On Mon, 29 Jan 2024 19:45:27 +0000 Stuart Henderson <s...@spacehopper.org> wrote:
> On 2024/01/29 09:51, giova...@paclan.it wrote: > > On 1/26/24 23:11, Tim wrote: > > > I'm trying to troubleshoot an issue where Chrome/Chromium browsers > > > randomly fail to correctly use SSL against my web server. > > > > > This is a known issue, see > > https://marc.info/?l=openbsd-ports&m=167449054903277&w=2 > > > > > So I am trying to compile and install an apache-http port with OpenSSL 1.1 > > > library instead of LibreSSL. > > > > > > I have managed to compile and install this customer port, however, I > > > don't know if I ultimately succeeded because when it starts it still > > > says this in the log file: > > > > > > [Fri Jan 26 14:02:57.131803 2024] [mpm_prefork:notice] [pid 67010] > > > AH00163: Apache/2.4.58 (Unix) LibreSSL/3.8.2 configured -- resuming > > > normal operations > > > > > > Is this message wrong? Or am I still ending up with an Apache2 > > > compiled against LibreSSL instead of OpenSSL? > > > you can find it by running "ldd /usr/local/lib/apache2/mod_ssl.so". > > That will show the libraries used but not the headers. (It is possible > to compile with openssl libraries but libressl headers - that will cause > problems too). > > I didn't check where httpd gets this version number in the log entry > from, but it can either be a function in one of the libraries > (libssl/libcrypto), or from the opensslv.h header. > > Even if you get apache-httpd built against the correct libraries, some > of the other libraries which it pulls in are built using libressl > libraries. Those will need to be rebuilt using openssl too. This > includes apr-util and curl - but curl is used widely in the ports tree > and you're likely to cause problems for other installed packages if you > change that. > > Basically: building against a non-default version of a widely used > library is a hard problem and really best avoided. > > If your setup is reasonably simple, you may be able to use the > workaround of a single cert with a bunch of additional hostnames in > subjectAltName. In that case, SNI is not needed for the site to work, > and that will almost certainly be the easiest way... > > Another possible approach (untested)... > > Index: patch-modules_ssl_ssl_private_h > =================================================================== > RCS file: > /cvs/ports/www/apache-httpd/patches/patch-modules_ssl_ssl_private_h,v > retrieving revision 1.11 > diff -u -p -r1.11 patch-modules_ssl_ssl_private_h > --- patch-modules_ssl_ssl_private_h 15 Nov 2022 23:14:12 -0000 1.11 > +++ patch-modules_ssl_ssl_private_h 29 Jan 2024 19:44:30 -0000 > @@ -1,6 +1,15 @@ > Index: modules/ssl/ssl_private.h > --- modules/ssl/ssl_private.h.orig > +++ modules/ssl/ssl_private.h > +@@ -217,7 +217,7 @@ > + #endif > + > + /* ALPN Protocol Negotiation */ > +-#if defined(TLSEXT_TYPE_application_layer_protocol_negotiation) > ++#if 0 && defined(TLSEXT_TYPE_application_layer_protocol_negotiation) > + #define HAVE_TLS_ALPN > + #endif > + > @@ -232,9 +232,11 @@ > #define BN_get_rfc3526_prime_4096 get_rfc3526_prime_4096 > #define BN_get_rfc3526_prime_6144 get_rfc3526_prime_6144 > Thank you for looking at this. I will try your suggestion at my earliest opportunity and report back. --TimH