Bug #2727
closed
Won't compile with OpenSSL 1.1.0
Description
Lighttpd 1.4.39 won't compile with OpenSSL 1.1.0, mainly due to the fact that the internals of many structures have been hidden from the user, making the use of accessor functions mandatory.
Attached there's a patch that fixes the issue.
Updated by gstrauss over 8 years ago
Thanks for the patch. I'll test it out next week (against older openssl releases, too) unless someone else beats me to it.
(FYI for others reading this ticket: openssl 1.1.0 is in beta right now, and has not yet been officially released)
Updated by gstrauss over 8 years ago
I looked up the function calls added by your patch.
According to https://www.openssl.org/docs/manpages.html
- X509_NAME_ENTRY_get_data()
- BN_bin2bn()
- DH_get0_pqg()
- DH_set_length()
so it looks like we'll have to wrap the new calls with #if OPENSSL_VERSION_NUMBER >= 0x010100000L
https://www.openssl.org/docs/man1.0.1/crypto/OPENSSL_VERSION_NUMBER.html
Updated by gstrauss over 8 years ago
- Status changed from New to Patch Pending
The deprecated ERR_remove_state() in server.c should be replaced with ERR_remove_thread_state()
I also had trouble compiling connections.c with openssl 1.1.0pre5
connections.c:287:10: error: ‘SSL_R_TLSV1_ALERT_UNKNOWN_CA’ undeclared (first use in this function)
     case SSL_R_TLSV1_ALERT_UNKNOWN_CA:
          ^
connections.c:287:10: note: each undeclared identifier is reported only once for each function it appears in
connections.c:288:10: error: ‘SSL_R_SSLV3_ALERT_CERTIFICATE_UNKNOWN’ undeclared (first use in this function)
     case SSL_R_SSLV3_ALERT_CERTIFICATE_UNKNOWN:
          ^
connections.c:289:10: error: ‘SSL_R_SSLV3_ALERT_BAD_CERTIFICATE’ undeclared (first use in this function)
     case SSL_R_SSLV3_ALERT_BAD_CERTIFICATE:
          ^
I have patched and tested compiling and linking against openssl 1.1.0pre5. The modified patch will probably go to master next Monday.
Updated by falemagn over 8 years ago
gstrauss wrote:
> I looked up the function calls added by your patch.
> these are available in openssl 1.0.1 (and possibly earlier, but people should be using 1.0.1 or later)
> According to https://www.openssl.org/docs/manpages.html
> - X509_NAME_ENTRY_get_data()
> - BN_bin2bn()
Of these 2, BN_bin2bn was already there before my patch.
> these are new in openssl 1.1.0
> - DH_get0_pqg()
> - DH_set_length()
> so it looks like we'll have to wrap the new calls with #if OPENSSL_VERSION_NUMBER >= 0x010100000L
> https://www.openssl.org/docs/man1.0.1/crypto/OPENSSL_VERSION_NUMBER.html
I'd suggest that #if OPENSSL_VERSION_NUMBER < 0x010100000 then those two functions could be defined, so the code stays clean and compatible.
Updated by falemagn over 8 years ago
gstrauss wrote:
> I also had trouble compiling connections.c with openssl 1.1.0pre5
> [...]
Did you have that problem with the patch I submitted? That would be strange, since the patch contains an #ifdef around those cases to avoid the compilation issue: it appears those defines just don't exist anymore.
Updated by gstrauss over 8 years ago
- Target version changed from 1.4.x to 1.4.40
Updated by gstrauss over 8 years ago
> Did you have that problem with the patch I submitted? That would be strange, since the patch contains an #ifdef around those cases to avoid the compilation issue: it appears those defines just don't exist anymore.
Ah, I had overlooked that #ifdef in your patch for connections.c. Sorry.
Anyway, you can see the patch in my working branch personal/gstrauss/master (to which I force-push and rewrite as I please) if you
$ git clone https://git.lighttpd.net/lighttpd/lighttpd1.4.git
Updated by falemagn over 8 years ago
gstrauss wrote:
> Anyway, you can see the patch in my working branch personal/gstrauss/master (to which I force-push and rewrite as I please) if you
> [...]
Looks nice to me. Thanks for your time! :)
Updated by gstrauss over 8 years ago
- Status changed from Patch Pending to Fixed
- % Done changed from 0 to 100
Applied in changeset 49c74fff65d23756746cab1470c67cf94b9db789.