Re: error at build time In function 'SSL_CTX_get0_privatekey' error: dereferencing pointer to incomplete type
Hi Emmanuel.

Aleksandar Lazic wrote on 09.08.2017:

> Hi Emmanuel
> Emmanuel Hocdet wrote on 09.08.2017:
>>
>> Hi Aleksandar,
>>
>>> On 9 August 2017 at 13:39, Aleksandar Lazic wrote:

[snipp]

>> can you test with this patch?:
> Wow that was fast, thanks ;-)
> https://github.com/git001/haproxy-waf/blob/master/Dockerfile#L57
> Build passed
> https://travis-ci.org/git001/haproxy-waf

Please can you create a patch with comments so that it can be merged.

Thank you very much.

--
Best Regards
Aleks

Re: error at build time In function 'SSL_CTX_get0_privatekey' error: dereferencing pointer to incomplete type
Hi Emmanuel

Emmanuel Hocdet wrote on 09.08.2017:

>
> Hi Aleksandar,
>
>> On 9 August 2017 at 13:39, Aleksandar Lazic wrote:
>>
>> Hi,
>>
>> Today I have tried to recreate the WAF.
>>
>> I received this error at build time.
>>
>> ###
>> + cd /usr/src
>> + git clone http://git.haproxy.org/git/haproxy.git/
>> Cloning into 'haproxy'...
>> + make -C /usr/src/haproxy TARGET=linux2628 USE_PCRE=1 USE_OPENSSL=1
>> USE_ZLIB=1 USE_LINUX_SPLICE=1 USE_TFO=1 USE_PCRE_JIT=1 USE_LUA=1 all
>> install-bin
>> make: Entering directory `/usr/src/haproxy'
>> gcc -Iinclude -Iebtree -Wall -O2 -g -fno-strict-aliasing
>> -Wdeclaration-after-statement -fwrapv -DCONFIG_HAP_LINUX_SPLICE
>> -DTPROXY -DCONFIG_HAP_LINUX_TPROXY -DCONFIG_HAP_CRYPT -DUSE_ZLIB
>> -DENABLE_POLL -DENABLE_EPOLL -DUSE_CPU_AFFINITY -DASSUME_SPLICE_WORKS
>> -DUSE_ACCEPT4 -DNETFILTER -DUSE_OPENSSL -DUSE_SYSCALL_FUTEX -DUSE_LUA
>> -DUSE_PCRE -I/usr/include -DUSE_PCRE_JIT -DUSE_TFO
>> -DCONFIG_HAPROXY_VERSION=\"1.8-dev2-316947-114\"
>> -DCONFIG_HAPROXY_DATE=\"2017/08/03\" -c -o src/ev_poll.o src/ev_poll.c
>> gcc -Iinclude -Iebtree -Wall -O2 -g -fno-strict-aliasing
>> -Wdeclaration-after-statement -fwrapv -DCONFIG_HAP_LINUX_SPLICE
>> -DTPROXY -DCONFIG_HAP_LINUX_TPROXY -DCONFIG_HAP_CRYPT -DUSE_ZLIB
>> -DENABLE_POLL -DENABLE_EPOLL -DUSE_CPU_AFFINITY -DASSUME_SPLICE_WORKS
>> -DUSE_ACCEPT4 -DNETFILTER -DUSE_OPENSSL -DUSE_SYSCALL_FUTEX -DUSE_LUA
>> -DUSE_PCRE -I/usr/include -DUSE_PCRE_JIT -DUSE_TFO
>> -DCONFIG_HAPROXY_VERSION=\"1.8-dev2-316947-114\"
>> -DCONFIG_HAPROXY_DATE=\"2017/08/03\" -c -o src/ev_epoll.o src/ev_epoll.c
>> gcc -Iinclude -Iebtree -Wall -O2 -g -fno-strict-aliasing
>> -Wdeclaration-after-statement -fwrapv -DCONFIG_HAP_LINUX_SPLICE
>> -DTPROXY -DCONFIG_HAP_LINUX_TPROXY -DCONFIG_HAP_CRYPT -DUSE_ZLIB
>> -DENABLE_POLL -DENABLE_EPOLL -DUSE_CPU_AFFINITY -DASSUME_SPLICE_WORKS
>> -DUSE_ACCEPT4 -DNETFILTER -DUSE_OPENSSL -DUSE_SYSCALL_FUTEX -DUSE_LUA
>> -DUSE_PCRE -I/usr/include -DUSE_PCRE_JIT -DUSE_TFO
>> -DCONFIG_HAPROXY_VERSION=\"1.8-dev2-316947-114\"
>> -DCONFIG_HAPROXY_DATE=\"2017/08/03\" -c -o src/ssl_sock.o src/ssl_sock.c
>> In file included from src/ssl_sock.c:94:0:
>> include/proto/openssl-compat.h: In function 'SSL_CTX_get0_privatekey':
>> include/proto/openssl-compat.h:99:19: error: dereferencing pointer to
>> incomplete type
>> return ctx->cert->key->privatekey;
>> ^
>> include/proto/openssl-compat.h:102:1: warning: control reaches end of
>> non-void function [-Wreturn-type]
>> }
>> ^
>> make: *** [src/ssl_sock.o] Error 1
>> make: Leaving directory `/usr/src/haproxy'
>> ###
>>
>> Openssl is
>> ---> Package openssl.x86_64 1:1.0.1e-60.el7_3.1 will be installed
>> ---> Package openssl-devel.x86_64 1:1.0.1e-60.el7_3.1 will be installed
>>
>> I thought this case is covered by this commit.
>>
>> http://git.haproxy.org/?p=haproxy.git;a=commit;h=48a8332a4a82f151877bd6baf567031088845f2d
>>
>> ##
>> BUG/MEDIUM: ssl: Fix regression about certificates generation
>>
>> Since the commit f6b37c67 ["BUG/MEDIUM: ssl: in bind line, ssl-options after
>> 'crt' are ignored."], the certificates generation is broken.
>>
>> To generate a certificate, we retrieved the private key of the default
>> certificate using the SSL object. But since the commit f6b37c67, the SSL
>> object is created with a dummy certificate (initial_ctx).
>>
>> So to fix the bug, we use directly the default certificate in the bind_conf
>> structure. We use SSL_CTX_get0_privatekey function to do so. Because this
>> function does not exist for OpenSSL < 1.0.2 and for LibreSSL, it has been
>> added in openssl-compat.h with the right #ifdef.
>> ##
>>
>> [root@centos-512mb-fra1-01 haproxy-waf]# egrep OPENSSL_VERSION_NUMBER
>> /usr/include/openssl/*
>> /usr/include/openssl/crypto.h:#define SSLEAY_VERSION_NUMBER
>> OPENSSL_VERSION_NUMBER
>> /usr/include/openssl/opensslv.h:#define OPENSSL_VERSION_NUMBER 0x1000105fL
>>
>> How can I help to fix this issue?
>>
> can you test with this patch?:

Wow that was fast, thanks ;-)

https://github.com/git001/haproxy-waf/blob/master/Dockerfile#L57

Build passed
https://travis-ci.org/git001/haproxy-waf

--
Best Regards
Aleks

Re: error at build time In function 'SSL_CTX_get0_privatekey' error: dereferencing pointer to incomplete type
Hi Aleksandar,

> On 9 August 2017 at 13:39, Aleksandar Lazic wrote:
>
> Hi,
>
> Today I have tried to recreate the WAF.
>
> I received this error at build time.
>
> ###
> + cd /usr/src
> + git clone http://git.haproxy.org/git/haproxy.git/
> Cloning into 'haproxy'...
> + make -C /usr/src/haproxy TARGET=linux2628 USE_PCRE=1 USE_OPENSSL=1
> USE_ZLIB=1 USE_LINUX_SPLICE=1 USE_TFO=1 USE_PCRE_JIT=1 USE_LUA=1 all
> install-bin
> make: Entering directory `/usr/src/haproxy'
> gcc -Iinclude -Iebtree -Wall -O2 -g -fno-strict-aliasing
> -Wdeclaration-after-statement -fwrapv -DCONFIG_HAP_LINUX_SPLICE
> -DTPROXY -DCONFIG_HAP_LINUX_TPROXY -DCONFIG_HAP_CRYPT -DUSE_ZLIB
> -DENABLE_POLL -DENABLE_EPOLL -DUSE_CPU_AFFINITY -DASSUME_SPLICE_WORKS
> -DUSE_ACCEPT4 -DNETFILTER -DUSE_OPENSSL -DUSE_SYSCALL_FUTEX -DUSE_LUA
> -DUSE_PCRE -I/usr/include -DUSE_PCRE_JIT -DUSE_TFO
> -DCONFIG_HAPROXY_VERSION=\"1.8-dev2-316947-114\"
> -DCONFIG_HAPROXY_DATE=\"2017/08/03\" -c -o src/ev_poll.o src/ev_poll.c
> gcc -Iinclude -Iebtree -Wall -O2 -g -fno-strict-aliasing
> -Wdeclaration-after-statement -fwrapv -DCONFIG_HAP_LINUX_SPLICE
> -DTPROXY -DCONFIG_HAP_LINUX_TPROXY -DCONFIG_HAP_CRYPT -DUSE_ZLIB
> -DENABLE_POLL -DENABLE_EPOLL -DUSE_CPU_AFFINITY -DASSUME_SPLICE_WORKS
> -DUSE_ACCEPT4 -DNETFILTER -DUSE_OPENSSL -DUSE_SYSCALL_FUTEX -DUSE_LUA
> -DUSE_PCRE -I/usr/include -DUSE_PCRE_JIT -DUSE_TFO
> -DCONFIG_HAPROXY_VERSION=\"1.8-dev2-316947-114\"
> -DCONFIG_HAPROXY_DATE=\"2017/08/03\" -c -o src/ev_epoll.o src/ev_epoll.c
> gcc -Iinclude -Iebtree -Wall -O2 -g -fno-strict-aliasing
> -Wdeclaration-after-statement -fwrapv -DCONFIG_HAP_LINUX_SPLICE
> -DTPROXY -DCONFIG_HAP_LINUX_TPROXY -DCONFIG_HAP_CRYPT -DUSE_ZLIB
> -DENABLE_POLL -DENABLE_EPOLL -DUSE_CPU_AFFINITY -DASSUME_SPLICE_WORKS
> -DUSE_ACCEPT4 -DNETFILTER -DUSE_OPENSSL -DUSE_SYSCALL_FUTEX -DUSE_LUA
> -DUSE_PCRE -I/usr/include -DUSE_PCRE_JIT -DUSE_TFO
> -DCONFIG_HAPROXY_VERSION=\"1.8-dev2-316947-114\"
> -DCONFIG_HAPROXY_DATE=\"2017/08/03\" -c -o src/ssl_sock.o src/ssl_sock.c
> In file included from src/ssl_sock.c:94:0:
> include/proto/openssl-compat.h: In function 'SSL_CTX_get0_privatekey':
> include/proto/openssl-compat.h:99:19: error: dereferencing pointer to
> incomplete type
> return ctx->cert->key->privatekey;
> ^
> include/proto/openssl-compat.h:102:1: warning: control reaches end of
> non-void function [-Wreturn-type]
> }
> ^
> make: *** [src/ssl_sock.o] Error 1
> make: Leaving directory `/usr/src/haproxy'
> ###
>
> Openssl is
> ---> Package openssl.x86_64 1:1.0.1e-60.el7_3.1 will be installed
> ---> Package openssl-devel.x86_64 1:1.0.1e-60.el7_3.1 will be installed
>
> I thought this case is covered by this commit.
>
> http://git.haproxy.org/?p=haproxy.git;a=commit;h=48a8332a4a82f151877bd6baf567031088845f2d
>
> ##
> BUG/MEDIUM: ssl: Fix regression about certificates generation
>
> Since the commit f6b37c67 ["BUG/MEDIUM: ssl: in bind line, ssl-options after
> 'crt' are ignored."], the certificates generation is broken.
>
> To generate a certificate, we retrieved the private key of the default
> certificate using the SSL object. But since the commit f6b37c67, the SSL
> object is created with a dummy certificate (initial_ctx).
>
> So to fix the bug, we use directly the default certificate in the bind_conf
> structure. We use SSL_CTX_get0_privatekey function to do so. Because this
> function does not exist for OpenSSL < 1.0.2 and for LibreSSL, it has been
> added in openssl-compat.h with the right #ifdef.
> ##
>
> [root@centos-512mb-fra1-01 haproxy-waf]# egrep OPENSSL_VERSION_NUMBER
> /usr/include/openssl/*
> /usr/include/openssl/crypto.h:#define SSLEAY_VERSION_NUMBER
> OPENSSL_VERSION_NUMBER
> /usr/include/openssl/opensslv.h:#define OPENSSL_VERSION_NUMBER 0x1000105fL
>
> How can I help to fix this issue?
>

can you test with this patch?:

fix_get0privatekey_compat.diff
Description: Binary data

Manu
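
Added example (not part of the thread and not HAProxy's code): the `OPENSSL_VERSION_NUMBER` value from the egrep output above, decoded with the OpenSSL 1.0.x `0xMNNFFPPS` layout, to show why this build selects the compat branch that the quoted commit message describes. The helper names and the `0x10002000` threshold standing for "OpenSSL 1.0.2" are assumptions of this example.

```c
#include <stdio.h>
#include <string.h>

/* OpenSSL 1.0.x packs OPENSSL_VERSION_NUMBER as 0xMNNFFPPS:
 * major (4 bits), minor (8), fix (8), patch (8), status (4; 0xf = release). */
struct ossl_version {
    unsigned major, minor, fix, patch, status;
};

static struct ossl_version decode_openssl_version(unsigned long v)
{
    struct ossl_version r;
    r.major  = (unsigned)((v >> 28) & 0xf);
    r.minor  = (unsigned)((v >> 20) & 0xff);
    r.fix    = (unsigned)((v >> 12) & 0xff);
    r.patch  = (unsigned)((v >> 4) & 0xff);
    r.status = (unsigned)(v & 0xf);
    return r;
}

/* Render "1.0.1e"-style text: patch 0 has no letter, 1 is 'a', 2 is 'b', ... */
static const char *format_openssl_version(unsigned long v, char *buf, size_t len)
{
    struct ossl_version r = decode_openssl_version(v);
    char letter[2] = { 0, 0 };
    if (r.patch >= 1 && r.patch <= 26)
        letter[0] = (char)('a' + r.patch - 1);
    snprintf(buf, len, "%u.%u.%u%s", r.major, r.minor, r.fix, letter);
    return buf;
}

/* Assumed gate (hypothetical helper): the commit message says the function is
 * missing for OpenSSL < 1.0.2 and for LibreSSL, so those need the shim. */
static int needs_get0_privatekey_compat(unsigned long v, int is_libressl)
{
    return is_libressl || v < 0x10002000UL;
}

int main(void)
{
    char buf[16];
    unsigned long v = 0x1000105fUL; /* value from opensslv.h in the thread */
    printf("OpenSSL %s -> compat shim %s\n",
           format_openssl_version(v, buf, sizeof buf),
           needs_get0_privatekey_compat(v, 0) ? "needed" : "not needed");
    return 0;
}
```

The decoded version is below 1.0.2, so the shim in `openssl-compat.h` is compiled on this host, and its `ctx->cert->key` access is the line the compiler rejects as an incomplete type.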