virtuoso-opensource: build against openssl 1.1.0
Patch has been created against 6.1.6 to address https://bugs.debian.org/828594 and then forward ported.
Signed-off-by: Sebastian Andrzej Siewior [email protected]
ping
Thank you for your contribution.
Development is looking into this, as we need to make sure that this patch for OpenSSL 1.1.0 does not affect portability of the code using older versions of OpenSSL.
ping
refreshed against current develop/7 branch
Actually, I tried but cannot build this on Debian 9 and OpenSSL 1.1.0f:
```
http.c: In function ‘bif_https_renegotiate’:
http.c:9898:10: error: dereferencing pointer to incomplete type ‘SSL {aka struct ssl_st}’
ssl->state = SSL_ST_ACCEPT;
^~
http.c: In function ‘bif_ftp_log’:
http.c:10822:14: warning: variable ‘day’ set but not used [-Wunused-but-set-variable]
int month, day, year;
^~~
http.c: In function ‘ws_serve_client_connection’:
http.c:10893:7: warning: variable ‘rc’ set but not used [-Wunused-but-set-variable]
int rc = LTE_OK;
^~
http.c: In function ‘soap_mime_tree_ctx’:
http.c:11992:12: warning: variable ‘attrs’ set but not used [-Wunused-but-set-variable]
caddr_t *attrs = NULL, *parts = NULL;
^~~~~
Makefile:1582: recipe for target 'libwi_la-http.lo' failed
make[3]: *** [libwi_la-http.lo] Error 1
make[3]: Leaving directory '/home/klimek/virtuoso-opensource/libsrc/Wi'
Makefile:2970: recipe for target 'install' failed
make[2]: *** [install] Error 2
make[2]: Leaving directory '/home/klimek/virtuoso-opensource/libsrc/Wi'
Makefile:477: recipe for target 'install-recursive' failed
make[1]: *** [install-recursive] Error 1
make[1]: Leaving directory '/home/klimek/virtuoso-opensource/libsrc'
Makefile:633: recipe for target 'install-recursive' failed
make: *** [install-recursive] Error 1
```
On 2017-10-20 10:53:23 [+0000], Jakub Klímek wrote:
> Actually, I tried but cannot build this on Debian 9 and OpenSSL 1.1.0f:
> http.c: In function ‘bif_https_renegotiate’:
> http.c:9898:10: error: dereferencing pointer to incomplete type ‘SSL {aka struct ssl_st}’
> ssl->state = SSL_ST_ACCEPT;
> ^~
I've seen that. I skipped a few new ones since it would take more time and I wasn't sure about the response. This one needs a little more time to investigate because the application should not access / change libssl's state. Do you have an idea why this is there?
Sebastian
@sebastianas I do not have much knowledge of the source code. I just tried compiling it as I am unable to compile Virtuoso normally since I upgraded to OpenSSL 1.1.0 and found out it is still not possible.
No integration of a patch concerning SSL since more than 2 years… vulnerabilities fixed in 1.1.0 :/
@sipi - Patches to OpenSSL 1.0.2r (the latest 1.0.x to date, against which you should be able to build, as documented (last updated explicitly for 1.0.2p)) have addressed at least most of those vulnerabilities fixed in 1.1.0.
Unfortunately, the OpenSSL pages do not make it easy to clearly see what (if any) vulnerabilities which are listed as addressed in 1.1.x remain in (if they impacted at all) 1.0.2r.
If you have specific information or complaint about such, please provide more detail, so we can appropriately raise priority of the 1.1.0 compatibility effort.
@TallTed ok, thanks for this answer. It reassures me. I've no more information about it.
OpenSSL 1.0 will reach end-of-life on 2019-12-31, i.e. less than two months. At this point, it will not receive even security updates anymore, and will be removed from distributions such as Homebrew.
The latest release of virtuoso is not compatible with OpenSSL 1.1. Unless a new release, compatible with OpenSSL 1.1, is shipped before that date, virtuoso will be removed from Homebrew distribution.
Out of 380 packages that depend on OpenSSL in Homebrew, virtuoso is among the 5 remaining ones that have not migrated to the newer OpenSSL.
There is need for an additional patch to top-level configure.ac to remove this code:
```
AC_MSG_CHECKING([OpenSSL version])
AC_TRY_COMPILE([
#include <openssl/opensslv.h>
],[
#ifdef LIBRESSL_VERSION_NUMBER
/* LibreSSL defines OPENSSL_VERSION_NUMBER 0x20000000L but uses a compatible API to OpenSSL v1.0.x */
#elif OPENSSL_VERSION_NUMBER >= 0x1010000fL
#error OpenSSL version too new
#endif
],[
AC_MSG_RESULT([< 1.1.0])
],[
AC_MSG_ERROR([OpenSSL version 1.1.0 or greater is currently not supported.])
])
```
Even with this pull request, and the patch above, compiling against OpenSSL 1.1.0f I get the following error during compilation:
```
Dkernel.c:5166:8: error: use of undeclared identifier 'SSL_PROTOCOL_TLSV1_3'
opt = SSL_PROTOCOL_TLSV1_3;
^
```
And later, this error:
```
http.c:9952:10: error: incomplete definition of type 'struct ssl_st'
ssl->state = SSL_ST_ACCEPT;
~~~^
```
which is fixed by https://github.com/openlink/virtuoso-opensource/commit/a7d1535da44cdf9315644c01b9ae2d2b7e957363
Later, one more issue:
```
xmlenc.c:2318:23: error: incomplete definition of type 'struct evp_pkey_st'
if (pkey && pkey->type == EVP_PKEY_RSA)
~~~~^
/usr/local/opt/[email protected]/include/openssl/ossl_typ.h:93:16: note: forward declaration of 'struct evp_pkey_st'
typedef struct evp_pkey_st EVP_PKEY;
^
xmlenc.c:2319:10: error: incomplete definition of type 'struct evp_pkey_st'
p = pkey->pkey.rsa;
~~~~^
/usr/local/opt/[email protected]/include/openssl/ossl_typ.h:93:16: note: forward declaration of 'struct evp_pkey_st'
typedef struct evp_pkey_st EVP_PKEY;
^
xmlenc.c:2322:25: error: incomplete definition of type 'struct evp_pkey_st'
if (pkkey && pkkey->type == EVP_PKEY_RSA)
~~~~~^
/usr/local/opt/[email protected]/include/openssl/ossl_typ.h:93:16: note: forward declaration of 'struct evp_pkey_st'
typedef struct evp_pkey_st EVP_PKEY;
^
xmlenc.c:2323:11: error: incomplete definition of type 'struct evp_pkey_st'
r = pkkey->pkey.rsa;
~~~~~^
/usr/local/opt/[email protected]/include/openssl/ossl_typ.h:93:16: note: forward declaration of 'struct evp_pkey_st'
typedef struct evp_pkey_st EVP_PKEY;
^
xmlenc.c:7077:22: error: variable has incomplete type 'X509_STORE_CTX' (aka 'struct x509_store_ctx_st')
X509_STORE_CTX store_ctx;
^
/usr/local/opt/[email protected]/include/openssl/ossl_typ.h:128:16: note: forward declaration of 'struct x509_store_ctx_st'
typedef struct x509_store_ctx_st X509_STORE_CTX;
^
xmlenc.c:7652:19: error: incomplete definition of type 'struct x509_store_st'
certs = CA_certs->objs;
~~~~~~~~^
/usr/local/opt/[email protected]/include/openssl/ossl_typ.h:127:16: note: forward declaration of 'struct x509_store_st'
typedef struct x509_store_st X509_STORE;
^
xmlenc.c:7657:14: error: incomplete definition of type 'struct x509_object_st'
if (obj->type == X509_LU_X509)
~~~^
/usr/local/opt/[email protected]/include/openssl/ossl_typ.h:130:16: note: forward declaration of 'struct x509_object_st'
typedef struct x509_object_st X509_OBJECT;
^
xmlenc.c:7659:17: error: incomplete definition of type 'struct x509_object_st'
X509 *x = obj->data.x509;
~~~^
/usr/local/opt/[email protected]/include/openssl/ossl_typ.h:130:16: note: forward declaration of 'struct x509_object_st'
typedef struct x509_object_st X509_OBJECT;
^
```
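An added example, not code from this thread or from the Virtuoso sources: it decodes `OPENSSL_VERSION_NUMBER` values and applies the same threshold as the configure.ac check quoted earlier in the thread, to show which builds that gate stops. The function names and the sample values in `main` are constructed for illustration.

```c
#include <stdio.h>

struct ossl_version { unsigned major, minor, fix; char letter; };

/* Decode OPENSSL_VERSION_NUMBER. Through 1.1.1 the layout is 0xMNNFFPPS
 * (major, minor, fix, patch-letter index, status); from 3.0 it is
 * 0xMNN00PP0, where PP is the numeric patch level. */
static struct ossl_version decode_version(unsigned long v)
{
    struct ossl_version r = { 0, 0, 0, 0 };
    unsigned pp = (unsigned)((v >> 4) & 0xff);

    r.major = (unsigned)((v >> 28) & 0xf);
    r.minor = (unsigned)((v >> 20) & 0xff);
    if (r.major >= 3) {
        r.fix = pp;
    } else {
        r.fix = (unsigned)((v >> 12) & 0xff);
        r.letter = pp ? (char)('a' + pp - 1) : 0;
    }
    return r;
}

/* Same decision as the configure.ac check in the thread: 1 means configure
 * stops with "OpenSSL version 1.1.0 or greater is currently not supported".
 * libressl_defined stands for LIBRESSL_VERSION_NUMBER being defined. */
static int gate_rejects(unsigned long v, int libressl_defined)
{
    if (libressl_defined)
        return 0;               /* LibreSSL branch: accepted whatever the number */
    return v >= 0x1010000fUL;   /* threshold is the 1.1.0 release (status 0xf) */
}

int main(void)
{
    /* Constructed sample inputs: version number, LibreSSL flag. */
    static const struct { unsigned long v; int libressl; } s[] = {
        { 0x1000212fUL, 0 },  /* 1.0.2r */
        { 0x1010006fUL, 0 },  /* 1.1.0f */
        { 0x10100001UL, 0 },  /* 1.1.0 with status nibble 1: below the threshold */
        { 0x20000000UL, 1 },  /* value LibreSSL reports, per the configure comment */
        { 0x30000020UL, 0 },  /* 3.0.2 */
    };
    for (size_t i = 0; i < sizeof s / sizeof s[0]; i++) {
        struct ossl_version d = decode_version(s[i].v);
        printf("0x%08lx -> %u.%u.%u%c  %s\n", s[i].v, d.major, d.minor, d.fix,
               d.letter ? d.letter : ' ', gate_rejects(s[i].v, s[i].libressl) ? "rejected" : "accepted");
    }
    return 0;
}
```

Without the `LIBRESSL_VERSION_NUMBER` branch, `0x20000000` would compare as newer than 1.1.0 and be rejected.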
@sebastianas -- I think this PR has been obviated by relatively recent commits to develop/7 and stable/7 branches.
Please confirm and/or close if you agree.
Virtuoso versions 7.2.6 and newer have been tested against the following versions of OpenSSL/LibreSSL:
- OpenSSL 0.9.8 (deprecated)
- OpenSSL 1.0.0 (deprecated)
- OpenSSL 1.0.1 (deprecated)
- OpenSSL 1.0.2 (still supported on RedHat Enterprise Linux 7.x and other distributions)
- OpenSSL 1.1.0 (out of support)
- OpenSSL 1.1.1 (still supported until 11th September 2023)
- OpenSSL 3.0.2 (current Long Term Support version)
as well as
- LibreSSL 2.x (probably out of support)
- LibreSSL 3.x
Note that while we do support older versions of OpenSSL from a historic point of view, we recommend you use the latest version available on your platform.
We thank everyone that suggested patches or commented in this thread.