INN and openssl 1.1

Dave Shariff Yadallee - System Administrator a.k.a. The Root of the Problem, , 669-2000, 470-2224 root at doctor.nl2k.ab.ca
Sat Mar 5 20:01:56 UTC 2016


> The Doctor,
> 
> >>> Hopefully OpenSSL committer for 1.1 branch will hear my plea for
> >>> backwards compatibility so that you have
> >>>
> >>> #define SSLeay_add_ssl_algorithms OpenSSL_add_ssl_algorithms
> >>> #define SSLv23_server_method TLS_server_method
> 
> I've just tried to build INN with latest OpenSSL 1.1.0-pre3 version, and it seems that these defines are present.
> Do you confirm you no longer have an issue with these two functions?
> 
> 
> 
> > INN so far is the only package against OpenSSL 1.1 that is easy to migrate.
> 
> Glad to know!
> 
> Could you please try the following patch and report if everything is OK for you?
> (that is to say the patch is enough to make INN work with OpenSSL 1.1.0-pre3
> on your server)
> 
> 
> --- nnrpd/tls.c	(r?vision 9984)
> +++ nnrpd/tls.c	(copie de travail)
> @@ -216,7 +216,10 @@
>  	default:
>  		/* We should check current keylength vs. requested keylength
>  		 * also, this is an extremely expensive operation! */
> -		dh = DH_generate_parameters(keylength, DH_GENERATOR_2, NULL, NULL);
> +                dh = DH_new();
> +                if (dh != NULL) {
> +                    DH_generate_parameters_ex(dh, keylength, DH_GENERATOR_2, NULL);
> +                }
>  		r = dh;
>  	}
>  
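Review bot: the return value of DH_generate_parameters_ex() in the added block is ignored, so on failure `r = dh` hands back an object that DH_new() allocated but that holds no usable parameters. Check that the call returns 1, and otherwise DH_free(dh) and set dh to NULL, so the caller still sees NULL on failure as it did with the removed DH_generate_parameters() call. The four added lines are also indented with spaces while the surrounding context lines use tabs.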
> @@ -492,8 +495,13 @@
>      if (tls_loglevel >= 2)
>        Printf("starting TLS engine");
>  
> +#if OPENSSL_VERSION_NUMBER < 0x10100000L
>      SSL_load_error_strings();
>      SSLeay_add_ssl_algorithms();
> +#else
> +    OPENSSL_init_ssl(OPENSSL_INIT_LOAD_SSL_STRINGS
> +                     | OPENSSL_INIT_LOAD_CRYPTO_STRINGS, NULL);
> +#endif
>  
>      CTX = SSL_CTX_new(SSLv23_server_method());
>      if (CTX == NULL) {
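Review bot: the result of OPENSSL_init_ssl() in the new #else branch is discarded, so a failed library initialisation is noticed only later, if at all, at the `CTX == NULL` check after SSL_CTX_new(). Test the return value (0 means failure) and report the error at that point instead of continuing to SSL_CTX_new().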
> 
> 
> 
> 
> 
> 
> --- nnrpd/tls.h	(r?vision 9984)
> +++ nnrpd/tls.h	(copie de travail)
> @@ -22,8 +22,12 @@
>  #ifndef TLS_H
>  #define TLS_H
>  
>  #include <openssl/lhash.h>
>  #include <openssl/bn.h>
> +#include <openssl/dh.h>
>  #include <openssl/err.h>
>  #include <openssl/pem.h>
>  #include <openssl/rand.h>
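Review bot: the hunk header announces 12 lines on the new side (`-22,8 +22,12`), but the only added line shown is `#include <openssl/dh.h>`, which gives 9, so the tls.h hunk as posted looks truncated. Please resend the complete hunk so the remaining three added lines can be reviewed and the patch applied as intended.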
> 
> 
> 
> 
> 
> 
> --- m4/openssl.m4	(r?vision 9984)
> +++ m4/openssl.m4	(copie de travail)
> @@ -71,10 +71,10 @@
>          [AC_MSG_ERROR([cannot find usable OpenSSL crypto library])])],
>      [$inn_openssl_extra])
>   AS_IF([test x"$inn_reduced_depends" = xtrue],
> -    [AC_CHECK_LIB([ssl], [SSL_library_init], [OPENSSL_LIBS=-lssl],
> +    [AC_CHECK_LIB([ssl], [SSL_accept], [OPENSSL_LIBS=-lssl],
>          [AS_IF([test x"$1" = xtrue],
>              [AC_MSG_ERROR([cannot find usable OpenSSL library])])])],
> -    [AC_CHECK_LIB([ssl], [SSL_library_init],
> +    [AC_CHECK_LIB([ssl], [SSL_accept],
>          [OPENSSL_LIBS="-lssl $CRYPTO_LIBS"],
>          [AS_IF([test x"$1" = xtrue],
>              [AC_MSG_ERROR([cannot find usable OpenSSL library])])],
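Review bot: the switch of the AC_CHECK_LIB probe symbol from SSL_library_init to SSL_accept, in both branches of the AS_IF, carries no comment saying why. Add a short dnl comment noting that SSL_library_init cannot be used to detect the library with OpenSSL 1.1.0, so the probe is not changed back later.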
> 
>

Let me test this out recompiling today's current and
use slrn with SSL to access the newsgroups.

Will get back to you soon.
 
> 
> Russ, would you mind committing the change of SSL_library_init to SSL_accept
> in the openssl.m4 file shipped with rra-c-util?
> This way, the OpenSSL library can be found (for both 1.1.0 and older versions).
> 
> Thanks,
> 
> -- 
> Julien ÉLIE
> 
> « L'atour est fiel aux Huns valides. »