trunk/rc usable with OpenSSL 3.0.0 ?
ALL :


I may receive no reply to this but in general I have been able to build
Apache httpd from any release tarball as well as from trunk. When httpd
needed to get TLS 1.3 working it was a slam dunk to get that working and
it did. However now we have OpenSSL 3.0.0 and it seems that neither the
latest RC works nor does trunk.

So then ... how to proceed ?


--
Dennis Clarke
RISC-V/SPARC/PPC/ARM/CISC
UNIX and Linux spoken
GreyBeard and suspenders optional


PS: trunk 1893292 fails even autoreconf and then more horror follows
Re: trunk/rc usable with OpenSSL 3.0.0 ?
> On 13.09.2021 at 07:23, Dennis Clarke <dclarke@blastwave.org> wrote:
>
>
> ALL :
>
>
> I may receive no reply to this but in general I have been able to build
> Apache httpd from any release tarball as well as from trunk. When httpd
> needed to get TLS 1.3 working it was a slam dunk to get that working and
> it did. However now we have OpenSSL 3.0.0 and it seems that neither the
> latest RC works nor does trunk.
>
> So then ... how to proceed ?

The plan is to make an "OpenSSL 3.0" ready release soon after 2.4.49,
anticipating also a possible (likely?) OpenSSL 3.0.1, as a common
then when releases are done and the test base broadens significantly.

That's my understanding.

One could argue, that 2.4.49 should do that as well, which would mean
delaying it. And there are security relevant changes, not visible in
the candidate, that sit on a timeline.

My personal opinion is that we need to release every other month and
take into it what is ready. The old model of waiting till all stars
align - which is nice as a developer - does not work for CVEs.

- Stefan

>
>
> --
> Dennis Clarke
> RISC-V/SPARC/PPC/ARM/CISC
> UNIX and Linux spoken
> GreyBeard and suspenders optional
>
>
> PS: trunk 1893292 fails even autoreconf and then more horror follows
Re: trunk/rc usable with OpenSSL 3.0.0 ?
On Mon, Sep 13, 2021 at 01:23:37AM -0400, Dennis Clarke wrote:
>
> ALL :
>
>
> I may receive no reply to this but in general I have been able to build
> Apache httpd from any release tarball as well as from trunk. When httpd
> needed to get TLS 1.3 working it was a slam dunk to get that working and
> it did. However now we have OpenSSL 3.0.0 and it seems that neither the
> latest RC works nor does trunk.
>
> So then ... how to proceed ?

What fails with trunk?

It's expected that httpd 2.4 doesn't support 3.0 yet, hopefully we can
get this in for a future release but OpenSSL 3.0 has been a moving
target until just six days ago.

Regards, Joe
Re: trunk/rc usable with OpenSSL 3.0.0 ?
>
> anticipating also a possible (likely?) OpenSSL 3.0.1, as a common
> then when releases are done and the test base broadens significantly.
+1 for 3.0.1

Steffen




On Monday 13/09/2021 at 10:08, stefan@eissing.org wrote:
>
>>
>> On 13.09.2021 at 07:23, Dennis Clarke <dclarke@blastwave.org> wrote:
>>
>>
>> ALL :
>>
>>
>> I may receive no reply to this but in general I have been able to build
>> Apache httpd from any release tarball as well as from trunk. When httpd
>> needed to get TLS 1.3 working it was a slam dunk to get that working and
>> it did. However now we have OpenSSL 3.0.0 and it seems that neither the
>> latest RC works nor does trunk.
>>
>> So then ... how to proceed ?
>
> The plan is to make an "OpenSSL 3.0" ready release soon after 2.4.49,
> anticipating also a possible (likely?) OpenSSL 3.0.1, as a common
> then when releases are done and the test base broadens significantly.
>
> That's my understanding.
>
> One could argue, that 2.4.49 should do that as well, which would mean
> delaying it. And there are security relevant changes, not visible in
> the candidate, that sit on a timeline.
>
> My personal opinion is that we need to release every other month and
> take into it what is ready. The old model of waiting till all stars
> align - which is nice as a developer - does not work for CVEs.
>
> - Stefan
>
>>
>>
>>
>> --
>> Dennis Clarke
>> RISC-V/SPARC/PPC/ARM/CISC
>> UNIX and Linux spoken
>> GreyBeard and suspenders optional
>>
>>
>> PS: trunk 1893292 fails even autoreconf and then more horror follows
>
Re: trunk/rc usable with OpenSSL 3.0.0 ?
On 9/13/21 04:22, Joe Orton wrote:
> On Mon, Sep 13, 2021 at 01:23:37AM -0400, Dennis Clarke wrote:
>>
>> ALL :
>>
>>
>> I may receive no reply to this but in general I have been able to build
>> Apache httpd from any release tarball as well as from trunk. When httpd
>> needed to get TLS 1.3 working it was a slam dunk to get that working and
>> it did. However now we have OpenSSL 3.0.0 and it seems that neither the
>> latest RC works nor does trunk.
>>
>> So then ... how to proceed ?
>
> What fails with trunk?
>
> It's expected that httpd 2.4 doesn't support 3.0 yet, hopefully we can
> get this in for a future release but OpenSSL 3.0 has been a moving
> target until just six days ago.
>
> Regards, Joe
>

Why "expected" that httpd 2.4 doesn't support 3.0 ?

While I realize that 3.0.0 is very shiny new and still has a green glow
to it we also know that the beta program has been in place for months
and the release candidates go back a year.

You have me at a loss.

That Apache httpd, the biggest web server on planet Earth ( let me check
mars ) has never looked at OpenSSL 3.0.0 as an event in the mail? It has
been shipped. Delivered. Done. It works. What are you saying?


--
Dennis Clarke
RISC-V/SPARC/PPC/ARM/CISC
UNIX and Linux spoken
GreyBeard and suspenders optional
Re: trunk/rc usable with OpenSSL 3.0.0 ?
Hi Dennis,

On 13.09.2021 at 11:05, Dennis Clarke wrote:
> On 9/13/21 04:22, Joe Orton wrote:
>> On Mon, Sep 13, 2021 at 01:23:37AM -0400, Dennis Clarke wrote:
>>>
>>> ALL :
>>>
>>>
>>> I may receive no reply to this but in general I have been able to build
>>> Apache httpd from any release tarball as well as from trunk. When httpd
>>> needed to get TLS 1.3 working it was a slam dunk to get that working and
>>> it did. However now we have OpenSSL 3.0.0 and it seems that neither the
>>> latest RC works nor does trunk.
>>>
>>> So then ... how to proceed ?
>>
>> What fails with trunk?
>>
>> It's expected that httpd 2.4 doesn't support 3.0 yet, hopefully we can
>> get this in for a future release but OpenSSL 3.0 has been a moving
>> target until just six days ago.
>>
>> Regards, Joe
>>
>
> Why "expected" that httpd 2.4 doesn't support 3.0 ?

"expected" in the sense that the httpd project developers know about
this. So "we" expect it.

> While I realize that 3.0.0 is very shiny new and still has a green glow
> to it we also know that the beta program has been in place for months
> and the release candidates go back a year.

We did successfully test 3.0.0 alpha and beta in combination with the
previous 2.4 releases. See for instance my release vote mails then.

3.0.0 use in combination with httpd 2.4.x only broke recently, due
to changes in 3.0.0 that were not part of earlier alpha and beta
releases. That's why we only recently became aware of the needed mod_ssl
changes to make it work with 3.0.0 again. As mentioned by others the
2.4.49 release is important for other reasons and we do not want to
break it due to last minute mod_ssl changes, which would only be useful
for a minority of users. Most would not yet go with OpenSSL 3.0.0.

Joe (Orton) has provided a pull request for 2.4.x based on httpd trunk
to again support OpenSSL 3.0.0 and that's why he is interested in your
observed httpd trunk failures with 3.0.0.

> You have me at a loss.

Hopefully our situation is now understandable again?

> That Apache httpd, the biggest web server on planet Earth ( let me check
> mars ) has never looked at OpenSSL 3.0.0 as an event in the mail? It has
> been shipped. Delivered. Done. It works. What are you saying?

We - for instance me - have been looking at it for quite some time. The breaks were
introduced recently in OpenSSL land. That's why we need a few weeks to
react.

Thanks for caring about httpd in Solaris land!

Regards,

Rainer
Re: trunk/rc usable with OpenSSL 3.0.0 ?
> On 13.09.2021 at 11:05, Dennis Clarke <dclarke@blastwave.org> wrote:
>
> On 9/13/21 04:22, Joe Orton wrote:
>> On Mon, Sep 13, 2021 at 01:23:37AM -0400, Dennis Clarke wrote:
>>>
>>> ALL :
>>>
>>>
>>> I may receive no reply to this but in general I have been able to build
>>> Apache httpd from any release tarball as well as from trunk. When httpd
>>> needed to get TLS 1.3 working it was a slam dunk to get that working and
>>> it did. However now we have OpenSSL 3.0.0 and it seems that neither the
>>> latest RC works nor does trunk.
>>>
>>> So then ... how to proceed ?
>>
>> What fails with trunk?
>>
>> It's expected that httpd 2.4 doesn't support 3.0 yet, hopefully we can
>> get this in for a future release but OpenSSL 3.0 has been a moving
>> target until just six days ago.
>>
>> Regards, Joe
>>
>
> Why "expected" that httpd 2.4 doesn't support 3.0 ?
>
> While I realize that 3.0.0 is very shiny new and still has a green glow
> to it we also know that the beta program has been in place for months
> and the release candidates go back a year.
>
> You have me at a loss.
>
> That Apache httpd, the biggest web server on planet Earth ( let me check
> mars ) has never looked at OpenSSL 3.0.0 as an event in the mail? It has
> been shipped. Delivered. Done. It works. What are you saying?

What we are saying and what you found out on testing it is that 2.4.49
is not ready for OpenSSL 3.0. No laying blame anywhere will make it so.

Rather than painting this black and white picture, you have to see
that there have been adaptations to changes in OpenSSL 3.0. They are
just not complete.

If that could have been better, well, of course. I could say that you
could have done the necessary also. But such discussions do not lead
us anywhere.

2.4.49 contains relevant changes for people who run OpenSSL 1.1 and
other SSL libraries. And I think it should therefore ship as a better
2.4.48. Unless we find a regression.

- Stefan


> --
> Dennis Clarke
> RISC-V/SPARC/PPC/ARM/CISC
> UNIX and Linux spoken
> GreyBeard and suspenders optional
Re: trunk/rc usable with OpenSSL 3.0.0 ?
On Mon, Sep 13, 2021 at 11:16:15AM +0200, Rainer Jung wrote:
> Hi Dennis,
> On 13.09.2021 at 11:05, Dennis Clarke wrote:
> > That Apache httpd, the biggest web server on planet Earth ( let me check
> > mars ) has never looked at OpenSSL 3.0.0 as an event in the mail? It has
> > been shipped. Delivered. Done. It works. What are you saying?
>
> We - for instance me - have been looking at it for quite some time. The breaks were
> introduced recently in OpenSSL land. That's why we need a few weeks to
> react.

Big +1s to the responses from Stefan and Rainer. In fact one of those
breaks [1] happened precisely because we found problems when testing
httpd against OpenSSL 3.0.

Dennis, as Stefan suggests, contributions are always welcome here.
Naturally the number of contributors actively testing against
bleeding-edge third party dependencies is smaller than against stable
versions. So, if you want to encourage better support, test, publish
results, send patches, try backports from trunk to 2.4, whatever you can
do to help will be great.

Regards, Joe

[1] https://github.com/openssl/openssl/issues/15946