[openssl-users] OpenSSL and dependencies such as openssh
The Doctor
doctor at doctor.nl2k.ab.ca
Tue Jan 5 22:40:03 UTC 2016
On Tue, Jan 05, 2016 at 09:19:32AM -0700, The Doctor wrote:
> On Mon, Jan 04, 2016 at 07:22:04PM +0000, Viktor Dukhovni wrote:
> > On Mon, Jan 04, 2016 at 09:08:31AM -0700, The Doctor wrote:
> >
> > > if ((rc = fprintf(fd ,"%08x (%s)\n", SSLeay(),
> > > SSLeay_version(SSLEAY_VERSION))) <0)
> > >
> > > Could there be anything that is causing openssh not to see the new openssl 1.1
> >
> > The above. The SSLeay names are gone. The new way is:
> >
> > if ((rc = fprintf(fd ,"%08x (%s)\n", OpenSSL_version_num(),
> > OpenSSL_version(OPENSSL_VERSION))) <0)
> >
> > I think it is likely prudent at this time to restore source-
> > backwards-compatible behaviour, by adding to <openssl/crypto.h>:
> >
> > #if !defined(OPENSSL_API_COMPAT) || OPENSSL_API_COMPAT < 0x10100000L
> > # include <openssl/opensslv.h>
> > # define SSLeay OpenSSL_version_num
> > # define SSLeay_version OpenSSL_version
> > # define SSLEAY_VERSION_NUMBER OPENSSL_VERSION_NUMBER
> > # define SSLEAY_VERSION OPENSSL_VERSION
> > # define SSLEAY_CFLAGS OPENSSL_CFLAGS
> > # define SSLEAY_BUILT_ON OPENSSL_BUILT_ON
> > # define SSLEAY_PLATFORM OPENSSL_PLATFORM
> > # define SSLEAY_DIR OPENSSL_DIR
> > #endif /* OPENSSL_API_COMPAT */
> >
> > Users who want to make sure they are avoiding interfaces that are
> > deprecated with 1.1.0 can set OPENSSL_API_COMPAT to 0x10100000L or
> > higher as appropriate.
>
>
> Tip of the iceberg.
>
> A number of changes need to be committed before launching.
>
> From inn:
>
> tls.o: In function `tmp_dh_cb':
> /usr/source/inn-CURRENT-20160105/nnrpd/tls.c:219: undefined reference to `DH_generate_parameters'
> tls.o: In function `tls_init_serverengine':
> /usr/source/inn-CURRENT-20160105/nnrpd/tls.c:498: undefined reference to `SSLv23_server_method'
> gmake[1]: *** [nnrpd] Error 1
>
> so 219 and that area gives us
>
> default:
> /* We should check current keylength vs. requested keylength
> * also, this is an extremely expensive operation! */
> dh = DH_generate_parameters(keylength, DH_GENERATOR_2, NULL, NULL);
> r = dh;
>
> I just comment these 2 lines out for now
>
> line 498 is
>
> CTX = SSL_CTX_new(SSLv23_server_method());
>
> I just replace as follows
>
> CTX = SSL_CTX_new(TLS_server_method());
>
> A better fix is needed.
>
> And there is Apache 2.4
>
> Making all in support
> /usr/source/httpd-2.4.18/srclib/apr/libtool --silent --mode=link /usr/bin/gcc -std=gnu99 -Wmissing-prototypes -Wstrict-prototypes -Wmissing-declarations -Wpointer-arith -Wformat -Wformat-security -Wall -g -O2 -L/usr/contrib/lib -lssl -lcrypto -lpthread -o ab -static ab.lo -L/usr/lib -lc -lm -ldl -liconv -lintl -lutil -ldb -levent /usr/source/httpd-2.4.18/srclib/apr-util/libaprutil-1.la -lexpat /usr/source/httpd-2.4.18/srclib/apr/libapr-1.la -lpthread -lm
> ab.o: In function `test':
> /usr/source/httpd-2.4.18/support/ab.c:1863: undefined reference to `SSL_state'
>
> and this piece of code is
>
> set_conn_state(c, STATE_CONNECTED);
> #ifdef USE_SSL
> if (c->ssl)
> ssl_proceed_handshake(c);
> else
> #endif
> write_request(c);
>
> Looks like a lot of rewriting to do.
>
>
>
In exim we get
gcc -o exim
tls.o: In function `rsa_callback':
tls.o(.text+0x19a): undefined reference to `RSA_generate_key'
tls.o: In function `tls_servername_cb':
tls.o(.text+0xf32): undefined reference to `SSLv23_server_method'
tls.o: In function `tls_init':
tls.o(.text+0x1654): undefined reference to `SSLv23_server_method'
tls.o(.text+0x165e): undefined reference to `SSLv23_client_method'
tls.o(.text+0x18d2): undefined reference to `SSL_CTX_set_tmp_rsa_callback'
tls.o: In function `tls_validate_require_cipher':
tls.o(.text+0x2a6d): undefined reference to `SSLv23_server_method'
tls.o: In function `tls_version_report':
tls.o(.text+0x2b29): undefined reference to `SSLeay_version'
tls.o(.text+0x2b36): undefined reference to `SSLeay_version'
tls.o: In function `vaguely_random_number':
tls.o(.text+0x2bf0): undefined reference to `RAND_pseudo_bytes'
Do we need more examples?
>
> >
> > --
> > Viktor.
> > _______________________________________________
> > openssl-users mailing list
> > To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
>
--
Member - Liberal International This is doctor@@nl2k.ab.ca Ici doctor@@nl2k.ab.ca
God,Queen and country!Never Satan President Republic!Beware AntiChrist rising!
http://www.fullyfollow.me/rootnl2k Look at Psalms 14 and 53 on Atheism
Birthdate 29 Jan 1969 Redhill, Surrey, UK
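
The link failures quoted in this message can be triaged mechanically. The following Python sketch is an added example, not code from the thread or from OpenSSL: it parses GNU ld "undefined reference" output and maps each missing name to its OpenSSL 1.1.0 successor. The `triage` function, the table layout and the "UNMAPPED" marker are assumptions of this example; only the SSLeay and SSLv23_server_method replacements are stated in the thread.

```python
import re

# Name missing at link time -> successor in OpenSSL 1.1.0. The SSLeay and
# SSLv23_server_method pairs are from the thread; the others are added here.
REPLACEMENTS = {
    "SSLeay": "OpenSSL_version_num",
    "SSLeay_version": "OpenSSL_version",
    "SSLv23_server_method": "TLS_server_method",
    "SSLv23_client_method": "TLS_client_method",
    "DH_generate_parameters": "DH_generate_parameters_ex",
    "RSA_generate_key": "RSA_generate_key_ex",
    "RAND_pseudo_bytes": "RAND_bytes",
    "SSL_state": "SSL_get_state",
    "SSL_CTX_set_tmp_rsa_callback": None,  # no successor: delete the call
}

IN_FUNC = re.compile(r"In function `([^']+)':")
UNDEF = re.compile(r"^(.*?):\s+undefined reference to `([^']+)'")

# Sample input: lines copied from the exim link output quoted in the message.
SAMPLE = """\
tls.o: In function `rsa_callback':
tls.o(.text+0x19a): undefined reference to `RSA_generate_key'
tls.o: In function `tls_init':
tls.o(.text+0x1654): undefined reference to `SSLv23_server_method'
tls.o(.text+0x165e): undefined reference to `SSLv23_client_method'
tls.o(.text+0x18d2): undefined reference to `SSL_CTX_set_tmp_rsa_callback'
tls.o: In function `vaguely_random_number':
tls.o(.text+0x2bf0): undefined reference to `RAND_pseudo_bytes'
"""

def triage(ld_output):
    """Map each undefined symbol to its replacement and the sites that use it."""
    report, func = {}, None
    for line in ld_output.splitlines():
        m = IN_FUNC.search(line)
        if m:
            func = m.group(1)  # ld names the function once per group of errors
        m = UNDEF.match(line.strip())
        if m:
            location, symbol = m.groups()
            entry = report.setdefault(symbol, {
                "replacement": REPLACEMENTS.get(symbol, "UNMAPPED"), "sites": []})
            entry["sites"].append((func, location))
    return report

if __name__ == "__main__":
    for symbol, entry in triage(SAMPLE).items():
        print(symbol, "->", entry["replacement"] or "delete the call", entry["sites"])
```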