On 14/05/2013 6:28 a.m., Tsantilas Christos wrote:
I am attaching a fix.
Still needs some discussion.
This patch does the following two checks:
1) Checks if the SSL_get_certificate is buggy
2) Checks if the workaround can be enabled.
Inside squid:
If the workaround can be used, enable it
else if the SSL_get_certificate is not buggy, use it
else hit an assertion
I select this approach:
1) because the workaround is significantly faster than using the
SSL_get_certificate
2) to avoid the segfault if the SSL_get_certificate is buggy.
Problems:
I had a problem with the LD_LIBRARY_PATH. For example if the user does
not want to use system libraries and use openSSL SDK installed under a
non standard directory, the test program will run with system libraries.
To avoid this someone should use the LD_LIBRARY_PATH in configure script:
./configure --with-openssl=/path/to/openssl/
LD_LIBRARY_PATH=/path/to/openssl/
I do not like this option, so in the test I am using the -wl,-rpath
compiler option to pass the openSSL libraries path.
But this option does not look good either.
Also we may want to harden the workaround test to use a hardcoded
certificate instead of a NULL certificate. (I attached an example in a
previous mail)
Regards,
Christos
Looks like good progress.
Have you tried moving the m4_include statement after AC_SUBST(SSLLIB)?
The m4_include will expand the file in-place inside configure.ac.
Have you tried passing the flags as an argument to the check macro? eg.
SQUID_CHECK_OPENSSL_GETCERTIFICATE_WORKS([$SSLLIB])
partial audit:
* Provided the m4_include is not sensitive to location I would like this
AC_DEFUN to be in acinclude/lib-checks.m4 though along with the other
library hack checks. If location is sensitive we will be forced to use a
separate .m4 file though.
* Also the .cc code does not need to use "#if defined(" when the squid
code is in explicit control of the macro definition 0/1/absent state.
Just use "#if SQUID_"...
Amos