On Sun, October 30, 2016 6:07 am, Axel Beckert wrote:
> Hi,
>
> Axel Beckert wrote:
>> this has been reported in Debian at https://bugs.debian.org/828611
> [...]
>> OpenSSL 1.1.0 is about to be released. During a rebuild of all packages
>> using OpenSSL this package fails to build. A log of that build can be
>> found at:
>> https://breakpoint.cc/openssl-1.1-rebuild-2016-05-29/Attempted/xymon_4.3.27-1_amd64-20160529-1558
>>
>> On https://wiki.openssl.org/index.php/1.1_API_Changes you can see
>> various of the reasons why it might fail. There are also updated man
>> pages at https://www.openssl.org/docs/manmaster/ that should contain
>> useful information.
>
> While it took quite a while to figure it out, the patch to make it
> compile again against OpenSSL 1.1.0 is surprisingly tiny:
>
> --- a/xymonnet/contest.c > +++ b/xymonnet/contest.c
> @@ -648,7 +648,7 @@ > > certcn = X509_NAME_oneline(X509_get_subject_name(peercert), NULL, 0); > certissuer = X509_NAME_oneline(X509_get_issuer_name(peercert), NULL, 0); > - certsigalg = OBJ_nid2ln(OBJ_obj2nid(peercert->sig_alg->algorithm)); > + certsigalg = OBJ_nid2ln(X509_get_signature_nid(peercert)); > certstart = strdup(xymon_ASN1_UTCTIME(X509_get_notBefore(peercert))); > certend = strdup(xymon_ASN1_UTCTIME(X509_get_notAfter(peercert))); > {
>
> See also
> https://anonscm.debian.org/cgit/collab-maint/xymon.git/tree/debian/patches/81_fix_compilation_with_OpenSSL_1.1+.patch
> https://anonscm.debian.org/cgit/collab-maint/xymon.git/plain/debian/patches/81_fix_compilation_with_OpenSSL_1.1+.patch
>
> I've got one (currently non-productive) Xymon server on a Raspberry Pi
> running(*) Debian Unstable with that patch and xymonnet properly
> reported SSL certificate and https:// URL states so far. So I believe
> that patch is sufficient and working, although I don't have much of an
> idea what it actually does. I took the idea for the patch from here:
> https://github.com/bukka/php-src/commit/0598a8da2bc005b3a0be2801033b5347020f8316#diff-69bad938d17f4283faa5f7fea17fa627L2174
>
> I would be happy if you could integrate the patch into the (probably
> upcoming) 4.3.28 release to allow others to compile Xymon against
> OpenSSL 1.1.0+. (And to spread it further to get more testing. :-)
>
> (*) It's currently running with OpenSSL 1.0.2j though, but that proves
>     that it's at least also backward compatible to 1.0.2. As soon as
>     Debian Unstable switches to OpenSSL 1.1.0b or later, I'll continue
>     to test it with that version.
>
> Regards, Axel
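Review bot: the "+ certsigalg" line calls X509_get_signature_nid() unconditionally, and that accessor only exists from OpenSSL 1.0.2 on, so as written the hunk trades the 1.1.0 build failure for one on 1.0.1 and older. Suggest guarding the new line with #if OPENSSL_VERSION_NUMBER >= 0x10002000L and keeping the old OBJ_obj2nid(peercert->sig_alg->algorithm) form in the #else branch, with a one-line comment saying why the struct member can no longer be dereferenced on 1.1.0.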
Thanks! It seems I missed that back in July.

This looks good. I wrapped it in a version check to hopefully DTRT when it's not present. This does lead to doing the new call between 1.0.2 and <1.1.0, but AFAICT the call itself is nothing more than that anyway... I think.

Committed at https://sourceforge.net/p/xymon/code/7975/

Regards,
-jc