[openssl-users] OpenSSL and dependencies such as openssh
The Doctor
doctor at doctor.nl2k.ab.ca
Tue Jan 5 16:19:32 UTC 2016
On Mon, Jan 04, 2016 at 07:22:04PM +0000, Viktor Dukhovni wrote:
> On Mon, Jan 04, 2016 at 09:08:31AM -0700, The Doctor wrote:
>
> > if ((rc = fprintf(fd ,"%08x (%s)\n", SSLeay(),
> > SSLeay_version(SSLEAY_VERSION))) <0)
> >
> > Could there be anything that is causing openssh not to see the new openssl 1.1
>
> The above. The SSLeay names are gone. The new way is:
>
> if ((rc = fprintf(fd ,"%08x (%s)\n", OpenSSL_version_num(),
> OpenSSL_version(OPENSSL_VERSION))) <0)
>
> I think it is likely prudent at this time to restore source-
> backwards-compatible behaviour, by adding to <openssl/crypto.h>:
>
> #if !defined(OPENSSL_API_COMPAT) || OPENSSL_API_COMPAT < 0x10100000L
> # include <openssl/opensslv.h>
> # define SSLeay OpenSSL_version_num
> # define SSLeay_version OpenSSL_version
> # define SSLEAY_VERSION_NUMBER OPENSSL_VERSION_NUMBER
> # define SSLEAY_VERSION OPENSSL_VERSION
> # define SSLEAY_CFLAGS OPENSSL_CFLAGS
> # define SSLEAY_BUILT_ON OPENSSL_BUILT_ON
> # define SSLEAY_PLATFORM OPENSSL_PLATFORM
> # define SSLEAY_DIR OPENSSL_DIR
> #endif /* OPENSSL_API_COMPAT */
>
> Users who want to make sure they are avoiding interfaces that are
> deprecated with 1.1.0 can set OPENSSL_API_COMPAT to 0x10100000L or
> higher as appropriate.
Tip of the iceberg.
A number of changes need to be committed before launching.
From inn:
tls.o: In function `tmp_dh_cb':
/usr/source/inn-CURRENT-20160105/nnrpd/tls.c:219: undefined reference to `DH_generate_parameters'
tls.o: In function `tls_init_serverengine':
/usr/source/inn-CURRENT-20160105/nnrpd/tls.c:498: undefined reference to `SSLv23_server_method'
gmake[1]: *** [nnrpd] Error 1
so 219 and that area gives us
default:
/* We should check current keylength vs. requested keylength
* also, this is an extremely expensive operation! */
dh = DH_generate_parameters(keylength, DH_GENERATOR_2, NULL, NULL);
r = dh;
I just comment these 2 lines out for now
line 498 is
CTX = SSL_CTX_new(SSLv23_server_method());
I just replace as follows
CTX = SSL_CTX_new(TLS_server_method());
A better fix is needed.
And there is Apache 2.4
Making all in support
/usr/source/httpd-2.4.18/srclib/apr/libtool --silent --mode=link /usr/bin/gcc -std=gnu99 -Wmissing-prototypes -Wstrict-prototypes -Wmissing-declarations -Wpointer-arith -Wformat -Wformat-security -Wall -g -O2 -L/usr/contrib/lib -lssl -lcrypto -lpthread -o ab -static ab.lo -L/usr/lib -lc -lm -ldl -liconv -lintl -lutil -ldb -levent /usr/source/httpd-2.4.18/srclib/apr-util/libaprutil-1.la -lexpat /usr/source/httpd-2.4.18/srclib/apr/libapr-1.la -lpthread -lm
ab.o: In function `test':
/usr/source/httpd-2.4.18/support/ab.c:1863: undefined reference to `SSL_state'
and this piece of code is
set_conn_state(c, STATE_CONNECTED);
#ifdef USE_SSL
if (c->ssl)
ssl_proceed_handshake(c);
else
#endif
write_request(c);
Looks like a lot of rewriting to do.
>
> --
> Viktor.
--
Member - Liberal International This is doctor@@nl2k.ab.ca Ici doctor@@nl2k.ab.ca
God,Queen and country!Never Satan President Republic!Beware AntiChrist rising!
http://www.fullyfollow.me/rootnl2k Look at Psalms 14 and 53 on Atheism
Birthdate 29 Jan 1969 Redhill, Surrey, UK
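
A porting audit for the breakage described in this message, as an added example that is not part of the original post or of any project mentioned in it: it scans C source for the names that failed to compile or link here and reports the OpenSSL 1.1 name for each, ignoring comments and string literals. The replacements given for DH_generate_parameters and SSL_state, the function name find_removed_names and the sample source are assumptions of this example, not taken from the thread.

```python
import re

# Names that failed to compile or link in the message above, mapped to the
# OpenSSL 1.1 spelling. The first four mappings come from the thread. The last
# two are this example's addition and are not drop-in renames: the argument
# lists or return types differ, so each call site needs a manual port.
REPLACEMENTS = {
    "SSLeay": "OpenSSL_version_num",
    "SSLeay_version": "OpenSSL_version",
    "SSLEAY_VERSION": "OPENSSL_VERSION",
    "SSLv23_server_method": "TLS_server_method",
    "DH_generate_parameters": "DH_generate_parameters_ex",
    "SSL_state": "SSL_get_state",
}

# One pass over C source: comments and literals are matched first, so an
# identifier that only appears inside them is never reported.
TOKEN = re.compile(
    r"""/\*.*?\*/            # block comment
      | //[^\n]*             # line comment
      | "(?:\\.|[^"\\\n])*"  # string literal
      | '(?:\\.|[^'\\\n])*'  # character literal
      | (?P<ident>[A-Za-z_]\w*)
    """,
    re.S | re.X,
)

def find_removed_names(source):
    """Return (line, old_name, new_name) for each live use in C source."""
    hits = []
    for m in TOKEN.finditer(source):
        name = m.group("ident")
        if name in REPLACEMENTS:
            line = source.count("\n", 0, m.start()) + 1
            hits.append((line, name, REPLACEMENTS[name]))
    return hits

# Constructed sample, modelled on the snippets quoted in the message.
SAMPLE = '''\
/* SSLeay() is mentioned here only in a comment */
fprintf(fd, "%08x (%s)\\n", SSLeay(), SSLeay_version(SSLEAY_VERSION));
ok = DH_generate_parameters_ex(dh, keylength, DH_GENERATOR_2, NULL);
dh = DH_generate_parameters(keylength, DH_GENERATOR_2, NULL, NULL);
CTX = SSL_CTX_new(SSLv23_server_method()); // was SSL_state based
log("SSL_state");
'''

if __name__ == "__main__":
    for line, old, new in find_removed_names(SAMPLE):
        print(f"line {line}: {old} -> {new}")
```
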