INN and openssl 1.1

Julien ÉLIE julien at trigofacile.com
Sat Mar 5 14:51:39 UTC 2016


The Doctor,

>>> Hopefully the OpenSSL committer for the 1.1 branch will hear my plea for
>>> backwards compatibility so that you have
>>>
>>> #define SSLeay_add_ssl_algorithms OpenSSL_add_ssl_algorithms
>>> #define SSLv23_server_method TLS_server_method

I've just tried to build INN with the latest OpenSSL 1.1.0-pre3 version, and it seems that these defines are present.
Can you confirm you no longer have an issue with these two functions?



> INN so far is the only package against OpenSSL 1.1 that is easy to migrate.

Glad to know!

Could you please try the following patch and report if everything is OK for you?
(that is to say the patch is enough to make INN work with OpenSSL 1.1.0-pre3
on your server)


--- nnrpd/tls.c	(révision 9984)
+++ nnrpd/tls.c	(copie de travail)
@@ -216,7 +216,10 @@
 	default:
 		/* We should check current keylength vs. requested keylength
 		 * also, this is an extremely expensive operation! */
-		dh = DH_generate_parameters(keylength, DH_GENERATOR_2, NULL, NULL);
+                dh = DH_new();
+                if (dh != NULL) {
+                    DH_generate_parameters_ex(dh, keylength, DH_GENERATOR_2, NULL);
+                }
 		r = dh;
 	}
 
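Review bot: The return value of DH_generate_parameters_ex() is not checked in the new default: branch, so when generation fails, r is set to an allocated DH that holds no usable parameters, where the removed DH_generate_parameters() call would have yielded NULL. Suggest testing the result and, on failure, calling DH_free(dh) and setting dh = NULL before `r = dh;`. The added lines are also indented with spaces while the surrounding context uses tabs.
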
@@ -492,8 +495,13 @@
     if (tls_loglevel >= 2)
       Printf("starting TLS engine");
 
+#if OPENSSL_VERSION_NUMBER < 0x10100000L
     SSL_load_error_strings();
     SSLeay_add_ssl_algorithms();
+#else
+    OPENSSL_init_ssl(OPENSSL_INIT_LOAD_SSL_STRINGS
+                     | OPENSSL_INIT_LOAD_CRYPTO_STRINGS, NULL);
+#endif
 
     CTX = SSL_CTX_new(SSLv23_server_method());
     if (CTX == NULL) {
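Review bot: OPENSSL_init_ssl() returns 0 on failure and the #else branch discards that result, so an initialization problem only shows up indirectly, if at all, at the SSL_CTX_new() check that follows. Suggest testing the return value and logging a specific error before giving up on TLS. A one-line comment on the #if saying that SSL_load_error_strings() and SSLeay_add_ssl_algorithms() are replaced by OPENSSL_init_ssl() from 1.1.0 on would also help the next reader.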






--- nnrpd/tls.h	(révision 9984)
+++ nnrpd/tls.h	(copie de travail)
@@ -22,8 +22,12 @@
 #ifndef TLS_H
 #define TLS_H
 
 #include <openssl/lhash.h>
 #include <openssl/bn.h>
+#include <openssl/dh.h>
 #include <openssl/err.h>
 #include <openssl/pem.h>
 #include <openssl/rand.h>






--- m4/openssl.m4	(révision 9984)
+++ m4/openssl.m4	(copie de travail)
@@ -71,10 +71,10 @@
         [AC_MSG_ERROR([cannot find usable OpenSSL crypto library])])],
     [$inn_openssl_extra])
  AS_IF([test x"$inn_reduced_depends" = xtrue],
-    [AC_CHECK_LIB([ssl], [SSL_library_init], [OPENSSL_LIBS=-lssl],
+    [AC_CHECK_LIB([ssl], [SSL_accept], [OPENSSL_LIBS=-lssl],
         [AS_IF([test x"$1" = xtrue],
             [AC_MSG_ERROR([cannot find usable OpenSSL library])])])],
-    [AC_CHECK_LIB([ssl], [SSL_library_init],
+    [AC_CHECK_LIB([ssl], [SSL_accept],
         [OPENSSL_LIBS="-lssl $CRYPTO_LIBS"],
         [AS_IF([test x"$1" = xtrue],
             [AC_MSG_ERROR([cannot find usable OpenSSL library])])],
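Review bot: Neither AC_CHECK_LIB call records why SSL_accept is the probed symbol, so the choice looks arbitrary and could be changed back by a later cleanup. Suggest a dnl comment above the AS_IF stating that SSL_library_init is no longer found by the link test with OpenSSL 1.1.0, while SSL_accept is found with both 1.1.0 and older versions. Since this macro is shared through rra-c-util, the same comment should go upstream with the change.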



Russ, would you mind committing the change of SSL_library_init to SSL_accept
in the openssl.m4 file shipped with rra-c-util?
This way, the OpenSSL library can be found (for both 1.1.0 and older versions).

Thanks,

-- 
Julien ÉLIE

« L'atour est fiel aux Huns valides. »

