[Pkg-openssl-devel] Bug#844160: marked as done (apache2-dev should depend on libssl1.0-dev)
Ondřej Surý
ondrej at sury.org
Mon Nov 14 04:03:45 UTC 2016
> Looking at mod_ssl_openssl.h and the comment in #828330,
> I'd suggest the change below to add a dependency on libssl1.0-dev
> to apache2-dev.
And that exactly happens meaning that PHP 7.0 can no longer be built
unless all its build-depends (including PHP 7.0) and rdepends move to
libssl1.0-dev as well.
So a nice deadlock, right? To be honest I would rather have a slightly
less tested apache2 with OpenSSL 1.1.0 and iron out the bugs as we go
than revert all the work I have done.
I reviewed the patch Kurt has provided and I don't see any strong reason
why anything should break.
~~~
ssl_engine_io_init() is called but return value is not checked although
it might obviously fail as the function can return 0 on failure.
~~~
This bit looks suspicious as it changes the existing behavior:
- /* XXX: Should replace setting state with
SSL_renegotiate(ssl);
- * However, this causes failures in perl-framework
currently,
- * perhaps pre-test if we have already negotiated?
- */
-#ifdef OPENSSL_NO_SSL_INTERN
- SSL_set_state(ssl, SSL_ST_ACCEPT);
-#else
- ssl->state = SSL_ST_ACCEPT;
-#endif
+ /* XXX: Why is this done twice? */
+ SSL_renegotiate(ssl);
+ /* XXX: Return value ignored, uses SSL_get_state instead?
*/
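Review bot: the return value of SSL_renegotiate(ssl) in the `+` lines is discarded, as the added `/* XXX: Return value ignored ... */` comment itself admits, and SSL_renegotiate() returns 0 on failure; the old code forced the handshake state to SSL_ST_ACCEPT directly, so a silently failed renegotiation request is a real behaviour change, not just an API swap. Suggest checking the result (and answering the `/* XXX: Why is this done twice? */` question) before this goes in, rather than leaving two open XXX markers in merged code.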
but it might be correct...
~~~
There also seem to be some changes unrelated to OpenSSL 1.1.0 as:
- RAND_pseudo_bytes(iv, EVP_MAX_IV_LENGTH);
+ /* XXX: Return value not checked. */
+ RAND_bytes(iv, EVP_MAX_IV_LENGTH);
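Review bot: RAND_bytes() signals failure through its return value (anything other than 1), and the added `/* XXX: Return value not checked. */` comment records the gap without closing it; if the call fails, `iv` is used as an initialisation vector while holding whatever bytes were there before. Suggest replacing the comment with an actual check, e.g. `if (RAND_bytes(iv, EVP_MAX_IV_LENGTH) != 1)` followed by an error return, so the IV is never used on the failure path.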
or adding:
+ SRP_user_pwd_free(u);
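Review bot: a single added `SRP_user_pwd_free(u);` with no surrounding context lines makes it impossible to review where `u` was obtained, whether it is freed on every exit path, and whether anything dereferences it after this point; the hunk should carry enough context to show the allocation and the subsequent uses, and the commit message should say why the free is needed.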
I think this should be in a separate patch.
~~~
Kurt, can you confirm this doesn't change behavior of the code?
- else if (cert->valid && X509_check_issued(cert,cert) == X509_V_OK)
{
+ else if (X509_check_issued(cert, cert) == X509_V_OK) {
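Review bot: dropping `cert->valid &&` changes the condition, not only the field access: the old branch was taken only for certificates already marked valid, the new one whenever X509_check_issued(cert, cert) reports the certificate as self-issued. If the `valid` flag has no public accessor in the new API, the commit message should say so and explain why the guard can be lost; otherwise an equivalent check should stay in the condition.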
~~~
Wrong ws here:
- nid = OBJ_obj2nid((ASN1_OBJECT
*)(xs->cert_info->key->algor->algorithm));
+ X509_PUBKEY *pubkey = X509_get_X509_PUBKEY(xs);
+ X509_ALGOR *algor;
+ X509_PUBKEY_get0_param(NULL, NULL, NULL, &algor, pubkey);
+ nid = OBJ_obj2nid(algor->algorithm);
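Review bot: X509_PUBKEY_get0_param() returns an int and that result is ignored, yet `algor` is declared without an initialiser and then dereferenced in `OBJ_obj2nid(algor->algorithm)`; on a failed call that is an indeterminate pointer. Suggest `X509_ALGOR *algor = NULL;` and testing the return value (or `algor`) before computing `nid`.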
and here:
@@ -398,7 +403,9 @@ static int stapling_check_response(serve
if (bio) {
int n;
- if ((i2a_ASN1_INTEGER(bio, cinf->cid->serialNumber) !=
-1) &&
+ ASN1_INTEGER *serial;
+ OCSP_id_get0_info(NULL, NULL, NULL, &serial, cinf->cid);
+ if ((i2a_ASN1_INTEGER(bio, serial) != -1) &&
((n = BIO_read(bio, snum, sizeof snum - 1)) > 0))
snum[n] = '\0';
BIO_free(bio);
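Review bot: OCSP_id_get0_info() also returns an int, and `serial` is declared uninitialised and handed straight to i2a_ASN1_INTEGER() without checking that result, so a failed lookup passes an indeterminate pointer into the printing call. Suggest `ASN1_INTEGER *serial = NULL;` and folding the OCSP_id_get0_info() return value into the existing `if` condition alongside the i2a_ASN1_INTEGER() and BIO_read() checks.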
Cheers,
--
Ondřej Surý <ondrej at sury.org>
Knot DNS (https://www.knot-dns.cz/) – a high-performance DNS server
Knot Resolver (https://www.knot-resolver.cz/) – secure, privacy-aware,
fast DNS(SEC) resolver
Vše pro chleba (https://vseprochleba.cz) – Flour from the mill and supplies for
baking bread of every kind
On Sun, Nov 13, 2016, at 13:36, Debian Bug Tracking System wrote:
> Your message dated Sun, 13 Nov 2016 12:34:03 +0000
> with message-id <E1c5tz1-000GfB-AE at fasolo.debian.org>
> and subject line Bug#844160: fixed in apache2 2.4.23-7
> has caused the Debian Bug report #844160,
> regarding apache2-dev should depend on libssl1.0-dev
> to be marked as done.
>
> This means that you claim that the problem has been dealt with.
> If this is not the case it is now your responsibility to reopen the
> Bug report if necessary, and/or fix the problem forthwith.
>
> (NB: If you are a system administrator and have no idea what this
> message is talking about, this may indicate a serious mail system
> misconfiguration somewhere. Please contact owner at bugs.debian.org
> immediately.)
>
>
> --
> 844160: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=844160
> Debian Bug Tracking System
> Contact owner at bugs.debian.org with problems
> Email had 2 attachments:
> + apache2-dev should depend on libssl1.0-dev
> 3k (message/rfc822)
> + Bug#844160: fixed in apache2 2.4.23-7
> 8k (message/rfc822)