Concerning the failures with OpenSSL 3.0.0 in t/ssl/proxy.t, this should
be gone with the next alpha or beta of OpenSSL 3.0.0.
The culprit is indeed:
> [ssl:info] [pid 9162:tid 140326166714128] [remote 127.0.0.1:8532]
> AH02276: Certificate Verification: Error (3): unable to get certificate
> CRL [subject:
> emailAddress=test-...@httpd.apache.org,CN=localhost,OU=httpd-test/rsa-test,O=ASF,L=San
> Francisco,ST=California,C=US / issuer:
> emailAddress=test-...@httpd.apache.org,CN=ca,OU=httpd-test,O=ASF,L=San
> Francisco,ST=California,C=US / serial: 0C / notbefore: Jul 30 23:29:05
> 2020 GMT / notafter: Jul 30 23:29:05 2021 GMT]
The reason is that lib/Apache/TestSSLCA.pm does not use the injected
"APACHE_TEST_OPENSSL_CMD" in one line, where it uses "`openssl ...`"
instead of "`$openssl ...`". And this happens exactly when the hash file
for ca-bundle.crt gets created. So instead of the older 1.1.1 openssl I
inject during configure, the new 3.0.0 gets used to create the hash
file. That would be fine, but OpenSSL 3.0.0 has a bug just fixed very
recently (not yet released), that "openssl crl" cannot read from STDIN.
Which is what we do.
I'll commit the "$openssl" instead of "openssl" in backticks for
lib/Apache/TestSSLCA.pm to make its behavior more consistent.
Concerning the failures when the test client uses OpenSSL 0.9.8 I was
able to provide OpenSSL 3.0.0 in the server with an auto-loaded
openssl.cnf which contained the lines to load the legacy provider. The
provider got loaded, but still the handshakes with the old OpenSSL fail.
Don't know why. Probably not the biggest problem, because 0.9.8 based
clients should really not matter when thinking about 3.0.0 support in
the server.
Regards,
Rainer
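The slip described in the message above (one backtick call using a literal `openssl` rather than the injected `$openssl`) is the kind of thing a small lint can catch. This is an added example, not part of the original message or of Apache-Test; the function names and the sample Perl lines are constructed for illustration.

```shell
#!/bin/sh
# Added example (not Apache-Test code): lint Perl sources for shell-outs that
# call a literal "openssl" and so bypass the configured $openssl variable.

# "openssl" must be followed by a non-word character or end of line,
# so names such as "openssl_cmd" are not reported.
WORD_END='([^[:alnum:]_]|$)'

# find_bare_openssl FILE...
# Prints "file:line:text" for each hit. Returns 1 if any hit was found, else 0.
# A "$" between the opening quote and "openssl" prevents a match, so
# `$openssl ...` passes. Lines that are Perl comments are ignored.
find_bare_openssl() {
    hits=$(grep -nE \
        -e '`[[:space:]]*openssl'"$WORD_END" \
        -e 'qx[^[:alnum:][:space:]][[:space:]]*openssl'"$WORD_END" \
        -e "(system|exec)[[:space:]]*\(?[[:space:]]*[\"'][[:space:]]*openssl$WORD_END" \
        "$@" /dev/null | grep -vE '^[^:]*:[0-9]+:[[:space:]]*#' || true)
    [ -z "$hits" ] && return 0
    printf '%s\n' "$hits"
    return 1
}

# write_sample FILE
# Writes a constructed Perl fragment (not the real TestSSLCA.pm) for a dry run.
write_sample() {
    cat > "$1" <<'EOF'
my $openssl = $ENV{APACHE_TEST_OPENSSL_CMD} || 'openssl';
my $ok  = `$openssl x509 -noout -hash < ca.crt`;
my $bad = `openssl crl -noout -hash < ca.crl`;
# my $old = `openssl version`;
system("openssl", "version");
system("$openssl version");
my $v = qx{openssl version};
EOF
}

# Stand-alone use: lint the files named on the command line, if any.
[ "$#" -eq 0 ] || find_bare_openssl "$@"
```

On the constructed sample it reports lines 3, 5 and 7 and leaves the `$openssl` calls, the fallback assignment and the commented-out line alone.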
On 01.08.2020 at 17:44, Rainer Jung wrote:
Hi there,
during release testing for 2.4.45 I also built and tested using OpenSSL
3.0.0alpha5 on the server. Overall first results are pretty good:
- a few deprecation warnings during compilation:
modules/ssl/ssl_engine_config.c:610:5: warning: 'ENGINE_by_id' is
deprecated [-Wdeprecated-declarations]
modules/ssl/ssl_engine_config.c:612:9: warning: 'ENGINE_free' is
deprecated [-Wdeprecated-declarations]
modules/ssl/ssl_engine_config.c:617:9: warning: 'ENGINE_get_first' is
deprecated [-Wdeprecated-declarations]
modules/ssl/ssl_engine_config.c:619:13: warning: 'ENGINE_get_id' is
deprecated [-Wdeprecated-declarations]
modules/ssl/ssl_engine_config.c:620:42: warning: 'ENGINE_get_name' is
deprecated [-Wdeprecated-declarations]
modules/ssl/ssl_engine_config.c:623:13: warning: 'ENGINE_get_next' is
deprecated [-Wdeprecated-declarations]
modules/ssl/ssl_engine_init.c:457:9: warning: 'ENGINE_by_id' is
deprecated [-Wdeprecated-declarations]
modules/ssl/ssl_engine_init.c:467:13: warning: 'ENGINE_ctrl' is
deprecated [-Wdeprecated-declarations]
modules/ssl/ssl_engine_init.c:471:9: warning: 'ENGINE_set_default' is
deprecated [-Wdeprecated-declarations]
modules/ssl/ssl_engine_init.c:482:9: warning: 'ENGINE_free' is
deprecated [-Wdeprecated-declarations]
modules/ssl/ssl_engine_kernel.c:2611:9: warning: 'HMAC_Init_ex' is
deprecated [-Wdeprecated-declarations]
modules/ssl/ssl_engine_kernel.c:2632:9: warning: 'HMAC_Init_ex' is
deprecated [-Wdeprecated-declarations]
modules/ssl/ssl_engine_log.c:90:5: warning: 'ERR_peek_error_line_data'
is deprecated [-Wdeprecated-declarations]
modules/ssl/ssl_engine_pphrase.c:856:5: warning: 'ENGINE_by_id' is
deprecated [-Wdeprecated-declarations]
modules/ssl/ssl_engine_pphrase.c:864:5: warning: 'ENGINE_init' is
deprecated [-Wdeprecated-declarations]
modules/ssl/ssl_engine_pphrase.c:877:9: warning:
'ENGINE_ctrl_cmd_string' is deprecated [-Wdeprecated-declarations]
modules/ssl/ssl_engine_pphrase.c:886:9: warning: 'ENGINE_ctrl_cmd' is
deprecated [-Wdeprecated-declarations]
modules/ssl/ssl_engine_pphrase.c:896:5: warning:
'ENGINE_load_private_key' is deprecated [-Wdeprecated-declarations]
modules/ssl/ssl_engine_pphrase.c:904:5: warning: 'ENGINE_finish' is
deprecated [-Wdeprecated-declarations]
modules/ssl/ssl_engine_pphrase.c:905:5: warning: 'ENGINE_free' is
deprecated [-Wdeprecated-declarations]
- a few const warnings
modules/ssl/ssl_engine_kernel.c:608:55: warning: passing argument 2 of
'sk_SSL_CIPHER_find' discards 'const' qualifier from pointer target type
[-Wdiscarded-qualifiers]
modules/ssl/ssl_engine_kernel.c:627:61: warning: passing argument 2 of
'sk_SSL_CIPHER_find' discards 'const' qualifier from pointer target type
[-Wdiscarded-qualifiers]
modules/ssl/ssl_engine_kernel.c:638:57: warning: passing argument 2 of
'sk_SSL_CIPHER_find' discards 'const' qualifier from pointer target type
[-Wdiscarded-qualifiers]
modules/ssl/ssl_engine_kernel.c:1039:49: warning: passing argument 2 of
'sk_SSL_CIPHER_find' discards 'const' qualifier from pointer target type
[-Wdiscarded-qualifiers]
and unit tests show two problems, one will be fixed in OpenSSL itself:
- during unit test preparation, our test