httpd-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Rainer Jung <>
Subject Re: Fixing more OpenSSL callback crashes
Date Mon, 10 Apr 2017 22:21:03 GMT
Am 10.04.2017 um 22:41 schrieb Jacob Champion:
> A few questions for the list while I'm brainstorming the best way to fix
> ...
> - What is the oldest version of OpenSSL we'll support for the 2.4.x
> line? Will that version change in

For 2.4.0 it was discussed originally in May/June 2010. The original 
proposal was dropping support < 1.0.0, but we ended up in supporting 
everything starting with 0.9.7 (Threads was: "RFC: drop support for 
OpenSSL < 1.0 in trunk/2.3?"):

- support and build warning-free with OpenSSL >= 0.9.8
- support and build with OpenSSL >= 0.9.7a, albeit with (harmless)
   compiler warnings about argument const-ness all over the shop
- drop support for OpenSSL < 0.9.7a
- drop support for non-OpenSSL/derivatives of OpenSSL

The new minimum was mostly driven by looking at what was available on 
platforms at that time, e.g. not demanding users to build OpenSSL 
themselves. Sander Temme at that time provided this list:

* Windows: none
* Mac OS X 10.6: OpenSSL 0.9.8l 5 Nov 2009
* FreeBSD 6.4-STABLE: OpenSSL 0.9.7e-p1 25 Oct 2004
* FreeBSD 7.2-STABLE: OpenSSL 0.9.8e 23 Feb 2007
* FreeBSD 8-STABLE: OpenSSL 0.9.8k 25 Mar 2009
* OpenBSD 4.6: OpenSSL 0.9.8k 25 Mar 2009
* Solaris 10: 0.9.7 with backports... don't recall what's in the 
Coolstack but someone else may be able to tell us.
* 1.0.0 and 0.9.7g, with both Apache 2.0.59 and 2.2.15 
built against 1.0.0
* Red Hat 5: 0.9.8b with backports
* Red Hat 4: 0.9.7 with backports
* Ubuntu 10.04: OpenSSL 0.9.8k 25 Mar 2009

Later in 2.4.7 minimum support changed to 0.9.8a in Nov 2013 (commits 
r1542327 and r1555469). I think it hasn't changed since then. that would be up for discussion like it was done for 2.4 in 
2010. I guess we would look again at what current OS distributions provide.

> - Does anyone have a clever way to check, during configuration time,
> that errno is threadsafe? My plan was to spin up two threads in a config
> test program and see if the address of errno was different.

I tried it and it does not detect the threadsafe errno when using 
-D_REENTRANT. See below.

Probably not really good as well, but I tried starting two threads, both 
doing an invalid fdopen(), the first with an invalid fd (-1), the second 
with an invalid mode ("z"), then let both wait a few seconds, so that 
both had a chance to set errno, and then let both show what errno is. 
When compiling with -D_REENTRANT is get different errno values for both 

> - Does anyone know of platforms we support that *definitely* don't have
> a threadsafe errno? (From poking around on Google, it seemed like
> Solaris might fit into that bucket? Any others?)

Solaris errno is threadsafe if _REENTRANT is defined.

More precisely, if

#if defined(_REENTRANT) || defined(_TS_ERRNO) || _POSIX_C_SOURCE - 0 >= 



View raw message