Bug 196139 - www/apache24: Update to 2.4.12 / unbreak build with libressl
Status: Closed FIXED
Alias: None
Product: Ports & Packages
Classification: Unclassified
Component: Individual Port(s)
Version: Latest
Hardware: Any Any
Importance: --- Affects Some People
Assignee: Olli Hauer
Keywords: feature, needs-qa, patch, patch-ready
Reported: 2014-12-19 18:08 UTC by Bernard Spil
Modified: 2015-04-26 09:39 UTC

Patch for apache24 to build cleanly with LibreSSL (4.44 KB, patch)
2014-12-19 18:08 UTC, Bernard Spil
Poudriere log of build (393.27 KB, text/x-log)
2014-12-19 18:20 UTC, Bernard Spil
Update patches for Apache 2.4.12 incl LibreSSL fixes (5.94 KB, patch)
2015-01-30 09:01 UTC, Bernard Spil
Build log of Apache 2.4.12 (256.72 KB, text/plain)
2015-01-30 09:02 UTC, Bernard Spil

Description Bernard Spil freebsd_committer 2014-12-19 18:08:42 UTC
Created attachment 150784 [details]
Patch for apache24 to build cleanly with LibreSSL

Apache 2.4 (and 2.2) cannot be built when LibreSSL is used as SSL library.
LibreSSL has (amongst others)
  - removed RAND_egd
  - removed CHIL engine
  - added SSL_CTX_use_certificate_chain
This leads to build failures for missing and redefined functions. This patch fixes these errors by
  - adding a check for RAND_egd and SSL_CTX_use_certificate_chain
  - using an already available define for CHIL
  - using defines for the added checks
Comment 1 Bugzilla Automation freebsd_committer 2014-12-19 18:08:42 UTC
Maintainers CC'd
Comment 2 Bernard Spil freebsd_committer 2014-12-19 18:20:36 UTC
Created attachment 150785 [details]
Poudriere log of build
Comment 3 Bernard Spil freebsd_committer 2014-12-19 18:20:56 UTC
Committed upstream as
Comment 4 Olli Hauer freebsd_committer 2014-12-19 20:29:53 UTC
Hi Bernhard,

I haven't looked into libressl until now but it is on my task list.

Just some questions (because I haven't tried it until now).
- should libressl also be used to build devel/apr (apache24 shifted parts into apr_crypto_openssl.so)
- does the apache24/Makefile also need some hints to build against libressl
Comment 5 Bernard Spil freebsd_committer 2014-12-19 20:36:14 UTC
Hi Olli,

- No changes required for apr.
- Nothing required in the Makefile to make this work

As this patch still applies cleanly to the tarball, I sent it upstream as well.

This runs on my home-server without problems! As shown below.
(a bit earlier version of the patch that is, no conditional stuff based on configure)

[Mon Dec 15 08:41:28.894919 2014] [mpm_event:notice] [pid 13718:tid 34393318400] AH00489: Apache/2.4.10 (FreeBSD) LibreSSL/2.1 configured -- resuming normal operations
Comment 6 Olli Hauer freebsd_committer 2014-12-19 20:55:39 UTC
I'm just looking into this, but the patch does not apply cleanly on my system.

Found it ...
I have an upstream PR open that I want to commit to the ports tree.

To make sure the config script is regenerated I delete it in post-extract ;)

I will try to rewrite the parts from your patch so it goes into configure.in.
Comment 7 Olli Hauer freebsd_committer 2014-12-19 21:38:00 UTC
My fault, I just have to remove the ./configure part from your patch.

How have you defined libressl as replacement for your poudriere builds?
At the moment I see no way in ports/Mk to overwrite openssl with libressl.
Comment 8 Bernard Spil freebsd_committer 2014-12-20 09:23:49 UTC
Hi Olli,

All you need to build with LibreSSL are these 3 lines in your make.conf

OPENSSL_PORT=         security/libressl
Comment 9 Olli Hauer freebsd_committer 2014-12-20 11:41:17 UTC
Hi Bernhard,

thanks for the hint!

After building a fresh test tree with libressl, the apache24 build stopped with the following error.

From the apache24 build log:

In file included from mod_ssl.c:27:
In file included from ./ssl_private.h:181:
./ssl_util_ssl.h:73:13: error: conflicting types for 'SSL_CTX_use_certificate_chain'
int         SSL_CTX_use_certificate_chain(SSL_CTX *, char *, int, pem_password_cb *);
/usr/local/include/openssl/ssl.h:1548:5: note: previous declaration is here
int     SSL_CTX_use_certificate_chain(SSL_CTX *ctx, void *buf, int len);
1 error generated.
*** Error code 1

To make sure the build is really against libressl I defined an additional build step on a second run.

 ${MV} /usr/include/openssl /usr/include/openssl.base

 ${MV} /usr/include/openssl.base /usr/include/openssl

Will investigate later this evening.
Comment 10 Olli Hauer freebsd_committer 2014-12-20 12:32:42 UTC
Sorry, again my fault.

I lost the acinclude.m4 part in my test build; after fixing my test tree the build looks fine.
Comment 11 Olli Hauer freebsd_committer 2014-12-23 21:22:33 UTC
Hi Bernhard,

I will commit your patch next week together with some other changes to apache24.

Unluckily it seems everyone is busy or there are not so many users subscribed to the apache@ list, so I will commit the changes between Dec. 28-29.

I haven't looked at the apache22 port, perhaps libressl is also a good alternative there for users using apache22 for hosting.
Comment 12 Bernard Spil freebsd_committer 2014-12-24 17:56:06 UTC
See https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=196256 for the Apache 2.2 patch.
Comment 13 Bernard Spil freebsd_committer 2015-01-30 09:01:31 UTC
Created attachment 152367 [details]
Update patches for Apache 2.4.12 incl LibreSSL fixes
Comment 14 Bernard Spil freebsd_committer 2015-01-30 09:02:03 UTC
Created attachment 152368 [details]
Build log of Apache 2.4.12
Comment 15 Olli Hauer freebsd_committer 2015-01-31 14:27:54 UTC
Hi Bernhard,

Since I have some additional patches that haven't made their way into 2.4.12 but are already in trunk, and I have to regenerate configure from configure.in, I will use your old patch; otherwise parts of the new patch will be lost (the one in configure).
Comment 16 commit-hook freebsd_committer 2015-01-31 15:23:35 UTC
A commit references this bug:

Author: ohauer
Date: Sat Jan 31 15:22:59 UTC 2015
New revision: 378215
URL: https://svnweb.freebsd.org/changeset/ports/378215

  - update to 2.4.12

  - change MPM backend from static to dynamic,
    but keep mpm_prefork for compatibility with e.g. php modules
  - install dedicated MPM load file in case httpd was built with modular MPM
  - disable SSLv3 and SSLv2 fallback in sample httpd-ssl-conf
  - use @sample macro instead of EXAMPLESDIR
  - add some SSLCipherSuite examples for OpenSSL >= 1.0.x
  - add libressl support [1]
  - add pkg-install script (to handle new modular MPM build)
  - now build almost all modules, so users using packages don't have
    to run a custom build for missing modules
  - fix suexec mode

  PR:		196139 [1]
  MFH:		2015Q1

Comment 17 Bernard Spil freebsd_committer 2015-02-22 10:27:22 UTC
The commit fixes build with LibreSSL, close!
Comment 18 Bernard Spil freebsd_committer 2015-04-26 09:39:48 UTC
Hi Olli,

Beware that Apache httpd meanwhile has implemented most of these changes.
Need to analyze if that's all of the changes but at least some of the patches will be deprecated with the next httpd release.