Re: SSL_CTX_use_certificate_chain fallout
On 2014/09/29 14:06, Christian Weisgerber wrote:
> Apache doesn't like the addition of SSL_CTX_use_certificate_chain().
>
> === www/apache-httpd-openbsd
> ../../modules/ssl/ssl_util_ssl.h:119: error: conflicting types for 'SSL_CTX_use_certificate_chain'
> /usr/include/openssl/ssl.h:1533: error: previous declaration of 'SSL_CTX_use_certificate_chain' was here
>
> === www/apache-httpd
> ssl_util_ssl.h:92: error: conflicting types for 'SSL_CTX_use_certificate_chain'
> /usr/include/openssl/ssl.h:1533: error: previous declaration of 'SSL_CTX_use_certificate_chain' was here

We could patch apache, but since they got there first (by more than 10 years) it probably makes more sense to rename in libressl doesn't it? (Obviously a major bump, though).

Re: SSL_CTX_use_certificate_chain fallout
On 2014/09/30 11:20, Stuart Henderson wrote:
> On 2014/09/29 14:06, Christian Weisgerber wrote:
> > Apache doesn't like the addition of SSL_CTX_use_certificate_chain().
> >
> > === www/apache-httpd-openbsd
> > ../../modules/ssl/ssl_util_ssl.h:119: error: conflicting types for 'SSL_CTX_use_certificate_chain'
> > /usr/include/openssl/ssl.h:1533: error: previous declaration of 'SSL_CTX_use_certificate_chain' was here
> >
> > === www/apache-httpd
> > ssl_util_ssl.h:92: error: conflicting types for 'SSL_CTX_use_certificate_chain'
> > /usr/include/openssl/ssl.h:1533: error: previous declaration of 'SSL_CTX_use_certificate_chain' was here
>
> We could patch apache, but since they got there first (by more than 10 years) it probably makes more sense to rename in libressl doesn't it? (Obviously a major bump, though).

Major bump would mean we can remove the get_cipher_by_char symbol (turning the tor problem into a build rather than runtime failure) at the same time.

Or should we just add a few more to the 3 patches to Apache that are already required to build it against libressl and rename it there instead? None of the apache extensions that we have in ports call it (though that probably isn't a very complete set).

(My guess with the naming under the SSL_CTX namespace is that perhaps it's something they might have thought about trying to push upstream to ssleay/openssl.)

Re: SSL_CTX_use_certificate_chain fallout
On Tue, 30 Sep 2014, Stuart Henderson wrote:
> On 2014/09/29 14:06, Christian Weisgerber wrote:
> > Apache doesn't like the addition of SSL_CTX_use_certificate_chain().
> >
> > === www/apache-httpd-openbsd
> > ../../modules/ssl/ssl_util_ssl.h:119: error: conflicting types for 'SSL_CTX_use_certificate_chain'
> > /usr/include/openssl/ssl.h:1533: error: previous declaration of 'SSL_CTX_use_certificate_chain' was here
> >
> > === www/apache-httpd
> > ssl_util_ssl.h:92: error: conflicting types for 'SSL_CTX_use_certificate_chain'
> > /usr/include/openssl/ssl.h:1533: error: previous declaration of 'SSL_CTX_use_certificate_chain' was here
>
> We could patch apache, but since they got there first (by more than 10 years) it probably makes more sense to rename in libressl doesn't it? (Obviously a major bump, though).

It can probably be renamed to SSL_CTX_use_certificate_chain_PEM() - especially since the memory that it loads has to contain PEM encoded certificates... this would match the _ASN1 suffixed functions. Otherwise SSL_CTX_use_certificate_chain_mem() would be another option.

That said, as mentioned on ICB, OpenSSL largely owns the SSL_* and SSL_CTX_* namespace - if you import openssl/ssl.h and then declare your own functions with these prefixes you're pretty much asking for conflicts at some point. The same problem would surface if OpenSSL proper ever added such a function.

Is this the only ports fallout?

--
Action without study is fatal. Study without action is futile.
  -- Mary Ritter Beard

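
Added example (not part of any message in this thread, and not LibreSSL or Apache code): a heuristic Python check for the namespace problem described in the message above. It lists application-declared `SSL_*` functions that already collide with the library header, and those that would collide if the library later added the same name. The header excerpts, their prototypes, and the names `SSL_CTX_hypothetical_helper` and `modssl_load_chain` are constructed for illustration.

```python
import re

# Constructed stand-ins for the two headers; the prototypes are illustrative
# and are not copied from LibreSSL or Apache.
LIBRARY_HEADER = """
/* library: openssl/ssl.h (constructed excerpt) */
SSL_CTX *SSL_CTX_new(const SSL_METHOD *meth);
int SSL_CTX_use_certificate_ASN1(SSL_CTX *ctx, int len, const unsigned char *d);
int SSL_CTX_use_certificate_chain(SSL_CTX *ctx, void *buf, int len);
"""

APP_HEADER = """
/* application: ssl_util_ssl.h (constructed excerpt) */
#include <openssl/ssl.h>
int SSL_CTX_use_certificate_chain(SSL_CTX *, char *, int,
                                  pem_password_cb *);
int SSL_CTX_hypothetical_helper(SSL_CTX *, const char *);
int modssl_load_chain(SSL_CTX *, const char *);  // app-prefixed: no clash
"""

COMMENT = re.compile(r"/\*.*?\*/|//[^\n]*", re.S)
# A name in the library's namespace, then a parameter list, then ';'.
# Heuristic: good enough for plain prototypes, not a C parser.
PROTO = re.compile(r"\b(SSL_\w+)\s*\(([^;{}]*)\)\s*;")


def prototypes(header_text):
    """Map each SSL_* function declared in header_text to its parameter list."""
    text = COMMENT.sub(" ", header_text)
    return {m.group(1): " ".join(m.group(2).split())
            for m in PROTO.finditer(text)}


def namespace_audit(library_text, app_text):
    """Classify the application's SSL_* declarations against the library's."""
    lib = prototypes(library_text)
    app = prototypes(app_text)
    return {
        # Declared by both: a build error as soon as the types differ.
        "collides_now": {n: (lib[n], app[n]) for n in sorted(app) if n in lib},
        # Only the application declares it, but in the library's namespace:
        # breaks the day the library adds a function with that name.
        "latent": sorted(n for n in app if n not in lib),
    }


if __name__ == "__main__":
    report = namespace_audit(LIBRARY_HEADER, APP_HEADER)
    for name, (lib_params, app_params) in report["collides_now"].items():
        print(f"collision: {name}\n  library: ({lib_params})\n  app:     ({app_params})")
    for name in report["latent"]:
        print(f"latent:    {name}")
```
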
Re: SSL_CTX_use_certificate_chain fallout
On Tue, 30 Sep 2014, Stuart Henderson wrote:
> On 2014/09/30 11:20, Stuart Henderson wrote:
> > On 2014/09/29 14:06, Christian Weisgerber wrote:
> > > Apache doesn't like the addition of SSL_CTX_use_certificate_chain().
> > >
> > > === www/apache-httpd-openbsd
> > > ../../modules/ssl/ssl_util_ssl.h:119: error: conflicting types for 'SSL_CTX_use_certificate_chain'
> > > /usr/include/openssl/ssl.h:1533: error: previous declaration of 'SSL_CTX_use_certificate_chain' was here
> > >
> > > === www/apache-httpd
> > > ssl_util_ssl.h:92: error: conflicting types for 'SSL_CTX_use_certificate_chain'
> > > /usr/include/openssl/ssl.h:1533: error: previous declaration of 'SSL_CTX_use_certificate_chain' was here
> >
> > We could patch apache, but since they got there first (by more than 10 years) it probably makes more sense to rename in libressl doesn't it? (Obviously a major bump, though).
>
> Major bump would mean we can remove the get_cipher_by_char symbol (turning the tor problem into a build rather than runtime failure) at the same time.

A major bump is not a big problem - I think there are more changes that can be included, but I'd have to check.

> Or should we just add a few more to the 3 patches to Apache that are already required to build it against libressl and rename it there instead? None of the apache extensions that we have in ports call it (though that probably isn't a very complete set).
>
> (My guess with the naming under the SSL_CTX namespace is that perhaps it's something they might have thought about trying to push upstream to ssleay/openssl.)

It would seem that way, also based on the additional comment in that file.

--
Action without study is fatal. Study without action is futile.
  -- Mary Ritter Beard

Re: SSL_CTX_use_certificate_chain fallout
Joel Sing:
> > === www/apache-httpd-openbsd
> > === www/apache-httpd
>
> Is this the only ports fallout?

Yes.

--
Christian naddy Weisgerber na...@mips.inka.de

Re: SSL_CTX_use_certificate_chain fallout
On 30.09.2014 at 15:39, Christian Weisgerber na...@mips.inka.de wrote:
> Joel Sing:
> > > === www/apache-httpd-openbsd
> > > === www/apache-httpd
> >
> > Is this the only ports fallout?
>
> Yes.

So what about patching these two apache ports instead of LibreSSL?

It is a valid addition to the library and LibreSSL has to handle such API additions at some point.

Reyk

Re: SSL_CTX_use_certificate_chain fallout
On Wed, 1 Oct 2014, Reyk Floeter wrote:
> On 30.09.2014 at 15:39, Christian Weisgerber na...@mips.inka.de wrote:
> > Joel Sing:
> > > > === www/apache-httpd-openbsd
> > > > === www/apache-httpd
> > >
> > > Is this the only ports fallout?
> >
> > Yes.
>
> So what about patching these two apache ports instead of LibreSSL?

I have no objection to this, however we should keep in mind that users of portable LibreSSL are also going to run into this conflict if they try to build Apache mod_ssl...

> It is a valid addition to the library and LibreSSL has to handle such API additions at some point.

Agreed.

--
Action without study is fatal. Study without action is futile.
  -- Mary Ritter Beard