Pedro de Oliveira <falsov...@gmail.com> writes:

> Hi,
>
> In the current OpenBSD snapshot of today, it isn't possible to load mod_ssl
> in Apache. This is maybe related to some change made in LibreSSL.
>
> The init script just gives (failed), but I tried to start it with apachectl2

rc.d(8) scripts support a -d flag to show output from the daemon.

> # apachectl2 start
> /usr/local/sbin/httpd2:/usr/local/lib/apache2/mod_ssl.so: undefined symbol
> 'SSLv3_server_method'
> /usr/local/sbin/httpd2:/usr/local/lib/apache2/mod_ssl.so: undefined symbol
> 'SSLv3_client_method'
> httpd2: Syntax error on line 141 of /etc/apache2/httpd2.conf: Cannot load
> /usr/local/lib/apache2/mod_ssl.so into server: Cannot load specified object
>
> I even tried to disable SSLv2 and SSLv3 with
>
> SSLProtocol ALL -SSLv2 -SSLv3
>
>
> But it simply fails on the load of mod_ssl.
>
> If any more info is required please ask me.

Here's a patch that avoids the use of SSLv3 in mod_ssl.so.  If SSLv3 is
the only protocol requested in the config, startup will fail:

[Sun Sep 06 15:44:25.881391 2015] [ssl:emerg] [pid 20104] SSLv3 protocol not available
[Sun Sep 06 15:44:25.882001 2015] [ssl:emerg] [pid 20104] AH02311: Fatal error initialising mod_ssl, exiting. See /var/www/logs/error_log for more information
AH00016: Configuration Failed

This is not enough to warn users who specify "SSLProtocols ... +SSLv3"
in their config that SSLv3 support won't be available, but I don't think
it matters much.  Dunno if this should use APLOGNO(02231) or a custom
one; this question should probably be discussed upstream anyway.

Comments / oks?

Index: Makefile
===================================================================
RCS file: /cvs/ports/www/apache-httpd/Makefile,v
retrieving revision 1.63
diff -u -p -r1.63 Makefile
--- Makefile    18 Jul 2015 20:01:13 -0000      1.63
+++ Makefile    6 Sep 2015 14:00:45 -0000
@@ -11,7 +11,7 @@ PKGNAME-main=         ${PKGNAME}
 FULLPKGNAME-common=    apache-httpd-common-${V}
 FULLPKGPATH-common=    www/apache-httpd,-common
 
-REVISION-main=         1
+REVISION-main=         2
 
 CATEGORIES=            www net
 
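Review bot: REVISION-main goes from 1 to 2 while the -common subpackage keeps its revision, which is only right if mod_ssl.so is packaged in -main; check that PLIST-main (not PLIST-common) carries lib/apache2/mod_ssl.so before committing, otherwise the rebuilt module would ship without a version change for the package that actually contains it.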
Index: patches/patch-modules_ssl_ssl_engine_init_c
===================================================================
RCS file: patches/patch-modules_ssl_ssl_engine_init_c
diff -N patches/patch-modules_ssl_ssl_engine_init_c
--- /dev/null   1 Jan 1970 00:00:00 -0000
+++ patches/patch-modules_ssl_ssl_engine_init_c 6 Sep 2015 14:00:45 -0000
@@ -0,0 +1,23 @@
+$OpenBSD$
+
+Don't attempt to use SSLv3_(client|server)_method, bail out if SSLv3 is
+the only protocol requested.
+
+--- modules/ssl/ssl_engine_init.c.orig Sun Sep  6 15:23:52 2015
++++ modules/ssl/ssl_engine_init.c      Sun Sep  6 15:57:35 2015
+@@ -484,9 +484,15 @@ static apr_status_t ssl_init_ctx_protocol(server_rec *
+                  "Creating new SSL context (protocols: %s)", cp);
+ 
+     if (protocol == SSL_PROTOCOL_SSLV3) {
++#ifndef OPENSSL_NO_SSL3
+         method = mctx->pkp ?
+             SSLv3_client_method() : /* proxy */
+             SSLv3_server_method();  /* server */
++#else
++        ap_log_error(APLOG_MARK, APLOG_EMERG, 0, s,
++            "SSLv3 protocol not available");
++        return ssl_die(s);
++#endif
+     }
+     else if (protocol == SSL_PROTOCOL_TLSV1) {
+         method = mctx->pkp ?
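Review bot: the new ap_log_error() in the #else branch carries no APLOGNO() tag, and the number mentioned in the cover text does not match the log shown above: the output has AH02311, which is the tag ssl_die() prints for its own "Fatal error initialising mod_ssl" line, whereas the text talks about APLOGNO(02231). Upstream httpd assigns one number per distinct message, so neither should be reused for "SSLv3 protocol not available"; leaving the port's message untagged and asking upstream to allocate one, as the cover text suggests, is the right split. The control flow itself is sound: `return ssl_die(s);` matches the apr_status_t return type of ssl_init_ctx_protocol() and exits before the unassigned `method` could be used, and the OPENSSL_NO_SSL3 guard is the macro a libssl built without SSLv3 defines, so the two SSLv3_*_method references that produced the "undefined symbol" errors are dropped from the object entirely.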


-- 
jca | PGP : 0x1524E7EE / 5135 92C1 AD36 5293 2BDF  DDCC 0DFA 74AE 1524 E7EE
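
Added example, not from the thread or from the apache-httpd port: the failure reported above is the runtime linker finding two imports of mod_ssl.so that the installed libssl no longer exports. The same mismatch can be caught before restarting httpd2 by diffing the module's undefined dynamic symbols against the library's defined ones. The function name (missing_symbols) and the nm-style listings below are made up for the example; on a real system the two inputs would come from something like GNU `nm -D -u /usr/local/lib/apache2/mod_ssl.so` and `nm -D --defined-only /usr/lib/libssl.so.*` (assumption: other nm implementations may format the dynamic table differently, so check the columns locally).

```sh
#!/bin/sh
# Added example, not part of the thread or of the apache-httpd port: a
# pre-flight check that compares the dynamic symbols a module imports with
# the symbols the installed libssl exports, so a mismatch such as
# "undefined symbol 'SSLv3_server_method'" is caught before httpd2 is
# restarted. Both nm-style listings below are constructed samples.

# Constructed `nm -D -u` style output for a mod_ssl.so built against headers
# that still declared the SSLv3 method functions.
MODULE_UNDEF='                 U SSL_CTX_new
                 U SSLv3_client_method
                 U SSLv3_server_method
                 U SSLv23_server_method
                 U TLSv1_server_method'

# Constructed `nm -D --defined-only` style output for a libssl built with
# OPENSSL_NO_SSL3 (as LibreSSL is): the SSLv3_*_method symbols are absent.
LIBSSL_DEFINED='0000000000021a40 T SSL_CTX_new
0000000000034d20 T SSLv23_server_method
0000000000034c10 T TLSv1_server_method'

# missing_symbols MODULE_NM LIBRARY_NM
# Prints, sorted and one per line, every symbol the module imports (type U)
# that the library does not define (type T or W). Returns 0 when nothing is
# missing, i.e. the runtime linker would resolve everything, and 1 otherwise.
# Symbol-version suffixes ("name@VER") are stripped so versioned libraries
# compare by bare name.
missing_symbols() {
    missing=$(
        {
            # Tag each line so a single awk pass can tell the tables apart.
            printf '%s\n' "$2" | awk '$2 ~ /^[TW]$/ { sub(/@.*/, "", $3); print "D", $3 }'
            printf '%s\n' "$1" | awk '$1 == "U"     { sub(/@.*/, "", $2); print "U", $2 }'
        } | awk '
            $1 == "D" { have[$2] = 1; next }
            !($2 in have) && !seen[$2]++ { print $2 }
        ' | sort
    )
    [ -z "$missing" ] && return 0
    printf '%s\n' "$missing"
    return 1
}

# Stand-alone run against the constructed samples.
if missing_symbols "$MODULE_UNDEF" "$LIBSSL_DEFINED"; then
    echo "mod_ssl.so: all imported symbols resolvable"
else
    echo "mod_ssl.so would fail to load: symbols above are unresolved" >&2
fi
```

Run against the samples it lists SSLv3_client_method and SSLv3_server_method and exits 1, which is exactly the pair the dynamic loader complained about; fed a libssl listing that still exports them it prints nothing and exits 0. The check is deliberately name-only: it reproduces what ld.so does at load time and says nothing about whether the protocol is a good idea to enable.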
