apache2: mod_ssl fails to load with OpenSSL 3.0

Bug #1951476 reported by Sergio Durigan Junior
This bug affects 1 person
Affects: apache2 (Ubuntu)
Status: Fix Released
Importance: High
Assigned to: Sergio Durigan Junior

Bug Description

Installing apache2 in a system with OpenSSL 3.0 makes the service fail to start if mod_ssl is enabled:

Nov 18 21:55:43 autopkgtest-lxd-apkgtd systemd[1]: Starting The Apache HTTP Server...
Nov 18 21:55:43 autopkgtest-lxd-apkgtd apachectl[2199]: apache2: Syntax error on line 146 of /etc/apache2/apache2.conf: Syntax error on line 2 of /etc/apache2/mods-enabled/ssl.load: Cannot load /usr/lib/apache2/modules/mod_ssl.so into server: /usr/lib/apache2/modules/mod_ssl.so: undefined symbol: ERR_GET_FUNC
Nov 18 21:55:43 autopkgtest-lxd-apkgtd apachectl[2196]: Action 'start' failed.
Nov 18 21:55:43 autopkgtest-lxd-apkgtd apachectl[2196]: The Apache error log may have more information.
Nov 18 21:55:43 autopkgtest-lxd-apkgtd systemd[1]: apache2.service: Control process exited, code=exited, status=1/FAILURE
Nov 18 21:55:43 autopkgtest-lxd-apkgtd systemd[1]: apache2.service: Failed with result 'exit-code'.
Nov 18 21:55:43 autopkgtest-lxd-apkgtd systemd[1]: Failed to start The Apache HTTP Server.

We're planning to transition to OpenSSL 3.0 for the 22.04 release, and consider
this issue as blocking for this transition.

You can find general migration information at
https://www.openssl.org/docs/manmaster/man7/migration_guide.html
For your tests, you can build against libssl-dev as found in the PPA
schopin/openssl-3.0.0

You can test this by using the following PPA:

ppa:schopin/openssl-3.0.0

Upstream has apparently fixed the issue with the following commit:

https://svn.apache.org/viewvc?view=revision&revision=1894716
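
An added example, not part of the original report: a small Python triage script that extracts the module, the missing symbol, and the configuration include chain from load failures like the one logged above. The function names are hypothetical; the sample input is taken from the journal excerpt in this report.

```python
import re
from collections import defaultdict

# Journal lines copied from the bug description above (excerpt).
SAMPLE_LOG = """\
Nov 18 21:55:43 autopkgtest-lxd-apkgtd systemd[1]: Starting The Apache HTTP Server...
Nov 18 21:55:43 autopkgtest-lxd-apkgtd apachectl[2199]: apache2: Syntax error on line 146 of /etc/apache2/apache2.conf: Syntax error on line 2 of /etc/apache2/mods-enabled/ssl.load: Cannot load /usr/lib/apache2/modules/mod_ssl.so into server: /usr/lib/apache2/modules/mod_ssl.so: undefined symbol: ERR_GET_FUNC
Nov 18 21:55:43 autopkgtest-lxd-apkgtd systemd[1]: Failed to start The Apache HTTP Server.
"""

# One "Syntax error on line N of FILE:" hop per level of the config include chain.
HOP = re.compile(r"Syntax error on line (\d+) of (\S+?):")
# Final error printed when the module's shared object has an unresolved symbol.
LOAD = re.compile(r"Cannot load (\S+) into server: .*?undefined symbol: (\S+)")


def find_unresolved_symbols(log_text):
    """Return one record per module load failure caused by an undefined symbol."""
    findings = []
    for line in log_text.splitlines():
        m = LOAD.search(line)
        if not m:
            continue  # unrelated journal line
        findings.append({
            "module": m.group(1),
            "symbol": m.group(2),
            # (file, line) pairs, outermost config file first
            "config_chain": [(path, int(n)) for n, path in HOP.findall(line)],
        })
    return findings


def symbols_by_module(findings):
    """Group missing symbols per module so each module is assessed once."""
    grouped = defaultdict(set)
    for f in findings:
        grouped[f["module"]].add(f["symbol"])
    return {mod: sorted(syms) for mod, syms in grouped.items()}


if __name__ == "__main__":
    for f in find_unresolved_symbols(SAMPLE_LOG):
        chain = " -> ".join(f"{p}:{n}" for p, n in f["config_chain"])
        print(f"{f['module']} missing {f['symbol']} (loaded via {chain})")
```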

Sergio Durigan Junior (sergiodj) wrote :

Actually, a better reference for an upstream fix is:

https://github.com/apache/httpd/pull/258

Note that, as of this writing, the PR is still open and apparently a regression has been found with OpenSSL 3. We should take a closer look.

Sergio Durigan Junior (sergiodj) wrote :

I worked on this a little bit.

I backported the 10 patches that are currently present in the PR mentioned above (https://github.com/apache/httpd/pull/258), and verified that they seem to address the problem, at least in the sense that they make mod_ssl loadable again when using OpenSSL 3.

I ran apache2's autopkgtests and most of them succeeded; the only failure I'm seeing is actually not related to apache2, and is instead a problem with an uninstallable package currently in jammy-proposed.

The situation here is very similar to what's happening with net-snmp and squid: there are upstream patches that can "fix" the compatibility issue with OpenSSL, but upstream is still not entirely comfortable with them. In apache2's case, this situation is a bit more complicated because there is apparently a behaviour change/regression that has been found with OpenSSL 3:

https://github.com/openssl/openssl/issues/15946

I will keep an eye on the progress of apache2's PR and see what happens. It'd probably be a good idea to have someone from the Security team take a look at this possible regression and assess it.

Changed in apache2 (Ubuntu):
assignee: nobody → Sergio Durigan Junior (sergiodj)
Changed in apache2 (Ubuntu):
status: New → In Progress
Bryce Harrington (bryce)
Changed in apache2 (Ubuntu):
status: In Progress → Fix Committed
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package apache2 - 2.4.48-3.1ubuntu4

---------------
apache2 (2.4.48-3.1ubuntu4) jammy; urgency=medium

  * d/p/support-openssl3-*.patch: Backport various patches from
    https://github.com/apache/httpd/pull/258 in order to fix mod_ssl's
    failure to load when using OpenSSL 3. (LP: #1951476)

 -- Sergio Durigan Junior <email address hidden> Fri, 26 Nov 2021 16:07:56 -0500

Changed in apache2 (Ubuntu):
status: Fix Committed → Fix Released