The t4 patch

On 19/05/2017 12:27 AM, Amos Jeffries wrote:
On 19/05/17 04:04, Christos Tsantilas wrote:
On 18/05/2017 03:40 PM, Amos Jeffries wrote:
On 18/05/17 23:12, Christos Tsantilas wrote:
+    # check for API functions
+    AC_CHECK_LIB(ssl, SSL_CTX_get0_certificate,
[AC_DEFINE(HAVE_SSL_CTX_GET0_CERTIFICATE, 1, [SSL_CTX_get0_certificate
is available])], [])
+

This bit seems to be correct.

Given the .cc file sequence of macro tests I think we can speed up
./configure a bit by moving the use of
SQUID_CHECK_OPENSSL_GETCERTIFICATE_WORKS into the if-not-found [] path.

eg.

AC_CHECK_LIB(ssl, SSL_CTX_get0_certificate, [
  AC_DEFINE(HAVE_SSL_CTX_GET0_CERTIFICATE, 1, [SSL_CTX_get0_certificate is available])
  ],[
  # check for bugs and hacks in the old OpenSSL API
  SQUID_CHECK_OPENSSL_GETCERTIFICATE_WORKS
  ])

I am attaching a new patch.
In this patch I moved the SQUID_CHECK_OPENSSL_GETCERTIFICATE_WORKS as
you suggested.

But also my last patch was buggy: the AC_CHECK_LIB did not search in
the correct directories for the libssl library.

In this patch I moved the "SQUID_STATE_ROLLBACK(squid_openssl_state)"
line some lines down to have the correct library search path.
Is it ok, or is it better to open a new SQUID_STATE_SAVE/ROLLBACK just
for AC_CHECK_LIB?

Ah. Either moving the check which alters compiler environment above the
existing ROLLBACK, or a new one. It is important the CXXFLAGS and SSLLIB
lines directly above where your patch placed it do not get rolled back.

PS. Finally, this easy-to-fix issue is one more proof that it is
better to not start fixing files involved with this satanic tool
called autoconf!

:-P

Amos

_______________________________________________
squid-dev mailing list
squid-dev@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-dev


Squid crashes when ServerFirst bumping mode is used with OpenSSL-1.1.0 release

When OpenSSL-1.1.0 or later is used:
  - The SQUID_USE_SSLGETCERTIFICATE_HACK configure test is false
  - The SQUID_SSLGETCERTIFICATE_BUGGY configure test is true
  - Squid hits an assert(0) inside Ssl::verifySslCertificate when trying to
    retrieve a generated certificate from cache.

This is a Measurement Factory project

=== modified file 'configure.ac'
--- configure.ac	2017-03-31 18:43:20 +0000
+++ configure.ac	2017-05-19 16:17:18 +0000
@@ -1307,42 +1307,54 @@
       AC_MSG_ERROR([library 'crypto' is required for OpenSSL])
     ],$LIBOPENSSL_LIBS)
     AC_CHECK_LIB(ssl,[SSL_library_init],[LIBOPENSSL_LIBS="-lssl $LIBOPENSSL_LIBS"],[
       AC_MSG_ERROR([library 'ssl' is required for OpenSSL])
     ],$LIBOPENSSL_LIBS)
   ])
 
   # This is a workaround for RedHat 9 brain damage..
   if test -d /usr/kerberos/include -a -f /usr/include/openssl/kssl.h; then
     AC_MSG_NOTICE([OpenSSL depends on Kerberos])
     LIBOPENSSL_LIBS="-L/usr/kerberos/lib $LIBOPENSSL_LIBS"
     CPPFLAGS="$CPPFLAGS -I/usr/kerberos/include"
   fi
   SQUID_STATE_ROLLBACK(squid_openssl_state) #de-pollute LIBS
 
   if test "x$LIBOPENSSL_LIBS" != "x"; then
     CXXFLAGS="$LIBOPENSSL_CFLAGS $CXXFLAGS"
     SSLLIB="$LIBOPENSSL_PATH $LIBOPENSSL_LIBS $SSLLIB"
     AC_DEFINE(USE_OPENSSL,1,[OpenSSL support is available])
 
+    # check for API functions
+    SQUID_STATE_SAVE(check_SSL_CTX_get0_certificate)
+    LIBS="$LIBS $SSLLIB"
+    AC_CHECK_LIB(ssl, SSL_CTX_get0_certificate, [
+      AC_DEFINE(HAVE_SSL_CTX_GET0_CERTIFICATE, 1, [SSL_CTX_get0_certificate is available])
+      ], [
+          missing_SSL_CTX_get0_certificate=yes
+      ])
+    SQUID_STATE_ROLLBACK(check_SSL_CTX_get0_certificate)
+
     # check for other specific broken implementations
-    SQUID_CHECK_OPENSSL_GETCERTIFICATE_WORKS
+    if test "x$missing_SSL_CTX_get0_certificate" = "xyes"; then
+      SQUID_CHECK_OPENSSL_GETCERTIFICATE_WORKS
+    fi
     SQUID_CHECK_OPENSSL_CONST_SSL_METHOD
     SQUID_CHECK_OPENSSL_TXTDB
     SQUID_CHECK_OPENSSL_HELLO_OVERWRITE_HACK
   fi
   if test "x$SSLLIB" = "x"; then
     AC_MSG_ERROR([Required OpenSSL library not found])
   fi
 fi
 AC_MSG_NOTICE([OpenSSL library support: ${with_openssl:=no} ${LIBOPENSSL_PATH} ${LIBOPENSSL_LIBS}])
 AM_CONDITIONAL(ENABLE_SSL,[ test "x$with_openssl" = "xyes" ])
 AC_SUBST(SSLLIB)
 
 dnl User may specify MIT Kerberos is needed from a non-standard location
 AC_ARG_WITH(mit-krb5,
   AS_HELP_STRING([--without-mit-krb5],
 		 [Compile without MIT Kerberos support.]), [
 case "$with_mit_krb5" in
   yes|no)
     : # Nothing special to do here
     ;;
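Review bot: `missing_SSL_CTX_get0_certificate` is assigned only in the not-found branch of the AC_CHECK_LIB, so it should be initialised (e.g. `missing_SSL_CTX_get0_certificate=no`) just before that call; otherwise a value inherited from the caller's environment would make `if test "x$missing_SSL_CTX_get0_certificate" = "xyes"` run SQUID_CHECK_OPENSSL_GETCERTIFICATE_WORKS even when the function was found. The nested SQUID_STATE_SAVE/SQUID_STATE_ROLLBACK pair around the check does keep the CXXFLAGS and SSLLIB assignments above it from being rolled back, which addresses the concern raised earlier in the thread.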

=== modified file 'src/ssl/support.cc'
--- src/ssl/support.cc	2017-04-29 16:19:15 +0000
+++ src/ssl/support.cc	2017-05-18 17:34:46 +0000
@@ -969,43 +969,45 @@
     Security::CertPointer cert;
     Ssl::EVP_PKEY_Pointer pkey;
     if (!readCertAndPrivateKeyFromMemory(cert, pkey, data))
         return false;
 
     if (!cert || !pkey)
         return false;
 
     if (!SSL_use_certificate(ssl, cert.get()))
         return false;
 
     if (!SSL_use_PrivateKey(ssl, pkey.get()))
         return false;
 
     return true;
 }
 
 bool
 Ssl::verifySslCertificate(Security::ContextPointer &ctx, CertificateProperties const &properties)
 {
+#if HAVE_SSL_CTX_GET0_CERTIFICATE
+    X509 * cert = SSL_CTX_get0_certificate(ctx.get());
+#elif SQUID_USE_SSLGETCERTIFICATE_HACK
     // SSL_get_certificate is buggy in openssl versions 1.0.1d and 1.0.1e
     // Try to retrieve certificate directly from Security::ContextPointer object
-#if SQUID_USE_SSLGETCERTIFICATE_HACK
     X509 ***pCert = (X509 ***)ctx->cert;
     X509 * cert = pCert && *pCert ? **pCert : NULL;
 #elif SQUID_SSLGETCERTIFICATE_BUGGY
     X509 * cert = NULL;
     assert(0);
 #else
     // Temporary ssl for getting X509 certificate from SSL_CTX.
     Security::SessionPointer ssl(Security::NewSessionObject(ctx));
     X509 * cert = SSL_get_certificate(ssl.get());
 #endif
     if (!cert)
         return false;
     ASN1_TIME * time_notBefore = X509_get_notBefore(cert);
     ASN1_TIME * time_notAfter = X509_get_notAfter(cert);
     bool ret = (X509_cmp_current_time(time_notBefore) < 0 && X509_cmp_current_time(time_notAfter) > 0);
     if (!ret)
         return false;
 
     return certificateMatchesProperties(cert, properties);
 }
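Review bot: the new `#if HAVE_SSL_CTX_GET0_CERTIFICATE` branch deserves a one-line comment that `SSL_CTX_get0_certificate()` returns a pointer still owned by the SSL_CTX (get0 semantics), so `cert` must not be freed or handed to an owning Security::CertPointer; the code is correct as written, but that ownership rule is what distinguishes this path from the temporary-session `SSL_get_certificate` path below. Ordering this branch first means OpenSSL 1.1.0 no longer reaches the `#elif SQUID_SSLGETCERTIFICATE_BUGGY` `assert(0)`, which is the crash described in the commit message; the `ctx->cert` hack and the assert remain only for the old 1.0.1d/1.0.1e cases named in the comment.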
