards,

Rainer
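The "talking http on https" detection discussed in this thread, as an added example that is not httpd's or OpenSSL's own code: a Python classifier for the first bytes read on a TLS port, mirroring the check OpenSSL 1.0.2 performed before handing data to the TLS state machine. The method-token list and the SSLv2 heuristic are assumptions reconstructed from memory of that code, not copied from it.

```python
# Added example (not mod_ssl's or OpenSSL's own code). Classifies the first
# bytes a server reads on its TLS port so plaintext HTTP can be answered
# with a readable HTTP 400 instead of a TLS alert that browsers cannot show.

# Assumption: tokens the OpenSSL 1.0.2 server-side hello parser compared
# against the first bytes before raising SSL_R_HTTP_REQUEST.
HTTP_TOKENS = (b"GET ", b"POST ", b"HEAD ", b"PUT ")
# A proxy CONNECT on the TLS port is a different misconfiguration.
PROXY_TOKEN = b"CONNECT"

# TLS record content types that may legitimately start a connection.
TLS_CONTENT_TYPES = {20, 21, 22, 23}


def classify_first_bytes(data: bytes) -> str:
    """Return 'http', 'proxy', 'tls', 'sslv2' or 'unknown' for a stream prefix."""
    if len(data) < 5:
        # A TLS record header is 5 bytes; nothing can be decided yet.
        return "unknown"
    if any(data.startswith(t) for t in HTTP_TOKENS):
        return "http"
    if data.startswith(PROXY_TOKEN):
        return "proxy"
    ctype, major, minor = data[0], data[1], data[2]
    # Record header: type, then legacy version 3.0 (SSLv3) to 3.4 (TLS 1.3).
    if ctype in TLS_CONTENT_TYPES and major == 3 and minor <= 4:
        return "tls"
    # Assumption: SSLv2-style ClientHello has the record-length high bit
    # set in byte 0 and message type 1 (CLIENT-HELLO) in byte 2.
    if data[0] & 0x80 and data[2] == 1:
        return "sslv2"
    return "unknown"


def server_action(data: bytes) -> str:
    """Map the classification to what the listener should do next."""
    kind = classify_first_bytes(data)
    if kind in ("http", "proxy"):
        # Send a plaintext 400 page and close, as mod_ssl does.
        return "send_http_400_and_close"
    if kind == "tls":
        return "tls_handshake"
    # SSLv2 and garbage: refuse without guessing at a protocol.
    return "close"
```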