Merge ~sergiodj/ubuntu/+source/apache2:openssl-3-support into ubuntu/+source/apache2:ubuntu/devel

Proposed by Sergio Durigan Junior
Status: Merged
Merge reported by: Sergio Durigan Junior
Merged at revision: 7564cdd51e8656e7c8559291298c94e758bbc4f3
Proposed branch: ~sergiodj/ubuntu/+source/apache2:openssl-3-support
Merge into: ubuntu/+source/apache2:ubuntu/devel
Diff against target: 976 lines (+900/-0)
12 files modified
debian/changelog (+8/-0)
debian/patches/series (+10/-0)
debian/patches/support-openssl3-001.patch (+88/-0)
debian/patches/support-openssl3-002.patch (+345/-0)
debian/patches/support-openssl3-003.patch (+48/-0)
debian/patches/support-openssl3-004.patch (+56/-0)
debian/patches/support-openssl3-005.patch (+121/-0)
debian/patches/support-openssl3-006.patch (+33/-0)
debian/patches/support-openssl3-007.patch (+72/-0)
debian/patches/support-openssl3-008.patch (+29/-0)
debian/patches/support-openssl3-009.patch (+36/-0)
debian/patches/support-openssl3-010.patch (+54/-0)
Reviewers:
  Bryce Harrington (community): Approve
  Canonical Server packageset reviewers: Pending
Review via email: mp+412548@code.launchpad.net

Description of the change

This MP is an attempt to fix apache2's mod-ssl's failures that happen when one starts apache2 with OpenSSL 3 installed.

As I said during our standup a few times, these patches are part of an upstream PR that is still open, so I was monitoring the situation to see what upstream would decide. There is a possible regression/user-visible change that was detected during the tests performed by upstream (in Fedora):

===
With r1890067 (9eb262f) enabling the OpenSSL auto-DH-parameter selection overrides user-supplied DH parameters which are now ignored. This is not necessary for OpenSSL 1.1 (which that patch affects) and is only removing a "deprecated" function so not strictly necessary for 3.0 either. Need to ponder this one.
===

There was also a problem with one of the functions exported by OpenSSL 3 and used by mod_ssl, which has been reported and fixed by OpenSSL upstream:

https://github.com/openssl/openssl/issues/15946

I checked and the fix is present in our copy of OpenSSL, so we're fine in this regard.

Either way, I think it should be safe enough for us to backport the patches from the upstream PR so that we have an apache2 that builds and works fine with mod_ssl + OpenSSL 3. I'm also subscribed to the PR, so if there are any changes there it should be pretty quick to bring them to Ubuntu.

For this change, I created a bileto ticket here:

https://bileto.ubuntu.com/#/ticket/4726

with a corresponding PPA here:

https://launchpad.net/~ci-train-ppa-service/+archive/ubuntu/4726/+packages

autopkgtest is back to normal:

autopkgtest [17:08:19]: @@@@@@@@@@@@@@@@@@@@ summary
run-test-suite PASS
duplicate-module-load PASS
htcacheclean PASS
default-mods PASS
ssl-passphrase PASS
check-http2 PASS
chroot PASS

It's important to mention that bileto also ran autopkgtest against apache2 and its dependencies; you will see a bunch of results here:

https://autopkgtest.ubuntu.com/results/autopkgtest-jammy-ci-train-ppa-service-4726/?format=plain

The problem is that -proposed wasn't enabled when running the tests, which means that they will be listed as failures. I didn't know how to retrigger them automatically with '&all-proposed=1', so I didn't.

All in all, I think the pros outweigh the cons here and I believe it's worth backporting these patches in order to unblock OpenSSL 3, squid and possibly other dependencies in -proposed.

Bryce Harrington (bryce) wrote :

Thanks for tackling this, looks like you've researched the situation quite thoroughly. I've verified the builds all look good in the PPA, and it builds fine for me locally as well. The autopkgtest failures (https://bileto.ubuntu.com/excuses/4726/jammy.html) surprised me, but I can believe that it just needs -proposed enabled.

I am planning on tackling the merge for apache2 at some point here, so it would be great to get this MP landed, and thus agree the pros outweigh the cons. When I do get to the merge, that will be an additional checkpoint where we can see where things sit upstream and to make any necessary corrections, and in the immediate term this will help with the openssl 3.0 transition.

LGTM, +1

review: Approve
Bryce Harrington (bryce) wrote :

(Sorry, seems Launchpad auto-added me to the canonical-server slot; if possible please re-add that as I seem to not be able to do that.)

Sergio Durigan Junior (sergiodj) wrote :

On Tuesday, November 30 2021, Bryce Harrington wrote:

> Thanks for tackling this, looks like you've researched the situation
> quite thoroughly. I've verified the builds all look good in the PPA,
> and it builds fine for me locally as well. The autopkgtest failures
> (https://bileto.ubuntu.com/excuses/4726/jammy.html) surprised me, but
> I can believe that it just needs -proposed enabled.

Thanks for the review, Bryce.

Yeah, the autopkgtest failures are happening because they're not running
against -proposed, which triggers a failure when trying to install
openssl3 into the testbed. I'm not expecting these tests to fail when
we run them with the right openssl trigger.

> I am planning on tackling the merge for apache2 at some point here, so
> it would be great to get this MP landed, and thus agree the pros
> outweigh the cons. When I do get to the merge, that will be an
> additional checkpoint where we can see where things sit upstream and
> to make any necessary corrections, and in the immediate term this will
> help with the openssl 3.0 transition.

Yeah. I don't know when upstream plans to merge that PR, nor when they
intend to release a new 2.4.x version with the fix included, so I'm not
expecting us to be able to get this change through upstream and drop the
delta. We may need to revisit these patches when we merge apache2 and
check if upstream has fixed/changed something in them; I will leave a
message in the apache2 merge bug as a reminder.

Uploaded:

$ dput apache2_2.4.48-3.1ubuntu4_source.changes
Trying to upload package to ubuntu
Checking signature on .changes
gpg: /home/sergio/work/apache2/apache2_2.4.48-3.1ubuntu4_source.changes: Valid signature from 106DA1C8C3CBBF14
Checking signature on .dsc
gpg: /home/sergio/work/apache2/apache2_2.4.48-3.1ubuntu4.dsc: Valid signature from 106DA1C8C3CBBF14
Uploading to ubuntu (via ftp to upload.ubuntu.com):
  Uploading apache2_2.4.48-3.1ubuntu4.dsc: done.
  Uploading apache2_2.4.48-3.1ubuntu4.debian.tar.xz: done.
  Uploading apache2_2.4.48-3.1ubuntu4_source.buildinfo: done.
  Uploading apache2_2.4.48-3.1ubuntu4_source.changes: done.
Successfully uploaded packages.

Thanks,

--
Sergio
GPG key ID: E92F D0B3 6B14 F1F4 D8E0 EB2F 106D A1C8 C3CB BF14

Preview Diff

diff --git a/debian/changelog b/debian/changelog
index 0dbb7c5..1aefacb 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,11 @@
1apache2 (2.4.48-3.1ubuntu4) jammy; urgency=medium
2
3 * d/p/support-openssl3-*.patch: Backport various patches from
4 https://github.com/apache/httpd/pull/258 in order to fix mod_ssl's
5 failure to load when using OpenSSL 3. (LP: #1951476)
6
7 -- Sergio Durigan Junior <sergio.durigan@canonical.com> Fri, 26 Nov 2021 16:07:56 -0500
8
1apache2 (2.4.48-3.1ubuntu3) impish; urgency=medium9apache2 (2.4.48-3.1ubuntu3) impish; urgency=medium
210
3 * SECURITY REGRESSION: Issues in UDS URIs (LP: #1945311)11 * SECURITY REGRESSION: Issues in UDS URIs (LP: #1945311)
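Review bot: the changelog entry should mention the behaviour change the MP description already flags: support-openssl3-005.patch switches builds against OpenSSL 1.1+ to SSL_CTX_set_dh_auto(ctx, 1), and the description quotes upstream's finding that this makes OpenSSL ignore user-supplied DH parameters. A line such as "Custom DH parameters appended to the certificate file are no longer honoured with OpenSSL >= 1.1" next to the LP: #1951476 reference would tell administrators what to expect after the upgrade.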
diff --git a/debian/patches/series b/debian/patches/series
index 149e28d..0b07ccb 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -19,3 +19,13 @@ CVE-2021-40438.patch
19CVE-2021-33193.patch19CVE-2021-33193.patch
20CVE-2021-40438-2.patch20CVE-2021-40438-2.patch
21CVE-2021-40438-3.patch21CVE-2021-40438-3.patch
22support-openssl3-001.patch
23support-openssl3-002.patch
24support-openssl3-003.patch
25support-openssl3-004.patch
26support-openssl3-005.patch
27support-openssl3-006.patch
28support-openssl3-007.patch
29support-openssl3-008.patch
30support-openssl3-009.patch
31support-openssl3-010.patch
diff --git a/debian/patches/support-openssl3-001.patch b/debian/patches/support-openssl3-001.patch
new file mode 100644
index 0000000..d7d386d
--- /dev/null
+++ b/debian/patches/support-openssl3-001.patch
@@ -0,0 +1,88 @@
1From: Joe Orton <jorton@redhat.com>
2Date: Mon, 26 Jul 2021 12:23:24 +0100
3Subject: add some log messages and AP_DEBUG_ASSERTs for functions that should
4 never be called
5
6Submitted by: sf
7
8
9Forwarded: yes, https://github.com/apache/httpd/pull/258
10Bug-Ubuntu: https://bugs.launchpad.net/ubuntu/+source/apache2/+bug/1951476
11---
12 modules/ssl/ssl_engine_io.c | 28 ++++++++++++++++++++++++++++
13 1 file changed, 28 insertions(+)
14
15diff --git a/modules/ssl/ssl_engine_io.c b/modules/ssl/ssl_engine_io.c
16index cabf753..ed9db54 100644
17--- a/modules/ssl/ssl_engine_io.c
18+++ b/modules/ssl/ssl_engine_io.c
19@@ -194,6 +194,10 @@ static int bio_filter_destroy(BIO *bio)
20 static int bio_filter_out_read(BIO *bio, char *out, int outl)
21 {
22 /* this is never called */
23+ bio_filter_out_ctx_t *outctx = (bio_filter_out_ctx_t *)(bio->ptr);
24+ ap_log_cerror(APLOG_MARK, APLOG_TRACE1, 0, outctx->c,
25+ "BUG: %s() should not be called", "bio_filter_out_read");
26+ AP_DEBUG_ASSERT(0);
27 return -1;
28 }
29
30@@ -293,12 +297,20 @@ static long bio_filter_out_ctrl(BIO *bio, int cmd, long num, void *ptr)
31 static int bio_filter_out_gets(BIO *bio, char *buf, int size)
32 {
33 /* this is never called */
34+ bio_filter_out_ctx_t *outctx = (bio_filter_out_ctx_t *)(bio->ptr);
35+ ap_log_cerror(APLOG_MARK, APLOG_TRACE1, 0, outctx->c,
36+ "BUG: %s() should not be called", "bio_filter_out_gets");
37+ AP_DEBUG_ASSERT(0);
38 return -1;
39 }
40
41 static int bio_filter_out_puts(BIO *bio, const char *str)
42 {
43 /* this is never called */
44+ bio_filter_out_ctx_t *outctx = (bio_filter_out_ctx_t *)(bio->ptr);
45+ ap_log_cerror(APLOG_MARK, APLOG_TRACE1, 0, outctx->c,
46+ "BUG: %s() should not be called", "bio_filter_out_puts");
47+ AP_DEBUG_ASSERT(0);
48 return -1;
49 }
50
51@@ -533,21 +545,37 @@ static int bio_filter_in_read(BIO *bio, char *in, int inlen)
52
53 static int bio_filter_in_write(BIO *bio, const char *in, int inl)
54 {
55+ bio_filter_in_ctx_t *inctx = (bio_filter_in_ctx_t *)(bio->ptr);
56+ ap_log_cerror(APLOG_MARK, APLOG_TRACE1, 0, inctx->f->c,
57+ "BUG: %s() should not be called", "bio_filter_in_write");
58+ AP_DEBUG_ASSERT(0);
59 return -1;
60 }
61
62 static int bio_filter_in_puts(BIO *bio, const char *str)
63 {
64+ bio_filter_in_ctx_t *inctx = (bio_filter_in_ctx_t *)(bio->ptr);
65+ ap_log_cerror(APLOG_MARK, APLOG_TRACE1, 0, inctx->f->c,
66+ "BUG: %s() should not be called", "bio_filter_in_puts");
67+ AP_DEBUG_ASSERT(0);
68 return -1;
69 }
70
71 static int bio_filter_in_gets(BIO *bio, char *buf, int size)
72 {
73+ bio_filter_in_ctx_t *inctx = (bio_filter_in_ctx_t *)(bio->ptr);
74+ ap_log_cerror(APLOG_MARK, APLOG_TRACE1, 0, inctx->f->c,
75+ "BUG: %s() should not be called", "bio_filter_in_gets");
76+ AP_DEBUG_ASSERT(0);
77 return -1;
78 }
79
80 static long bio_filter_in_ctrl(BIO *bio, int cmd, long num, void *ptr)
81 {
82+ bio_filter_in_ctx_t *inctx = (bio_filter_in_ctx_t *)(bio->ptr);
83+ ap_log_cerror(APLOG_MARK, APLOG_TRACE1, 0, inctx->f->c,
84+ "BUG: %s() should not be called", "bio_filter_in_ctrl");
85+ AP_DEBUG_ASSERT(0);
86 return -1;
87 }
88
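Review bot: all seven new log sites read the BIO's private data through `bio->ptr` directly (e.g. `bio_filter_out_ctx_t *outctx = (bio_filter_out_ctx_t *)(bio->ptr);`), but the BIO structure is opaque from OpenSSL 1.1.0 onwards, and patch 002 in this same series changes only the bio_filter_in_ctrl() copy to `BIO_get_data(bio)` while leaving the other six as `bio->ptr`. Unless one of patches 007-010 (not shown in this preview) does the same, the remaining sites should use `BIO_get_data(bio)` as well, both for consistency with 002 and so the code does not depend on struct internals.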
diff --git a/debian/patches/support-openssl3-002.patch b/debian/patches/support-openssl3-002.patch
new file mode 100644
index 0000000..3a56106
--- /dev/null
+++ b/debian/patches/support-openssl3-002.patch
@@ -0,0 +1,345 @@
1From: Joe Orton <jorton@redhat.com>
2Date: Mon, 26 Jul 2021 12:24:24 +0100
3Subject: mod_ssl: add compatibility with OpenSSL 3.0.0
4
5Wrappers around deprecated API:
6* X509_STORE_load_locations() => modssl_X509_STORE_load_locations(),
7* CTX_load_verify_locations() => modssl_CTX_load_verify_locations(),
8* ERR_peek_error_line_data() => modssl_ERR_peek_error_data(),
9* DH_bits(dh) => BN_num_bits(DH_get0_p(dh)).
10
11Provide a compatible version of ssl_callback_SessionTicket() which does not
12use the deprecated HMAC_CTX and HMAC_Init_ex(), replaced by EVP_MAC_CTX and
13EVP_MAC_CTX_set_params() respectively. This requires adapting struct
14modssl_ticket_key_t to replace hmac_secret[] with OSSL_PARAM mac_params[],
15created once at load time still.
16The callback is registered by SSL_CTX_set_tlsext_ticket_key_evp_cb() instead
17of SSL_CTX_set_tlsext_ticket_key_cb().
18
19Since BIO_eof() may now be called openssl-3 state machine, the never-called
20assertion in bio_filter_in_ctrl() does not hold anymore, and we have to
21handle BIO_CTRL_EOF. For any other cmd, we continue to AP_DEBUG_ASSERT(0) and
22log an error, yet the return value is changed from -1 to 0 which is the usual
23unhandled value.
24
25Note that OpenSSL 3.0.0 is still in alpha stage as of now, the API shouldn't
26change though, neither breakage to 1.x.x API.
27
28Submitted by: ylavic
29
30
31Forwarded: yes, https://github.com/apache/httpd/pull/258
32Bug-Ubuntu: https://bugs.launchpad.net/ubuntu/+source/apache2/+bug/1951476
33---
34 modules/ssl/ssl_engine_init.c | 76 ++++++++++++++++++++++++++++++++---------
35 modules/ssl/ssl_engine_io.c | 17 ++++++---
36 modules/ssl/ssl_engine_kernel.c | 22 ++++++++++--
37 modules/ssl/ssl_engine_log.c | 12 ++++++-
38 modules/ssl/ssl_private.h | 19 +++++++++--
39 5 files changed, 120 insertions(+), 26 deletions(-)
40
41diff --git a/modules/ssl/ssl_engine_init.c b/modules/ssl/ssl_engine_init.c
42index 4da24ed..eb41e7f 100644
43--- a/modules/ssl/ssl_engine_init.c
44+++ b/modules/ssl/ssl_engine_init.c
45@@ -843,6 +843,23 @@ static void ssl_init_ctx_callbacks(server_rec *s,
46 #endif
47 }
48
49+static APR_INLINE
50+int modssl_CTX_load_verify_locations(SSL_CTX *ctx,
51+ const char *file,
52+ const char *path)
53+{
54+#if OPENSSL_VERSION_NUMBER < 0x30000000L
55+ if (!SSL_CTX_load_verify_locations(ctx, file, path))
56+ return 0;
57+#else
58+ if (file && !SSL_CTX_load_verify_file(ctx, file))
59+ return 0;
60+ if (path && !SSL_CTX_load_verify_dir(ctx, path))
61+ return 0;
62+#endif
63+ return 1;
64+}
65+
66 static apr_status_t ssl_init_ctx_verify(server_rec *s,
67 apr_pool_t *p,
68 apr_pool_t *ptemp,
69@@ -883,10 +900,8 @@ static apr_status_t ssl_init_ctx_verify(server_rec *s,
70 ap_log_error(APLOG_MARK, APLOG_TRACE1, 0, s,
71 "Configuring client authentication");
72
73- if (!SSL_CTX_load_verify_locations(ctx,
74- mctx->auth.ca_cert_file,
75- mctx->auth.ca_cert_path))
76- {
77+ if (!modssl_CTX_load_verify_locations(ctx, mctx->auth.ca_cert_file,
78+ mctx->auth.ca_cert_path)) {
79 ap_log_error(APLOG_MARK, APLOG_EMERG, 0, s, APLOGNO(01895)
80 "Unable to configure verify locations "
81 "for client authentication");
82@@ -971,6 +986,23 @@ static apr_status_t ssl_init_ctx_cipher_suite(server_rec *s,
83 return APR_SUCCESS;
84 }
85
86+static APR_INLINE
87+int modssl_X509_STORE_load_locations(X509_STORE *store,
88+ const char *file,
89+ const char *path)
90+{
91+#if OPENSSL_VERSION_NUMBER < 0x30000000L
92+ if (!X509_STORE_load_locations(store, file, path))
93+ return 0;
94+#else
95+ if (file && !X509_STORE_load_file(store, file))
96+ return 0;
97+ if (path && !X509_STORE_load_path(store, path))
98+ return 0;
99+#endif
100+ return 1;
101+}
102+
103 static apr_status_t ssl_init_ctx_crl(server_rec *s,
104 apr_pool_t *p,
105 apr_pool_t *ptemp,
106@@ -1009,8 +1041,8 @@ static apr_status_t ssl_init_ctx_crl(server_rec *s,
107 ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s, APLOGNO(01900)
108 "Configuring certificate revocation facility");
109
110- if (!store || !X509_STORE_load_locations(store, mctx->crl_file,
111- mctx->crl_path)) {
112+ if (!store || modssl_X509_STORE_load_locations(store, mctx->crl_file,
113+ mctx->crl_path)) {
114 ap_log_error(APLOG_MARK, APLOG_EMERG, 0, s, APLOGNO(01901)
115 "Host %s: unable to configure X.509 CRL storage "
116 "for certificate revocation", mctx->sc->vhost_id);
117@@ -1249,7 +1281,7 @@ static apr_status_t ssl_init_server_certs(server_rec *s,
118 const char *vhost_id = mctx->sc->vhost_id, *key_id, *certfile, *keyfile;
119 int i;
120 X509 *cert;
121- DH *dhparams;
122+ DH *dh;
123 #ifdef HAVE_ECC
124 EC_GROUP *ecparams = NULL;
125 int nid;
126@@ -1434,12 +1466,12 @@ static apr_status_t ssl_init_server_certs(server_rec *s,
127 */
128 certfile = APR_ARRAY_IDX(mctx->pks->cert_files, 0, const char *);
129 if (certfile && !modssl_is_engine_id(certfile)
130- && (dhparams = ssl_dh_GetParamFromFile(certfile))) {
131- SSL_CTX_set_tmp_dh(mctx->ssl_ctx, dhparams);
132+ && (dh = ssl_dh_GetParamFromFile(certfile))) {
133+ SSL_CTX_set_tmp_dh(mctx->ssl_ctx, dh);
134 ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s, APLOGNO(02540)
135 "Custom DH parameters (%d bits) for %s loaded from %s",
136- DH_bits(dhparams), vhost_id, certfile);
137- DH_free(dhparams);
138+ BN_num_bits(DH_get0_p(dh)), vhost_id, certfile);
139+ DH_free(dh);
140 }
141
142 #ifdef HAVE_ECC
143@@ -1490,6 +1522,7 @@ static apr_status_t ssl_init_ticket_key(server_rec *s,
144 char buf[TLSEXT_TICKET_KEY_LEN];
145 char *path;
146 modssl_ticket_key_t *ticket_key = mctx->ticket_key;
147+ int res;
148
149 if (!ticket_key->file_path) {
150 return APR_SUCCESS;
151@@ -1517,11 +1550,22 @@ static apr_status_t ssl_init_ticket_key(server_rec *s,
152 }
153
154 memcpy(ticket_key->key_name, buf, 16);
155- memcpy(ticket_key->hmac_secret, buf + 16, 16);
156 memcpy(ticket_key->aes_key, buf + 32, 16);
157-
158- if (!SSL_CTX_set_tlsext_ticket_key_cb(mctx->ssl_ctx,
159- ssl_callback_SessionTicket)) {
160+#if OPENSSL_VERSION_NUMBER < 0x30000000L
161+ memcpy(ticket_key->hmac_secret, buf + 16, 16);
162+ res = SSL_CTX_set_tlsext_ticket_key_cb(mctx->ssl_ctx,
163+ ssl_callback_SessionTicket);
164+#else
165+ ticket_key->mac_params[0] =
166+ OSSL_PARAM_construct_octet_string(OSSL_MAC_PARAM_KEY, buf + 16, 16);
167+ ticket_key->mac_params[1] =
168+ OSSL_PARAM_construct_utf8_string(OSSL_MAC_PARAM_DIGEST, "sha256", 0);
169+ ticket_key->mac_params[2] =
170+ OSSL_PARAM_construct_end();
171+ res = SSL_CTX_set_tlsext_ticket_key_evp_cb(mctx->ssl_ctx,
172+ ssl_callback_SessionTicket);
173+#endif
174+ if (!res) {
175 ap_log_error(APLOG_MARK, APLOG_EMERG, 0, s, APLOGNO(01913)
176 "Unable to initialize TLS session ticket key callback "
177 "(incompatible OpenSSL version?)");
178@@ -1652,7 +1696,7 @@ static apr_status_t ssl_init_proxy_certs(server_rec *s,
179 return ssl_die(s);
180 }
181
182- X509_STORE_load_locations(store, pkp->ca_cert_file, NULL);
183+ modssl_X509_STORE_load_locations(store, pkp->ca_cert_file, NULL);
184
185 for (n = 0; n < ncerts; n++) {
186 int i;
187diff --git a/modules/ssl/ssl_engine_io.c b/modules/ssl/ssl_engine_io.c
188index ed9db54..f7e5cfc 100644
189--- a/modules/ssl/ssl_engine_io.c
190+++ b/modules/ssl/ssl_engine_io.c
191@@ -572,11 +572,20 @@ static int bio_filter_in_gets(BIO *bio, char *buf, int size)
192
193 static long bio_filter_in_ctrl(BIO *bio, int cmd, long num, void *ptr)
194 {
195- bio_filter_in_ctx_t *inctx = (bio_filter_in_ctx_t *)(bio->ptr);
196+ bio_filter_in_ctx_t *inctx = (bio_filter_in_ctx_t *)BIO_get_data(bio);
197+ switch (cmd) {
198+#ifdef BIO_CTRL_EOF
199+ case BIO_CTRL_EOF:
200+ return inctx->rc == APR_EOF;
201+#endif
202+ default:
203+ break;
204+ }
205 ap_log_cerror(APLOG_MARK, APLOG_TRACE1, 0, inctx->f->c,
206- "BUG: %s() should not be called", "bio_filter_in_ctrl");
207+ "BUG: bio_filter_in_ctrl() should not be called with cmd=%i",
208+ cmd);
209 AP_DEBUG_ASSERT(0);
210- return -1;
211+ return 0;
212 }
213
214 #if MODSSL_USE_OPENSSL_PRE_1_1_API
215@@ -601,7 +610,7 @@ static BIO_METHOD bio_filter_in_method = {
216 bio_filter_in_read,
217 bio_filter_in_puts, /* puts is never called */
218 bio_filter_in_gets, /* gets is never called */
219- bio_filter_in_ctrl, /* ctrl is never called */
220+ bio_filter_in_ctrl, /* ctrl is called for EOF check */
221 bio_filter_create,
222 bio_filter_destroy,
223 NULL
224diff --git a/modules/ssl/ssl_engine_kernel.c b/modules/ssl/ssl_engine_kernel.c
225index b99dcf1..f2d49ad 100644
226--- a/modules/ssl/ssl_engine_kernel.c
227+++ b/modules/ssl/ssl_engine_kernel.c
228@@ -2614,7 +2614,11 @@ int ssl_callback_SessionTicket(SSL *ssl,
229 unsigned char *keyname,
230 unsigned char *iv,
231 EVP_CIPHER_CTX *cipher_ctx,
232- HMAC_CTX *hctx,
233+#if OPENSSL_VERSION_NUMBER < 0x30000000L
234+ HMAC_CTX *hmac_ctx,
235+#else
236+ EVP_MAC_CTX *mac_ctx,
237+#endif
238 int mode)
239 {
240 conn_rec *c = (conn_rec *)SSL_get_app_data(ssl);
241@@ -2641,7 +2645,13 @@ int ssl_callback_SessionTicket(SSL *ssl,
242 }
243 EVP_EncryptInit_ex(cipher_ctx, EVP_aes_128_cbc(), NULL,
244 ticket_key->aes_key, iv);
245- HMAC_Init_ex(hctx, ticket_key->hmac_secret, 16, tlsext_tick_md(), NULL);
246+
247+#if OPENSSL_VERSION_NUMBER < 0x30000000L
248+ HMAC_Init_ex(hmac_ctx, ticket_key->hmac_secret, 16,
249+ tlsext_tick_md(), NULL);
250+#else
251+ EVP_MAC_CTX_set_params(mac_ctx, ticket_key->mac_params);
252+#endif
253
254 ap_log_cerror(APLOG_MARK, APLOG_DEBUG, 0, c, APLOGNO(02289)
255 "TLS session ticket key for %s successfully set, "
256@@ -2662,7 +2672,13 @@ int ssl_callback_SessionTicket(SSL *ssl,
257
258 EVP_DecryptInit_ex(cipher_ctx, EVP_aes_128_cbc(), NULL,
259 ticket_key->aes_key, iv);
260- HMAC_Init_ex(hctx, ticket_key->hmac_secret, 16, tlsext_tick_md(), NULL);
261+
262+#if OPENSSL_VERSION_NUMBER < 0x30000000L
263+ HMAC_Init_ex(hmac_ctx, ticket_key->hmac_secret, 16,
264+ tlsext_tick_md(), NULL);
265+#else
266+ EVP_MAC_CTX_set_params(mac_ctx, ticket_key->mac_params);
267+#endif
268
269 ap_log_cerror(APLOG_MARK, APLOG_DEBUG, 0, c, APLOGNO(02290)
270 "TLS session ticket key for %s successfully set, "
271diff --git a/modules/ssl/ssl_engine_log.c b/modules/ssl/ssl_engine_log.c
272index 7dbbbdb..3b3ceac 100644
273--- a/modules/ssl/ssl_engine_log.c
274+++ b/modules/ssl/ssl_engine_log.c
275@@ -78,6 +78,16 @@ apr_status_t ssl_die(server_rec *s)
276 return APR_EGENERAL;
277 }
278
279+static APR_INLINE
280+unsigned long modssl_ERR_peek_error_data(const char **data, int *flags)
281+{
282+#if OPENSSL_VERSION_NUMBER < 0x30000000L
283+ return ERR_peek_error_line_data(NULL, NULL, data, flags);
284+#else
285+ return ERR_peek_error_data(data, flags);
286+#endif
287+}
288+
289 /*
290 * Prints the SSL library error information.
291 */
292@@ -87,7 +97,7 @@ void ssl_log_ssl_error(const char *file, int line, int level, server_rec *s)
293 const char *data;
294 int flags;
295
296- while ((e = ERR_peek_error_line_data(NULL, NULL, &data, &flags))) {
297+ while ((e = modssl_ERR_peek_error_data(&data, &flags))) {
298 const char *annotation;
299 char err[256];
300
301diff --git a/modules/ssl/ssl_private.h b/modules/ssl/ssl_private.h
302index a6fc751..71d658c 100644
303--- a/modules/ssl/ssl_private.h
304+++ b/modules/ssl/ssl_private.h
305@@ -89,6 +89,9 @@
306 /* must be defined before including ssl.h */
307 #define OPENSSL_NO_SSL_INTERN
308 #endif
309+#if OPENSSL_VERSION_NUMBER >= 0x30000000
310+#include <openssl/core_names.h>
311+#endif
312 #include <openssl/ssl.h>
313 #include <openssl/err.h>
314 #include <openssl/x509.h>
315@@ -674,7 +677,11 @@ typedef struct {
316 typedef struct {
317 const char *file_path;
318 unsigned char key_name[16];
319+#if OPENSSL_VERSION_NUMBER < 0x30000000L
320 unsigned char hmac_secret[16];
321+#else
322+ OSSL_PARAM mac_params[3];
323+#endif
324 unsigned char aes_key[16];
325 } modssl_ticket_key_t;
326 #endif
327@@ -938,8 +945,16 @@ int ssl_callback_ServerNameIndication(SSL *, int *, modssl_ctx_t *);
328 int ssl_callback_ClientHello(SSL *, int *, void *);
329 #endif
330 #ifdef HAVE_TLS_SESSION_TICKETS
331-int ssl_callback_SessionTicket(SSL *, unsigned char *, unsigned char *,
332- EVP_CIPHER_CTX *, HMAC_CTX *, int);
333+int ssl_callback_SessionTicket(SSL *ssl,
334+ unsigned char *keyname,
335+ unsigned char *iv,
336+ EVP_CIPHER_CTX *cipher_ctx,
337+#if OPENSSL_VERSION_NUMBER < 0x30000000L
338+ HMAC_CTX *hmac_ctx,
339+#else
340+ EVP_MAC_CTX *mac_ctx,
341+#endif
342+ int mode);
343 #endif
344
345 #ifdef HAVE_TLS_ALPN
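Review bot: the ssl_init_ctx_crl() hunk drops the negation: `- if (!store || !X509_STORE_load_locations(store, mctx->crl_file,` becomes `+ if (!store || modssl_X509_STORE_load_locations(store, mctx->crl_file,`, so a successfully loaded CRL now takes the APLOGNO(01901) error path and a CRL that fails to load is silently accepted, i.e. revocation checking is disabled exactly when the CRL cannot be read. It should be `!modssl_X509_STORE_load_locations(...)`. Second, in the 3.0 branch of ssl_init_ticket_key(), `OSSL_PARAM_construct_octet_string(OSSL_MAC_PARAM_KEY, buf + 16, 16)` stores a pointer into the local `char buf[TLSEXT_TICKET_KEY_LEN]`, which is gone once the function returns, while ssl_callback_SessionTicket() applies `ticket_key->mac_params` at handshake time; keep the `memcpy` into a persistent `hmac_secret` field for 3.0 too and point the OSSL_PARAM at that. Minor: the new `#if OPENSSL_VERSION_NUMBER >= 0x30000000` in ssl_private.h lacks the `L` suffix used by every other version check in the series.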
diff --git a/debian/patches/support-openssl3-003.patch b/debian/patches/support-openssl3-003.patch
new file mode 100644
index 0000000..06906a9
--- /dev/null
+++ b/debian/patches/support-openssl3-003.patch
@@ -0,0 +1,48 @@
1From: Joe Orton <jorton@redhat.com>
2Date: Mon, 26 Jul 2021 12:24:27 +0100
3Subject: mod_ssl: follow up to r1876934: wrap DH_bits()
4
5DH_get0_p() seems to be undefined for some openssl versions, so it can't
6be used to implement DH_bits() generically.
7
8Add new a modssl_DH_bits() wrapper to call DH_bits() for openssl < 3,
9and BN_num_bits(DH_get0_p(dh)) otherwise.
10
11Submitted by: ylavic
12
13
14Forwarded: yes, https://github.com/apache/httpd/pull/258
15Bug-Ubuntu: https://bugs.launchpad.net/ubuntu/+source/apache2/+bug/1951476
16---
17 modules/ssl/ssl_engine_init.c | 11 ++++++++++-
18 1 file changed, 10 insertions(+), 1 deletion(-)
19
20diff --git a/modules/ssl/ssl_engine_init.c b/modules/ssl/ssl_engine_init.c
21index eb41e7f..a2da916 100644
22--- a/modules/ssl/ssl_engine_init.c
23+++ b/modules/ssl/ssl_engine_init.c
24@@ -1271,6 +1271,15 @@ static int ssl_no_passwd_prompt_cb(char *buf, int size, int rwflag,
25 return 0;
26 }
27
28+static APR_INLINE int modssl_DH_bits(DH *dh)
29+{
30+#if OPENSSL_VERSION_NUMBER < 0x30000000L
31+ return DH_bits(dh);
32+#else
33+ return BN_num_bits(DH_get0_p(dh));
34+#endif
35+}
36+
37 static apr_status_t ssl_init_server_certs(server_rec *s,
38 apr_pool_t *p,
39 apr_pool_t *ptemp,
40@@ -1470,7 +1479,7 @@ static apr_status_t ssl_init_server_certs(server_rec *s,
41 SSL_CTX_set_tmp_dh(mctx->ssl_ctx, dh);
42 ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s, APLOGNO(02540)
43 "Custom DH parameters (%d bits) for %s loaded from %s",
44- BN_num_bits(DH_get0_p(dh)), vhost_id, certfile);
45+ modssl_DH_bits(dh), vhost_id, certfile);
46 DH_free(dh);
47 }
48
diff --git a/debian/patches/support-openssl3-004.patch b/debian/patches/support-openssl3-004.patch
new file mode 100644
index 0000000..5566eaf
--- /dev/null
+++ b/debian/patches/support-openssl3-004.patch
@@ -0,0 +1,56 @@
1From: Joe Orton <jorton@redhat.com>
2Date: Mon, 26 Jul 2021 12:24:46 +0100
3Subject: * modules/ssl/ssl_engine_init.c (ssl_init_server_certs): Fix use of
4 encrypted private keys with OpenSSL 3.0.
5
6* test/travis_run_linux.sh: For TEST_SSL, test loading encrypted
7 private keys.
8
9Github: closes #{197}
10
11Submitted by: jorton
12
13
14Forwarded: yes, https://github.com/apache/httpd/pull/258
15Bug-Ubuntu: https://bugs.launchpad.net/ubuntu/+source/apache2/+bug/1951476
16---
17 modules/ssl/ssl_engine_init.c | 19 +++++++++++++++++--
18 1 file changed, 17 insertions(+), 2 deletions(-)
19
20diff --git a/modules/ssl/ssl_engine_init.c b/modules/ssl/ssl_engine_init.c
21index a2da916..2f3a120 100644
22--- a/modules/ssl/ssl_engine_init.c
23+++ b/modules/ssl/ssl_engine_init.c
24@@ -1280,6 +1280,22 @@ static APR_INLINE int modssl_DH_bits(DH *dh)
25 #endif
26 }
27
28+/* SSL_CTX_use_PrivateKey_file() can fail either because the private
29+ * key was encrypted, or due to a mismatch between an already-loaded
30+ * cert and the key - a common misconfiguration - from calling
31+ * X509_check_private_key(). This macro is passed the last error code
32+ * off the OpenSSL stack and evaluates to true only for the first
33+ * case. With OpenSSL < 3 the second case is identifiable by the
34+ * function code, but function codes are not used from 3.0. */
35+#if OPENSSL_VERSION_NUMBER < 0x30000000L
36+#define CHECK_PRIVKEY_ERROR(ec) (ERR_GET_FUNC(ec) != X509_F_X509_CHECK_PRIVATE_KEY)
37+#else
38+#define CHECK_PRIVKEY_ERROR(ec) (ERR_GET_LIB != ERR_LIB_X509 \
39+ || (ERR_GET_REASON(ec) != X509_R_KEY_TYPE_MISMATCH \
40+ && ERR_GET_REASON(ec) != X509_R_KEY_VALUES_MISMATCH \
41+ && ERR_GET_REASON(ec) != X509_R_UNKNOWN_KEY_TYPE))
42+#endif
43+
44 static apr_status_t ssl_init_server_certs(server_rec *s,
45 apr_pool_t *p,
46 apr_pool_t *ptemp,
47@@ -1385,8 +1401,7 @@ static apr_status_t ssl_init_server_certs(server_rec *s,
48 }
49 else if ((SSL_CTX_use_PrivateKey_file(mctx->ssl_ctx, keyfile,
50 SSL_FILETYPE_PEM) < 1)
51- && (ERR_GET_FUNC(ERR_peek_last_error())
52- != X509_F_X509_CHECK_PRIVATE_KEY)) {
53+ && CHECK_PRIVKEY_ERROR(ERR_peek_last_error())) {
54 ssl_asn1_t *asn1;
55 const unsigned char *ptr;
56
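Review bot: in the OpenSSL 3.0 branch, `#define CHECK_PRIVKEY_ERROR(ec) (ERR_GET_LIB != ERR_LIB_X509 \` is missing the argument and should read `ERR_GET_LIB(ec) != ERR_LIB_X509`. As written it compares the address of ERR_GET_LIB (an inline function in 3.0) with an integer, which is always true, so the macro never evaluates to false and a certificate/key mismatch is handled as an encrypted-key failure, the very misconfiguration the comment above the macro says it wants to tell apart. Worth checking that the PPA build only warned here rather than failed, since a warning would explain why it went unnoticed.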
diff --git a/debian/patches/support-openssl3-005.patch b/debian/patches/support-openssl3-005.patch
new file mode 100644
index 0000000..5c6ebe8
--- /dev/null
+++ b/debian/patches/support-openssl3-005.patch
@@ -0,0 +1,121 @@
1From: Joe Orton <jorton@redhat.com>
2Date: Mon, 26 Jul 2021 12:25:36 +0100
3Subject: mod_ssl: Switch to using OpenSSL's automatic internal DH parameter
4 generation from OpenSSL 1.1.0 and later. The SSL_set_tmp_dh_callback() API
5 is deprecated from OpenSSL 3.0 onwards. Should not be a user-visible change
6 (except mod_ssl gets smaller).
7
8* modules/ssl/ssl_private.h,
9 modules/ssl/ssl_engine_kernel.c,
10 modules/ssl/ssl_engine_init.c (ssl_init_ctx_callbacks):
11 Drop internal DH parameter generation and callback for OpenSSL 1.1+,
12 use SSL_CTX_set_dh_auto(, 1) instead.
13
14Github: closes #188
15Reviewed by: rpluem
16
17Submitted by: jorton
18
19
20Forwarded: yes, https://github.com/apache/httpd/pull/258
21Bug-Ubuntu: https://bugs.launchpad.net/ubuntu/+source/apache2/+bug/1951476
22---
23 modules/ssl/ssl_engine_init.c | 14 ++++++++++----
24 modules/ssl/ssl_engine_kernel.c | 2 ++
25 modules/ssl/ssl_private.h | 2 ++
26 3 files changed, 14 insertions(+), 4 deletions(-)
27
28diff --git a/modules/ssl/ssl_engine_init.c b/modules/ssl/ssl_engine_init.c
29index 2f3a120..d0ef4ba 100644
30--- a/modules/ssl/ssl_engine_init.c
31+++ b/modules/ssl/ssl_engine_init.c
32@@ -91,7 +91,6 @@ static int DH_set0_pqg(DH *dh, BIGNUM *p, BIGNUM *q, BIGNUM *g)
33
34 return 1;
35 }
36-#endif
37
38 /*
39 * Grab well-defined DH parameters from OpenSSL, see the BN_get_rfc*
40@@ -171,6 +170,7 @@ DH *modssl_get_dh_params(unsigned keylen)
41
42 return NULL; /* impossible to reach. */
43 }
44+#endif
45
46 static void ssl_add_version_components(apr_pool_t *ptemp, apr_pool_t *pconf,
47 server_rec *s)
48@@ -440,8 +440,9 @@ apr_status_t ssl_init_Module(apr_pool_t *p, apr_pool_t *plog,
49
50 modssl_init_app_data2_idx(); /* for modssl_get_app_data2() at request time */
51
52+#if MODSSL_USE_OPENSSL_PRE_1_1_API
53 init_dh_params();
54-#if !MODSSL_USE_OPENSSL_PRE_1_1_API
55+#else
56 init_bio_methods();
57 #endif
58
59@@ -834,7 +835,11 @@ static void ssl_init_ctx_callbacks(server_rec *s,
60 {
61 SSL_CTX *ctx = mctx->ssl_ctx;
62
63+#if MODSSL_USE_OPENSSL_PRE_1_1_API
64 SSL_CTX_set_tmp_dh_callback(ctx, ssl_callback_TmpDH);
65+#else
66+ SSL_CTX_set_dh_auto(ctx, 1);
67+#endif
68
69 SSL_CTX_set_info_callback(ctx, ssl_callback_Info);
70
71@@ -2317,10 +2322,11 @@ apr_status_t ssl_init_ModuleKill(void *data)
72
73 }
74
75-#if !MODSSL_USE_OPENSSL_PRE_1_1_API
76+#if MODSSL_USE_OPENSSL_PRE_1_1_API
77+ free_dh_params();
78+#else
79 free_bio_methods();
80 #endif
81- free_dh_params();
82
83 return APR_SUCCESS;
84 }
85diff --git a/modules/ssl/ssl_engine_kernel.c b/modules/ssl/ssl_engine_kernel.c
86index f2d49ad..aced92d 100644
87--- a/modules/ssl/ssl_engine_kernel.c
88+++ b/modules/ssl/ssl_engine_kernel.c
89@@ -1685,6 +1685,7 @@ const authz_provider ssl_authz_provider_verify_client =
90 ** _________________________________________________________________
91 */
92
93+#if MODSSL_USE_OPENSSL_PRE_1_1_API
94 /*
95 * Hand out standard DH parameters, based on the authentication strength
96 */
97@@ -1730,6 +1731,7 @@ DH *ssl_callback_TmpDH(SSL *ssl, int export, int keylen)
98
99 return modssl_get_dh_params(keylen);
100 }
101+#endif
102
103 /*
104 * This OpenSSL callback function is called when OpenSSL
105diff --git a/modules/ssl/ssl_private.h b/modules/ssl/ssl_private.h
106index 71d658c..b74d956 100644
107--- a/modules/ssl/ssl_private.h
108+++ b/modules/ssl/ssl_private.h
109@@ -1127,10 +1127,12 @@ void ssl_init_ocsp_certificates(server_rec *s, modssl_ctx_t *mctx);
110
111 #endif
112
113+#if MODSSL_USE_OPENSSL_PRE_1_1_API
114 /* Retrieve DH parameters for given key length. Return value should
115 * be treated as unmutable, since it is stored in process-global
116 * memory. */
117 DH *modssl_get_dh_params(unsigned keylen);
118+#endif
119
120 /* Returns non-zero if the request was made over SSL/TLS. If sslconn
121 * is non-NULL and the request is using SSL/TLS, sets *sslconn to the
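Review bot: guarding the `modssl_get_dh_params()` prototype matches its definition being guarded in ssl_engine_init.c; the same treatment is missing for the `ssl_callback_TmpDH()` prototype even though its definition in ssl_engine_kernel.c is now under `MODSSL_USE_OPENSSL_PRE_1_1_API` too, so either guard it here as well or confirm the dangling declaration is acceptable. Minor, pre-existing: `unmutable` in the retained comment should read `immutable`.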
diff --git a/debian/patches/support-openssl3-006.patch b/debian/patches/support-openssl3-006.patch
0new file mode 100644122new file mode 100644
index 0000000..33e0c1f
--- /dev/null
+++ b/debian/patches/support-openssl3-006.patch
@@ -0,0 +1,33 @@
1From: Joe Orton <jorton@redhat.com>
2Date: Mon, 26 Jul 2021 12:29:32 +0100
3Subject: fix build with LibreSSL [Yann Ylavic] Github issue #188
4
5Submitted by: gbechis
6
7
8Forwarded: yes, https://github.com/apache/httpd/pull/258
9Bug-Ubuntu: https://bugs.launchpad.net/ubuntu/+source/apache2/+bug/1951476
10---
11 modules/ssl/ssl_private.h | 5 ++---
12 1 file changed, 2 insertions(+), 3 deletions(-)
13
14diff --git a/modules/ssl/ssl_private.h b/modules/ssl/ssl_private.h
15index b74d956..b091c58 100644
16--- a/modules/ssl/ssl_private.h
17+++ b/modules/ssl/ssl_private.h
18@@ -137,13 +137,12 @@
19 SSL_CTX_ctrl(ctx, SSL_CTRL_SET_MIN_PROTO_VERSION, version, NULL)
20 #define SSL_CTX_set_max_proto_version(ctx, version) \
21 SSL_CTX_ctrl(ctx, SSL_CTRL_SET_MAX_PROTO_VERSION, version, NULL)
22-#elif LIBRESSL_VERSION_NUMBER < 0x2070000f
23+#endif /* LIBRESSL_VERSION_NUMBER < 0x2060000f */
24 /* LibreSSL before 2.7 declares OPENSSL_VERSION_NUMBER == 2.0 but does not
25 * include most changes from OpenSSL >= 1.1 (new functions, macros,
26 * deprecations, ...), so we have to work around this...
27 */
28-#define MODSSL_USE_OPENSSL_PRE_1_1_API (1)
29-#endif /* LIBRESSL_VERSION_NUMBER < 0x2060000f */
30+#define MODSSL_USE_OPENSSL_PRE_1_1_API (LIBRESSL_VERSION_NUMBER < 0x2070000f)
31 #else /* defined(LIBRESSL_VERSION_NUMBER) */
32 #define MODSSL_USE_OPENSSL_PRE_1_1_API (OPENSSL_VERSION_NUMBER < 0x10100000L)
33 #endif
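Review bot: the new `#define MODSSL_USE_OPENSSL_PRE_1_1_API (LIBRESSL_VERSION_NUMBER < 0x2070000f)` changes behaviour for LibreSSL releases older than the version the enclosing `#if` tests, if that is the `< 0x2060000f` check the `#endif` comment names: previously the `#elif` only reached the 2.6 to 2.7 range and the macro stayed undefined (evaluating to 0 in `#if`) for older releases, whereas now it is 1 there, which is what the retained "LibreSSL before 2.7" comment describes and what the rest of this series relies on. The retained `#endif /* LIBRESSL_VERSION_NUMBER < 0x2060000f */` comment now closes the proto-version macro block rather than the `MODSSL_USE_OPENSSL_PRE_1_1_API` definition, which reads correctly.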
diff --git a/debian/patches/support-openssl3-007.patch b/debian/patches/support-openssl3-007.patch
0new file mode 10064434new file mode 100644
index 0000000..6f760b8
--- /dev/null
+++ b/debian/patches/support-openssl3-007.patch
@@ -0,0 +1,72 @@
1From: Joe Orton <jorton@redhat.com>
2Date: Mon, 26 Jul 2021 14:15:28 +0100
3Subject: Support for OpenSSL 1.1.0: - BIO was made opaque after OpenSSL
4 1.1.0pre4.
5
6Submitted by: rjung
7
8
9Forwarded: yes, https://github.com/apache/httpd/pull/258
10Bug-Ubuntu: https://bugs.launchpad.net/ubuntu/+source/apache2/+bug/1951476
11---
12 modules/ssl/ssl_engine_io.c | 12 ++++++------
13 1 file changed, 6 insertions(+), 6 deletions(-)
14
15diff --git a/modules/ssl/ssl_engine_io.c b/modules/ssl/ssl_engine_io.c
16index f7e5cfc..3db7077 100644
17--- a/modules/ssl/ssl_engine_io.c
18+++ b/modules/ssl/ssl_engine_io.c
19@@ -194,7 +194,7 @@ static int bio_filter_destroy(BIO *bio)
20 static int bio_filter_out_read(BIO *bio, char *out, int outl)
21 {
22 /* this is never called */
23- bio_filter_out_ctx_t *outctx = (bio_filter_out_ctx_t *)(bio->ptr);
24+ bio_filter_out_ctx_t *outctx = (bio_filter_out_ctx_t *)BIO_get_data(bio);
25 ap_log_cerror(APLOG_MARK, APLOG_TRACE1, 0, outctx->c,
26 "BUG: %s() should not be called", "bio_filter_out_read");
27 AP_DEBUG_ASSERT(0);
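Review bot: `BIO_get_data()` exists only from OpenSSL 1.1.0 on, and this hunk together with the five below it replaces `bio->ptr` unconditionally with no `MODSSL_USE_OPENSSL_PRE_1_1_API` fallback in sight; please confirm ssl_private.h or ssl_engine_io.c already provides a compatibility `BIO_get_data()` for pre-1.1 builds (and for LibreSSL < 2.7, which patch 006 just mapped onto the pre-1.1 API), otherwise this reintroduces a build failure on those targets. The change itself is right, `BIO` became opaque in 1.1.0 so `bio->ptr` no longer compiles, and since all six functions are "never called" stubs that only log and assert there is no runtime effect.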
28@@ -297,7 +297,7 @@ static long bio_filter_out_ctrl(BIO *bio, int cmd, long num, void *ptr)
29 static int bio_filter_out_gets(BIO *bio, char *buf, int size)
30 {
31 /* this is never called */
32- bio_filter_out_ctx_t *outctx = (bio_filter_out_ctx_t *)(bio->ptr);
33+ bio_filter_out_ctx_t *outctx = (bio_filter_out_ctx_t *)BIO_get_data(bio);
34 ap_log_cerror(APLOG_MARK, APLOG_TRACE1, 0, outctx->c,
35 "BUG: %s() should not be called", "bio_filter_out_gets");
36 AP_DEBUG_ASSERT(0);
37@@ -307,7 +307,7 @@ static int bio_filter_out_gets(BIO *bio, char *buf, int size)
38 static int bio_filter_out_puts(BIO *bio, const char *str)
39 {
40 /* this is never called */
41- bio_filter_out_ctx_t *outctx = (bio_filter_out_ctx_t *)(bio->ptr);
42+ bio_filter_out_ctx_t *outctx = (bio_filter_out_ctx_t *)BIO_get_data(bio);
43 ap_log_cerror(APLOG_MARK, APLOG_TRACE1, 0, outctx->c,
44 "BUG: %s() should not be called", "bio_filter_out_puts");
45 AP_DEBUG_ASSERT(0);
46@@ -545,7 +545,7 @@ static int bio_filter_in_read(BIO *bio, char *in, int inlen)
47
48 static int bio_filter_in_write(BIO *bio, const char *in, int inl)
49 {
50- bio_filter_in_ctx_t *inctx = (bio_filter_in_ctx_t *)(bio->ptr);
51+ bio_filter_in_ctx_t *inctx = (bio_filter_in_ctx_t *)BIO_get_data(bio);
52 ap_log_cerror(APLOG_MARK, APLOG_TRACE1, 0, inctx->f->c,
53 "BUG: %s() should not be called", "bio_filter_in_write");
54 AP_DEBUG_ASSERT(0);
55@@ -554,7 +554,7 @@ static int bio_filter_in_write(BIO *bio, const char *in, int inl)
56
57 static int bio_filter_in_puts(BIO *bio, const char *str)
58 {
59- bio_filter_in_ctx_t *inctx = (bio_filter_in_ctx_t *)(bio->ptr);
60+ bio_filter_in_ctx_t *inctx = (bio_filter_in_ctx_t *)BIO_get_data(bio);
61 ap_log_cerror(APLOG_MARK, APLOG_TRACE1, 0, inctx->f->c,
62 "BUG: %s() should not be called", "bio_filter_in_puts");
63 AP_DEBUG_ASSERT(0);
64@@ -563,7 +563,7 @@ static int bio_filter_in_puts(BIO *bio, const char *str)
65
66 static int bio_filter_in_gets(BIO *bio, char *buf, int size)
67 {
68- bio_filter_in_ctx_t *inctx = (bio_filter_in_ctx_t *)(bio->ptr);
69+ bio_filter_in_ctx_t *inctx = (bio_filter_in_ctx_t *)BIO_get_data(bio);
70 ap_log_cerror(APLOG_MARK, APLOG_TRACE1, 0, inctx->f->c,
71 "BUG: %s() should not be called", "bio_filter_in_gets");
72 AP_DEBUG_ASSERT(0);
diff --git a/debian/patches/support-openssl3-008.patch b/debian/patches/support-openssl3-008.patch
0new file mode 10064473new file mode 100644
index 0000000..d04497f
--- /dev/null
+++ b/debian/patches/support-openssl3-008.patch
@@ -0,0 +1,29 @@
1From: Joe Orton <jorton@redhat.com>
2Date: Wed, 28 Jul 2021 12:28:59 +0100
3Subject: mod_ssl: follow up to r1876934: fix
4 !modssl_X509_STORE_load_locations() logic.
5
6Submitted by: ylavic
7
8
9Forwarded: yes, https://github.com/apache/httpd/pull/258
10Bug-Ubuntu: https://bugs.launchpad.net/ubuntu/+source/apache2/+bug/1951476
11---
12 modules/ssl/ssl_engine_init.c | 4 ++--
13 1 file changed, 2 insertions(+), 2 deletions(-)
14
15diff --git a/modules/ssl/ssl_engine_init.c b/modules/ssl/ssl_engine_init.c
16index d0ef4ba..5d199cd 100644
17--- a/modules/ssl/ssl_engine_init.c
18+++ b/modules/ssl/ssl_engine_init.c
19@@ -1046,8 +1046,8 @@ static apr_status_t ssl_init_ctx_crl(server_rec *s,
20 ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s, APLOGNO(01900)
21 "Configuring certificate revocation facility");
22
23- if (!store || modssl_X509_STORE_load_locations(store, mctx->crl_file,
24- mctx->crl_path)) {
25+ if (!store || !modssl_X509_STORE_load_locations(store, mctx->crl_file,
26+ mctx->crl_path)) {
27 ap_log_error(APLOG_MARK, APLOG_EMERG, 0, s, APLOGNO(01901)
28 "Host %s: unable to configure X.509 CRL storage "
29 "for certificate revocation", mctx->sc->vhost_id);
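Review bot: the added `!` is a correctness fix rather than a style change. Assuming `modssl_X509_STORE_load_locations()` follows the OpenSSL convention of returning non-zero on success, the pre-patch condition took the APLOGNO(01901) emergency path precisely when the CRL file or path in `mctx->crl_file`/`mctx->crl_path` loaded correctly, and fell through when loading failed, so a broken CRL configuration would have been accepted with revocation data never actually loaded. Worth a runtime check on the built package: a vhost pointing at a nonexistent CRL path must now fail startup with 01901, and a valid one must start cleanly.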
diff --git a/debian/patches/support-openssl3-009.patch b/debian/patches/support-openssl3-009.patch
0new file mode 10064430new file mode 100644
index 0000000..01687e9
--- /dev/null
+++ b/debian/patches/support-openssl3-009.patch
@@ -0,0 +1,36 @@
1From: Joe Orton <jorton@redhat.com>
2Date: Mon, 4 Oct 2021 14:26:49 +0100
3Subject: * modules/ssl/ssl_engine_init.c (ssl_init_server_certs): For OpenSSL
4 1.1+,
5 disable auto DH parameter selection if parameters have been manually
6 configured. This fixes a regression in r1890067 after which manually
7 configured parameters are ignored.
8
9Submitted by: jorton
10
11
12Forwarded: yes, https://github.com/apache/httpd/pull/258
13Bug-Ubuntu: https://bugs.launchpad.net/ubuntu/+source/apache2/+bug/1951476
14---
15 modules/ssl/ssl_engine_init.c | 7 +++++++
16 1 file changed, 7 insertions(+)
17
18diff --git a/modules/ssl/ssl_engine_init.c b/modules/ssl/ssl_engine_init.c
19index 5d199cd..3986ba7 100644
20--- a/modules/ssl/ssl_engine_init.c
21+++ b/modules/ssl/ssl_engine_init.c
22@@ -1496,7 +1496,14 @@ static apr_status_t ssl_init_server_certs(server_rec *s,
23 certfile = APR_ARRAY_IDX(mctx->pks->cert_files, 0, const char *);
24 if (certfile && !modssl_is_engine_id(certfile)
25 && (dh = ssl_dh_GetParamFromFile(certfile))) {
26+ /* ### This should be replaced with SSL_CTX_set0_tmp_dh_pkey()
27+ * for OpenSSL 3.0+. */
28 SSL_CTX_set_tmp_dh(mctx->ssl_ctx, dh);
29+#if !MODSSL_USE_OPENSSL_PRE_1_1_API
30+ /* OpenSSL ignores manually configured DH params if automatic
31+ * selection if enabled, so disable auto selection here. */
32+ SSL_CTX_set_dh_auto(mctx->ssl_ctx, 0);
33+#endif
34 ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s, APLOGNO(02540)
35 "Custom DH parameters (%d bits) for %s loaded from %s",
36 modssl_DH_bits(dh), vhost_id, certfile);
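Review bot: the added comment has a typo, `selection if enabled` should read `selection is enabled`; patch 010 removes these lines again, so it only matters if 009 is ever carried alone. Logic-wise, calling `SSL_CTX_set_dh_auto(mctx->ssl_ctx, 0)` right after `SSL_CTX_set_tmp_dh()` is the minimal fix for the regression named in the subject: `ssl_init_ctx_callbacks` turned auto selection on for every context in patch 005 and OpenSSL then discarded the manually loaded group. The `### SSL_CTX_set0_tmp_dh_pkey()` marker is relevant for the OpenSSL 3 target of this series, as `SSL_CTX_set_tmp_dh()` is deprecated there; expect deprecation warnings when building against 3.0.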
diff --git a/debian/patches/support-openssl3-010.patch b/debian/patches/support-openssl3-010.patch
0new file mode 10064437new file mode 100644
index 0000000..2791e96
--- /dev/null
+++ b/debian/patches/support-openssl3-010.patch
@@ -0,0 +1,54 @@
1From: Joe Orton <jorton@redhat.com>
2Date: Tue, 12 Oct 2021 13:48:55 +0100
3Subject: * modules/ssl/ssl_engine_init.c (ssl_init_ctx_callbacks,
4 ssl_init_server_certs): Flip logic for enabling/disabling DH auto
5 parameter selection for OpenSSL 1.1+ to be simpler and consistent with
6 auto ECDH curve selection.
7
8
9Forwarded: yes, https://github.com/apache/httpd/pull/258
10Bug-Ubuntu: https://bugs.launchpad.net/ubuntu/+source/apache2/+bug/1951476
11---
12 modules/ssl/ssl_engine_init.c | 16 +++++++++-------
13 1 file changed, 9 insertions(+), 7 deletions(-)
14
15diff --git a/modules/ssl/ssl_engine_init.c b/modules/ssl/ssl_engine_init.c
16index 3986ba7..f440a37 100644
17--- a/modules/ssl/ssl_engine_init.c
18+++ b/modules/ssl/ssl_engine_init.c
19@@ -836,9 +836,9 @@ static void ssl_init_ctx_callbacks(server_rec *s,
20 SSL_CTX *ctx = mctx->ssl_ctx;
21
22 #if MODSSL_USE_OPENSSL_PRE_1_1_API
23+ /* Note that for OpenSSL>=1.1, auto selection is enabled via
24+ * SSL_CTX_set_dh_auto(,1) if no parameter is configured. */
25 SSL_CTX_set_tmp_dh_callback(ctx, ssl_callback_TmpDH);
26-#else
27- SSL_CTX_set_dh_auto(ctx, 1);
28 #endif
29
30 SSL_CTX_set_info_callback(ctx, ssl_callback_Info);
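Review bot: the added comment about `SSL_CTX_set_dh_auto(,1)` sits inside the `#if MODSSL_USE_OPENSSL_PRE_1_1_API` block, directly above the pre-1.1 callback registration it does not describe; it would read better just above the `#if`, or next to the `else` branch in `ssl_init_server_certs` where the call now lives. Dropping the unconditional `SSL_CTX_set_dh_auto(ctx, 1)` here is the right fix for the behaviour change introduced in patch 005.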
31@@ -1499,16 +1499,18 @@ static apr_status_t ssl_init_server_certs(server_rec *s,
32 /* ### This should be replaced with SSL_CTX_set0_tmp_dh_pkey()
33 * for OpenSSL 3.0+. */
34 SSL_CTX_set_tmp_dh(mctx->ssl_ctx, dh);
35-#if !MODSSL_USE_OPENSSL_PRE_1_1_API
36- /* OpenSSL ignores manually configured DH params if automatic
37- * selection if enabled, so disable auto selection here. */
38- SSL_CTX_set_dh_auto(mctx->ssl_ctx, 0);
39-#endif
40 ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s, APLOGNO(02540)
41 "Custom DH parameters (%d bits) for %s loaded from %s",
42 modssl_DH_bits(dh), vhost_id, certfile);
43 DH_free(dh);
44 }
45+#if !MODSSL_USE_OPENSSL_PRE_1_1_API
46+ else {
47+ /* If no parameter is manually configured, enable auto
48+ * selection. */
49+ SSL_CTX_set_dh_auto(mctx->ssl_ctx, 1);
50+ }
51+#endif
52
53 #ifdef HAVE_ECC
54 /*
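Review bot: the `else` is emitted between `#if !MODSSL_USE_OPENSSL_PRE_1_1_API` and `#endif` with its closing brace inside the same conditional, so the braces balance in both preprocessor outcomes and the preprocessor lines between `}` and `else {` are legal C. Net behaviour for OpenSSL >= 1.1 is now: an explicit group loaded from the certificate file wins, otherwise OpenSSL's automatic selection is enabled, which restores the upstream semantics for administrators who ship their own DH parameters and is consistent with the auto ECDH curve handling the subject line references. This hunk supersedes the `SSL_CTX_set_dh_auto(..., 0)` lines from patch 009, so both are expected to be in the series.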
