Created attachment 181722
nginx-1.10.3_1.log.xz - Poudriere build log

Using: nginx-1.10.3_1, FreeBSD 11.0-RELEASE-p8.

Building www/nginx and www/nginx-devel fails with LibreSSL. The full log is attached. The relevant section from the log is:

/wrkdirs/usr/ports/www/nginx/work/lua-nginx-module-0.10.7/src/ngx_http_lua_ssl_ocsp.c:493:15: error: no member named 'tlsext_status_expected' in 'struct ssl_st'; did you mean 'tlsext_status_type'?
    ssl_conn->tlsext_status_expected = 1;
              ^~~~~~~~~~~~~~~~~~~~~~
              tlsext_status_type
/usr/local/include/openssl/ssl.h:864:6: note: 'tlsext_status_type' declared here
        int tlsext_status_type;
            ^

(Not sure when this started to fail - it used to build fine if I remember correctly.)
This seems to be a problem with the latest version of LibreSSL (2.5.3) and is also affecting other builds (bug #218637 net/haproxy: build fails with latest LibreSSL).

Given the following mention in the LibreSSL 2.5.3 release notes [1]:

* Moved many leaked implementation details in public structs behind opaque pointers.

I'm assuming there's going to have to be some upstream refactoring/cleanup of projects tickling/reading now-private internal SSL data structures.

1: https://ftp.openbsd.org/pub/OpenBSD/LibreSSL/libressl-2.5.3-relnotes.txt
And see also bug #218590 - mail/qmail-tls: Fix build with LibreSSL 2.5.3
Here are more helpful links regarding the switch to an opaque ssl_conn struct required for compatibility with OpenSSL 1.1.0 (same/similar refactoring as needed for LibreSSL compat):

"Build fails with OpenSSL 1.1"
https://github.com/openresty/lua-nginx-module/issues/757

"Initial OpenSSL 1.1.0 support"
https://github.com/openresty/lua-nginx-module/pull/761

"OpenSSL 1.1.0 support - work in progress"
https://github.com/openresty/lua-nginx-module/pull/922
It builds with the following hack: [root@ne-6 /svr/build/ports/p15devel/www/nginx]# svn diff Index: Makefile =================================================================== --- Makefile (revision 439421) +++ Makefile (working copy) @@ -860,7 +860,8 @@ EXTRA_PATCHES+= ${PATCHDIR}/extra-patch-ngx_http_lua_common.h \ ${PATCHDIR}/extra-patch-ngx_http_lua_headers.c \ ${PATCHDIR}/extra-patch-ngx_http_lua_headers.h \ - ${PATCHDIR}/extra-patch-ngx_http_lua_module.c + ${PATCHDIR}/extra-patch-ngx_http_lua_module.c \ + ${PATCHDIR}/extra-patch-ngx_http_lua_ssl_ocsp.c .endif .if ${PORT_OPTIONS:MMEMC} Index: files/extra-patch-ngx_http_lua_ssl_ocsp.c =================================================================== --- files/extra-patch-ngx_http_lua_ssl_ocsp.c (nonexistent) +++ files/extra-patch-ngx_http_lua_ssl_ocsp.c (working copy) @@ -0,0 +1,11 @@ +--- ../lua-nginx-module-0.10.8/src/ngx_http_lua_ssl_ocsp.c.orig 2017-04-20 11:55:28.869277356 +0200 ++++ ../lua-nginx-module-0.10.8/src/ngx_http_lua_ssl_ocsp.c 2017-04-20 11:54:45.123619437 +0200 +@@ -490,7 +490,7 @@ + + dd("set ocsp resp: resp_len=%d", (int) resp_len); + (void) SSL_set_tlsext_status_ocsp_resp(ssl_conn, p, resp_len); +- ssl_conn->tlsext_status_expected = 1; ++// ssl_conn->tlsext_status_expected = 1; + + return NGX_OK; +
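Review bot: Commenting out "ssl_conn->tlsext_status_expected = 1;" in the ngx_http_lua_ssl_ocsp.c hunk removes the assignment for every SSL library, including OpenSSL builds where the member still exists and the file compiled before. Wrap the line in a preprocessor check on the library (for example on LIBRESSL_VERSION_NUMBER) instead of disabling it outright, and avoid the "//" comment style in a C source file. The function still returns NGX_OK after SSL_set_tlsext_status_ocsp_resp(), so confirm that the OCSP response is still stapled when the flag is not set. The extra patch also names lua-nginx-module-0.10.8, while the failing build log reports lua-nginx-module-0.10.7, so check that it applies in both www/nginx and www/nginx-devel.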
Hi cedric, could you please provide a patch to check the version and product name of the SSL library. Thanks in advance.
Created attachment 182196
Patch.

Hi, could you please try this patch and confirm it works.
Hi Sergey, The test was inverted in your patch. The following works for me though: Index: Makefile =================================================================== --- Makefile (revision 439541) +++ Makefile (working copy) @@ -860,7 +860,8 @@ EXTRA_PATCHES+= ${PATCHDIR}/extra-patch-ngx_http_lua_common.h \ ${PATCHDIR}/extra-patch-ngx_http_lua_headers.c \ ${PATCHDIR}/extra-patch-ngx_http_lua_headers.h \ - ${PATCHDIR}/extra-patch-ngx_http_lua_module.c + ${PATCHDIR}/extra-patch-ngx_http_lua_module.c \ + ${PATCHDIR}/extra-patch-ngx_http_lua_ssl_ocsp.c .endif .if ${PORT_OPTIONS:MMEMC} Index: files/extra-patch-ngx_http_lua_ssl_ocsp.c =================================================================== --- files/extra-patch-ngx_http_lua_ssl_ocsp.c (nonexistent) +++ files/extra-patch-ngx_http_lua_ssl_ocsp.c (working copy) @@ -0,0 +1,12 @@ +--- ../lua-nginx-module-0.10.8/src/ngx_http_lua_ssl_ocsp.c.orig 2017-04-20 11:55:28.869277356 +0200 ++++ ../lua-nginx-module-0.10.8/src/ngx_http_lua_ssl_ocsp.c 2017-04-20 11:54:45.123619437 +0200 +@@ -490,7 +490,9 @@ + + dd("set ocsp resp: resp_len=%d", (int) resp_len); + (void) SSL_set_tlsext_status_ocsp_resp(ssl_conn, p, resp_len); ++#ifndef LIBRESSL_VERSION_NUMBER + ssl_conn->tlsext_status_expected = 1; ++#endif + + return NGX_OK; +
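Review bot: The "#ifndef LIBRESSL_VERSION_NUMBER" guard around "ssl_conn->tlsext_status_expected = 1;" skips the assignment for every LibreSSL release, not only 2.5.3 and later where the build started failing, and it does nothing for OpenSSL 1.1.0, which the linked lua-nginx-module issues say needs the same refactoring. Compare LIBRESSL_VERSION_NUMBER against the 2.5.3 value so older LibreSSL keeps the original behaviour, and add a short comment in the patched source saying why the line is skipped. On LibreSSL the function now returns NGX_OK without setting the flag, so confirm that the response passed to SSL_set_tlsext_status_ocsp_resp() is still stapled.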
Hi cedric, yes, my fault. You're right.
A commit references this bug:

Author: osa
Date: Mon May 1 23:30:04 UTC 2017
New revision: 439916
URL: https://svnweb.freebsd.org/changeset/ports/439916

Log:
  Fix third-party lua-nginx module build with LibreSSL.

  While I'm here clean-up distinfo from the checksums of legacy
  third-party modules.

  Do not bump PORTREVISION.

  PR: 218595

Changes:
  head/www/nginx/Makefile
  head/www/nginx/distinfo
  head/www/nginx/files/extra-patch-ngx_http_lua_ssl_ocsp.c
  head/www/nginx-devel/Makefile
  head/www/nginx-devel/distinfo
  head/www/nginx-devel/files/extra-patch-ngx_http_lua_ssl_ocsp.c
Fixed, thanks for the report.