Mailing-List: contact dev-help@httpd.apache.org; run by ezmlm
Precedence: bulk
Reply-To: dev@httpd.apache.org
Received-SPF: pass (nike.apache.org: domain of mamfelt@gmail.com designates
 209.85.160.169 as permitted sender)
MIME-Version: 1.0
In-Reply-To: 
 <CAFMGiz9p61O09CpZ=ymA_pNTxEYVQJMsPRpXJDA30MVXTozrFA@mail.gmail.com>
References: 
 <CAA=k7mVA2JAQiqqGgnxsu6RYMHvr7swf7nbE0F5v2Ex50BqrNg@mail.gmail.com>
	<CAFMGiz9p61O09CpZ=ymA_pNTxEYVQJMsPRpXJDA30MVXTozrFA@mail.gmail.com>
Date: Fri, 5 Jun 2015 14:15:33 +0200
Message-ID: 
 <CAN9c_NTK8uqWo+8VYRx7OafJkrHJSAwK6xQjpyQUO3TrKvr2Ow@mail.gmail.com>
Subject: Re: httpd and OpenSSL 1.0.2
From: Michael Felt <mamfelt@gmail.com>
To: dev@httpd.apache.org
Cc: Mario Brandt <jblond@gmail.com>, users@httpd.apache.org
Content-Type: multipart/alternative; boundary=089e0118241ab1a4140517c43f13

--089e0118241ab1a4140517c43f13
Content-Type: text/plain; charset=UTF-8

Along the lines of "to be continued" - IMHO httpd should be one of the
early adopters of not allowing linkage to versions of openssl that cannot
support TLS1.2.

I have built (on AIX) against libreSSL (v2.1.6) with some private additions
for AIX (that will be verified and improved upon by openbsd in the soon to
be released libreSSL 2.2 version).

Basically, there are only two defines that were 'missing'. One was rather
'obscure' it what it is suppossed to be doing (i.e., looking in the openssl
code) - the other was downright 'dangerous" because it permits 'any
external so-called enthrophy generator' to be added and used for randomness
- because it is, or at least was, part of the openSSL libraries. (the
approach of libreSSL was to completely remove it, hence a missing #define).

Again - to be continued. and asap - in a separate post I will post the
differences to get it to link against libreSSL (p.s. only mod_ssl needs
this afaik).

On Wed, May 27, 2015 at 3:29 PM, Tom Browder <tom.browder@gmail.com> wrote:

> On May 27, 2015 5:26 AM, "Mario Brandt" <jblond@gmail.com> wrote:
> > Hi Tom,
> > I saw you on the httpd dev mailing list about that topic. How did you
> > manage to build apache against 1.0.2?
> >
> > Cause if I try that I get in my VM
> >
> > /opt/apache2/modules/mod_ssl.so: undefined symbol: SSL_CONF_CTX_finish
> >
> > or on my real server
> >
> > /opt/apache2/modules/mod_ssl.so: undefined symbol: SSL_CONF_CTX_free
> >
> > OpenSSL
> > ./config --prefix=/usr zlib-dynamic --openssldir=/etc/ssl shared no-ssl2
> > make depend
> > make
> > sudo make install
> >
> >
> > apache
> > ./configure --prefix=/opt/apache2 --enable-pie
> > --enable-mods-shared=all --enable-so --disable-include --enable-lua
> > --enable-deflate --enable-headers --enable-expires --enable-ssl=shared
> > --enable-mpms-shared=all --with-mpm=event --enable-rewrite
> > --with-z=$HOME/apache24/httpd-2.4.12/srclib/zlib --enable-module=ssl
> > --enable-fcgid --with-included-apr
> > --with-openssl=$HOME/apache24/openssl-1.0.2a
> > --enable-ssl-staticlib-deps
> >
> > with the 1.0.1m it works all fine
> > seehttps://
> github.com/JBlond/debian_build_apache24/blob/master/build_apache.sh
> >
> >
> > Please tell me how you got it working.
>
> Mario, I did get it working, but I did have a bit more effort to make
> the latest openssl work.  Taking a quick look at your blog I believe I
> can help, but I'll explain my solution in a follow-up message so this
> thread is on the public mailing lists.
>
> I feel I must explain that I'm using a Debian 7, 64-bit server.  It
> might help if we could know your server info as other architectures
> may require more or other tweaks.
>
> Finally, the best I can probably do is show you my configure options
> which may conflict with yours.
>
> TO BE CONTINUED....
>
> Best regards,
>
> -Tom
>

--089e0118241ab1a4140517c43f13
Content-Type: text/html; charset=UTF-8
Content-Transfer-Encoding: quoted-printable

<div dir=3D"ltr"><div><div><div>Along the lines of &quot;to be continued&qu=
ot; - IMHO httpd should be one of the early adopters of not allowing linkag=
e to versions of openssl that cannot support TLS1.2.<br><br></div>I have bu=
ilt (on AIX) against libreSSL (v2.1.6) with some private additions for AIX =
(that will be verified and improved upon by openbsd in the soon to be relea=
sed libreSSL 2.2 version).<br><br></div>Basically, there are only two defin=
es that were &#39;missing&#39;. One was rather &#39;obscure&#39; it what it=
 is suppossed to be doing (i.e., looking in the openssl code) - the other w=
as downright &#39;dangerous&quot; because it permits &#39;any external so-c=
alled enthrophy generator&#39; to be added and used for randomness - becaus=
e it is, or at least was, part of the openSSL libraries. (the approach of l=
ibreSSL was to completely remove it, hence a missing #define).<br><br></div=
>Again - to be continued. and asap - in a separate post I will post the dif=
ferences to get it to link against libreSSL (p.s. only mod_ssl needs this a=
faik).<br></div><div class=3D"gmail_extra"><br><div class=3D"gmail_quote">O=
n Wed, May 27, 2015 at 3:29 PM, Tom Browder <span dir=3D"ltr">&lt;<a href=
=3D"mailto:tom.browder@gmail.com" target=3D"_blank">tom.browder@gmail.com</=
a>&gt;</span> wrote:<br><blockquote class=3D"gmail_quote" style=3D"margin:0=
 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">On May 27, 2015 5:26=
 AM, &quot;Mario Brandt&quot; &lt;<a href=3D"mailto:jblond@gmail.com">jblon=
d@gmail.com</a>&gt; wrote:<br>
&gt; Hi Tom,<br>
&gt; I saw you on the httpd dev mailing list about that topic. How did you<=
br>
&gt; manage to build apache against 1.0.2?<br>
&gt;<br>
&gt; Cause if I try that I get in my VM<br>
&gt;<br>
&gt; /opt/apache2/modules/mod_ssl.so: undefined symbol: SSL_CONF_CTX_finish=
<br>
&gt;<br>
&gt; or on my real server<br>
&gt;<br>
&gt; /opt/apache2/modules/mod_ssl.so: undefined symbol: SSL_CONF_CTX_free<b=
r>
&gt;<br>
&gt; OpenSSL<br>
&gt; ./config --prefix=3D/usr zlib-dynamic --openssldir=3D/etc/ssl shared n=
o-ssl2<br>
&gt; make depend<br>
&gt; make<br>
&gt; sudo make install<br>
&gt;<br>
&gt;<br>
&gt; apache<br>
&gt; ./configure --prefix=3D/opt/apache2 --enable-pie<br>
&gt; --enable-mods-shared=3Dall --enable-so --disable-include --enable-lua<=
br>
&gt; --enable-deflate --enable-headers --enable-expires --enable-ssl=3Dshar=
ed<br>
&gt; --enable-mpms-shared=3Dall --with-mpm=3Devent --enable-rewrite<br>
&gt; --with-z=3D$HOME/apache24/httpd-2.4.12/srclib/zlib --enable-module=3Ds=
sl<br>
&gt; --enable-fcgid --with-included-apr<br>
&gt; --with-openssl=3D$HOME/apache24/openssl-1.0.2a<br>
&gt; --enable-ssl-staticlib-deps<br>
&gt;<br>
&gt; with the 1.0.1m it works all fine<br>
&gt; seehttps://<a href=3D"http://github.com/JBlond/debian_build_apache24/b=
lob/master/build_apache.sh" target=3D"_blank">github.com/JBlond/debian_buil=
d_apache24/blob/master/build_apache.sh</a><br>
&gt;<br>
&gt;<br>
&gt; Please tell me how you got it working.<br>
<br>
Mario, I did get it working, but I did have a bit more effort to make<br>
the latest openssl work.=C2=A0 Taking a quick look at your blog I believe I=
<br>
can help, but I&#39;ll explain my solution in a follow-up message so this<b=
r>
thread is on the public mailing lists.<br>
<br>
I feel I must explain that I&#39;m using a Debian 7, 64-bit server.=C2=A0 I=
t<br>
might help if we could know your server info as other architectures<br>
may require more or other tweaks.<br>
<br>
Finally, the best I can probably do is show you my configure options<br>
which may conflict with yours.<br>
<br>
TO BE CONTINUED....<br>
<br>
Best regards,<br>
<br>
-Tom<br>
</blockquote></div><br></div>

--089e0118241ab1a4140517c43f13--