[openssl-users] OpenSSL and dependencies such as openssh

The Doctor doctor at doctor.nl2k.ab.ca
Tue Jan 5 16:19:32 UTC 2016


On Mon, Jan 04, 2016 at 07:22:04PM +0000, Viktor Dukhovni wrote:
> On Mon, Jan 04, 2016 at 09:08:31AM -0700, The Doctor wrote:
> 
> >                 if ((rc = fprintf(fd ,"%08x (%s)\n", SSLeay(),
> >                     SSLeay_version(SSLEAY_VERSION))) <0)
> > 
> > Could there be anything that is causing openssh not to see the new openssl 1.1 
> 
> The above. The SSLeay names are gone.  The new way is:
> 
> 	     if ((rc = fprintf(fd ,"%08x (%s)\n", OpenSSL_version_num(),
> 		 OpenSSL_version(OPENSSL_VERSION))) <0)
> 
> I think it is likely prudent at this time to restore source-
> backwards-compatible behaviour, by adding to <openssl/crypto.h>:
> 
>     #if !defined(OPENSSL_API_COMPAT) || OPENSSL_API_COMPAT < 0x10100000L
>     # include <openssl/opensslv.h>
>     # define SSLeay                  OpenSSL_version_num
>     # define SSLeay_version          OpenSSL_version
>     # define SSLEAY_VERSION_NUMBER   OPENSSL_VERSION_NUMBER
>     # define SSLEAY_VERSION          OPENSSL_VERSION
>     # define SSLEAY_CFLAGS           OPENSSL_CFLAGS
>     # define SSLEAY_BUILT_ON         OPENSSL_BUILT_ON
>     # define SSLEAY_PLATFORM         OPENSSL_PLATFORM
>     # define SSLEAY_DIR              OPENSSL_DIR
>     #endif /* OPENSSL_API_COMPAT */
> 
> Users who want to make sure they are avoiding interfaces that are
> deprecated with 1.1.0 can set OPENSSL_API_COMPAT to 0x10100000L or
> higher as appropriate.


Tip of the iceberg.

A number of changes need to be committed before launching.

From inn:

tls.o: In function `tmp_dh_cb':
/usr/source/inn-CURRENT-20160105/nnrpd/tls.c:219: undefined reference to `DH_generate_parameters'
tls.o: In function `tls_init_serverengine':
/usr/source/inn-CURRENT-20160105/nnrpd/tls.c:498: undefined reference to `SSLv23_server_method'
gmake[1]: *** [nnrpd] Error 1              

so 219 and that area gives us

 default:
                /* We should check current keylength vs. requested keylength
                 * also, this is an extremely expensive operation! */
                dh = DH_generate_parameters(keylength, DH_GENERATOR_2, NULL, NULL);
                r = dh;   

I just comment these 2 lines out for now

line 498  is

CTX = SSL_CTX_new(SSLv23_server_method());

I just replace as follows

   CTX = SSL_CTX_new(TLS_server_method());

A better fix is needed.

And there is Apache 2.4

Making all in support
/usr/source/httpd-2.4.18/srclib/apr/libtool --silent --mode=link /usr/bin/gcc -std=gnu99  -Wmissing-prototypes -Wstrict-prototypes -Wmissing-declarations -Wpointer-arith -Wformat -Wformat-security  -Wall -g -O2 -L/usr/contrib/lib -lssl -lcrypto -lpthread        -o ab -static ab.lo   -L/usr/lib -lc -lm -ldl -liconv -lintl -lutil -ldb -levent   /usr/source/httpd-2.4.18/srclib/apr-util/libaprutil-1.la -lexpat /usr/source/httpd-2.4.18/srclib/apr/libapr-1.la -lpthread -lm
ab.o: In function `test':
/usr/source/httpd-2.4.18/support/ab.c:1863: undefined reference to `SSL_state' 

and this piece of code is

                        set_conn_state(c, STATE_CONNECTED);
#ifdef USE_SSL
                        if (c->ssl)
                            ssl_proceed_handshake(c);
                        else
#endif
                        write_request(c);  

Looks like a lot of rewriting to do.




> 
> -- 
> 	Viktor.

-- 
Member - Liberal International This is doctor@@nl2k.ab.ca Ici doctor@@nl2k.ab.ca
God,Queen and country!Never Satan President Republic!Beware AntiChrist rising! 
http://www.fullyfollow.me/rootnl2k  Look at Psalms 14 and 53 on Atheism
Birthdate 29 Jan 1969 Redhill, Surrey, UK
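
Added example, not part of the original message or of any project named in it: a shell audit that lists where a C source tree still uses the pre-1.1 names this thread runs into, with the replacement for each hit. The function names, the sample file, and the replacements for DH_generate_parameters and SSL_state are assumptions (the thread only gives replacements for SSLeay, SSLeay_version and SSLv23_server_method).

```shell
#!/bin/sh
# Added example (not from the thread): list uses of pre-1.1 OpenSSL names in a
# C source tree and print the replacement for each hit.

# old:new pairs. The first three replacements are stated in the thread; the
# last two are assumptions based on the 1.1.0 API and should be verified.
API_MAP='SSLeay:OpenSSL_version_num
SSLeay_version:OpenSSL_version
SSLv23_server_method:TLS_server_method
DH_generate_parameters:DH_generate_parameters_ex
SSL_state:SSL_get_state'

# scan_removed_api DIR
# Prints "path:line: old -> new" per hit. Exit status 1 if anything was found
# (so it can gate a build), 0 if the tree is clean.
scan_removed_api() {
    found=0
    for pair in $API_MAP; do
        old=${pair%%:*}
        new=${pair#*:}
        # -w matches whole identifiers only: SSLeay does not also hit
        # SSLeay_version, and DH_generate_parameters_ex is left alone.
        # /dev/null forces grep to print the file name even for one file.
        hits=$(find "$1" -type f \( -name '*.c' -o -name '*.h' \) \
                   -exec grep -nw -e "$old" /dev/null {} +) || true
        [ -n "$hits" ] || continue
        found=1
        printf '%s\n' "$hits" |
            awk -F: -v o="$old" -v n="$new" '{ print $1 ":" $2 ": " o " -> " n }'
    done
    return "$found"
}

# write_sample DIR: constructed input modelled on the lines quoted in the thread.
write_sample() {
    cat > "$1/tls.c" <<'EOF'
dh = DH_generate_parameters(keylength, DH_GENERATOR_2, NULL, NULL);
CTX = SSL_CTX_new(SSLv23_server_method());
fprintf(fd, "%08x (%s)\n", SSLeay(), SSLeay_version(SSLEAY_VERSION));
ok = DH_generate_parameters_ex(dh, keylength, DH_GENERATOR_2, NULL);
EOF
}
```

Call it as `scan_removed_api /path/to/source`. It is a text match, so names that appear only in comments or strings are reported too, and paths containing a colon will be split incorrectly.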

