On 18/05/2017 03:40 PM, Amos Jeffries wrote:
On 18/05/17 23:12, Christos Tsantilas wrote:
+ # check for API functions
+ AC_CHECK_LIB(ssl, SSL_CTX_get0_certificate,
[AC_DEFINE(HAVE_SSL_CTX_GET0_CERTIFICATE, 1, [SSL_CTX_get0_certificate
is available])], [])
+
This bit seems to be correct.
Given the .cc file sequence of macro tests I think we can speed up
./configure a bit by moving the use of
SQUID_CHECK_OPENSSL_GETCERTIFICATE_WORKS into the if-not-found [] path.
eg.
AC_CHECK_LIB(ssl, SSL_CTX_get0_certificate, [
AC_DEFINE(HAVE_SSL_CTX_GET0_CERTIFICATE, 1, [SSL_CTX_get0_certificate
is available])
],[
# check for bugs and hacks in the old OpenSSL API
SQUID_CHECK_OPENSSL_GETCERTIFICATE_WORKS
])
I am attaching a new patch.
In this patch I moved the SQUID_CHECK_OPENSSL_GETCERTIFICATE_WORKS as
you suggested.
But my last patch was also buggy: the AC_CHECK_LIB did not search the
correct directories for the libssl library.
In this patch I moved the "SQUID_STATE_ROLLBACK(squid_openssl_state)"
line some lines down to have the correct libraries search path.
Is it OK, or is it better to open a new SQUID_STATE_SAVE/ROLLBACK just
for AC_CHECK_LIB?
PS. Finally, this easy-to-fix issue is one more proof that it is better
not to start fixing files involving this satanic tool called autoconf!
Amos
Squid crashes when ServerFirst bumping mode is used with OpenSSL-1.1.0 release
When OpenSSL-1.1.0 or later is used:
- The SQUID_USE_SSLGETCERTIFICATE_HACK configure test is false
- The SQUID_SSLGETCERTIFICATE_BUGGY configure test is true
- Squid hits an assert(0) inside Ssl::verifySslCertificate when trying to
retrieve a generated certificate from cache.
This is a Measurement Factory project
=== modified file 'configure.ac'
--- configure.ac 2017-03-31 18:43:20 +0000
+++ configure.ac 2017-05-18 15:44:32 +0000
@@ -1300,53 +1300,62 @@
# Windows MinGW has some special libraries ...
if test "x$squid_host_os" = "xmingw" ; then
LIBOPENSSL_LIBS='-lssleay32 -leay32 -lgdi32 $LIBOPENSSL_LIBS'
AC_MSG_NOTICE([Windows OpenSSL library support: yes -lssleay32 -leay32 -lgdi32])
fi
AC_CHECK_LIB(crypto,[CRYPTO_new_ex_data],[LIBOPENSSL_LIBS="-lcrypto $LIBOPENSSL_LIBS"],[
AC_MSG_ERROR([library 'crypto' is required for OpenSSL])
],$LIBOPENSSL_LIBS)
AC_CHECK_LIB(ssl,[SSL_library_init],[LIBOPENSSL_LIBS="-lssl $LIBOPENSSL_LIBS"],[
AC_MSG_ERROR([library 'ssl' is required for OpenSSL])
],$LIBOPENSSL_LIBS)
])
# This is a workaround for RedHat 9 brain damage..
if test -d /usr/kerberos/include -a -f /usr/include/openssl/kssl.h; then
AC_MSG_NOTICE([OpenSSL depends on Kerberos])
LIBOPENSSL_LIBS="-L/usr/kerberos/lib $LIBOPENSSL_LIBS"
CPPFLAGS="$CPPFLAGS -I/usr/kerberos/include"
fi
- SQUID_STATE_ROLLBACK(squid_openssl_state) #de-pollute LIBS
if test "x$LIBOPENSSL_LIBS" != "x"; then
CXXFLAGS="$LIBOPENSSL_CFLAGS $CXXFLAGS"
SSLLIB="$LIBOPENSSL_PATH $LIBOPENSSL_LIBS $SSLLIB"
AC_DEFINE(USE_OPENSSL,1,[OpenSSL support is available])
+ # check for API functions
+ AC_CHECK_LIB(ssl, SSL_CTX_get0_certificate, [
+ AC_DEFINE(HAVE_SSL_CTX_GET0_CERTIFICATE, 1, [SSL_CTX_get0_certificate is available])
+ ], [
+ # check for bugs and hacks in the old OpenSSL API
+ SQUID_CHECK_OPENSSL_GETCERTIFICATE_WORKS
+ ])
+
# check for other specific broken implementations
- SQUID_CHECK_OPENSSL_GETCERTIFICATE_WORKS
SQUID_CHECK_OPENSSL_CONST_SSL_METHOD
SQUID_CHECK_OPENSSL_TXTDB
SQUID_CHECK_OPENSSL_HELLO_OVERWRITE_HACK
fi
+
+ SQUID_STATE_ROLLBACK(squid_openssl_state) #de-pollute LIBS
+
if test "x$SSLLIB" = "x"; then
AC_MSG_ERROR([Required OpenSSL library not found])
fi
fi
AC_MSG_NOTICE([OpenSSL library support: ${with_openssl:=no} ${LIBOPENSSL_PATH} ${LIBOPENSSL_LIBS}])
AM_CONDITIONAL(ENABLE_SSL,[ test "x$with_openssl" = "xyes" ])
AC_SUBST(SSLLIB)
dnl User may specify MIT Kerberos is needed from a non-standard location
AC_ARG_WITH(mit-krb5,
AS_HELP_STRING([--without-mit-krb5],
[Compile without MIT Kerberos support.]), [
case "$with_mit_krb5" in
yes|no)
: # Nothing special to do here
;;
*)
if test ! -d "$withval" ; then
AC_MSG_ERROR([--with-mit-krb5 path does not point to a directory])
fi
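Review bot: the new `AC_CHECK_LIB(ssl, SSL_CTX_get0_certificate, [...], [...])` omits the other-libraries argument that the two earlier checks in this region pass (`AC_CHECK_LIB(crypto,[CRYPTO_new_ex_data],...,$LIBOPENSSL_LIBS)` and the matching `ssl`/`SSL_library_init` check), so its link test depends on whatever happens to be in LIBS at that point. libssl needs libcrypto, so on a system where -lcrypto is not already on the link line the probe fails to link, reports "not found", and the build quietly falls back to SQUID_CHECK_OPENSSL_GETCERTIFICATE_WORKS even though the function exists. Pass `$LIBOPENSSL_LIBS` as the fifth argument, as the earlier checks do; that also makes the probe independent of where SQUID_STATE_ROLLBACK sits, which answers the question in the cover mail about opening a separate SQUID_STATE_SAVE/ROLLBACK. Separately, moving the rollback below the `fi` means SQUID_CHECK_OPENSSL_CONST_SSL_METHOD, SQUID_CHECK_OPENSSL_TXTDB and SQUID_CHECK_OPENSSL_HELLO_OVERWRITE_HACK now also run before LIBS is de-polluted; if that is intended, the `#de-pollute LIBS` comment should say that every OpenSSL probe must precede it.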
=== modified file 'src/ssl/support.cc'
--- src/ssl/support.cc 2017-04-29 16:19:15 +0000
+++ src/ssl/support.cc 2017-05-18 09:15:54 +0000
@@ -969,43 +969,45 @@
Security::CertPointer cert;
Ssl::EVP_PKEY_Pointer pkey;
if (!readCertAndPrivateKeyFromMemory(cert, pkey, data))
return false;
if (!cert || !pkey)
return false;
if (!SSL_use_certificate(ssl, cert.get()))
return false;
if (!SSL_use_PrivateKey(ssl, pkey.get()))
return false;
return true;
}
bool
Ssl::verifySslCertificate(Security::ContextPointer &ctx, CertificateProperties const &properties)
{
+#if HAVE_SSL_CTX_GET0_CERTIFICATE
+ X509 * cert = SSL_CTX_get0_certificate(ctx.get());
+#elif SQUID_USE_SSLGETCERTIFICATE_HACK
// SSL_get_certificate is buggy in openssl versions 1.0.1d and 1.0.1e
// Try to retrieve certificate directly from Security::ContextPointer object
-#if SQUID_USE_SSLGETCERTIFICATE_HACK
X509 ***pCert = (X509 ***)ctx->cert;
X509 * cert = pCert && *pCert ? **pCert : NULL;
#elif SQUID_SSLGETCERTIFICATE_BUGGY
X509 * cert = NULL;
assert(0);
#else
// Temporary ssl for getting X509 certificate from SSL_CTX.
Security::SessionPointer ssl(Security::NewSessionObject(ctx));
X509 * cert = SSL_get_certificate(ssl.get());
#endif
if (!cert)
return false;
ASN1_TIME * time_notBefore = X509_get_notBefore(cert);
ASN1_TIME * time_notAfter = X509_get_notAfter(cert);
bool ret = (X509_cmp_current_time(time_notBefore) < 0 && X509_cmp_current_time(time_notAfter) > 0);
if (!ret)
return false;
return certificateMatchesProperties(cert, properties);
}
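Review bot: the new `X509 * cert = SSL_CTX_get0_certificate(ctx.get());` branch should carry a comment that the get0 accessor returns a pointer owned by the SSL_CTX, so `cert` must not be freed and is only valid while `ctx` lives; the function already treats `cert` as non-owning in the other branches (it is only read for notBefore/notAfter and handed to certificateMatchesProperties), so behaviour is consistent, but the ownership difference from the temporary-session fallback below is worth stating at the point of use. Also confirm that HAVE_SSL_CTX_GET0_CERTIFICATE reaches this translation unit through the generated config header: `#if HAVE_SSL_CTX_GET0_CERTIFICATE` evaluates to 0 when the macro is simply undefined, and since the hack/buggy macros are no longer computed in that case, a 1.1.0 build would drop into the `#else` path and call the SSL_get_certificate that the configure test was previously flagging as broken on that release.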
_______________________________________________
squid-dev mailing list
[email protected]
http://lists.squid-cache.org/listinfo/squid-dev