Bug#828611: [PATCH] Re: Fwd: Bug#828611: xymon: Fails to build from source with OpenSSL 1.1.0

Sun, 30 Oct 2016 06:09:21 -0700 

Hi,

Axel Beckert wrote:
> this has been reported in Debian at https://bugs.debian.org/828611
[...]
> OpenSSL 1.1.0 is about to released.  During a rebuild of all packages using
> OpenSSL this package fail to build.  A log of that build can be found at:
> https://breakpoint.cc/openssl-1.1-rebuild-2016-05-29/Attempted/xymon_4.3.27-1_amd64-20160529-1558
> 
> On https://wiki.openssl.org/index.php/1.1_API_Changes you can see various of 
> the
> reasons why it might fail.  There are also updated man pages at
> https://www.openssl.org/docs/manmaster/ that should contain useful 
> information.

While it took quite a while to figure it out, the patch to make it
compile again against OpenSSL 1.1.0 is surprisingly tiny:

--- a/xymonnet/contest.c
+++ b/xymonnet/contest.c
@@ -648,7 +648,7 @@
 
        certcn = X509_NAME_oneline(X509_get_subject_name(peercert), NULL, 0);
        certissuer = X509_NAME_oneline(X509_get_issuer_name(peercert), NULL, 0);
-       certsigalg = OBJ_nid2ln(OBJ_obj2nid(peercert->sig_alg->algorithm));
+       certsigalg = OBJ_nid2ln(X509_get_signature_nid(peercert));
        certstart = strdup(xymon_ASN1_UTCTIME(X509_get_notBefore(peercert)));
        certend = strdup(xymon_ASN1_UTCTIME(X509_get_notAfter(peercert)));
        {

See also
https://anonscm.debian.org/cgit/collab-maint/xymon.git/tree/debian/patches/81_fix_compilation_with_OpenSSL_1.1+.patch
https://anonscm.debian.org/cgit/collab-maint/xymon.git/plain/debian/patches/81_fix_compilation_with_OpenSSL_1.1+.patch

I've got one (currently non-productive) Xymon server on a Raspberry Pi
running(*) Debian Unstable with that patch and xymonnet properly
reported SSL certificate and https:// URL states so far. So I believe,
that patch is sufficient and working, despite I have not much of an
idea what it actually does. I took the idea for the patch from here:
https://github.com/bukka/php-src/commit/0598a8da2bc005b3a0be2801033b5347020f8316#diff-69bad938d17f4283faa5f7fea17fa627L2174

I would be happy if you could integrate the patch into the (probably
upcoming) 4.3.28 release to allow others to compile Xymon against
OpenSSL 1.1.0+. (And to spread it further to get more testing. :-)

(*) It's currently running with OpenSSL 1.0.2j though, but that proves
    that it's at least also backward compatible to 1.0.2. As soon as
    Debian Unstable switches to OpenSSL 1.1.0b or later, I'll continue
    to test it with that version.

                Regards, Axel
-- 
 ,''`.  |  Axel Beckert <a...@debian.org>, http://people.debian.org/~abe/
: :' :  |  Debian Developer, ftp.ch.debian.org Admin
`. `'   |  4096R: 2517 B724 C5F6 CA99 5329  6E61 2FF9 CD59 6126 16B5
  `-    |  1024D: F067 EA27 26B9 C3FC 1486  202E C09E 1D89 9593 0EDE

Attachment: signature.asc
Description: Digital signature

Reply via email to