On 5/22/2013 6:40 PM, Chris Ross wrote:

On May 22, 2013, at 11:32 , Eliezer Croitoru wrote:
Hey Chris,

Now I remember in a more detailed way that the reason was the crtd and not ssl,
which is another thing.
I didn't use the crtd since there is a bug and also since most users don't
really need it.
OK, so we have the same library and it's not corrupted, but now we know 100%,
once and for all, the source of the problem, which is the crtd and not enable-ssl.
Since this bug was found I have encouraged people to use self-compiled OpenSSL libs
and headers.
I am sorry for the Red Hat team, but they seem to not want an upgrade because last
time it cost them too much pain in many places.

Will it be hard for you to use a custom-made ssl to build squid specifically?
If this is the main issue and we can make it work in a more RPM way, such as
using a good SPEC file to develop a new OpenSSL, I will be more than happy to host
it in order to spare a lot of pain for many people.
Are you up for some of the task?

   In my case, I found a way to work around the problem.  The following unruly patch will
allow it to compile.  I don't think it's a "good" solution, as it's clearly a
bit crude, but it does work for this one case.

----
Index: certificate_db.cc
===================================================================
--- certificate_db.cc   (revision 5213)
+++ certificate_db.cc   (working copy)
@@ -19,6 +19,10 @@
  #include <fcntl.h>
  #endif

+#undef CHECKED_PTR_OF
+#define CHECKED_PTR_OF(type, p) \
+        static_cast<const _STACK*>((void*) (1 ? p : (type*)0))
+
  #define HERE "(ssl_crtd) " << __FILE__ << ':' << __LINE__ << ": "

  Ssl::Lock::Lock(std::string const &aFilename) :
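Review bot: the `#undef`/`#define` of CHECKED_PTR_OF is unconditional and undocumented, so it overrides the OpenSSL header's own definition for every OpenSSL version Squid is ever built against, not just the CentOS one that fails to compile here. At minimum it needs a comment stating which OpenSSL version and which compiler error it works around, and a guard (an `#if` on the OpenSSL version, or a configure-time check) so that builds against an OpenSSL whose headers already compile keep the library's macro. Note also what the replacement does: `(void*) (1 ? p : (type*)0)` followed by `static_cast<const _STACK*>` turns any pointer into a `const _STACK*` via `void*`, so the type relationship between `p` and `type` that the library macro enforces is discarded, and the patch depends on `_STACK`, an OpenSSL-internal name that later releases are free to rename or hide.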
-----
This is a nice and elegant solution; I do not know about the internals, but I do know that if it works it is worth something.

   I post this here so that it will be pulled into the archives and live on.  
I'm not suggesting anyone else use it, specifically.  Use at your own risk.

   I haven't tried experimenting with the ssl_crtd yet, so all I know is that 
it allows it to compile.


   Eliezer, you mention that there is a bug.  What is the bug?  And, it's not 
clear from the documentation or configure help, if you do not use that 
configure option to get this external program, is squid able to perform the 
dynamic SSL cert functionality internally?  If so, I may not need it either.  
But, I did want to try for SSLBump + DynamicSslCert…

                                 - Chris
I haven't compiled squid with ssl-bump (crtd) on CentOS yet, since there wasn't any big demand for that, but I have been considering it for a long time. I can compile squid with static libs, which will take more resources in the RPM and a slightly bigger memory footprint. Since I am the maintainer of the repo I need to consider most of the users, and maybe use another static version specifically for this case on CentOS.

I will probably publish the head version with static libs, which, IF I understood right, should solve the issue in a nicer way rather than forcing the users to compile OpenSSL. (Right?)

Eliezer
