Re: svn commit: r1875544 - /httpd/httpd/trunk/modules/ssl/ssl_engine_kernel.c
On Mon, Mar 23, 2020 at 4:21 PM Rainer Jung wrote:
>
> Thanks for the feedback. Proposed for 2.4.x a minute ago.

Thanks Rainer, backported now.

Regards,
Yann.
Re: svn commit: r1875544 - /httpd/httpd/trunk/modules/ssl/ssl_engine_kernel.c
On Mon, Mar 23, 2020 at 6:11 PM Ruediger Pluem wrote:
>
> On 3/23/20 2:48 PM, Ruediger Pluem wrote:
> >
> >
> > On 3/23/20 2:44 PM, Rainer Jung wrote:
> >> The dependency on SSL_CTX_get_min_proto_version() and
> >> SSL_CTX_get_max_proto_version() was introduced in October by Yann's
> >> "r1868645 mod_ssl: negotiate the TLS protocol version per name based vhost
> >> configuration".
> >>
> >> Although the set variants are available in 1.1.0, the set were added later
> >> in 1.1.0g.
> >>
> >> Not sure, whether adjusting the version check as done now is the right
> >> fix. At least it unbreaks building httpd against OpenSSL
> >> 1.1.0-1.1.0f.
> >>
> >> The original change has been backported to 2.4.x, so building that for the
> >> above OpenSSL versions is currently broken.
> >
> > IMHO we should backport it then once clarified that this is the correct
> > thing to do and ensure that it gets in 2.4.43.
> > I think this is a release blocker.

+1

>
> Question is if we should increase the Openssl version number to the same
> level for the #if around
> ssl_callback_ClientHello and the respective callback registering code.

I think we should be good with Rainer's patch,
ssl_callback_ClientHello() depends on OpenSSL >= 1.1.1 already.

Regards,
Yann.
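The thread turns on reading OpenSSL's packed version constant: the commit guards on 0x1010007fL (1.1.0g), and Yann notes that the ClientHello callback already needs 1.1.1. The following is an added example, not code from this thread or from httpd, that decodes an OpenSSL 1.x OPENSSL_VERSION_NUMBER into its dotted form and checks it against the two thresholds the thread names. The function names and the 0x1010006fL / 0x1010100fL constants are my own, derived from OpenSSL's documented MNNFFPPS layout rather than quoted from the page; LibreSSL's separate version macro is not modelled.

```c
#include <stdio.h>
#include <string.h>

/* OpenSSL 1.x packs OPENSSL_VERSION_NUMBER as 0xMNNFFPPS:
 *   M  = major, NN = minor, FF = fix, PP = patch letter (01 = 'a'),
 *   S  = status (0 = dev, 1..e = beta, f = release).
 * So 0x1010007fL, the value the commit guards on, reads 1.1.0g. */
#define OSSL_1_1_0G 0x1010007fL  /* from the commit: first release with the getters   */
#define OSSL_1_1_0F 0x1010006fL  /* assumed from the layout: last release without them */
#define OSSL_1_1_1  0x1010100fL  /* assumed from the layout: the 1.1.1 release         */

/* Render a packed 1.x version as "1.1.0g" (or "1.1.1", "1.1.1-dev", ...).
 * Writes into buf and returns it. */
const char *ossl_version_string(unsigned long v, char *buf, size_t len)
{
    unsigned major  = (unsigned)((v >> 28) & 0xf);
    unsigned minor  = (unsigned)((v >> 20) & 0xff);
    unsigned fix    = (unsigned)((v >> 12) & 0xff);
    unsigned patch  = (unsigned)((v >> 4)  & 0xff);
    unsigned status = (unsigned)(v & 0xf);
    char letter[2] = { 0, 0 };
    const char *suffix = "";

    if (patch)
        letter[0] = (char)('a' + patch - 1);   /* 01 -> a, 07 -> g */
    if (status == 0)
        suffix = "-dev";
    else if (status < 0xf)
        suffix = "-beta";

    snprintf(buf, len, "%u.%u.%u%s%s", major, minor, fix, letter, suffix);
    return buf;
}

/* The two thresholds discussed in the thread, as plain comparisons on the
 * OpenSSL number only (a LibreSSL build defines its own macro instead). */
int has_proto_version_getters(unsigned long v) { return v >= OSSL_1_1_0G; }
int has_client_hello_cb(unsigned long v)       { return v >= OSSL_1_1_1; }

int main(void)
{
    unsigned long samples[] = { OSSL_1_1_0F, OSSL_1_1_0G, OSSL_1_1_1 };
    char buf[32];
    size_t i;

    for (i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        printf("0x%08lx = %-8s getters:%d client_hello_cb:%d\n",
               samples[i], ossl_version_string(samples[i], buf, sizeof buf),
               has_proto_version_getters(samples[i]),
               has_client_hello_cb(samples[i]));
    }
    return 0;
}
```

Running it prints one line per sample; the middle one shows why a build against 1.1.0f (0x1010006fL) fails the getter guard while the same number already falls below the 1.1.1 threshold for the ClientHello callback, which is the distinction Yann draws above.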
Re: svn commit: r1875544 - /httpd/httpd/trunk/modules/ssl/ssl_engine_kernel.c
On 3/23/20 2:48 PM, Ruediger Pluem wrote:
>
>
> On 3/23/20 2:44 PM, Rainer Jung wrote:
>> The dependency on SSL_CTX_get_min_proto_version() and
>> SSL_CTX_get_max_proto_version() was introduced in October by Yann's
>> "r1868645 mod_ssl: negotiate the TLS protocol version per name based vhost
>> configuration".
>>
>> Although the set variants are available in 1.1.0, the set were added later
>> in 1.1.0g.
>>
>> Not sure, whether adjusting the version check as done now is the right fix.
>> At least it unbreaks building httpd against OpenSSL
>> 1.1.0-1.1.0f.
>>
>> The original change has been backported to 2.4.x, so building that for the
>> above OpenSSL versions is currently broken.
>
> IMHO we should backport it then once clarified that this is the correct thing
> to do and ensure that it gets in 2.4.43.
> I think this is a release blocker.

Question is if we should increase the Openssl version number to the same
level for the #if around ssl_callback_ClientHello and the respective
callback registering code.

Regards

Rüdiger
Re: svn commit: r1875544 - /httpd/httpd/trunk/modules/ssl/ssl_engine_kernel.c
Thanks for the feedback. Proposed for 2.4.x a minute ago.

On 23.03.2020 at 14:48, Ruediger Pluem wrote:
> On 3/23/20 2:44 PM, Rainer Jung wrote:
>> The dependency on SSL_CTX_get_min_proto_version() and
>> SSL_CTX_get_max_proto_version() was introduced in October by Yann's
>> "r1868645 mod_ssl: negotiate the TLS protocol version per name based vhost
>> configuration".
>>
>> Although the set variants are available in 1.1.0, the set were added later
>> in 1.1.0g.
>>
>> Not sure, whether adjusting the version check as done now is the right fix.
>> At least it unbreaks building httpd against OpenSSL 1.1.0-1.1.0f.
>>
>> The original change has been backported to 2.4.x, so building that for the
>> above OpenSSL versions is currently broken.
>
> IMHO we should backport it then once clarified that this is the correct thing
> to do and ensure that it gets in 2.4.43.
> I think this is a release blocker.
>
> Regards
>
> Rüdiger
Re: svn commit: r1875544 - /httpd/httpd/trunk/modules/ssl/ssl_engine_kernel.c
On 3/23/20 2:44 PM, Rainer Jung wrote:
> The dependency on SSL_CTX_get_min_proto_version() and
> SSL_CTX_get_max_proto_version() was introduced in October by Yann's
> "r1868645 mod_ssl: negotiate the TLS protocol version per name based vhost
> configuration".
>
> Although the set variants are available in 1.1.0, the set were added later in
> 1.1.0g.
>
> Not sure, whether adjusting the version check as done now is the right fix.
> At least it unbreaks building httpd against OpenSSL
> 1.1.0-1.1.0f.
>
> The original change has been backported to 2.4.x, so building that for the
> above OpenSSL versions is currently broken.

IMHO we should backport it then once clarified that this is the correct thing
to do and ensure that it gets in 2.4.43.
I think this is a release blocker.

Regards

Rüdiger
Re: svn commit: r1875544 - /httpd/httpd/trunk/modules/ssl/ssl_engine_kernel.c
The dependency on SSL_CTX_get_min_proto_version() and
SSL_CTX_get_max_proto_version() was introduced in October by Yann's
"r1868645 mod_ssl: negotiate the TLS protocol version per name based vhost
configuration".

Although the set variants are available in 1.1.0, the set were added later
in 1.1.0g.

Not sure, whether adjusting the version check as done now is the right fix.
At least it unbreaks building httpd against OpenSSL 1.1.0-1.1.0f.

The original change has been backported to 2.4.x, so building that for the
above OpenSSL versions is currently broken.

Regards,

Rainer

On 23.03.2020 at 14:33, rj...@apache.org wrote:

Author: rjung
Date: Mon Mar 23 13:33:22 2020
New Revision: 1875544

URL: http://svn.apache.org/viewvc?rev=1875544&view=rev
Log:
Fix compilation breakage with OpenSSL 1.1.0 up to 1.1.0f.
SSL_CTX_get_min_proto_version() and SSL_CTX_get_max_proto_version()
were only introduced in 1.1.0g.

Modified:
    httpd/httpd/trunk/modules/ssl/ssl_engine_kernel.c

Modified: httpd/httpd/trunk/modules/ssl/ssl_engine_kernel.c
URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/modules/ssl/ssl_engine_kernel.c?rev=1875544&r1=1875543&r2=1875544&view=diff
==
--- httpd/httpd/trunk/modules/ssl/ssl_engine_kernel.c (original) +++ httpd/httpd/trunk/modules/ssl/ssl_engine_kernel.c Mon Mar 23 13:33:22 2020 @@ -2535,7 +2535,7 @@ static int ssl_find_vhost(void *serverna * from the ctx by hand */ SSL_set_options(ssl, SSL_CTX_get_options(ctx)); -#if OPENSSL_VERSION_NUMBER >= 0x1010L \ +#if OPENSSL_VERSION_NUMBER >= 0x1010007fL \ && (!defined(LIBRESSL_VERSION_NUMBER) \ || LIBRESSL_VERSION_NUMBER >= 0x2080L) /*

-- 
kippdata informationstechnologie GmbH   Tel: 0228 98549 -0
Bornheimer Str. 33a                     Fax: 0228 98549 -50
53111 Bonn                              www.kippdata.de
HRB 8018 Amtsgericht Bonn / USt.-IdNr. DE 196 457 417
Geschäftsführer: Dr. Thomas Höfer, Rainer Jung, Sven Maurmann
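Review bot: the OpenSSL arm of the guard is raised to `0x1010007fL` (1.1.0g, the level the log names for SSL_CTX_get_min_proto_version() and SSL_CTX_get_max_proto_version()), but the LibreSSL arm `|| LIBRESSL_VERSION_NUMBER >= ...` of the same condition is left untouched, so the hunk implicitly asserts that the LibreSSL level already named there ships both getters; that should be confirmed against LibreSSL's headers or the LibreSSL threshold adjusted in the same commit. A one-line comment beside the new constant (for example `/* 1.1.0g: first release with the proto version getters */`) would also spare the next reader a trip to the svn log, since the bare hex literal does not say why 1.1.0g rather than 1.1.0 is required.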