Created attachment 150784 [details]
Patch for apache24 to build cleanly with LibreSSL
Apache 2.4 (and 2.2) cannot be built when LibreSSL is used as SSL library.
LibreSSL has (amongst others)
- removed RAND_egd
- removed CHIL engine
- added SSL_CTX_use_certificate_chain
This leads to build failures for missing and redefining functions.
This patch fixes these errors by
- adding a check for RAND_egd and SSL_CTX_use_certificate_chain
- using an already available define for CHIL
- using defines for the added checks
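
Added example (not part of the original report or the attached patch): a link probe in the style of an autoconf function check, showing how a build can detect whether the installed libssl/libcrypto provides RAND_egd and SSL_CTX_use_certificate_chain and emit a define for each. The HAVE_* macro names, the CC and SSL_LIBS variables and the helper function names are assumptions, not taken from the patch.

```shell
#!/bin/sh
# Added example. CC, the library flags and the HAVE_* names are assumptions.
CC=${CC:-cc}
SSL_LIBS=${SSL_LIBS:-"-lssl -lcrypto"}

# have_func NAME [LINKER FLAGS...]: succeed if a program calling NAME links.
have_func() {
    func=$1; shift
    dir=$(mktemp -d) || return 2
    # Dummy prototype, as an autoconf function check does: only the link result matters.
    printf 'char %s(void);\nint main(void) { return (int)%s(); }\n' \
        "$func" "$func" > "$dir/probe.c"
    rc=0
    "$CC" -o "$dir/probe" "$dir/probe.c" "$@" >/dev/null 2>&1 || rc=1
    rm -rf "$dir"
    return "$rc"
}

# define_name NAME: macro name in the autoconf HAVE_<UPPERCASE> convention.
define_name() {
    printf 'HAVE_%s\n' "$(printf '%s' "$1" | tr '[:lower:]' '[:upper:]')"
}

# probe_ssl: print one config-header line per function named in the report.
probe_ssl() {
    # Sanity check first: if a function every libssl has does not link,
    # the toolchain or library path is the problem, not the API difference.
    if ! have_func SSL_CTX_new $SSL_LIBS; then
        echo "cannot link against libssl with: $CC $SSL_LIBS" >&2
        return 2
    fi
    for f in RAND_egd SSL_CTX_use_certificate_chain; do
        if have_func "$f" $SSL_LIBS; then
            echo "#define $(define_name "$f") 1"
        else
            echo "/* #undef $(define_name "$f") */"
        fi
    done
}

probe_ssl || true
```

Against the LibreSSL described in this report the RAND_egd line would come out undefined and the SSL_CTX_use_certificate_chain line defined; source code can then wrap its RAND_egd call and its own SSL_CTX_use_certificate_chain declaration in the matching #ifdef / #ifndef.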
Maintainers CC'd
Created attachment 150785 [details] Poudriere log of build
Committed upstream as https://issues.apache.org/bugzilla/show_bug.cgi?id=57375
Hi Bernhard, I haven't looked into libressl until now but it is on my task list. Just some questions (because I haven't tried it until now).
- should libressl also be used to build devel/apr (apache24 shifted parts into apr_crypto_openssl.so)
- does the apache24/Makefile also need some hints to build against libressl
Hi Olli,
- No changes required for apr.
- Nothing required in the Makefile to make this work
As this patch still applies cleanly to the tarball I sent upstream as well. This runs on my home-server without problems! As shown below. (a bit earlier version of the patch that is, no conditional stuff based on configure)
[Mon Dec 15 08:41:28.894919 2014] [mpm_event:notice] [pid 13718:tid 34393318400] AH00489: Apache/2.4.10 (FreeBSD) LibreSSL/2.1 configured -- resuming normal operations
I'm just looking into this, but the patch does not apply cleanly on my system. Found it ... I have an upstream PR open that I want to commit to the ports tree.
https://issues.apache.org/bugzilla/show_bug.cgi?id=53882
To make sure the config script is regenerated I delete it in post-extract ;) I will try to rewrite the parts from your patch so it goes into configure.in.
My fault, I just have to remove the ./configure part from your patch. How have you defined libressl as replacement for your poudriere builds? At the moment I see no way in ports/Mk to overwrite openssl with libressl.
Hi Olli, All you need to build with LibreSSL are these 3 lines in your make.conf
WITH_OPENSSL_PORT= yes
OPENSSL_SHLIBVER= 30
OPENSSL_PORT= security/libressl
Hi Bernhard, thanks for the hint! After building a fresh test tree with libressl apache24 build stopped with the following error. From the apache24 build log:
In file included from mod_ssl.c:27:
In file included from ./ssl_private.h:181:
./ssl_util_ssl.h:73:13: error: conflicting types for 'SSL_CTX_use_certificate_chain'
int SSL_CTX_use_certificate_chain(SSL_CTX *, char *, int, pem_password_cb *);
    ^
/usr/local/include/openssl/ssl.h:1548:5: note: previous declaration is here
int SSL_CTX_use_certificate_chain(SSL_CTX *ctx, void *buf, int len);
    ^
1 error generated.
*** Error code 1
To make sure the build is really against libressl I defined an additional build step on a second run.
post-extract:
	${MV} /usr/include/openssl /usr/include/openssl.base
pre-install:
	${MV} /usr/include/openssl.base /usr/include/openssl
Will investigate later this evening.
Sorry, again my fault. I lost the acinclude.m4 part in my test build; after fixing my test tree, the build looks fine.
Hi Bernhard, I will commit your patch next week together with some other changes to apache24. Unluckily it seems everyone is busy or there are not so many users subscribed to the apache@ list, so I will commit the changes between Dec. 28-29.
PS: I haven't looked at the apache22 port, perhaps libressl is also a good alternative there for users using apache22 for hosting.
See https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=196256 for the Apache 2.2 patch.
Created attachment 152367 [details] Update patches for Apache 2.4.12 incl LibreSSL fixes
Created attachment 152368 [details] Build log of Apache 2.4.12
Hi Bernhard, since I have some additional patches that haven't made the way into 2.4.12 but are already in trunk and I have to regenerate configure from configure.in I will use your old patch else parts of the new patch will be lost (the one in configure).
A commit references this bug:
Author: ohauer
Date: Sat Jan 31 15:22:59 UTC 2015
New revision: 378215
URL: https://svnweb.freebsd.org/changeset/ports/378215
Log:
  - update to 2.4.12
  - change MPM backend from static to dynamic, but keep mpm_prefork for compatibility with e.g. php modules
  - install dedicated MPM load file in case httpd was built with modular MPM (modules.d/000_mpm_prefork_fallback.conf)
  - disable SSLv3 and SSLv2 fallback in sample httpd-ssl-conf
  - use @sample macro instead EXAMPLESDIR
  - add some SSLCipherSuite examples for OpenSSL >= 1.0.x
  - add libressl support [1]
  - add pkg-install script (to handle new modular MPM build)
  - build now most all modules, so users using packages don't have to run a custom build for missing modules
  - fix suexec mode
  PR: 196139 [1]
  MFH: 2015Q1
Changes:
  head/www/apache24/Makefile
  head/www/apache24/Makefile.modules
  head/www/apache24/Makefile.options
  head/www/apache24/Makefile.options.desc
  head/www/apache24/distinfo
  head/www/apache24/files/patch-Makefile.in
  head/www/apache24/files/patch-acinclude.m4
  head/www/apache24/files/patch-config.layout
  head/www/apache24/files/patch-configure.in
  head/www/apache24/files/patch-docs__conf__extra__httpd-autoindex.conf.in
  head/www/apache24/files/patch-docs__conf__extra__httpd-ssl.conf.in
  head/www/apache24/files/patch-docs__conf__extra__httpd-userdir.conf.in
  head/www/apache24/files/patch-docs__conf__httpd.conf.in
  head/www/apache24/files/patch-include__ap_config_auto.h.in
  head/www/apache24/files/patch-modules__ssl__ssl_engine_init.c
  head/www/apache24/files/patch-modules__ssl__ssl_engine_rand.c
  head/www/apache24/files/patch-modules__ssl__ssl_util_ssl.c
  head/www/apache24/files/patch-modules__ssl__ssl_util_ssl.h
  head/www/apache24/files/patch-r1611744-modules__lua__lua_request.c
  head/www/apache24/files/patch-support__Makefile.in
  head/www/apache24/files/patch-support__apachectl.in
  head/www/apache24/files/patch-support__apxs.in
  head/www/apache24/files/patch-support__envvars-std.in
  head/www/apache24/files/patch-support__log_server_status.in
  head/www/apache24/files/pkg-deinstall.in
  head/www/apache24/files/pkg-install.in
  head/www/apache24/pkg-help
  head/www/apache24/pkg-message
  head/www/apache24/pkg-plist
The commit fixes build with LibreSSL, close!
Hi Olli, Beware that Apache httpd meanwhile has implemented most of these changes.
https://svn.apache.org/viewvc?view=rev&rev=1673455
https://svn.apache.org/viewvc?view=rev&rev=1674542
https://svn.apache.org/viewvc?view=rev&rev=1675410
https://svn.apache.org/viewvc?view=rev&rev=1673900
Need to analyze if that's all of the changes but at least some of the patches will be deprecated with the next httpd release.