xmltooling: FTBFS with openssl 1.1.0

Ferenc Wágner wferi at niif.hu
Wed Nov 9 18:13:58 UTC 2016


wferi at niif.hu (Ferenc Wágner) writes:

> Can you recommend a reliable way to decide whether there really are any
> conflicts between the different OpenSSL libraries used by libcurl and
> xmltooling?

I've found two code fragments which pass OpenSSL structures between curl
(OpenSSL 1.1) and XMLTooling (OpenSSL 1.0) in CURLSOAPTransport.cpp:

#ifdef HAVE_CURLINFO_TLS_SSL_PTR
    if (!ctx->m_cipherLogged) {
        Category& log = Category::getInstance(XMLTOOLING_LOGCAT ".SOAPTransport.CURL");
        if (log.isDebugEnabled()) {
            struct curl_tlssessioninfo* tlsinfo = nullptr;
            CURLcode infocode = curl_easy_getinfo(ctx->m_handle, CURLINFO_TLS_SSL_PTR, &tlsinfo);
            if (infocode == CURLE_OK && tlsinfo && tlsinfo->backend == CURLSSLBACKEND_OPENSSL && tlsinfo->internals) {
                SSL* ssl = reinterpret_cast<SSL*>(tlsinfo->internals);
                const SSL_CIPHER* cipher = SSL_get_current_cipher(ssl);
                log.debug("SSL version: %s, cipher: %s", SSL_get_version(ssl), cipher ? SSL_CIPHER_get_name(cipher) : "unknown");
            }
        }
        ctx->m_cipherLogged = true;
    }
#endif

and

CURLcode xmltooling::xml_ssl_ctx_callback(CURL* curl, SSL_CTX* ssl_ctx, void* userptr)
{
    CURLSOAPTransport* conf = reinterpret_cast<CURLSOAPTransport*>(userptr);

    // Default flags manually disable SSLv2 and SSLv3 so we're not dependent on libcurl
    // to do it. Also disable the ticket option where implemented, since this breaks a
    // variety of servers. Newer libcurl also does this for us.
#ifdef SSL_OP_NO_TICKET
    SSL_CTX_set_options(ssl_ctx, conf->m_openssl_ops|SSL_OP_NO_TICKET);
#else
    SSL_CTX_set_options(ssl_ctx, conf->m_openssl_ops);
#endif

#ifndef XMLTOOLING_NO_XMLSEC
    if (conf->m_cred)
        conf->m_cred->attach(ssl_ctx);

    if (conf->m_trustEngine) {
        SSL_CTX_set_verify(ssl_ctx,SSL_VERIFY_PEER,nullptr);
#if (OPENSSL_VERSION_NUMBER >= 0x00907000L)
        // With 0.9.7, we can pass a callback argument directly.
        SSL_CTX_set_cert_verify_callback(ssl_ctx,verify_callback,userptr);
#else
        // With 0.9.6, there's no argument, so we're going to use a really embarrassing hack and
        // stuff the argument in the depth property where it will get copied to the context object
        // that's handed to the callback.
        SSL_CTX_set_cert_verify_callback(ssl_ctx,reinterpret_cast<int (*)()>(verify_callback),nullptr);
        SSL_CTX_set_verify_depth(ssl_ctx,reinterpret_cast<int>(userptr));
#endif
    }
#endif

    if (conf->m_ssl_callback && !conf->m_ssl_callback(conf, ssl_ctx, conf->m_ssl_userptr))
        return CURLE_SSL_CERTPROBLEM;

    return CURLE_OK;
}

So the issue isn't clear-cut at all (at least to me).  Can we have
libcurl4-openssl1.0-dev?  Any other ideas?
-- 
Thanks,
Feri
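As an added illustration (not part of the message above or of the xmltooling project), here is one mechanical way to answer the question of whether the two libraries would drag two OpenSSL ABIs into one process: look at the NEEDED entries of each shared object with readelf -d and compare the libssl/libcrypto sonames they resolve to. The readelf dumps embedded below are constructed samples standing in for real `readelf -d libcurl.so.4` / `readelf -d libxmltooling.so` output; the sonames libssl.so.1.0.2 and libssl.so.1.1 are assumed for the two OpenSSL generations.

```shell
#!/bin/sh
# Added example, not code from the xmltooling project or from the post.
# Usage against real libraries:
#   readelf -d /usr/lib/x86_64-linux-gnu/libcurl.so.4 > curl.dump
#   readelf -d /usr/lib/x86_64-linux-gnu/libxmltooling.so > xmltooling.dump
#   openssl_abi_conflict curl.dump xmltooling.dump

# Print the libssl/libcrypto sonames listed as NEEDED in a readelf -d dump
# read from stdin, space separated on one line (empty line if none).
ssl_sonames() {
    awk '/\(NEEDED\)/ && /lib(ssl|crypto)\.so/ {
             sub(/.*\[/, ""); sub(/\].*/, "")
             printf "%s%s", (n++ ? " " : ""), $0
         }
         END { print "" }'
}

# Exit 0 if both dumps pull in the same OpenSSL sonames, 1 if they differ,
# which means two OpenSSL ABIs would be loaded once both libraries are in
# the same process and SSL*/SSL_CTX* pointers are passed between them.
openssl_abi_conflict() {
    a=$(ssl_sonames < "$1")
    b=$(ssl_sonames < "$2")
    if [ "$a" = "$b" ]; then
        echo "consistent: $1 and $2 both use [$a]"
        return 0
    fi
    echo "conflict: $1 -> [$a] vs $2 -> [$b]"
    return 1
}

# Constructed sample dumps (the format mirrors readelf -d output; the
# sonames are assumptions for OpenSSL 1.1 and 1.0 on Debian of that era).
tmp=$(mktemp -d)
trap 'rm -rf "$tmp"' EXIT
CURL_DUMP="$tmp/libcurl.so.4.dump"
XMLTOOLING_DUMP="$tmp/libxmltooling.so.dump"

cat > "$CURL_DUMP" <<'EOF'
Dynamic section at offset 0x8b7d8 contains 30 entries:
  Tag        Type                         Name/Value
 0x0000000000000001 (NEEDED)             Shared library: [libssl.so.1.1]
 0x0000000000000001 (NEEDED)             Shared library: [libcrypto.so.1.1]
 0x0000000000000001 (NEEDED)             Shared library: [libz.so.1]
 0x0000000000000001 (NEEDED)             Shared library: [libc.so.6]
 0x000000000000000e (SONAME)             Library soname: [libcurl.so.4]
EOF

cat > "$XMLTOOLING_DUMP" <<'EOF'
Dynamic section at offset 0x2a1c0 contains 32 entries:
  Tag        Type                         Name/Value
 0x0000000000000001 (NEEDED)             Shared library: [libcurl.so.4]
 0x0000000000000001 (NEEDED)             Shared library: [libssl.so.1.0.2]
 0x0000000000000001 (NEEDED)             Shared library: [libcrypto.so.1.0.2]
 0x0000000000000001 (NEEDED)             Shared library: [libc.so.6]
 0x000000000000000e (SONAME)             Library soname: [libxmltooling.so.7]
EOF

# Demonstration run on the constructed dumps.
openssl_abi_conflict "$CURL_DUMP" "$XMLTOOLING_DUMP" \
    || echo "=> the CURLSOAPTransport.cpp fragments would hand OpenSSL 1.0 objects to an OpenSSL 1.1 libcurl"
```

The check only tells you that two OpenSSL sonames would coexist in the process; whether a given pointer hand-off actually misbehaves still depends on which struct fields each side touches, which is exactly why the two fragments above are the places to look.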
