httpd-dev mailing list archives

From Rainer Jung <rainer.j...@kippdata.de>
Subject Support for OpenSSL 1.1.0
Date Tue, 09 Feb 2016 10:20:04 GMT
I started adding support for OpenSSL 1.1.0 in trunk.

As some might know, the OpenSSL API changes and especially many 
structures have been made opaque.

I resolved all the stuff that could be done on a local/formal level, but 
some items remain, where I'm not sure how to proceed. I have marked all 
of them with "XXX: OpenSSL 1.1.0:" in the sources.

I tested a straight backport to 2.4 against OpenSSL 1.1.0pre2 plus patch 
https://github.com/openssl/openssl/commit/311f27852a18fb9c10f0c1283b639f12eea06de2 
and there were only 7 ssl test failures.

Open problems:

1) HTTP on HTTPS

OpenSSL 1.1.0 currently doesn't support the "HTTP spoken on HTTPS port" 
error. The code to detect HTTP was removed due to a major rewrite of the 
state engine. The OpenSSL project is willing to review patches for 
reintroducing the feature there but currently doesn't plan to work on it 
themselves.

2) Renegotiation

It needs to be implemented differently. The OpenSSL project suggests 
trying to read application data until the renegotiation has finished. I 
committed some rather ugly code that does loop waiting for reneg, but it 
has a couple of problems:

a) it will not work for EC or DH ciphers. Some opaque structure element 
in the ssl struct is already set and confuses the state machine. I hope 
to get some helpful feedback from the OpenSSL project for this.

b) the loop impl currently assumes we wait for client certs during the 
reneg. It will hang for the full loop duration when only the cipher 
changed but no certs will be sent. We need a better loop end check.

3) ssl_engine_ocsp.c

In modssl_verify_ocsp() the following code accesses the struct member 
"valid", for which currently no accessor function exists in 1.1.0:

    else if (cert->valid && X509_check_issued(cert,cert) == X509_V_OK) {
        /* don't do OCSP checking for valid self-issued certs */
        ap_log_cerror(APLOG_MARK, APLOG_TRACE2, 0, c,
                      "Skipping OCSP check for valid self-issued cert");
        X509_STORE_CTX_set_error(ctx, X509_V_OK);
        return 1;
    }


4) ssl_util_stapling.c

In ssl_stapling_init_cert() there's a compiler warning:
   "passing argument 1 of 'sk_value' from incompatible pointer type
    expected 'const struct _STACK *' but argument is of type
    'struct stack_st_OPENSSL_STRING *'":

       cinf->uri = apr_pstrdup(p, sk_OPENSSL_STRING_value(aia, 0));


5) ssl_engine_kernel.c

In ssl_callback_Info() the explicit state constants 
SSL3_ST_SR_CLNT_HELLO_A and SSL23_ST_SR_CLNT_HELLO_A are used which no 
longer exist. I can't find obvious replacements in the list of new state 
constants:

        int state = SSL_get_state((SSL *)ssl);

        if (state == SSL3_ST_SR_CLNT_HELLO_A
            || state == SSL23_ST_SR_CLNT_HELLO_A) {
            scr->reneg_state = RENEG_ABORT;
            ap_log_cerror(APLOG_MARK, APLOG_ERR, 0, c, APLOGNO(02042)
                          "rejecting client initiated renegotiation");
        }


Regards,

Rainer
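
Problem 1 above concerns the check OpenSSL used to perform on the first bytes of a connection to report plain HTTP sent to a TLS port. The following is an added example (not code from httpd, OpenSSL or this message) of what such a check looks like when a server does it itself before handing the connection to the TLS library: it classifies the first bytes as a TLS record (content type 0x16 plus a 0x03 version byte), an SSLv2-compatible ClientHello (high bit set, CLIENT-HELLO type 0x01 as third byte), or a plain-text request line that should be logged as an error rather than fed into the handshake. The function names and the set of request-line prefixes are assumptions, not httpd's or OpenSSL's.

```c
#include <string.h>

/* What the first bytes on a TLS listener look like. */
typedef enum {
    PEEK_NEED_MORE,   /* too few bytes to decide yet */
    PEEK_TLS,         /* a TLS record or SSLv2-compatible ClientHello */
    PEEK_HTTP,        /* a plain-text HTTP request line */
    PEEK_PROXY,       /* a plain-text CONNECT (proxy) request */
    PEEK_UNKNOWN      /* neither TLS nor anything recognisable as HTTP */
} peek_result;

/* Plain-text prefixes worth reporting (assumed set, not httpd's or OpenSSL's). */
static const struct { const char *prefix; peek_result kind; } plain_text[] = {
    { "GET ", PEEK_HTTP }, { "POST ", PEEK_HTTP }, { "HEAD ", PEEK_HTTP },
    { "PUT ", PEEK_HTTP }, { "CONNECT ", PEEK_PROXY },
};

/* Classify the first bytes read on a TLS port without consuming them.
 * A TLS record starts with content type 0x16 (handshake) and a 0x03
 * major-version byte; an SSLv2-compatible ClientHello has the high bit
 * of its first byte set and 0x01 (CLIENT-HELLO) as its third byte.
 * Anything else is compared against the plain-text request prefixes. */
peek_result classify_first_bytes(const unsigned char *buf, size_t len)
{
    size_t i;
    if (len < 3)
        return PEEK_NEED_MORE;
    if (buf[0] == 0x16 && buf[1] == 0x03)
        return PEEK_TLS;
    if ((buf[0] & 0x80) && buf[2] == 0x01)
        return PEEK_TLS;
    for (i = 0; i < sizeof plain_text / sizeof plain_text[0]; i++) {
        size_t n = strlen(plain_text[i].prefix);
        if (len < n) {
            /* Partial match: the request line may still be arriving. */
            if (memcmp(buf, plain_text[i].prefix, len) == 0)
                return PEEK_NEED_MORE;
            continue;
        }
        if (memcmp(buf, plain_text[i].prefix, n) == 0)
            return plain_text[i].kind;
    }
    return PEEK_UNKNOWN;
}

/* Convenience wrapper for NUL-terminated constructed sample input. */
peek_result classify_cstr(const char *s)
{
    return classify_first_bytes((const unsigned char *)s, strlen(s));
}
```

A server would call this on bytes obtained with MSG_PEEK (or a buffered read it later replays) so that a TLS ClientHello still reaches the library untouched.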

