Mailing List Archive

[Bug 68080] OPENSSL_NO_ENGINE from openssl/opensslconf.h ignored
https://bz.apache.org/bugzilla/show_bug.cgi?id=68080

Bernard Spil <brnrd@freebsd.org> changed:

What    |Removed                     |Added
----------------------------------------------------------------------------
OS      |                            |All
Summary |OPENSSL_NO_ENGINE from      |OPENSSL_NO_ENGINE from
        |openssl/opensslconf.h       |openssl/opensslconf.h
        |                            |ignored

--
You are receiving this mail because:
You are the assignee for the bug.
---------------------------------------------------------------------
To unsubscribe, e-mail: bugs-unsubscribe@httpd.apache.org
For additional commands, e-mail: bugs-help@httpd.apache.org
[Bug 68080] OPENSSL_NO_ENGINE from openssl/opensslconf.h ignored
https://bz.apache.org/bugzilla/show_bug.cgi?id=68080

--- Comment #2 from Yann Ylavic <ylavic.dev@gmail.com> ---
Created attachment 39349
--> https://bz.apache.org/bugzilla/attachment.cgi?id=39349&action=edit
Unset MODSSL_HAVE_ENGINE_API for OPENSSL_NO_ENGINE

I'm wondering if we still want to allow for "SSLCryptoDevice builtin" when
OPENSSL_NO_ENGINE is set. I don't know how much this setting is used nor if we
should care, but given that "builtin" is the same as no SSLCryptoDevice maybe
we could still let httpd start even if it's built against openssl >= 3 or
OPENSSL_NO_ENGINE.
The ENGINE api is deprecated in openssl >= 3 so in r1908537 we defined/used
MODSSL_HAVE_ENGINE_API to compile out any code using it, maybe we could do that
too for OPENSSL_NO_ENGINE like in this patch? Does it work for your case?

[Bug 68080] OPENSSL_NO_ENGINE from openssl/opensslconf.h ignored
https://bz.apache.org/bugzilla/show_bug.cgi?id=68080

--- Comment #3 from Joe Orton <jorton@redhat.com> ---
(In reply to Yann Ylavic from comment #2)
> Created attachment 39349 [details]
> Unset MODSSL_HAVE_ENGINE_API for OPENSSL_NO_ENGINE

+1

> I'm wondering if we still want to allow for "SSLCryptoDevice builtin" when
> OPENSSL_NO_ENGINE is set. I don't know how much this setting is used nor if
> we should care, but given that "builtin" is the same as no SSLCryptoDevice
> maybe we could still let httpd start even if it's built against openssl >= 3
> or OPENSSL_NO_ENGINE.

+1, and removing the:

#if defined(HAVE_OPENSSL_ENGINE_H) && defined(HAVE_ENGINE_INIT)

should do it?

> The ENGINE api is deprecated in openssl >= 3 so in r1908537 we defined/used
> MODSSL_HAVE_ENGINE_API to compile out any code using it, maybe we could do
> that too for OPENSSL_NO_ENGINE like in this patch? Does it work for your
> case?

[Bug 68080] OPENSSL_NO_ENGINE from openssl/opensslconf.h ignored
https://bz.apache.org/bugzilla/show_bug.cgi?id=68080

--- Comment #4 from Joe Orton <jorton@redhat.com> ---
Created attachment 39370
--> https://bz.apache.org/bugzilla/attachment.cgi?id=39370&action=edit
allow SSLCryptoDevice builtin to be configured w/o any ENGINE support in
openSSL

[Bug 68080] OPENSSL_NO_ENGINE from openssl/opensslconf.h ignored
https://bz.apache.org/bugzilla/show_bug.cgi?id=68080

--- Comment #5 from Bernard Spil <brnrd@freebsd.org> ---
(In reply to Yann Ylavic from comment #2)
> Created attachment 39349 [details]
> Unset MODSSL_HAVE_ENGINE_API for OPENSSL_NO_ENGINE
>
> I'm wondering if we still want to allow for "SSLCryptoDevice builtin" when
> OPENSSL_NO_ENGINE is set. I don't know how much this setting is used nor if
> we should care, but given that "builtin" is the same as no SSLCryptoDevice
> maybe we could still let httpd start even if it's built against openssl >= 3
> or OPENSSL_NO_ENGINE.
> The ENGINE api is deprecated in openssl >= 3 so in r1908537 we defined/used
> MODSSL_HAVE_ENGINE_API to compile out any code using it, maybe we could do
> that too for OPENSSL_NO_ENGINE like in this patch? Does it work for your
> case?

The 2.4.x branch does not have MODSSL_HAVE_ENGINE_API at all, any hint on what
branch to test that is similar to what I can expect to see as 2.4.59?

I'm trying to create a patch for the FreeBSD port (I'm part of the apache team
in FreeBSD ports). May well go with OpenBSD's solution: setting
ac_cv_func_ENGINE_init=no in configure's env.
(https://cvsweb.openbsd.org/cgi-bin/cvsweb/~checkout~/ports/www/apache-httpd/Makefile?rev=1.126.2.2&content-type=text/plain).

[Bug 68080] OPENSSL_NO_ENGINE from openssl/opensslconf.h ignored
https://bz.apache.org/bugzilla/show_bug.cgi?id=68080

--- Comment #6 from Yann Ylavic <ylavic.dev@gmail.com> ---
(In reply to Bernard Spil from comment #5)
> (In reply to Yann Ylavic from comment #2)
> > Created attachment 39349 [details]
> > Unset MODSSL_HAVE_ENGINE_API for OPENSSL_NO_ENGINE
> >
> > I'm wondering if we still want to allow for "SSLCryptoDevice builtin" when
> > OPENSSL_NO_ENGINE is set. I don't know how much this setting is used nor if
> > we should care, but given that "builtin" is the same as no SSLCryptoDevice
> > maybe we could still let httpd start even if it's built against openssl >= 3
> > or OPENSSL_NO_ENGINE.
> > The ENGINE api is deprecated in openssl >= 3 so in r1908537 we defined/used
> > MODSSL_HAVE_ENGINE_API to compile out any code using it, maybe we could do
> > that too for OPENSSL_NO_ENGINE like in this patch? Does it work for your
> > case?
>
> The 2.4.x branch does not have MODSSL_HAVE_ENGINE_API at all, any hint on
> what branch to test that is similar to what I can expect to see as 2.4.59?

There is https://github.com/apache/httpd/pull/381 which is a backport I plan to
propose for the next release.

[Bug 68080] OPENSSL_NO_ENGINE from openssl/opensslconf.h ignored
https://bz.apache.org/bugzilla/show_bug.cgi?id=68080

Yann Ylavic <ylavic.dev@gmail.com> changed:

What |Removed |Added
----------------------------------------------------------------------------
Keywords| |FixedInTrunk

--- Comment #7 from Yann Ylavic <ylavic.dev@gmail.com> ---
(In reply to Joe Orton from comment #4)
> Created attachment 39370 [details]
> allow SSLCryptoDevice builtin to be configured w/o any ENGINE support in
> openSSL

Thanks Joe, I pushed the whole in r1913815.

[Bug 68080] OPENSSL_NO_ENGINE from openssl/opensslconf.h ignored
https://bz.apache.org/bugzilla/show_bug.cgi?id=68080

--- Comment #8 from Yann Ylavic <ylavic.dev@gmail.com> ---
> There is https://github.com/apache/httpd/pull/381 which is a backport I plan
> to propose for the next release.

r1913815 is now included in this PR, so the full patch would be:
https://patch-diff.githubusercontent.com/raw/apache/httpd/pull/381.diff

[Bug 68080] OPENSSL_NO_ENGINE from openssl/opensslconf.h ignored
https://bz.apache.org/bugzilla/show_bug.cgi?id=68080

--- Comment #9 from Yann Ylavic <ylavic.dev@gmail.com> ---
Proposed for backport to 2.4.x (r1913834).

[Bug 68080] OPENSSL_NO_ENGINE from openssl/opensslconf.h ignored
https://bz.apache.org/bugzilla/show_bug.cgi?id=68080

Graham Leggett <minfrin@apache.org> changed:

What |Removed |Added
----------------------------------------------------------------------------
Resolution|--- |FIXED
Status|NEW |RESOLVED

--- Comment #10 from Graham Leggett <minfrin@apache.org> ---
Backported to v2.4.59.

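The compile-time gating discussed in comments #2 to #4, sketched as an added example (not httpd source and not the attached patches): the ENGINE code path is enabled only when configure found it, the OpenSSL version predates 3, and OPENSSL_NO_ENGINE is unset, while "builtin" is accepted regardless. The DEMO_* names and the stand-in macro values are assumptions, chosen so the block compiles without OpenSSL headers.

```c
/* Added illustration, not httpd source. DEMO_* names are hypothetical; the
 * four defines below are constructed stand-ins for what configure and
 * <openssl/opensslconf.h> would provide on an OpenSSL 1.1.1 no-engine build. */
#include <stddef.h>
#include <string.h>

#define HAVE_OPENSSL_ENGINE_H 1            /* configure found the header    */
#define HAVE_ENGINE_INIT 1                 /* configure found ENGINE_init   */
#define DEMO_OPENSSL_VERSION 0x1010117fL   /* stand-in: OpenSSL 1.1.1w      */
#define DEMO_OPENSSL_NO_ENGINE 1           /* stand-in: OPENSSL_NO_ENGINE   */

/* The gate: configure results alone are not sufficient; the library's own
 * opt-out and the deprecation in OpenSSL >= 3 must also be honoured. */
#if defined(HAVE_OPENSSL_ENGINE_H) && defined(HAVE_ENGINE_INIT) \
    && DEMO_OPENSSL_VERSION < 0x30000000L \
    && !defined(DEMO_OPENSSL_NO_ENGINE)
#include <openssl/engine.h>
#define DEMO_HAVE_ENGINE_API 1
#else
#define DEMO_HAVE_ENGINE_API 0
#endif

/* Directive handler that is always compiled. Returns NULL when the value is
 * acceptable, otherwise an error message for the configuration parser. */
const char *demo_set_crypto_device(const char *arg, const char **selected)
{
    if (strcmp(arg, "builtin") == 0) {
        *selected = NULL;              /* same as no SSLCryptoDevice line */
        return NULL;
    }
#if DEMO_HAVE_ENGINE_API
    ENGINE *e = ENGINE_by_id(arg);     /* only reachable with ENGINE support */
    if (e == NULL)
        return "SSLCryptoDevice: unknown engine id";
    ENGINE_free(e);
    *selected = arg;
    return NULL;
#else
    return "SSLCryptoDevice: ENGINE support not compiled in; "
           "only 'builtin' is accepted";
#endif
}
```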