[openssl-users] Build of 1.0.2g fails

Jason Schultz jetson23 at hotmail.com
Wed Mar 23 15:07:46 UTC 2016

Greetings. I am re-posting this message (as well as another message) to the list as I was having problems with my list membership when it was posted, and I also made a mistake in the subject line, which may have deterred some responses.

I'm having problems building OpenSSL, starting with 1.0.1g. The 
scenario is as follows.

I'm not sure when the problem was introduced; however, with the compiling-out 
of SSLv2 *by default* in 1.0.2g, that change has exacerbated this problem.  
(That is, instead of affecting only those who selected "no-ssl2", it now 
affects everyone *except* those that explicitly select "ssl2".)

First, the existing package runs a self-test during the package build process.  
One of those tests verifies SSL (ssl/ssltest.c), and another verifies SSL usage 
when FIPS is active (test/testfipsssl).  The code in ssl/ssltest.c has a 
section that detects if the requested encryption mechanism has been disabled at 
build time ("compiled out").  If this situation is detected, an "OK" status is 
returned so that the test driver can determine what to do.  When FIPS is 
compiled, configured, and enabled, calling the SSL verification from 
test/testfipsssl to verify SSLv2 or SSLv3 support should result in a "Fail" 
status since neither SSLv2 nor SSLv3 is supported with FIPS.  However, when the 
"no-sslv2" and/or "no-sslv3" build options are selected, neither mechanism gets 
compiled in, so the SSL verification test detects this and immediately returns 
"OK" status.  Since FIPS is compiled, configured, and enabled, a "Fail" status 
is expected by test/testfipsssl instead, so the "OK" status that is received 
because the ciphers are not present is handled as a test failure, thereby 
aborting the build.

To make the package build correctly with "no-sslv2" or "no-sslv3" specified, I 
had to add the following:

Index: ssl/ssltest.c
--- ssl/ssltest.c (revision 4068)
+++ ssl/ssltest.c (working copy)
@@ -1203,8 +1203,20 @@
     if (no_protocol) {
         fprintf(stderr, "Testing was requested for a disabled protocol. "
                 "Skipping tests.\n");
+        /*
+         * If FIPS is enabled, then neither SSLv2 nor SSLv3 are permitted 
+         * In this case, the fact that one or both are compiled-out is a good 
+         * so we continue onward to return the expected error status instead.
+         */
+        if (!fips_mode || !FIPS_mode_set(1) || !(ssl2 || ssl3)) {
+            ret = 0;
+            goto end;
+        }
         ret = 0;
         goto end;

     if (!ssl2 && !ssl3 && !tls1 && !dtls1 && !dtls12 && number > 1 && !reuse 
&& !force) {
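Review bot: the new `if` block has no effect as shown, because the unchanged lines `ret = 0;` / `goto end;` directly below it still execute when the condition is false, so a FIPS-enabled request for SSLv2/SSLv3 on a build with those protocols compiled out still returns OK rather than "continuing onward to return the expected error status" as the comment promises; those two original lines need to be removed (`-`) in this hunk for the change to do anything. Smaller points: `FIPS_mode_set(1)` changes state and is an odd thing to call inside a condition that is only meant to ask whether FIPS is on; `FIPS_mode()` is the read-only query. The comment text is also incomplete ("are permitted" lacks a period, and "is a good" is missing its noun). Finally, the header `@@ -1203,8 +1203,20 @@` announces 12 added lines but only 9 `+` lines appear, so the hunk looks truncated in the paste and reviewers cannot see the full change.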

Is this a known problem? Is there a solution available?

Thanks in advance.

