Re: [SPAM] Re: Build failure of 1.6 and openssl 0.9.8

2015-10-23 Thread Willy Tarreau
Hi Marcus,

On Thu, Oct 22, 2015 at 12:14:53PM +0200, Marcus Rueckert wrote:
> On 2015-10-22 09:44:05 +0200, Willy Tarreau wrote:
> > On Thu, Oct 22, 2015 at 10:40:45AM +0300, Dmitry Sivachenko wrote:
> > > 1.6.1 still does not build with OpenSSL < 1.0:
> > > 
> > > src/ssl_sock.o: In function `ssl_sock_do_create_cert':
> > > ssl_sock.c:(.text+0x295b): undefined reference to 
> > > `EVP_PKEY_get_default_digest_nid'
> > > Makefile:760: recipe for target 'haproxy' failed
> > > 
> > > So is it intended behavior?
> > 
> > It's neither intended nor not intended, it's just that I was waiting for
> > Marcus' confirmation that the patch fixed the issue for him, and forgot
> > about this patch while waiting for a response. Can you confirm on your
> > side that the patch fixes the issue for you ? If so I'm willing to merge
> > the fix immediately. I prefer to be careful because on my side openssl
> > 0.9.8 doesn't break so I want to be sure that there isn't a second level
> > of breakage after this one.
> 
> 1. Actually send a confirmation that it builds for me with the patch
>    from Christopher Faulet.

I'm sorry, I just found your mail and your previous reply in my spambox.
Too bad I missed them before the release :-(

Thanks for having responded quickly!

Willy




Re: Build failure of 1.6 and openssl 0.9.8

2015-10-22 Thread Willy Tarreau
On Thu, Oct 22, 2015 at 11:31:01AM +0300, Dmitry Sivachenko wrote:
> 
> > On 22 Oct. 2015, at 10:44, Willy Tarreau  wrote:
> > 
> > Hello Dmitry,
> > 
> > On Thu, Oct 22, 2015 at 10:40:45AM +0300, Dmitry Sivachenko wrote:
> >> 1.6.1 still does not build with OpenSSL < 1.0:
> >> 
> >> src/ssl_sock.o: In function `ssl_sock_do_create_cert':
> >> ssl_sock.c:(.text+0x295b): undefined reference to 
> >> `EVP_PKEY_get_default_digest_nid'
> >> Makefile:760: recipe for target 'haproxy' failed
> >> 
> >> So is it intended behavior?
> > 
> > It's neither intended nor not intended, it's just that I was waiting for
> > Marcus' confirmation that the patch fixed the issue for him, and forgot
> > about this patch while waiting for a response. Can you confirm on your
> > side that the patch fixes the issue for you ? If so I'm willing to merge
> > the fix immediately. I prefer to be careful because on my side openssl
> > 0.9.8 doesn't break so I want to be sure that there isn't a second level
> > of breakage after this one.
> > 
> 
> 
> Aha, no problem, I thought it was supposed to be fixed before 1.6.1.
> 
> I tried a patch in this thread 
> (0002-BUILD-ssl-fix-build-error-introduced-in-commit-7969a.patch).
> 
> It does fix the build error (FreeBSD-9, OpenSSL 0.9.8q). Though there are the
> following warnings:
> 
> src/ssl_sock.c: In function 'ssl_sock_load_cert_chain_file':
> src/ssl_sock.c:1623: warning: dereferencing type-punned pointer will break 
> strict-aliasing rules
> src/ssl_sock.c:1636: warning: dereferencing type-punned pointer will break 
> strict-aliasing rules
> src/ssl_sock.c: In function 'ssl_sock_srv_verifycbk':
> src/ssl_sock.c:2264: warning: dereferencing type-punned pointer will break 
> strict-aliasing rules
> src/ssl_sock.c:2278: warning: dereferencing type-punned pointer will break 
> strict-aliasing rules

Do you have other patches applied ? Here these line numbers only match
closing braces so I have no idea what they correspond to :-/

Willy




Re: Build failure of 1.6 and openssl 0.9.8

2015-10-22 Thread Dmitry Sivachenko

> On 22 Oct. 2015, at 10:44, Willy Tarreau  wrote:
> 
> Hello Dmitry,
> 
> On Thu, Oct 22, 2015 at 10:40:45AM +0300, Dmitry Sivachenko wrote:
>> 1.6.1 still does not build with OpenSSL < 1.0:
>> 
>> src/ssl_sock.o: In function `ssl_sock_do_create_cert':
>> ssl_sock.c:(.text+0x295b): undefined reference to 
>> `EVP_PKEY_get_default_digest_nid'
>> Makefile:760: recipe for target 'haproxy' failed
>> 
>> So is it intended behavior?
> 
> It's neither intended nor not intended, it's just that I was waiting for
> Marcus' confirmation that the patch fixed the issue for him, and forgot
> about this patch while waiting for a response. Can you confirm on your
> side that the patch fixes the issue for you ? If so I'm willing to merge
> the fix immediately. I prefer to be careful because on my side openssl
> 0.9.8 doesn't break so I want to be sure that there isn't a second level
> of breakage after this one.
> 


Aha, no problem, I thought it was supposed to be fixed before 1.6.1.

I tried a patch in this thread 
(0002-BUILD-ssl-fix-build-error-introduced-in-commit-7969a.patch).

It does fix the build error (FreeBSD-9, OpenSSL 0.9.8q). Though there are the
following warnings:

src/ssl_sock.c: In function 'ssl_sock_load_cert_chain_file':
src/ssl_sock.c:1623: warning: dereferencing type-punned pointer will break 
strict-aliasing rules
src/ssl_sock.c:1636: warning: dereferencing type-punned pointer will break 
strict-aliasing rules
src/ssl_sock.c: In function 'ssl_sock_srv_verifycbk':
src/ssl_sock.c:2264: warning: dereferencing type-punned pointer will break 
strict-aliasing rules
src/ssl_sock.c:2278: warning: dereferencing type-punned pointer will break 
strict-aliasing rules





Re: Build failure of 1.6 and openssl 0.9.8

2015-10-22 Thread Dmitry Sivachenko

> On 19 Oct. 2015, at 17:29, Willy Tarreau  wrote:
> 
> Hi Christopher,
> 
> On Mon, Oct 19, 2015 at 03:05:05PM +0200, Christopher Faulet wrote:
>> Damned! I generated a huge amount of disturbances with my patches! Really 
>> sorry for that.
> 
> Shit happens sometimes. I had my hours of fame with option
> http-send-name-header merged in 1.4-stable years ago, and that was so badly
> designed that it still managed to cause a lot of trouble during 1.6-dev.
> 
>> Adding a #ifdef to check the OpenSSL version seems to be a good fix. I 
>> don't know if there is a workaround to do the same as 
>> EVP_PKEY_get_default_digest_nid() for old OpenSSL versions.
> 
> I was unsure how the code was supposed to work given that two blocks
> were replaced by two others and I was unsure whether there was a
> dependence. So as long as we can fall back to the pre-patch behaviour
> I'm perfectly fine.
> 
>> This function is used to get the default signature digest associated to the 
>> private key used to sign generated X509 certificates. It is called when 
>> the private key differs from EVP_PKEY_RSA, EVP_PKEY_DSA and EVP_PKEY_EC. 
>> It should be enough for most cases (maybe all cases?).
> 
> OK great.
> 
>> By the way, I attached a patch to fix the bug.
> 
> Thank you. Marcus, can you confirm that it's OK for you with this fix so
> that I can merge it ?



Hello,

1.6.1 still does not build with OpenSSL < 1.0:

src/ssl_sock.o: In function `ssl_sock_do_create_cert':
ssl_sock.c:(.text+0x295b): undefined reference to 
`EVP_PKEY_get_default_digest_nid'
Makefile:760: recipe for target 'haproxy' failed


So is it intended behavior?


[SPAM] Re: Build failure of 1.6 and openssl 0.9.8

2015-10-22 Thread Marcus Rueckert
On 2015-10-22 13:59:09 +0300, Dmitry Sivachenko wrote:
> > On 22 Oct. 2015, at 13:54, Marcus Rueckert  wrote:
> > 
> > On 2015-10-22 13:38:45 +0300, Dmitry Sivachenko wrote:
> >> I see these warnings with gcc-4.2.1 (shipped with FreeBSD-9), but no 
> >> warnings with clang 3.6.1.
> >> I see a lot of such warnings with gcc48, but it seems expected according 
> >> to comments in Makefile:
> >> # Compiler-specific flags that may be used to disable some negative over-
> >> # optimization or to silence some warnings. -fno-strict-aliasing is needed with
> >> # gcc >= 4.4.
> > 
> > 4.3.4 on SLES 11 SP 4
> > 4.8.3 on openSUSE 13.2
> > 5.1.1 on openSUSE Tumbleweed
> > 
> > https://build.opensuse.org/package/show/server:http/haproxy (succeeded
> > links on the right side)
> 
> 
> There is a -fno-strict-aliasing option in your build logs.

But it is set by the upstream Makefile, so unless you break the CFLAGS
of the makefile, shouldn't you have that too?

darix

-- 
   openSUSE - SUSE Linux is my linux
   openSUSE is good for you
   www.opensuse.org



[SPAM] Re: Build failure of 1.6 and openssl 0.9.8

2015-10-22 Thread Marcus Rueckert
On 2015-10-22 14:30:07 +0300, Dmitry Sivachenko wrote:
> I override the CFLAGS variable during make invocation (because otherwise
> the build system does not respect the CFLAGS environment variable), as well
> as the CC environment variable (FreeBSD does not have "gcc" at all).

Just set DEBUG_CFLAGS on the make command line. See my spec file.

darix

-- 
   openSUSE - SUSE Linux is my linux
   openSUSE is good for you
   www.opensuse.org



Re: Build failure of 1.6 and openssl 0.9.8

2015-10-22 Thread Dmitry Sivachenko

> On 22 Oct. 2015, at 13:54, Marcus Rueckert  wrote:
> 
> On 2015-10-22 13:38:45 +0300, Dmitry Sivachenko wrote:
>> I see these warnings with gcc-4.2.1 (shipped with FreeBSD-9), but no warnings 
>> with clang 3.6.1.
>> I see a lot of such warnings with gcc48, but it seems expected according to 
>> comments in Makefile:
>> # Compiler-specific flags that may be used to disable some negative over-
>> # optimization or to silence some warnings. -fno-strict-aliasing is needed with
>> # gcc >= 4.4.
> 
> 4.3.4 on SLES 11 SP 4
> 4.8.3 on openSUSE 13.2
> 5.1.1 on openSUSE Tumbleweed
> 
> https://build.opensuse.org/package/show/server:http/haproxy (succeeded
> links on the right side)


There is a -fno-strict-aliasing option in your build logs.


[SPAM] Re: Build failure of 1.6 and openssl 0.9.8

2015-10-22 Thread Marcus Rueckert
On 2015-10-22 13:38:45 +0300, Dmitry Sivachenko wrote:
> I see these warnings with gcc-4.2.1 (shipped with FreeBSD-9), but no warnings 
> with clang 3.6.1.
> I see a lot of such warnings with gcc48, but it seems expected according to 
> comments in Makefile:
> # Compiler-specific flags that may be used to disable some negative over-
> # optimization or to silence some warnings. -fno-strict-aliasing is needed with
> # gcc >= 4.4.

4.3.4 on SLES 11 SP 4
4.8.3 on openSUSE 13.2
5.1.1 on openSUSE Tumbleweed

https://build.opensuse.org/package/show/server:http/haproxy (succeeded
links on the right side)

   darix

-- 
   openSUSE - SUSE Linux is my linux
   openSUSE is good for you
   www.opensuse.org



Re: Build failure of 1.6 and openssl 0.9.8

2015-10-22 Thread Dmitry Sivachenko

> On 22 Oct. 2015, at 14:12, Marcus Rueckert  wrote:
> 
> On 2015-10-22 13:59:09 +0300, Dmitry Sivachenko wrote:
>>> On 22 Oct. 2015, at 13:54, Marcus Rueckert  wrote:
>>> 
>>> On 2015-10-22 13:38:45 +0300, Dmitry Sivachenko wrote:
>>>> I see these warnings with gcc-4.2.1 (shipped with FreeBSD-9), but no 
>>>> warnings with clang 3.6.1.
>>>> I see a lot of such warnings with gcc48, but it seems expected according 
>>>> to comments in Makefile:
>>>> # Compiler-specific flags that may be used to disable some negative over-
>>>> # optimization or to silence some warnings. -fno-strict-aliasing is needed with
>>>> # gcc >= 4.4.
>>> 
>>> 4.3.4 on SLES 11 SP 4
>>> 4.8.3 on openSUSE 13.2
>>> 5.1.1 on openSUSE Tumbleweed
>>> 
>>> https://build.opensuse.org/package/show/server:http/haproxy (succeeded
>>> links on the right side)
>> 
>> 
>> There is a -fno-strict-aliasing option in your build logs.
> 
> But it is set by the upstream Makefile, so unless you break the CFLAGS
> of the makefile, shouldn't you have that too?
> 


I override the CFLAGS variable during make invocation (because otherwise the build 
system does not respect the CFLAGS environment variable), as well as the CC 
environment variable (FreeBSD does not have "gcc" at all).





Re: Build failure of 1.6 and openssl 0.9.8

2015-10-22 Thread Willy Tarreau
On Thu, Oct 22, 2015 at 12:54:00PM +0200, Marcus Rueckert wrote:
> On 2015-10-22 13:38:45 +0300, Dmitry Sivachenko wrote:
> > I see these warnings with gcc-4.2.1 (shipped with FreeBSD-9), but no 
> > warnings with clang 3.6.1.
> > I see a lot of such warnings with gcc48, but it seems expected according to 
> > comments in Makefile:
> > # Compiler-specific flags that may be used to disable some negative over-
> > # optimization or to silence some warnings. -fno-strict-aliasing is needed with
> > # gcc >= 4.4.
> 
> 4.3.4 on SLES 11 SP 4
> 4.8.3 on openSUSE 13.2
> 5.1.1 on openSUSE Tumbleweed
> 
> https://build.opensuse.org/package/show/server:http/haproxy (succeeded
> links on the right side)

OK thanks guys, I've merged the patch now.

Regarding the warnings, they're indeed caused by the lack of
-fno-strict-aliasing which was added for this reason. When using
gcc, it emits the warning at different places (and not this one).
When using clang, I don't see them at all.

Regards,
Willy
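
The warnings discussed above are gcc's reaction to an object being read through a pointer of an unrelated type. The following is an added example, not HAProxy code (the float-to-bits functions and sample values are made up for the demonstration): it shows the form gcc reports as "dereferencing type-punned pointer will break strict-aliasing rules" beside two rewrites that are correct without -fno-strict-aliasing.

```c
/* Added example, not HAProxy code: the construct behind gcc's
 * "dereferencing type-punned pointer will break strict-aliasing rules"
 * warning, next to two rewrites that do not need -fno-strict-aliasing. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed inputs; 0x3f800000 is IEEE-754 single-precision 1.0. */
static const float PUN_SAMPLES[] = { 1.0f, -2.0f, 0.15625f };

/* 1. The warned form: a float object is read through a uint32_t lvalue.
 *    With strict aliasing the optimiser may assume the two types never
 *    alias and reorder or cache the loads; -fno-strict-aliasing turns that
 *    assumption off, which is why the Makefile adds it for gcc >= 4.4. */
uint32_t bits_punned(float f)
{
    return *(uint32_t *)&f;   /* gcc -O2 -Wall warns here */
}

/* 2. memcpy: well-defined in every C standard; compilers emit a plain
 *    register move for a 4-byte copy, so there is no runtime cost. */
uint32_t bits_memcpy(float f)
{
    uint32_t u;
    memcpy(&u, &f, sizeof u);
    return u;
}

/* 3. Union: reading a member other than the one last written is documented
 *    as defined behaviour by gcc and clang (and C99 TC3), unlike the cast. */
uint32_t bits_union(float f)
{
    union { float f; uint32_t u; } pun;
    pun.f = f;
    return pun.u;
}

/* Reverse direction via memcpy, for round-trip checks. */
float float_from_bits(uint32_t u)
{
    float f;
    memcpy(&f, &u, sizeof f);
    return f;
}

/* Returns 1 if the three forms agree on every sample and each round-trips. */
int pun_forms_agree(const float *samples, size_t n)
{
    size_t i;
    for (i = 0; i < n; i++) {
        uint32_t a = bits_punned(samples[i]);
        uint32_t b = bits_memcpy(samples[i]);
        uint32_t c = bits_union(samples[i]);
        if (a != b || b != c || float_from_bits(b) != samples[i])
            return 0;
    }
    return 1;
}

int main(void)
{
    size_t n = sizeof PUN_SAMPLES / sizeof PUN_SAMPLES[0];
    printf("1.0f as bits: 0x%08x, forms agree: %d\n",
           (unsigned)bits_memcpy(1.0f), pun_forms_agree(PUN_SAMPLES, n));
    return 0;
}
```

Compiling this file with `gcc -O2 -Wall -c` reproduces the warning on the cast in bits_punned only; the memcpy and union forms compile cleanly with or without -fno-strict-aliasing.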




[SPAM] Re: Build failure of 1.6 and openssl 0.9.8

2015-10-22 Thread Marcus Rueckert
On 2015-10-22 09:44:05 +0200, Willy Tarreau wrote:
> On Thu, Oct 22, 2015 at 10:40:45AM +0300, Dmitry Sivachenko wrote:
> > 1.6.1 still does not build with OpenSSL < 1.0:
> > 
> > src/ssl_sock.o: In function `ssl_sock_do_create_cert':
> > ssl_sock.c:(.text+0x295b): undefined reference to 
> > `EVP_PKEY_get_default_digest_nid'
> > Makefile:760: recipe for target 'haproxy' failed
> > 
> > So is it intended behavior?
> 
> It's neither intended nor not intended, it's just that I was waiting for
> Marcus' confirmation that the patch fixed the issue for him, and forgot
> about this patch while waiting for a response. Can you confirm on your
> side that the patch fixes the issue for you ? If so I'm willing to merge
> the fix immediately. I prefer to be careful because on my side openssl
> 0.9.8 doesn't break so I want to be sure that there isn't a second level
> of breakage after this one.

1. Actually send a confirmation that it builds for me with the patch
   from Christopher Faulet.

2. I just tested 1.6.1
   - fails without patch
   - works with the patch

3. I cannot reproduce the strict alias warnings.

darix

-- 
   openSUSE - SUSE Linux is my linux
   openSUSE is good for you
   www.opensuse.org



Re: Build failure of 1.6 and openssl 0.9.8

2015-10-22 Thread Dmitry Sivachenko

> On 22 Oct. 2015, at 13:14, Marcus Rueckert  wrote:
> 
> 3. I cannot reproduce the strict alias warnings.
> 

I see these warnings with gcc-4.2.1 (shipped with FreeBSD-9), but no warnings 
with clang 3.6.1.
I see a lot of such warnings with gcc48, but it seems expected according to 
comments in Makefile:
# Compiler-specific flags that may be used to disable some negative over-
# optimization or to silence some warnings. -fno-strict-aliasing is needed with
# gcc >= 4.4.




Re: Build failure of 1.6 and openssl 0.9.8

2015-10-22 Thread Dmitry Sivachenko

> On 22 Oct. 2015, at 11:45, Willy Tarreau  wrote:
> 
> On Thu, Oct 22, 2015 at 11:31:01AM +0300, Dmitry Sivachenko wrote:
>> 
>>> On 22 Oct. 2015, at 10:44, Willy Tarreau  wrote:
>>> 
>>> Hello Dmitry,
>>> 
>>> On Thu, Oct 22, 2015 at 10:40:45AM +0300, Dmitry Sivachenko wrote:
>>>> 1.6.1 still does not build with OpenSSL < 1.0:
>>>> 
>>>> src/ssl_sock.o: In function `ssl_sock_do_create_cert':
>>>> ssl_sock.c:(.text+0x295b): undefined reference to 
>>>> `EVP_PKEY_get_default_digest_nid'
>>>> Makefile:760: recipe for target 'haproxy' failed
>>>> 
>>>> So is it intended behavior?
>>> 
>>> It's neither intended nor not intended, it's just that I was waiting for
>>> Marcus' confirmation that the patch fixed the issue for him, and forgot
>>> about this patch while waiting for a response. Can you confirm on your
>>> side that the patch fixes the issue for you ? If so I'm willing to merge
>>> the fix immediately. I prefer to be careful because on my side openssl
>>> 0.9.8 doesn't break so I want to be sure that there isn't a second level
>>> of breakage after this one.
>>> 
>> 
>> 
>> Aha, no problem, I thought it was supposed to be fixed before 1.6.1.
>> 
>> I tried a patch in this thread 
>> (0002-BUILD-ssl-fix-build-error-introduced-in-commit-7969a.patch).
>> 
>> It does fix the build error (FreeBSD-9, OpenSSL 0.9.8q). Though there are 
>> the following warnings:
>> 
>> src/ssl_sock.c: In function 'ssl_sock_load_cert_chain_file':
>> src/ssl_sock.c:1623: warning: dereferencing type-punned pointer will break 
>> strict-aliasing rules
>> src/ssl_sock.c:1636: warning: dereferencing type-punned pointer will break 
>> strict-aliasing rules
>> src/ssl_sock.c: In function 'ssl_sock_srv_verifycbk':
>> src/ssl_sock.c:2264: warning: dereferencing type-punned pointer will break 
>> strict-aliasing rules
>> src/ssl_sock.c:2278: warning: dereferencing type-punned pointer will break 
>> strict-aliasing rules
> 
> Do you have other patches applied ? Here these line numbers only match
> closing braces so I have no idea what they correspond to :-/
> 

No, this is haproxy-1.6.1 tarball + this patch applied.

BTW, by default FreeBSD uses -fno-strict-aliasing, so this warning was here 
before most likely, I just did not see it. I suppose it is not a problem.

Also:

src/stick_table.c: In function 'smp_to_stkey':
src/stick_table.c:490: warning: dereferencing type-punned pointer will break 
strict-aliasing rules





Re: Build failure of 1.6 and openssl 0.9.8

2015-10-22 Thread Willy Tarreau
Hello Dmitry,

On Thu, Oct 22, 2015 at 10:40:45AM +0300, Dmitry Sivachenko wrote:
> 1.6.1 still does not build with OpenSSL < 1.0:
> 
> src/ssl_sock.o: In function `ssl_sock_do_create_cert':
> ssl_sock.c:(.text+0x295b): undefined reference to 
> `EVP_PKEY_get_default_digest_nid'
> Makefile:760: recipe for target 'haproxy' failed
> 
> So is it intended behavior?

It's neither intended nor not intended, it's just that I was waiting for
Marcus' confirmation that the patch fixed the issue for him, and forgot
about this patch while waiting for a response. Can you confirm on your
side that the patch fixes the issue for you ? If so I'm willing to merge
the fix immediately. I prefer to be careful because on my side openssl
0.9.8 doesn't break so I want to be sure that there isn't a second level
of breakage after this one.

Thanks,
Willy




Re: Build failure of 1.6 and openssl 0.9.8

2015-10-19 Thread Christopher Faulet

On 16/10/2015 22:42, Willy Tarreau wrote:

Hi Christopher,

Marcus (in CC) reported that 1.6 doesn't build anymore on SuSE 11
(which uses openssl 0.9.8). After some digging, we found that it
is caused by the absence of EVP_PKEY_get_default_digest_nid()
which was introduced in 1.0.0 and which was introduced by this
patch :

   commit 7969a33a01c3a70e48cddf36ea5a66710bd7a995
   Author: Christopher Faulet 
   Date:   Fri Oct 9 11:15:03 2015 +0200

  MINOR: ssl: Add support for EC for the CA used to sign generated certificate

  This is done by adding EVP_PKEY_EC type in supported types for the CA private
  key when we get the message digest used to sign a generated X509 certificate.
  So now, we support DSA, RSA and EC private keys.

  And to be sure, when the type of the private key is not directly supported,
  get its default message digest using the function
  'EVP_PKEY_get_default_digest_nid'.

  We also use the key of the default certificate instead of generating it. So we
  are sure to use the same key type instead of always using a RSA key.

Interestingly, not all 0.9.8 will see the same problem since SNI is not
enabled by default, it requires a build option. This explains why on my
old PC I didn't get this problem with the same version.

I initially thought it would just be a matter of adding a #if on the
openssl version but it doesn't appear that easy given that the previous
code was different, so I have no idea how to fix this. Do you have any
idea ? Probably we can have a block of code instead of EVP_PKEY_... on
older versions and that will be fine. I even wonder if EC was supported
on 0.9.8.

It's unfortunate that we managed to break things just a few days before
the release with code that looked obviously right :-(

Thanks for any insight.



Hi Willy,

Damned! I generated a huge amount of disturbances with my patches! Really 
sorry for that.


Adding a #ifdef to check the OpenSSL version seems to be a good fix. I 
don't know if there is a workaround to do the same as 
EVP_PKEY_get_default_digest_nid() for old OpenSSL versions.


This function is used to get the default signature digest associated to the 
private key used to sign generated X509 certificates. It is called when 
the private key differs from EVP_PKEY_RSA, EVP_PKEY_DSA and EVP_PKEY_EC. 
It should be enough for most cases (maybe all cases?).


By the way, I attached a patch to fix the bug.

Regards,
--
Christopher Faulet
From 76e79a8c8a98474f3caf701b75370f50729516b2 Mon Sep 17 00:00:00 2001
From: Christopher Faulet 
Date: Mon, 19 Oct 2015 13:59:24 +0200
Subject: [PATCH 2/2] BUILD: ssl: fix build error introduced in commit 7969a3
 with OpenSSL < 1.0.0

The function 'EVP_PKEY_get_default_digest_nid()' was introduced in OpenSSL
1.0.0. So for older version of OpenSSL, compiled with the SNI support, the
HAProxy compilation fails with the following error:

src/ssl_sock.c: In function 'ssl_sock_do_create_cert':
src/ssl_sock.c:1096:7: warning: implicit declaration of function 'EVP_PKEY_get_default_digest_nid'
   if (EVP_PKEY_get_default_digest_nid(capkey, ) <= 0)
[...]
src/ssl_sock.c:1096: undefined reference to `EVP_PKEY_get_default_digest_nid'
collect2: error: ld returned 1 exit status
Makefile:760: recipe for target 'haproxy' failed
make: *** [haproxy] Error 1

So we must add a #ifdef to check the OpenSSL version (>= 1.0.0) to use this
function. It is used to get the default signature digest associated to the private
key used to sign generated X509 certificates. It is called when the private key
differs from EVP_PKEY_RSA, EVP_PKEY_DSA and EVP_PKEY_EC. It should be enough for
most cases.
---
 src/ssl_sock.c | 4 
 1 file changed, 4 insertions(+)

diff --git a/src/ssl_sock.c b/src/ssl_sock.c
index 35a3edf..7c82464 100644
--- a/src/ssl_sock.c
+++ b/src/ssl_sock.c
@@ -1091,12 +1091,16 @@ ssl_sock_do_create_cert(const char *servername, unsigned int serial,
 	else if (EVP_PKEY_type (capkey->type) == EVP_PKEY_EC)
 		digest = EVP_sha256();
 	else {
+#if (OPENSSL_VERSION_NUMBER >= 0x100fL)
 		int nid;
 
 		if (EVP_PKEY_get_default_digest_nid(capkey, ) <= 0)
 			goto mkcert_error;
 		if (!(digest = EVP_get_digestbynid(nid)))
 			goto mkcert_error;
+#else
+		goto mkcert_error;
+#endif
 	}
 
 	if (!(X509_sign(newcrt, capkey, digest)))
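
Review bot: the threshold in `+#if (OPENSSL_VERSION_NUMBER >= 0x100fL)` does not gate on OpenSSL 1.0.0. OPENSSL_VERSION_NUMBER is packed as 0xMNNFFPPSL (major, minor, fix, patch letter, status), so the 1.0.0 release is 0x1000000fL and 0.9.8 (0x0090800fL) is already far above 0x100fL; as written the condition holds for every OpenSSL the tree builds against, the `#else` branch is never compiled, and the 0.9.8 link error the commit message describes remains. Use `0x1000000fL`. Two smaller points in the same hunk: the line `if (EVP_PKEY_get_default_digest_nid(capkey, ) <= 0)` has an empty second argument where the function takes an `int *`, so it should read `&nid`; and the `#else` path sends every CA key that is not RSA, DSA or EC to mkcert_error, which matches the intended fallback to pre-patch behaviour but deserves a one-line comment saying so, so a later reader does not take the bare goto for an omission.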
-- 
2.4.3
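
The guard in the patch above compares OPENSSL_VERSION_NUMBER against a literal, so it is worth being able to decode such a literal and check which versions it excludes. The following is an added example, not HAProxy or OpenSSL code: it decodes the pre-3.0 OpenSSL version encoding (0xMNNFFPPSL), encodes a "this release or later" threshold, and tests a guard against a version. The sample values (0.9.8q, the version Dmitry built against, and the 1.0.0 release) are constructed for the demonstration.

```c
/* Added example, not HAProxy or OpenSSL code: decode and compare the
 * pre-3.0 OPENSSL_VERSION_NUMBER encoding that a build-time #if relies on. */
#include <stdio.h>

/* OpenSSL 0.9.x through 1.1.x pack the version as 0xMNNFFPPSL:
 *   M  = major        (4 bits)
 *   NN = minor        (8 bits)
 *   FF = fix          (8 bits)
 *   PP = patch letter (8 bits: 0 = none, 1 = 'a', 2 = 'b', ...)
 *   S  = status       (4 bits: 0 = dev, 1..14 = beta, 0xf = release) */
struct ossl_version {
    unsigned major, minor, fix, patch, status;
};

struct ossl_version ossl_decode(unsigned long num)
{
    struct ossl_version v;
    v.major  = (unsigned)((num >> 28) & 0xf);
    v.minor  = (unsigned)((num >> 20) & 0xff);
    v.fix    = (unsigned)((num >> 12) & 0xff);
    v.patch  = (unsigned)((num >> 4)  & 0xff);
    v.status = (unsigned)(num & 0xf);
    return v;
}

/* The literal a guard must use to mean "release major.minor.fix or later". */
unsigned long ossl_encode_release(unsigned major, unsigned minor, unsigned fix)
{
    return ((unsigned long)major << 28) | ((unsigned long)minor << 20)
         | ((unsigned long)fix << 12) | 0xfUL;
}

/* 1 if "#if OPENSSL_VERSION_NUMBER >= guard" would exclude version num. */
int ossl_guard_excludes(unsigned long guard, unsigned long num)
{
    return num < guard;
}

/* Human-readable form such as "0.9.8q"; buf must hold at least 16 bytes. */
void ossl_format(unsigned long num, char *buf, size_t len)
{
    struct ossl_version v = ossl_decode(num);
    if (v.patch)
        snprintf(buf, len, "%u.%u.%u%c", v.major, v.minor, v.fix,
                 (char)('a' + v.patch - 1));
    else
        snprintf(buf, len, "%u.%u.%u", v.major, v.minor, v.fix);
}

int main(void)
{
    /* Constructed inputs: 0.9.8q (patch letter q = 17 = 0x11), the 1.0.0
     * release, the literal 0x100fL from the patch, and the literal that
     * means "1.0.0 or later" under this encoding. */
    unsigned long v098q = 0x0090811fUL;
    unsigned long v100  = ossl_encode_release(1, 0, 0);   /* 0x1000000fUL */
    char buf[16];

    ossl_format(v098q, buf, sizeof buf);
    printf("%s excluded by 0x100fL: %d, excluded by 0x%08lxL: %d\n", buf,
           ossl_guard_excludes(0x100fUL, v098q),
           v100, ossl_guard_excludes(v100, v098q));
    return 0;
}
```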



Re: Build failure of 1.6 and openssl 0.9.8

2015-10-19 Thread Willy Tarreau
Hi Christopher,

On Mon, Oct 19, 2015 at 03:05:05PM +0200, Christopher Faulet wrote:
> Damned! I generated a huge amount of disturbances with my patches! Really 
> sorry for that.

Shit happens sometimes. I had my hours of fame with option
http-send-name-header merged in 1.4-stable years ago, and that was so badly
designed that it still managed to cause a lot of trouble during 1.6-dev.

> Adding a #ifdef to check the OpenSSL version seems to be a good fix. I 
> don't know if there is a workaround to do the same as 
> EVP_PKEY_get_default_digest_nid() for old OpenSSL versions.

I was unsure how the code was supposed to work given that two blocks
were replaced by two others and I was unsure whether there was a
dependence. So as long as we can fall back to the pre-patch behaviour
I'm perfectly fine.

> This function is used to get the default signature digest associated to the 
> private key used to sign generated X509 certificates. It is called when 
> the private key differs from EVP_PKEY_RSA, EVP_PKEY_DSA and EVP_PKEY_EC. 
> It should be enough for most cases (maybe all cases?).

OK great.

> By the way, I attached a patch to fix the bug.

Thank you. Marcus, can you confirm that it's OK for you with this fix so
that I can merge it ?

Thanks!
Willy




[SPAM] Re: Build failure of 1.6 and openssl 0.9.8

2015-10-19 Thread Marcus Rueckert
On 2015-10-19 16:29:45 +0200, Willy Tarreau wrote:
> On Mon, Oct 19, 2015 at 03:05:05PM +0200, Christopher Faulet wrote:
> > Damned! I generated a huge amount of disturbances with my patches! Really 
> > sorry for that.
> 
> Shit happens sometimes. I had my hours of fame with option
> http-send-name-header merged in 1.4-stable years ago, and that was so badly
> designed that it still managed to cause a lot of trouble during 1.6-dev.
> 
> > Adding a #ifdef to check the OpenSSL version seems to be a good fix. I 
> > don't know if there is a workaround to do the same as 
> > EVP_PKEY_get_default_digest_nid() for old OpenSSL versions.
> 
> I was unsure how the code was supposed to work given that two blocks
> were replaced by two others and I was unsure whether there was a
> dependence. So as long as we can fall back to the pre-patch behaviour
> I'm perfectly fine.
> 
> > This function is used to get the default signature digest associated to the 
> > private key used to sign generated X509 certificates. It is called when 
> > the private key differs from EVP_PKEY_RSA, EVP_PKEY_DSA and EVP_PKEY_EC. 
> > It should be enough for most cases (maybe all cases?).
> 
> OK great.
> 
> > By the way, I attached a patch to fix the bug.
> 
> Thank you. Marcus, can you confirm that it's OK for you with this fix so
> that I can merge it ?

Confirmed: compiles now.

Just for my understanding ... we do not hit the compile error we saw
before with ssl_sock_switchctx_cbk now because we jump out of the
ssl_sock_prepare_ctx function early. My question would be ... could we
jump out even earlier if we already know that we will fail? E.g. why
create the private key and set up the new x509 object if we already
know it will fail? Why not go to mkcert_error at the top of the function?

darix

-- 
   openSUSE - SUSE Linux is my linux
   openSUSE is good for you
   www.opensuse.org