Compatibility with OpenSSL 1.1 #1395
Thanks for forwarding the issue here, will take a look.
@unbit I think we have a problem: you poked with struct internals which have now been made opaque and thus we no longer have access to them. With the untested patch above, these two hunks need a rework:
@xrmx I see no other solution than removing the ssl cache sync feature (well, I do not think anyone is using it...)
Since OpenSSL 1.1.0 made some structs opaque and thus we cannot poke with the internals anymore. Because of that we have to disable the ssl session cache. Ref unbit#1395
@unbit I've updated the branch above, any chance you can give it a run? It compiles fine on my machine with openssl 1.1.0 but I haven't tested it. My only concern is that in both core/ssl.c and http/spdy3.c we have to ifdef this kind of code. Is it a security issue? Like now we can downgrade to a weaker crypto?
Looks good to me. It is sad we need to disable a feature, but I suppose no one will cry for this :)
@jonassmedegaard You can cherry-pick 2b3fb73 for building against openssl 1.1.0
Thanks!
This still gives linker errors (after fixes done in 5537b69) on FreeBSD. I assume tests done here use an openssl version built with OPENSSL_API_COMPAT, as the linker errors all reference functions guarded by that flag:
Defining OPENSSL_API_COMPAT (CFLAGS+=-DOPENSSL_API_COMPAT=0x10000000) during uWSGI build doesn't help. It isn't a lot to fix and the best approach (also with respect to commit 2b3fb73) is probably to follow the OpenSSL wiki and implement the new functions.
The above is because the
@melvyn-sopacua nice, thanks for digging the issue. I have no clue on how to forward the issue to FreeBSD though.
@xrmx Already done. It wasn't until I put in forward compatible code, that I realized I was hitting that code, while I shouldn't be. Then the proverbial light bulb came on.
@jleclanche a 2.0.15 release is planned, personally I don't have much free time to spend on uwsgi lately
@jleclanche the #1490 is blocking the release, as soon as it is fixed I will upload the 2.0.15
Very much look forward to 2.0.15 release.
It has been scheduled for 20170330: https://github.com/unbit/uwsgi-docs/blob/master/Changelog-2.0.15.rst
2.0.15 is up on pypi, so this can be closed, no?
Apparently, older uwsgi doesn't install properly on systems with newer versions of OpenSSL; see unbit/uwsgi#1395 for details. This fixes zulip#7609.
Guys, any news on fixing this one? I see @xrmx should have fixed this already, but I still can't build 2.0.18 with OpenSSL 1.1.1. What should I do?
@enchantner double check you are not doing something silly and open a new issue with a proper error and environment info.
Debian wants to switch to OpenSSL 1.1 and uwsgi is currently failing to build with that version as reported in https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=828590
It would be nice if uwsgi could be made to work with OpenSSL 1.1 too.