Hi there,
during release testing for 2.4.45 I also built and tested using OpenSSL
3.0.0alpha5 on the server. Overall, first results are pretty good:
- a few deprecation warnings during compilation:
modules/ssl/ssl_engine_config.c:610:5: warning: 'ENGINE_by_id' is deprecated [-Wdeprecated-declarations]
modules/ssl/ssl_engine_config.c:612:9: warning: 'ENGINE_free' is deprecated [-Wdeprecated-declarations]
modules/ssl/ssl_engine_config.c:617:9: warning: 'ENGINE_get_first' is deprecated [-Wdeprecated-declarations]
modules/ssl/ssl_engine_config.c:619:13: warning: 'ENGINE_get_id' is deprecated [-Wdeprecated-declarations]
modules/ssl/ssl_engine_config.c:620:42: warning: 'ENGINE_get_name' is deprecated [-Wdeprecated-declarations]
modules/ssl/ssl_engine_config.c:623:13: warning: 'ENGINE_get_next' is deprecated [-Wdeprecated-declarations]
modules/ssl/ssl_engine_init.c:457:9: warning: 'ENGINE_by_id' is deprecated [-Wdeprecated-declarations]
modules/ssl/ssl_engine_init.c:467:13: warning: 'ENGINE_ctrl' is deprecated [-Wdeprecated-declarations]
modules/ssl/ssl_engine_init.c:471:9: warning: 'ENGINE_set_default' is deprecated [-Wdeprecated-declarations]
modules/ssl/ssl_engine_init.c:482:9: warning: 'ENGINE_free' is deprecated [-Wdeprecated-declarations]
modules/ssl/ssl_engine_kernel.c:2611:9: warning: 'HMAC_Init_ex' is deprecated [-Wdeprecated-declarations]
modules/ssl/ssl_engine_kernel.c:2632:9: warning: 'HMAC_Init_ex' is deprecated [-Wdeprecated-declarations]
modules/ssl/ssl_engine_log.c:90:5: warning: 'ERR_peek_error_line_data' is deprecated [-Wdeprecated-declarations]
modules/ssl/ssl_engine_pphrase.c:856:5: warning: 'ENGINE_by_id' is deprecated [-Wdeprecated-declarations]
modules/ssl/ssl_engine_pphrase.c:864:5: warning: 'ENGINE_init' is deprecated [-Wdeprecated-declarations]
modules/ssl/ssl_engine_pphrase.c:877:9: warning: 'ENGINE_ctrl_cmd_string' is deprecated [-Wdeprecated-declarations]
modules/ssl/ssl_engine_pphrase.c:886:9: warning: 'ENGINE_ctrl_cmd' is deprecated [-Wdeprecated-declarations]
modules/ssl/ssl_engine_pphrase.c:896:5: warning: 'ENGINE_load_private_key' is deprecated [-Wdeprecated-declarations]
modules/ssl/ssl_engine_pphrase.c:904:5: warning: 'ENGINE_finish' is deprecated [-Wdeprecated-declarations]
modules/ssl/ssl_engine_pphrase.c:905:5: warning: 'ENGINE_free' is deprecated [-Wdeprecated-declarations]
- a few const warnings:
modules/ssl/ssl_engine_kernel.c:608:55: warning: passing argument 2 of 'sk_SSL_CIPHER_find' discards 'const' qualifier from pointer target type [-Wdiscarded-qualifiers]
modules/ssl/ssl_engine_kernel.c:627:61: warning: passing argument 2 of 'sk_SSL_CIPHER_find' discards 'const' qualifier from pointer target type [-Wdiscarded-qualifiers]
modules/ssl/ssl_engine_kernel.c:638:57: warning: passing argument 2 of 'sk_SSL_CIPHER_find' discards 'const' qualifier from pointer target type [-Wdiscarded-qualifiers]
modules/ssl/ssl_engine_kernel.c:1039:49: warning: passing argument 2 of 'sk_SSL_CIPHER_find' discards 'const' qualifier from pointer target type [-Wdiscarded-qualifiers]
and unit tests show two problems, one of which will be fixed in OpenSSL itself:
- during unit test preparation, our test script creates a PKCS12 store
with default encoding params. That's known to be broken in alpha5. So
the "-configure" step of "t/TEST" should be run before the actual
testing with a stable version of OpenSSL.
https://github.com/openssl/openssl/pull/12540
https://github.com/openssl/openssl/issues/11672
- independent of OpenSSL 3.0.0: to work around the previous observation
I tried using the env var "APACHE_TEST_OPENSSL_CMD". Unfortunately this
is slightly broken, because it tests for existence using the "which"
function in TestConfig.pm, and that function is broken when used for a
command containing a path component. I temporarily fixed it using:
@@ -1782,6 +1782,11 @@
return undef unless $program;
+ # No need to search PATH components
+ # if $program already contains a path
+ return $program if !OSX and !WINFU and
+ $program =~ /\// and -f $program and -x $program;
+
my @dirs = File::Spec->path();
require Config;
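Review bot: the new early return `return $program if !OSX and !WINFU and $program =~ /\// and -f $program and -x $program;` excludes OSX, although macOS paths also use `/` and the `-f`/`-x` file tests behave the same there, so the guard looks stricter than needed for the APACHE_TEST_OPENSSL_CMD case. Also, when $program contains a `/` but is not an executable file, control falls through to the `File::Spec->path()` search, which cannot find a name with a directory component in any PATH entry; returning undef at that point would make the failure explicit instead of silently searching PATH.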
- when testing with client >= OpenSSL 1.1.0 against 3.0.0alpha5, only
t/ssl/proxy.t shows failures, especially in eat_post but already during
the TLS handshake:
[ssl:info] [pid 9162:tid 140326149928720] [client 127.0.0.1:56312] AH01964: Connection to child 82 established (server localhost:8532)
[ssl:info] [pid 9162:tid 140326166714128] [remote 127.0.0.1:8532] AH02276: Certificate Verification: Error (3): unable to get certificate CRL [subject: emailAddress=test-...@httpd.apache.org,CN=localhost,OU=httpd-test/rsa-test,O=ASF,L=San Francisco,ST=California,C=US / issuer: emailAddress=test-...@httpd.apache.org,CN=ca,OU=httpd-test,O=ASF,L=San Francisco,ST=California,C=US / serial: 0C / notbefore: Jul 30 23:29:05 2020 GMT / notafter: Jul 30 23:29:05 2021 GMT]
[ssl:info] [pid 9162:tid 140326149928720] [client 127.0.0.1:56312] AH02008: SSL library error 1 in handshake (server localhost:8532)
[ssl:info] [pid 9162:tid 140326149928720] SSL Library Error: error:0A000418:SSL routines::tlsv1 alert unknown ca (SSL alert number 48)
[ssl:info] [pid 9162:tid 140326149928720] [client 127.0.0.1:56312] AH01998: Connection closed to child 82 with abortive shutdown (server localhost:8532)
[example_hooks:notice] [pid 9162:tid 140326149928720] x_create_request()
[ssl:info] [pid 9162:tid 140326166714128] [remote 127.0.0.1:8532] AH02003: SSL Proxy connect failed
[ssl:info] [pid 9162:tid 140326166714128] SSL Library Error: error:0A000086:SSL routines::certificate verify failed
[ssl:info] [pid 9162:tid 140326166714128] [remote 127.0.0.1:8532] AH01998: Connection closed to child 0 with abortive shutdown (server localhost:8563)
[ssl:info] [pid 9162:tid 140326166714128] [remote 127.0.0.1:8532] AH01997: SSL handshake failed: sending 502
[proxy:error] [pid 9162:tid 140326166714128] (20014)Internal error (specific information not available): [client 127.0.0.1:49283] AH01084: pass request body failed to [::1]:8532 (localhost)
[proxy:error] [pid 9162:tid 140326166714128] [client 127.0.0.1:49283] AH00898: Error during SSL Handshake with remote server returned by /eat_post
[proxy_http:error] [pid 9162:tid 140326166714128] [client 127.0.0.1:49283] AH01097: pass request body failed to [::1]:8532 (localhost) from 127.0.0.1 ()
- when testing with OpenSSL 0.9.8zh as a client, almost all TLS tests
fail. I guess one would have to load the legacy provider for the server
side OpenSSL to allow handshakes with the old version of TLS supported
by 0.9.8. I have not verified this yet.
Regards,
Rainer
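Reading the proxy.t log excerpt above by thread makes the failure chain explicit: the thread tagged [remote ...] is mod_proxy acting as TLS client towards the backend, and it is the one that rejects the backend certificate (AH02276, "unable to get certificate CRL", then "certificate verify failed"), while the thread tagged [client ...] is the backend server, which only sees the resulting alert 48 ("tlsv1 alert unknown ca"). The following parser is an added example, not part of the original mail or the httpd test framework; it runs over a constructed, single-line-per-entry subset of those log lines (subject/issuer shortened) and groups AH ids and OpenSSL 3.0-style error reasons per thread.

```python
import re
from collections import defaultdict

# Constructed excerpt of the mod_ssl [ssl:info] lines quoted in the report (subject shortened).
SAMPLE_LOG = """\
[ssl:info] [pid 9162:tid 140326149928720] [client 127.0.0.1:56312] AH01964: Connection to child 82 established (server localhost:8532)
[ssl:info] [pid 9162:tid 140326166714128] [remote 127.0.0.1:8532] AH02276: Certificate Verification: Error (3): unable to get certificate CRL [subject: CN=localhost / issuer: CN=ca]
[ssl:info] [pid 9162:tid 140326149928720] [client 127.0.0.1:56312] AH02008: SSL library error 1 in handshake (server localhost:8532)
[ssl:info] [pid 9162:tid 140326149928720] SSL Library Error: error:0A000418:SSL routines::tlsv1 alert unknown ca (SSL alert number 48)
[ssl:info] [pid 9162:tid 140326166714128] [remote 127.0.0.1:8532] AH02003: SSL Proxy connect failed
[ssl:info] [pid 9162:tid 140326166714128] SSL Library Error: error:0A000086:SSL routines::certificate verify failed
[ssl:info] [pid 9162:tid 140326166714128] [remote 127.0.0.1:8532] AH01997: SSL handshake failed: sending 502
"""

# mod_ssl line: [module:level] [pid N:tid N] optionally [client|remote host:port] then the message
LINE_RE = re.compile(
    r"^\[(?P<module>\w+):(?P<level>\w+)\] \[pid (?P<pid>\d+):tid (?P<tid>\d+)\]"
    r"(?: \[(?P<role>client|remote) (?P<peer>[^\]]+)\])? (?P<msg>.*)$"
)
AH_RE = re.compile(r"\b(AH\d{5})\b")
# OpenSSL 3.0 format: error:<8 hex>:<library>:<function, may be empty>:<reason>
ERR_RE = re.compile(r"error:(?P<code>[0-9A-F]{8}):(?P<lib>[^:]*):(?P<func>[^:]*):(?P<reason>[^(]+?)(?: \(|$)")

def parse_line(line):
    """Return a dict for one mod_ssl log entry, or None if the line does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    ah = AH_RE.search(rec["msg"])
    rec["ah"] = ah.group(1) if ah else None
    err = ERR_RE.search(rec["msg"])
    rec["err"] = err.groupdict() if err else None
    return rec

def handshake_failures(text):
    """Group entries per thread and report which TLS side each thread is, with its AH ids and error reasons."""
    by_tid = defaultdict(list)
    for line in text.splitlines():
        rec = parse_line(line)
        if rec:
            by_tid[rec["tid"]].append(rec)
    out = {}
    for tid, recs in by_tid.items():
        role = next((r["role"] for r in recs if r["role"]), None)  # "remote" = proxy acting as client
        reasons = [r["err"]["reason"].strip() for r in recs if r["err"]]
        ah_codes = [r["ah"] for r in recs if r["ah"]]
        out[tid] = {"side": "proxy-client" if role == "remote" else "server", "ah": ah_codes, "reasons": reasons}
    return out
```

For the excerpt this yields "certificate verify failed" with AH02276 on the proxy-client thread and only "tlsv1 alert unknown ca" on the server thread, so the CRL lookup on the proxy side is the place to look, not the backend's handshake.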