curl 7.60.0 can list & work with openssl engines while curl 7.61.1 can't #3023

Closed
jeanfabrice opened this Issue Sep 20, 2018 · 9 comments

jeanfabrice commented Sep 20, 2018

In the following, openssl is openssl @1.0.2p_0. The same openssl.cnf is used for both tests.

I did this

$ sudo port installed curl
The following ports are currently installed:
  curl @7.59.0_0+ssl
  curl @7.60.0_0+ssl (active)
  curl @7.61.0_0+ssl 
$ curl --version
curl 7.60.0 (x86_64-apple-darwin17.5.0) libcurl/7.60.0 OpenSSL/1.0.2p zlib/1.2.11 libidn2/2.0.5 libpsl/0.20.2 (+libidn2/2.0.5)
Release-Date: 2018-05-16
Protocols: dict file ftp ftps gopher http https imap imaps pop3 pop3s rtsp smb smbs smtp smtps telnet tftp 
Features: AsynchDNS IDN IPv6 Largefile NTLM NTLM_WB SSL libz TLS-SRP UnixSockets HTTPS-proxy PSL 
$ curl --engine list
Build-time engines:
  rdrand
  dynamic
  pkcs11

$ sudo port activate curl @7.61.0_0+ssl
--->  Computing dependencies for curl
--->  Deactivating curl @7.60.0_0+ssl
--->  Cleaning curl
--->  Activating curl @7.61.0_0+ssl
--->  Cleaning curl
$ curl --version
curl 7.61.0 (x86_64-apple-darwin17.6.0) libcurl/7.61.0 OpenSSL/1.0.2p zlib/1.2.11 libidn2/2.0.5 libpsl/0.20.2 (+libidn2/2.0.5)
Release-Date: 2018-07-11
Protocols: dict file ftp ftps gopher http https imap imaps pop3 pop3s rtsp smb smbs smtp smtps telnet tftp 
Features: AsynchDNS IDN IPv6 Largefile NTLM NTLM_WB SSL libz TLS-SRP UnixSockets HTTPS-proxy PSL
$ curl --engine list
Build-time engines:
  <none>

I expected the following

$ curl --version
curl 7.61.0 (x86_64-apple-darwin17.6.0) libcurl/7.61.0 OpenSSL/1.0.2p zlib/1.2.11 libidn2/2.0.5 libpsl/0.20.2 (+libidn2/2.0.5)
Release-Date: 2018-07-11
Protocols: dict file ftp ftps gopher http https imap imaps pop3 pop3s rtsp smb smbs smtp smtps telnet tftp 
Features: AsynchDNS IDN IPv6 Largefile NTLM NTLM_WB SSL libz TLS-SRP UnixSockets HTTPS-proxy PSL
$ curl --engine list
Build-time engines:
  rdrand
  dynamic
  pkcs11

operating system

Mac OS 10.13.6 & MacPorts 2.5.3

@bagder bagder added the SSL/TLS label Sep 20, 2018

@bagder

Member

bagder commented Sep 20, 2018

Thanks, but this issue is already fixed.

Fixed in d6417f6 (7.61.1) which made it work with OpenSSL 1.0.0+

and then again in 1599dfc (not released yet) which made it work with OpenSSL 0.9.8+

Duplicate of #2732

@bagder bagder closed this Sep 20, 2018

@jeanfabrice

jeanfabrice commented Sep 20, 2018

Well, I tried with 7.61.1 too. No more success:

$ sudo port installed curl
The following ports are currently installed:
  curl @7.59.0_0+ssl
  curl @7.60.0_0+ssl
  curl @7.61.0_0+ssl
  curl @7.61.1_0+ssl (active)
$ curl -V
curl 7.61.1 (x86_64-apple-darwin17.7.0) libcurl/7.61.1 OpenSSL/1.0.2p zlib/1.2.11 libidn2/2.0.5 libpsl/0.20.2 (+libidn2/2.0.5)
Release-Date: 2018-09-05
Protocols: dict file ftp ftps gopher http https imap imaps pop3 pop3s rtsp smb smbs smtp smtps telnet tftp 
Features: AsynchDNS IDN IPv6 Largefile NTLM NTLM_WB SSL libz TLS-SRP UnixSockets HTTPS-proxy PSL 
$ curl --engine list
Build-time engines:
  <none>

@bagder bagder reopened this Sep 20, 2018

@bagder

Member

bagder commented Sep 20, 2018

Then there's a different problem...

@bagder bagder changed the title from curl 7.60.0 can list & work with openssl engines while curl 7.61.0 can't to curl 7.60.0 can list & work with openssl engines while curl 7.61.1 can't Sep 20, 2018

@bagder bagder added the help wanted label Sep 20, 2018

@jeanfabrice

jeanfabrice commented Sep 21, 2018

No luck in bisecting the 158 commits between 7_60_0 and 7_61_0. Lots of unrelated errors at compile time.

@bagder

Member

bagder commented Sep 21, 2018

That sounds even weirder. Most commits we merge have been verified to build cleanly on numerous platforms and build combos. So even if there's an occasional build failure, they should be rare.

@jeanfabrice

jeanfabrice commented Sep 21, 2018

You are right, sorry. Mistake was on my side because I did not run buildconf between each bisect.

So, bisecting properly between 7_60_0 and 7_61_0 confirms that 38203f1 is the first bad commit.

Unfortunately, d6417f6 does not solve the issue; SSL engine list is still empty after this commit. No more success after checking out 1599dfc.
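
The bisect described above can be automated so that the build files are regenerated at every step. This is an added example, not code from the thread or the curl project; the script name `bisect-engines.sh`, the function names and the configure options are assumptions (a MacPorts OpenSSL would likely need an explicit `--with-ssl=` prefix).

```shell
#!/bin/sh
# Added example: one step for `git bisect run`, checking the engine list.
# Assumed usage from a curl git checkout (tag names as used in the thread):
#   git bisect start curl-7_61_0 curl-7_60_0
#   git bisect run sh bisect-engines.sh --run

# Classify the text printed by `curl --engine list`.
# Returns 0 (good) if at least one engine is listed, 1 (bad) if the list
# is "<none>" or empty, 125 (skip) if the expected header is missing.
classify_engine_list() {
  out=$1
  case $out in
    *"Build-time engines:"*) ;;
    *) return 125 ;;
  esac
  # Collect the first word of every non-empty line after the header.
  engines=$(printf '%s\n' "$out" |
    awk 'seen && NF { print $1 } /Build-time engines:/ { seen = 1 }')
  case $engines in
    ""|"<none>") return 1 ;;
    *) return 0 ;;
  esac
}

# Build the checked-out revision and test it. Exit code 125 tells
# git bisect to skip a revision that cannot be built.
bisect_step() {
  # Regenerate configure for every revision; skipping this step is what
  # caused the unrelated compile errors reported in the thread.
  ./buildconf >/dev/null 2>&1 || return 125
  ./configure --with-ssl --disable-shared >/dev/null 2>&1 || return 125
  make >/dev/null 2>&1 || return 125
  classify_engine_list "$(./src/curl --engine list 2>/dev/null)"
}

# Only build when called with --run, so the functions can be sourced.
if [ "${1:-}" = "--run" ]; then
  bisect_step
  exit $?
fi
```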

@bagder

Member

bagder commented Sep 24, 2018

Is this the missing piece?

diff --git a/lib/vtls/openssl.c b/lib/vtls/openssl.c
index 230eea2d0..551298926 100644
--- a/lib/vtls/openssl.c
+++ b/lib/vtls/openssl.c
@@ -976,11 +976,11 @@ static int Curl_ossl_init(void)
   char *keylog_file_name;
 #endif
 
   OPENSSL_load_builtin_modules();
 
-#ifdef HAVE_ENGINE_LOAD_BUILTIN_ENGINES
+#ifdef USE_OPENSSL_ENGINE
   ENGINE_load_builtin_engines();
 #endif
 
   /* OPENSSL_config(NULL); is "strongly recommended" to use but unfortunately
      that function makes an exit() call on wrongly formatted config files
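
Review bot: the `#ifdef` in front of `ENGINE_load_builtin_engines();` now keys on USE_OPENSSL_ENGINE, but nothing visible here shows that HAVE_ENGINE_LOAD_BUILTIN_ENGINES is gone from the rest of the tree. If the build no longer defines that macro, any other block still guarded by it is compiled out just as silently as this one was. Consider grepping for remaining uses and dropping them in the same commit, and adding a regression check that `curl --engine list` does not print `<none>` on an engine-enabled build, since this failure produced no build or runtime error.
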
@jeanfabrice

jeanfabrice commented Sep 24, 2018

That is the perfect missing piece, thank you!
Works exactly as expected on both curl-7_61_0 and curl-7_61_1 after patching them

@bagder

Member

bagder commented Sep 24, 2018

excellent! 👍

bagder added a commit that referenced this issue Sep 24, 2018

openssl: load built-in engines too
Regression since 38203f1

Reported-by: Jean Fabrice
Fixes #3023

@bagder bagder removed the help wanted label Sep 24, 2018

@bagder bagder closed this in e2dd435 Sep 24, 2018

netgate-git-updates pushed a commit to pfsense/FreeBSD-ports that referenced this issue Oct 16, 2018

Fix the OpenSSL engine support in curl.
Obtained from:	curl/curl#3023

(cherry picked from commit 3c0078e)
