Fix OpenSSL 1.1 support #1997

Merged
merged 4 commits into from
Apr 19, 2018

MrAnno
Collaborator

@MrAnno MrAnno commented Apr 17, 2018

Building OpenSSL without support for deprecated APIs revealed additional API changes.

Fixes #1921

Reproduction:

  1. Build OpenSSL 1.1 without deprecated API support:

         ./config no-deprecated --prefix=/tmp/openssl
         make -j4
         make install

  2. Configure and build syslog-ng as follows:

         env PKG_CONFIG_PATH=/tmp/openssl/lib/pkgconfig ./configure
         make -j4

TODO:

  • CMake

@kira-syslogng
Contributor

success

@MrAnno
Collaborator Author

MrAnno commented Apr 17, 2018

This pull request reorganizes a few lines of OpenSSL compatibility code. I'm pretty sure it's correct, but I've only tested it with OpenSSL 1.1.0h and 1.0.2o (the supported versions).

@czanik Do you have platforms where older/unsupported OpenSSL versions are used by default? If so, can you compile my branch please?

@czanik
Contributor

czanik commented Apr 18, 2018

RPM distros seem to have either a supported version of openssl 1.1 or are still on openssl 1.0 (RHEL / CentOS, SLES 12 / Leap 42)

FreeBSD uses openssl 1.0 by default. 1.1 is available in the openssl-devel port, version 1.1g

Fedora 27:

bash-4.4$ rpm -qi openssl | head
Name        : openssl
Epoch       : 1
Version     : 1.1.0h
Release     : 3.fc27
Architecture: x86_64
Install Date: Fri 06 Apr 2018 21:21:15 CEST
Group       : System Environment/Libraries
Size        : 979500
License     : OpenSSL
Signature   : RSA/SHA256, Tue 03 Apr 2018 15:37:55 CEST, Key ID f55e7430f5282ee4

opensuse Leap 15 beta:

linux-h3su:~ # rpm -qi openssl | head
Name        : openssl
Version     : 1.1.0h
Release     : lp150.1.1
Architecture: noarch
Install Date: Tue 17 Apr 2018 15:37:20 CEST
Group       : Productivity/Networking/Security
Size        : 246
License     : OpenSSL
Signature   : RSA/SHA256, Sat 31 Mar 2018 00:34:53 CEST, Key ID b88b2fd43dbdc284
Source RPM  : openssl-1.1.0h-lp150.1.1.src.rpm

@MrAnno
Collaborator Author

MrAnno commented Apr 18, 2018

@czanik Thanks. I was interested in OpenSSL versions < 1.0.2 (for example, 0.9.8, 1.0.0 and 1.0.1). They are unsupported versions, so they shouldn't be used, but I wanted to make sure.

@czanik
Contributor

czanik commented Apr 18, 2018

  • RHEL/CentOS 6 has openssl 1.0.1e
  • SLES 11 has 0.9.8j

We can EoL SLES 11 support in OSE, but RHEL 6 is still one of our most important platforms after RHEL 7. It is supported for yet another few years and is the base for AWS Linux.

@MrAnno
Collaborator Author

MrAnno commented Apr 18, 2018

@czanik Thank you for the quick answer! :)

My change should work fine with older OpenSSL versions as well.
I'll check 1.0.1e; can you give it a try and compile my branch on SLES 11 (0.9.8j)?

@kira-syslogng
Contributor

success

@czanik
Contributor

czanik commented Apr 19, 2018

Patched git sources and generated a release tarball using dbld. Tested compile on SLES 11 SP4, and it failed:

[   33s]   CC       lib/tests_loggen_loggen-crypto.o
[   33s] libtool: link: gcc -O2 -g -pthread -fmessage-length=0 -O2 -Wall -D_FORTIFY_SOURCE=2 -fstack-protector -funwind-tables -fasynchronous-unwind-tables -Wno-error -o iv_signal_thread_test iv_signal_thread_test.o  ./../src/.libs/libivykis.a -lrt -lpthread_nonshared -pthread
[   33s] /bin/sh ./libtool  --tag=CC   --mode=link gcc  -O2 -g -pthread -fmessage-length=0 -O2 -Wall -D_FORTIFY_SOURCE=2 -fstack-protector -funwind-tables -fasynchronous-unwind-tables -Wno-error   -o iv_wait_test iv_wait_test.o ./../src/libivykis.la 
[   33s]   CC       lib/compat/tests_loggen_loggen-openssl_support.o
[   33s] libtool: link: gcc -O2 -g -pthread -fmessage-length=0 -O2 -Wall -D_FORTIFY_SOURCE=2 -fstack-protector -funwind-tables -fasynchronous-unwind-tables -Wno-error -o iv_wait_test iv_wait_test.o  ./../src/.libs/libivykis.a -lrt -lpthread_nonshared -pthread
[   33s] /bin/sh ./libtool  --tag=CC   --mode=link gcc  -O2 -g -pthread -fmessage-length=0 -O2 -Wall -D_FORTIFY_SOURCE=2 -fstack-protector -funwind-tables -fasynchronous-unwind-tables -Wno-error   -o server server.o ./../src/libivykis.la 
[   33s] lib/compat/openssl_support.c:56: error: expected ')' before '*' token
[   33s] lib/compat/openssl_support.c: In function '_init_threadid_callback':
[   33s] lib/compat/openssl_support.c:64: warning: implicit declaration of function 'CRYPTO_THREADID_set_callback'
[   33s] lib/compat/openssl_support.c:64: error: '_ssl_thread_id2' undeclared (first use in this function)
[   33s] lib/compat/openssl_support.c:64: error: (Each undeclared identifier is reported only once
[   33s] lib/compat/openssl_support.c:64: error: for each function it appears in.)
[   33s] make[2]: *** [lib/compat/tests_loggen_loggen-openssl_support.o] Error 1
[   33s] make[2]: *** Waiting for unfinished jobs....
[   33s] /bin/sh ./libtool  --tag=CC   --mode=link gcc  -O2 -g -pthread -fmessage-length=0 -O2 -Wall -D_FORTIFY_SOURCE=2 -fstack-protector -funwind-tables -fasynchronous-unwind-tables -Wno-error   -o server_thread server_thread-server.o ./../src/libivykis.la 
[   33s] libtool: link: gcc -O2 -g -pthread -fmessage-length=0 -O2 -Wall -D_FORTIFY_SOURCE=2 -fstack-protector -funwind-tables -fasynchronous-unwind-tables -Wno-error -o server server.o  ./../src/.libs/libivykis.a -lrt -lpthread_nonshared -pthread
[   33s] libtool: link: gcc -O2 -g -pthread -fmessage-length=0 -O2 -Wall -D_FORTIFY_SOURCE=2 -fstack-protector -funwind-tables -fasynchronous-unwind-tables -Wno-error -o server_thread server_thread-server.o  ./../src/.libs/libivykis.a -lrt -lpthread_nonshared -pthread
[   33s] Making all in contrib
[   33s] Making all in iv_getaddrinfo
[   33s] gcc -DHAVE_CONFIG_H -I. -I../..  -D_GNU_SOURCE -I../../src/include -I../../src/include   -O2 -g -pthread -fmessage-length=0 -O2 -Wall -D_FORTIFY_SOURCE=2 -fstack-protector -funwind-tables -fasynchronous-unwind-tables -Wno-error -MT test.o -MD -MP -MF .deps/test.Tpo -c -o test.o test.c
[   33s] gcc -DHAVE_CONFIG_H -I. -I../..  -D_GNU_SOURCE -I../../src/include -I../../src/include   -O2 -g -pthread -fmessage-length=0 -O2 -Wall -D_FORTIFY_SOURCE=2 -fstack-protector -funwind-tables -fasynchronous-unwind-tables -Wno-error -MT iv_getaddrinfo.o -MD -MP -MF .deps/iv_getaddrinfo.Tpo -c -o iv_getaddrinfo.o iv_getaddrinfo.c
[   33s] mv -f .deps/test.Tpo .deps/test.Po
[   33s] mv -f .deps/iv_getaddrinfo.Tpo .deps/iv_getaddrinfo.Po
[   33s] /bin/sh ../../libtool  --tag=CC   --mode=link gcc  -O2 -g -pthread -fmessage-length=0 -O2 -Wall -D_FORTIFY_SOURCE=2 -fstack-protector -funwind-tables -fasynchronous-unwind-tables -Wno-error   -o test test.o iv_getaddrinfo.o ../../src/libivykis.la -lrt -lpthread_nonshared 
[   33s] libtool: link: gcc -O2 -g -pthread -fmessage-length=0 -O2 -Wall -D_FORTIFY_SOURCE=2 -fstack-protector -funwind-tables -fasynchronous-unwind-tables -Wno-error -o test test.o iv_getaddrinfo.o  ../../src/.libs/libivykis.a -lrt -lpthread_nonshared -pthread
[   33s] make[6]: Nothing to be done for `all-am'.
[   33s] Making all in misc
[   33s] make[5]: Nothing to be done for `all'.
[   33s] Making all in man3
[   33s] make[5]: Nothing to be done for `all'.
[   33s] make[1]: *** [all-recursive] Error 1
[   33s] make: *** [all] Error 2
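
The log above shows 0.9.8j has no `CRYPTO_THREADID_set_callback`. As an added example (not part of this thread or of syslog-ng's code), the C sketch below decodes `OPENSSL_VERSION_NUMBER` for the releases named in the discussion and picks the thread-id registration call each one offers. The function names are hypothetical, and the 1.0.0 and 1.1.0 thresholds are taken from OpenSSL's release history, not from this pull request's diff.

```c
/* Added example, not syslog-ng code; all names here are hypothetical. */
#include <stdio.h>

/* Thread-id registration call a build against a given OpenSSL needs. */
typedef enum {
    TID_SET_ID_CALLBACK,        /* <  1.0.0: CRYPTO_set_id_callback() */
    TID_THREADID_SET_CALLBACK,  /* 1.0.x:    CRYPTO_THREADID_set_callback() */
    TID_NONE                    /* >= 1.1.0: no registration needed */
} tid_api;
typedef struct { unsigned major, minor, fix, patch, status; } ossl_ver;

/* OPENSSL_VERSION_NUMBER is laid out as 0xMNNFFPPS (pre-3.0 scheme). */
ossl_ver decode_version(unsigned long v)
{
    ossl_ver r = { (unsigned)(v >> 28) & 0xf, (unsigned)(v >> 20) & 0xff,
                   (unsigned)(v >> 12) & 0xff, (unsigned)(v >> 4) & 0xff,
                   (unsigned)v & 0xf };
    return r;
}

/* The same comparisons a compat header makes with #if at compile time. */
tid_api select_tid_api(unsigned long v)
{
    if (v < 0x10000000UL) return TID_SET_ID_CALLBACK;
    if (v < 0x10100000UL) return TID_THREADID_SET_CALLBACK;
    return TID_NONE;
}

/* Render "1.0.1e"-style text; patch 1..26 maps to a..z, 0 to no letter. */
int format_version(unsigned long v, char *buf, size_t len)
{
    ossl_ver r = decode_version(v);
    char letter[2] = { 0, 0 };
    if (r.patch >= 1 && r.patch <= 26) letter[0] = (char)('a' + r.patch - 1);
    return snprintf(buf, len, "%u.%u.%u%s", r.major, r.minor, r.fix, letter);
}

int main(void)
{
    /* Constructed inputs: version numbers of the releases named in the thread. */
    static const unsigned long v[] = { 0x009080afUL, 0x1000105fUL, 0x100020ffUL, 0x1010008fUL };
    static const char *api[] = { "CRYPTO_set_id_callback", "CRYPTO_THREADID_set_callback", "none" };
    char buf[16];
    for (size_t i = 0; i < sizeof v / sizeof v[0]; i++) {
        format_version(v[i], buf, sizeof buf);
        printf("%-7s -> %s\n", buf, api[select_tid_api(v[i])]);
    }
    return 0;
}
```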

@MrAnno
Collaborator Author

MrAnno commented Apr 19, 2018

@czanik Oops, that's unpleasant. I've fixed this. Thank you very much for your help.

Signed-off-by: László Várady <laszlo.varady@balabit.com>
Signed-off-by: László Várady <laszlo.varady@balabit.com>
Signed-off-by: László Várady <laszlo.varady@balabit.com>
Building OpenSSL without support for deprecated APIs (--api=1.1.0)
revealed additional API changes.

Signed-off-by: László Várady <laszlo.varady@balabit.com>
@kira-syslogng
Contributor

success

@kira-syslogng
Contributor

success

@lbudai
Collaborator

lbudai commented Apr 19, 2018

@MrAnno , @czanik : another test before merge?

@MrAnno
Collaborator Author

MrAnno commented Apr 19, 2018

It compiles on CentOS 6.9 (OpenSSL 1.0.1e).

@lbudai
Collaborator

lbudai commented Apr 19, 2018

ok, then I push the merge button

@lbudai lbudai merged commit 80cbbd7 into syslog-ng:master Apr 19, 2018
@MrAnno MrAnno mentioned this pull request Apr 23, 2018