Bug 196139 - www/apache24: Update to 2.4.12 / unbreak build with libressl
Status: Closed FIXED
Alias: None
Product: Ports & Packages
Classification: Unclassified
Component: Individual Port(s)
Version: Latest
Hardware: Any Any
Importance: --- Affects Some People
Assignee: Olli Hauer
Keywords: feature, needs-qa, patch, patch-ready
Reported: 2014-12-19 18:08 UTC by Bernard Spil
Modified: 2015-04-26 09:39 UTC

Attachments
Patch for apache24 to build cleanly with LibreSSL (4.44 KB, patch)
2014-12-19 18:08 UTC, Bernard Spil
Poudriere log of build (393.27 KB, text/x-log)
2014-12-19 18:20 UTC, Bernard Spil
Update patches for Apache 2.4.12 incl LibreSSL fixes (5.94 KB, patch)
2015-01-30 09:01 UTC, Bernard Spil
Build log of Apache 2.4.12 (256.72 KB, text/plain)
2015-01-30 09:02 UTC, Bernard Spil

Description Bernard Spil freebsd_committer 2014-12-19 18:08:42 UTC
Created attachment 150784
Patch for apache24 to build cleanly with LibreSSL

Apache 2.4 (and 2.2) can not be built when LibreSSL is used as SSL library.
LibreSSL has (amongst others)
  - removed RAND_egd
  - removed CHIL engine
  - added SSL_CTX_use_certificate_chain
this leads to build failures for missing and redefining functions. This patch fixes these errors by
  - adding a check for RAND_egd and SSL_CTX_use_certificate_chain
  - using an already available define for CHIL
  - using defines for the added checks
Comment 1 Bugzilla Automation freebsd_committer 2014-12-19 18:08:42 UTC
Maintainers CC'd
Comment 2 Bernard Spil freebsd_committer 2014-12-19 18:20:36 UTC
Created attachment 150785
Poudriere log of build
Comment 3 Bernard Spil freebsd_committer 2014-12-19 18:20:56 UTC
Committed upstream as
https://issues.apache.org/bugzilla/show_bug.cgi?id=57375
Comment 4 Olli Hauer freebsd_committer 2014-12-19 20:29:53 UTC
Hi Bernhard,

I haven't looked into libressl until now but it is on my task list.

Just some questions (because I haven't tried it until now).
- should libressl also be used to build devel/apr (apache24 shifted parts into apr_crypto_openssl.so)?
- does the apache24/Makefile also need some hints to build against libressl?
Comment 5 Bernard Spil freebsd_committer 2014-12-19 20:36:14 UTC
Hi Olli,

- No changes required for apr.
- Nothing required in the Makefile to make this work

As this patch still applies cleanly to the tarball I sent upstream as well.

This runs on my home-server without problems! As shown below.
(a bit earlier version of the patch that is, no conditional stuff based on configure)

[Mon Dec 15 08:41:28.894919 2014] [mpm_event:notice] [pid 13718:tid 34393318400] AH00489: Apache/2.4.10 (FreeBSD) LibreSSL/2.1 configured -- resuming normal operations
Comment 6 Olli Hauer freebsd_committer 2014-12-19 20:55:39 UTC
I'm just looking into this, but the patch does not apply cleanly on my system.

Found it ...
I have an upstream PR open that I want to commit to the ports tree.
https://issues.apache.org/bugzilla/show_bug.cgi?id=53882

To make sure the config script is regenerated I delete it in post-extract ;)

I will try to rewrite the parts from your patch so it goes into configure.in.
Comment 7 Olli Hauer freebsd_committer 2014-12-19 21:38:00 UTC
My fault, I just have to remove the ./configure part from your patch.

How have you defined libressl as replacement for your poudriere builds?
At the moment I see no way in ports/Mk to overwrite openssl with libressl.
Comment 8 Bernard Spil freebsd_committer 2014-12-20 09:23:49 UTC
Hi Olli,

All you need to build with LibreSSL are these 3 lines in your make.conf

WITH_OPENSSL_PORT=    yes
OPENSSL_SHLIBVER=     30
OPENSSL_PORT=         security/libressl
Comment 9 Olli Hauer freebsd_committer 2014-12-20 11:41:17 UTC
Hi Bernhard,

thanks for the hint!

After building a fresh test tree with libressl, the apache24 build stopped with the following error.


From the apache24 build log:

In file included from mod_ssl.c:27:
In file included from ./ssl_private.h:181:
./ssl_util_ssl.h:73:13: error: conflicting types for 'SSL_CTX_use_certificate_chain'
int         SSL_CTX_use_certificate_chain(SSL_CTX *, char *, int, pem_password_cb *);
            ^
/usr/local/include/openssl/ssl.h:1548:5: note: previous declaration is here
int     SSL_CTX_use_certificate_chain(SSL_CTX *ctx, void *buf, int len);
        ^
1 error generated.
*** Error code 1


To make sure the build is really against libressl I defined an additional build step on a second run.

post-extract:
	${MV} /usr/include/openssl /usr/include/openssl.base

pre-install:
	${MV} /usr/include/openssl.base /usr/include/openssl


Will investigate later this evening.
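
Added example (not part of this thread or of the attached patch): a POSIX shell probe for the two questions that come up above, namely which SSL library's headers a build will pick up and which of the functions named in the description those headers declare. The helper names, the HAVE_ macro names (autoconf naming style) and the sample headers are assumptions constructed for illustration; autoconf itself tests by linking, while this probe only reads headers.

```shell
#!/bin/sh
# Added example. Helper and macro names are assumptions (autoconf HAVE_ style),
# not taken from the attached patch. Headers below are constructed samples.

# ssl_flavor INCDIR: print libressl, openssl or unknown for that include dir.
ssl_flavor() {
    hdr="$1/openssl/opensslv.h"
    [ -r "$hdr" ] || { echo unknown; return 0; }
    if grep -Eq '^[[:space:]]*#[[:space:]]*define[[:space:]]+LIBRESSL_VERSION_NUMBER' "$hdr"
    then echo libressl
    else echo openssl
    fi
}

# has_decl INCDIR HEADER SYMBOL: succeed if HEADER declares exactly SYMBOL(...),
# so SSL_CTX_use_certificate_chain_file does not count as a match.
has_decl() {
    grep -Eq "(^|[^A-Za-z0-9_])$3[[:space:]]*\(" "$1/openssl/$2" 2>/dev/null
}

# probe_defines INCDIR: print the -D flags guarded source code would rely on.
probe_defines() {
    flags=""
    has_decl "$1" rand.h RAND_egd && flags="$flags -DHAVE_RAND_EGD"
    has_decl "$1" ssl.h SSL_CTX_use_certificate_chain &&
        flags="$flags -DHAVE_SSL_CTX_USE_CERTIFICATE_CHAIN"
    echo "${flags# }"
}

# make_sample_tree DIR KIND: write constructed headers (grepped, never compiled).
# Version numbers are placeholders, not real release values.
make_sample_tree() {
    mkdir -p "$1/openssl"
    if [ "$2" = libressl ]; then
        echo '#define LIBRESSL_VERSION_NUMBER 0x00000000L' >"$1/openssl/opensslv.h"
        echo 'int RAND_status(void);' >"$1/openssl/rand.h"
        echo 'int SSL_CTX_use_certificate_chain(SSL_CTX *ctx, void *buf, int len);' >"$1/openssl/ssl.h"
    else
        echo '#define OPENSSL_VERSION_NUMBER 0x00000000L' >"$1/openssl/opensslv.h"
        echo 'int RAND_egd(const char *path);' >"$1/openssl/rand.h"
        echo 'int SSL_CTX_use_certificate_chain_file(SSL_CTX *ctx, const char *file);' >"$1/openssl/ssl.h"
    fi
}

# Demo on two constructed include trees.
demo_dir=$(mktemp -d)
for kind in libressl openssl; do
    make_sample_tree "$demo_dir/$kind" "$kind"
    echo "$kind: flavor=$(ssl_flavor "$demo_dir/$kind") defines=$(probe_defines "$demo_dir/$kind")"
done
rm -rf "$demo_dir"
```

Pointing `ssl_flavor` and `probe_defines` at the include directory the compiler actually searches first (for example /usr/local/include versus /usr/include) shows which library a build will see without moving system headers aside.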
Comment 10 Olli Hauer freebsd_committer 2014-12-20 12:32:42 UTC
Sorry, again my fault.

I lost the acinclude.m4 part in my test build; after fixing my test tree, the build looks fine.
Comment 11 Olli Hauer freebsd_committer 2014-12-23 21:22:33 UTC
Hi Bernhard,

I will commit your patch next week together with some other changes to apache24.

Unluckily it seems everyone is busy or there are not so many users subscribed to the apache@ list, so I will commit the changes between Dec. 28-29.

PS:
I haven't looked at the apache22 port, perhaps libressl is also a good alternative there for users using apache22 for hosting.
Comment 12 Bernard Spil freebsd_committer 2014-12-24 17:56:06 UTC
See https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=196256 for the Apache 2.2 patch.
Comment 13 Bernard Spil freebsd_committer 2015-01-30 09:01:31 UTC
Created attachment 152367
Update patches for Apache 2.4.12 incl LibreSSL fixes
Comment 14 Bernard Spil freebsd_committer 2015-01-30 09:02:03 UTC
Created attachment 152368
Build log of Apache 2.4.12
Comment 15 Olli Hauer freebsd_committer 2015-01-31 14:27:54 UTC
Hi Bernhard,

Since I have some additional patches that haven't made their way into 2.4.12 but are already in trunk, and I have to regenerate configure from configure.in, I will use your old patch; otherwise parts of the new patch will be lost (the one in configure).
Comment 16 commit-hook freebsd_committer 2015-01-31 15:23:35 UTC
A commit references this bug:

Author: ohauer
Date: Sat Jan 31 15:22:59 UTC 2015
New revision: 378215
URL: https://svnweb.freebsd.org/changeset/ports/378215

Log:
  - update to 2.4.12

  - change MPM backend from static to dynamic,
    but keep mpm_prefork for compatibility with e.g. php modules
  - install dedicated MPM load file in case httpd was built with modular MPM
    (modules.d/000_mpm_prefork_fallback.conf)
  - disable SSLv3 and SSLv2 fallback in sample httpd-ssl-conf
  - use @sample macro instead EXAMPLESDIR
  - add some SSLCipherSuite examples for OpenSSL >= 1.0.x
  - add libressl support [1]
  - add pkg-install script (to handle new modular MPM build)
  - build now most all modules, so users using packages don't have
    to run a custom build for missing modules
  - fix suexec mode

  PR:		196139 [1]
  MFH:		2015Q1

Changes:
  head/www/apache24/Makefile
  head/www/apache24/Makefile.modules
  head/www/apache24/Makefile.options
  head/www/apache24/Makefile.options.desc
  head/www/apache24/distinfo
  head/www/apache24/files/patch-Makefile.in
  head/www/apache24/files/patch-acinclude.m4
  head/www/apache24/files/patch-config.layout
  head/www/apache24/files/patch-configure.in
  head/www/apache24/files/patch-docs__conf__extra__httpd-autoindex.conf.in
  head/www/apache24/files/patch-docs__conf__extra__httpd-ssl.conf.in
  head/www/apache24/files/patch-docs__conf__extra__httpd-userdir.conf.in
  head/www/apache24/files/patch-docs__conf__httpd.conf.in
  head/www/apache24/files/patch-include__ap_config_auto.h.in
  head/www/apache24/files/patch-modules__ssl__ssl_engine_init.c
  head/www/apache24/files/patch-modules__ssl__ssl_engine_rand.c
  head/www/apache24/files/patch-modules__ssl__ssl_util_ssl.c
  head/www/apache24/files/patch-modules__ssl__ssl_util_ssl.h
  head/www/apache24/files/patch-r1611744-modules__lua__lua_request.c
  head/www/apache24/files/patch-support__Makefile.in
  head/www/apache24/files/patch-support__apachectl.in
  head/www/apache24/files/patch-support__apxs.in
  head/www/apache24/files/patch-support__envvars-std.in
  head/www/apache24/files/patch-support__log_server_status.in
  head/www/apache24/files/pkg-deinstall.in
  head/www/apache24/files/pkg-install.in
  head/www/apache24/pkg-help
  head/www/apache24/pkg-message
  head/www/apache24/pkg-plist
Comment 17 Bernard Spil freebsd_committer 2015-02-22 10:27:22 UTC
The commit fixes build with LibreSSL, close!
Comment 18 Bernard Spil freebsd_committer 2015-04-26 09:39:48 UTC
Hi Olli,

Beware that Apache httpd meanwhile has implemented most of these changes.
https://svn.apache.org/viewvc?view=rev&rev=1673455
https://svn.apache.org/viewvc?view=rev&rev=1674542
https://svn.apache.org/viewvc?view=rev&rev=1675410
https://svn.apache.org/viewvc?view=rev&rev=1673900
Need to analyze if that's all of the changes but at least some of the patches will be deprecated with the next httpd release.