[Pkg-haproxy-maintainers] [PATCH] Add compatibility with OpenSSL 1.1.x

Apollon Oikonomopoulos apoikos at debian.org
Thu Jun 30 12:30:53 UTC 2016


Hi Lukas, Remi,

On 22:22 Tue 26 Jan, Lukas Tribus wrote:
> > Date: Thu, 23 Jul 2015 16:58:51 +0200
> >
> > Hi,
> >
> > A while back, Lukas Tribus mentioned that HAproxy used quite a few
> > OpenSSL internals that were not going to be usable in the 1.1.x branch,
> > and that we would better take a look at it.
> 
> another half year later ... first of all thanks for all this work!!
> 
> 
> FYI some build changes for OpenSSL 1.1.0 since last year are [2]:
> 
> > Deprecated interfaces can now be disabled at build time either relative to
> > the latest release via the "no-deprecated" Configure argument, or via
> > the "--api=1.1.0|1.0.0|0.9.8" option.
> 
> and:
> 
> > Application software can be compiled with -DOPENSSL_API_COMPAT=version
> > to ensure that features deprecated in that version are not exposed.
> 
> 
> So to expose haproxy to the 1.1.0 API, we can compile haproxy with:
> DEFINE="-DOPENSSL_API_COMPAT=0x10100000L"
> 
> 
> But even with all deprecated interfaces still enabled (which is default)
> the API changed and the build breaks (for example due to [6]).
> 
> 
> 
> > This patch tries to make HAproxy compatible with the OpenSSL 1.1.x
> > branch, which is still in development, by using accessors instead of
> > directly using OpenSSL internals when possible, and replacing the use of
> > deprecated functions by the new ones.
> 
> It appears the API changed quite a bit again, so we will probably have
> to go through this again :(
> 
> 
> 
> > There is still some issues left with this patch:
> >
> > - in src/shctx.c, the context size increases because I didn't find a way
> > to alter the session_id_length and sid_ctx_length fields in the same way
> > it was done before ;
> > - in ssl_sock_handshake(), we have now slightly less accurate SSL
> > handshake error messages, because I couldn't find how to retrieve the
> > information contained in (SSL *)conn->xprt_ctx)->packet_length in a
> > clean way ;
> 
> Since your work on this, new accessors have been included, they will
> hopefully help with the new breakages:
> 
> ~/openssl$ git log --oneline --since="Jun 2015" | grep ccessor
> 213f60b Accessor update; fix API, document one.
> 9e5cd4b Add some accessors.
> e79f877 Make EVP_CIPHER opaque and add creator/destructor/accessor/writer functions
> 83b0634 Add accessors and writers for EVP_CIPHER_CTX
> 919ba00 DANE support structures, constructructors and accessors
> f8d7d2d EC_KEY_METHOD accessors.
> cf70b8f modify ecdsatest to use accessor
> 7236e3c Add ECDSA_SIG accessor.
> cc9d665 Have the few apps that accessed EVP_MD directly use accessors instead
> 6e59a89 Adjust all accesses to EVP_MD_CTX to use accessor functions.
> 699f163 Use accessors for X509_print_ex().
> 748118a Add new X509 accessors
> dd332ce Document signature accessors.
> 7880e14 Use accessors in X509_REQ_print().
> 32f5c25 Use accessor functions in X509_CRL_print().
> 1f143e0 New accessor X509_REQ_get_X509_PUBKEY()
> 835911b Additional X509_CRL accessors.
> dc29030 Add accessors for X509_REVOKED.
> a9732d0 Add accessors for request and CRL signatures
> e7451ed EVP_PKEY_METHOD accessor functions.
> ~/openssl$
> 
> 
> 
> > - in ssl_sock_load_ocsp_response(), we still access the certId field
> > from a OCSP_SINGLERESP struct, which is becoming opaque in 1.1. I
> > couldn't find an accessor for this field so I proposed to add one in a
> > pull request to OpenSSL [1].
> 
> Apparently [3] they also want a ticket on their bug tracker, which is
> what I did [4], and your patch is now in master [5].
> 
> So we can assume (OPENSSL_VERSION_NUMBER >= 0x10100000L) that your
> accessor is there.
> 
> Do you think we will need additional accessors?
> 
> 
> First beta (= API freeze) is planned for 3rd March 2016 [7].
> 
> 
> 
> cheers,
> lukas
> 
> 
> [1] https://github.com/openssl/openssl/pull/334
> [2] https://www.openssl.org/news/openssl-1.1.0-notes.html
> [3] http://openssl.org/community/#bugs
> [4] https://rt.openssl.org/Ticket/Display.html?user=guest&pass=guest&id=4251
> [5] https://github.com/openssl/openssl/commit/9e5cd4bac777e27ebcdc9aa411f0a63c27500468
> [6] https://github.com/openssl/openssl/commit/7f572e958b13041056f377a62d3219633cfb1e8a
> [7] https://www.openssl.org/policies/releasestrat.html
> 

I just wanted to revive this thread, since OpenSSL 1.1.0 is apparently 
about to be released. We already have an open bug in Debian[1] about 
HAProxy failing to build against 1.1.0, together with a log of the 
failed build[2].

Cheers,
Apollon

[1] https://bugs.debian.org/828337
[2] https://breakpoint.cc/openssl-1.1-rebuild-2016-05-29/Attempted/haproxy_1.6.5-1_amd64-20160529-1427
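The two numeric gates discussed above, the OPENSSL_VERSION_NUMBER >= 0x10100000L check that decides whether the new accessors can be assumed, and the -DOPENSSL_API_COMPAT value that decides which deprecated functions stay visible, both use OpenSSL's pre-3.0 0xMNNFFPPS encoding. The following C is an added example written for this page, not code from HAProxy, OpenSSL or anyone in the thread: it decodes that encoding, renders it the way OpenSSL prints it, and answers both questions. The ossl_* names and OSSL_1_1_0 constant are hypothetical helpers; the version values fed in are constructed, not read from a real build.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/*
 * Hypothetical helpers (not HAProxy or OpenSSL code) for the pre-3.0
 * OPENSSL_VERSION_NUMBER layout 0xMNNFFPPS:
 *   M  = major, NN = minor, FF = fix,
 *   PP = patch letter (0 = none, 1 = 'a', 2 = 'b', ...),
 *   S  = status (0 = dev, 1..14 = beta/pre N, 15 = release).
 */
#define OSSL_1_1_0 0x10100000L /* first 1.1.0 number: structs become opaque */

struct ossl_version {
    unsigned major, minor, fix, patch, status;
};

struct ossl_version ossl_decode(unsigned long v)
{
    struct ossl_version r;
    r.major  = (unsigned)((v >> 28) & 0xf);
    r.minor  = (unsigned)((v >> 20) & 0xff);
    r.fix    = (unsigned)((v >> 12) & 0xff);
    r.patch  = (unsigned)((v >>  4) & 0xff);
    r.status = (unsigned)(v & 0xf);
    return r;
}

/* Render as "1.0.2h", "1.1.0-dev" or "1.1.0-pre3"; returns length or -1. */
int ossl_format(unsigned long v, char *buf, size_t len)
{
    struct ossl_version r = ossl_decode(v);
    int n = snprintf(buf, len, "%u.%u.%u", r.major, r.minor, r.fix);
    if (n < 0 || (size_t)n >= len)
        return -1;
    size_t pos = (size_t)n;

    if (r.patch) {
        if (r.patch > 26)            /* only single letters handled here */
            return -1;
        n = snprintf(buf + pos, len - pos, "%c", 'a' + (int)r.patch - 1);
        if (n < 0 || (size_t)n >= len - pos)
            return -1;
        pos += (size_t)n;
    }

    if (r.status == 0)
        n = snprintf(buf + pos, len - pos, "-dev");
    else if (r.status < 15)
        n = snprintf(buf + pos, len - pos, "-pre%u", r.status);
    else
        n = 0;                       /* status 15: final release, no suffix */
    if (n < 0 || (size_t)n >= len - pos)
        return -1;
    return (int)(pos + (size_t)n);
}

/* Convenience for checks: does v format to exactly `expected`? */
bool ossl_format_is(unsigned long v, const char *expected)
{
    char buf[32];
    return ossl_format(v, buf, sizeof buf) >= 0 && strcmp(buf, expected) == 0;
}

/* From 1.1.0 on, SSL, SSL_CTX, X509, EVP_* and OCSP_* are opaque: direct
 * struct-member access stops compiling and the new accessors can be assumed. */
bool ossl_needs_accessors(unsigned long v)
{
    return v >= OSSL_1_1_0;
}

/* Mirrors the OPENSSL_API_COMPAT rule quoted in the thread: a symbol that
 * was deprecated in release `deprecated_in` is not exposed when the
 * application is built with OPENSSL_API_COMPAT >= deprecated_in. */
bool ossl_api_compat_hides(unsigned long api_compat, unsigned long deprecated_in)
{
    return api_compat >= deprecated_in;
}

int main(void)
{
    /* Constructed sample values, not taken from any real build. */
    const unsigned long samples[] = { 0x1000208fL, 0x10100000L, 0x10100003L, 0x1010000fL };
    char buf[32];
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        ossl_format(samples[i], buf, sizeof buf);
        printf("0x%08lx = %-12s accessors required: %s\n", samples[i], buf,
               ossl_needs_accessors(samples[i]) ? "yes" : "no");
    }
    printf("-DOPENSSL_API_COMPAT=0x10100000L hides 1.1.0-deprecated symbols: %s\n",
           ossl_api_compat_hides(0x10100000L, OSSL_1_1_0) ? "yes" : "no");
    return 0;
}
```

The same comparison is what a `#if OPENSSL_VERSION_NUMBER >= 0x10100000L` guard performs at preprocessing time; keeping the threshold as a single named constant avoids the off-by-one of testing against the 1.1.0 release number (0x1010000fL) and thereby excluding the betas the thread is building against.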
