mod_ssl of apache-httpd not working

2015-09-06 Thread Pedro de Oliveira
Hi,

In the current OpenBSD snapshot of today, it isn't possible to load mod_ssl
in Apache. This is maybe related to any change made on LibreSSL.

The init script just gives (failed), but I tried to start it with apachectl2

# apachectl2 start
/usr/local/sbin/httpd2:/usr/local/lib/apache2/mod_ssl.so: undefined symbol 'SSLv3_server_method'
/usr/local/sbin/httpd2:/usr/local/lib/apache2/mod_ssl.so: undefined symbol 'SSLv3_client_method'
httpd2: Syntax error on line 141 of /etc/apache2/httpd2.conf: Cannot load /usr/local/lib/apache2/mod_ssl.so into server: Cannot load specified object

I even tried to disable SSLv2 and SSLv3 with

SSLProtocol ALL -SSLv2 -SSLv3


But it simply fails on the load of mod_ssl.

If any more info is required please ask me.


Re: mod_ssl of apache-httpd not working

2015-09-06 Thread Jérémie Courrèges-Anglas
Pedro de Oliveira  writes:

> Hi,
>
> In the current OpenBSD snapshot of today, it isn't possible to load mod_ssl
> in Apache. This is maybe related to any change made on LibreSSL.
>
> The init script just gives (failed), but I tried to start it with apachectl2

rc.d(8) scripts support a -d flag to show output from the daemon.

> # apachectl2 start
> /usr/local/sbin/httpd2:/usr/local/lib/apache2/mod_ssl.so: undefined symbol 'SSLv3_server_method'
> /usr/local/sbin/httpd2:/usr/local/lib/apache2/mod_ssl.so: undefined symbol 'SSLv3_client_method'
> httpd2: Syntax error on line 141 of /etc/apache2/httpd2.conf: Cannot load /usr/local/lib/apache2/mod_ssl.so into server: Cannot load specified object
>
> I even tried to disable SSLv2 and SSLv3 with
>
> SSLProtocol ALL -SSLv2 -SSLv3
>
>
> But it simply fails on the load of mod_ssl.
>
> If any more info is required please ask me.

Here's a patch that avoids the use of SSLv3 in mod_ssl.so.  If SSLv3 is
the only protocol requested in the config, startup will fail:

[Sun Sep 06 15:44:25.881391 2015] [ssl:emerg] [pid 20104] SSLv3 protocol not available
[Sun Sep 06 15:44:25.882001 2015] [ssl:emerg] [pid 20104] AH02311: Fatal error initialising mod_ssl, exiting. See /var/www/logs/error_log for more information
AH00016: Configuration Failed

This is not enough to warn users who specify "SSLProtocols ... +SSLv3"
in their config that SSLv3 support won't be available, but I don't think
it matters much.  Dunno if this should use APLOGNO(02231) or a custom
one, this question should probably be discussed upstream anyway.

Comments / oks?

Index: Makefile
===
RCS file: /cvs/ports/www/apache-httpd/Makefile,v
retrieving revision 1.63
diff -u -p -r1.63 Makefile
--- Makefile18 Jul 2015 20:01:13 -  1.63
+++ Makefile6 Sep 2015 14:00:45 -
@@ -11,7 +11,7 @@ PKGNAME-main= ${PKGNAME}
 FULLPKGNAME-common=apache-httpd-common-${V}
 FULLPKGPATH-common=www/apache-httpd,-common
 
-REVISION-main= 1
+REVISION-main= 2
 
 CATEGORIES=www net
 
Index: patches/patch-modules_ssl_ssl_engine_init_c
===
RCS file: patches/patch-modules_ssl_ssl_engine_init_c
diff -N patches/patch-modules_ssl_ssl_engine_init_c
--- /dev/null   1 Jan 1970 00:00:00 -
+++ patches/patch-modules_ssl_ssl_engine_init_c 6 Sep 2015 14:00:45 -
@@ -0,0 +1,23 @@
+$OpenBSD$
+
+Don't attempt to use SSLv3_(client|server)_method, bail out if SSLv3 is
+the only protocol requested.
+
+--- modules/ssl/ssl_engine_init.c.orig Sun Sep  6 15:23:52 2015
 modules/ssl/ssl_engine_init.c  Sun Sep  6 15:57:35 2015
+@@ -484,9 +484,15 @@ static apr_status_t ssl_init_ctx_protocol(server_rec *
+  "Creating new SSL context (protocols: %s)", cp);
+ 
+ if (protocol == SSL_PROTOCOL_SSLV3) {
++#ifndef OPENSSL_NO_SSL3
+ method = mctx->pkp ?
+ SSLv3_client_method() : /* proxy */
+ SSLv3_server_method();  /* server */
++#else
++ap_log_error(APLOG_MARK, APLOG_EMERG, 0, s,
++"SSLv3 protocol not available");
++return ssl_die(s);
++#endif
+ }
+ else if (protocol == SSL_PROTOCOL_TLSV1) {
+ method = mctx->pkp ?
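Review bot: the inner `+++` header line for `modules/ssl/ssl_engine_init.c` (the line right after `+--- modules/ssl/ssl_engine_init.c.orig ...`) has lost its leading `+` marker as shown here, so the hunk no longer carries the 23 added lines that `@@ -0,0 +1,23 @@` announces; please check that the committed `patches/patch-modules_ssl_ssl_engine_init_c` has the full `++++ modules/ssl/ssl_engine_init.c` line, otherwise patch(1) will reject the file. The `#ifndef OPENSSL_NO_SSL3` guard itself is the right fix for the reported symptom: the `protocol == SSL_PROTOCOL_SSLV3` case now fails at startup with a readable `[ssl:emerg]` line instead of two unresolved `SSLv3_*_method` symbols at module load, and since `return ssl_die(s);` leaves the function on that path, `method` is never used uninitialised. On the `ap_log_error` call, this is the only message in the chain without an `APLOGNO()` tag; a custom number keeps log triage consistent with the neighbouring `AH02311`, and a one-line comment in the patch header pointing at the upstream discussion would help whoever next touches this file. As you note, a config that lists SSLv3 together with other protocols never reaches this branch and so passes silently; the practical outcome there is that SSLv3 is simply not offered, i.e. a stricter protocol set than requested rather than a weaker one, which is acceptable behaviour for a libssl that has dropped SSLv3.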


-- 
jca | PGP : 0x1524E7EE / 5135 92C1 AD36 5293 2BDF  DDCC 0DFA 74AE 1524 E7EE