Ubuntu
apache2 package

Merge ~sergiodj/ubuntu/+source/apache2:openssl-3-support into ubuntu/+source/apache2:ubuntu/devel

Proposed by Sergio Durigan Junior on 2021-11-29

Status:

Merged

Merge reported by:

Sergio Durigan Junior

Merged at revision:

7564cdd51e8656e7c8559291298c94e758bbc4f3

Proposed branch:

~sergiodj/ubuntu/+source/apache2:openssl-3-support

Merge into:

ubuntu/+source/apache2:ubuntu/devel

Diff against target:

976 lines (+900/-0)

12 files modified

debian/changelog (+8/-0)
debian/patches/series (+10/-0)
debian/patches/support-openssl3-001.patch (+88/-0)
debian/patches/support-openssl3-002.patch (+345/-0)
debian/patches/support-openssl3-003.patch (+48/-0)
debian/patches/support-openssl3-004.patch (+56/-0)
debian/patches/support-openssl3-005.patch (+121/-0)
debian/patches/support-openssl3-006.patch (+33/-0)
debian/patches/support-openssl3-007.patch (+72/-0)
debian/patches/support-openssl3-008.patch (+29/-0)
debian/patches/support-openssl3-009.patch (+36/-0)
debian/patches/support-openssl3-010.patch (+54/-0)

High

Fix Released

Link a bug report

Reviewer	Date Requested	Status
Bryce Harrington (community)	2021-11-29	Approve on 2021-12-01
Canonical Server packageset reviewers	2021-11-29	Pending
Review via email: mp+412548@code.launchpad.net

Description of the change

This MP is an attempt to fix apache2's mod-ssl's failures that happen when one starts apache2 with OpenSSL 3 installed.

As I said during our standup a few times, these patches are part of an upstream PR that is still open, so I was monitoring the situation to see what upstream would decide. There is a possible regression/user-visible change that was detected during the tests performed by upstream (in Fedora):

===
With r1890067 (9eb262f) enabling the OpenSSL auto-DH-parameter selection overrides user-supplied DH parameters which are now ignored. This is not necessary for OpenSSL 1.1 (which that patch affects) and is only removing a "deprecated" function so not strictly necessary for 3.0 either. Need to ponder this one.
===

There was also a problem with one of the functions exported by OpenSSL 3's and used by mod_ssl, which has been reported and fixed by OpenSSL upstream:

https://github.com/openssl/openssl/issues/15946

I checked and the fix is present in our copy of OpenSSL, so we're fine in this regard.

Either way, I think it should be safe enough for us to backport the patches from the upstream PR so that we have an apache2 that builds and works fine with mod_ssl + OpenSSL 3. I'm also subscribed to the PR, so if there are any changes there it should be pretty quick to bring them to Ubuntu.

For this change, I created a bileto ticket here:

https://bileto.ubuntu.com/#/ticket/4726

with a corresponding PPA here:

https://launchpad.net/~ci-train-ppa-service/+archive/ubuntu/4726/+packages

autopkgtest is back to normal:

autopkgtest [17:08:19]: @@@@@@@@@@@@@@@@@@@@ summary
run-test-suite PASS
duplicate-module-load PASS
htcacheclean PASS
default-mods PASS
ssl-passphrase PASS
check-http2 PASS
chroot PASS

It's important to mention that bileto also ran autopkgtest against apache2 and its dependencies; you will see a bunch of results here:

https://autopkgtest.ubuntu.com/results/autopkgtest-jammy-ci-train-ppa-service-4726/?format=plain

The problem is that -proposed wasn't enabled when running the tests, which means that they will be listed as failures. I didn't know how to retrigger them automatically with '&all-proposed=1', so I didn't.

All in all, I think the pros outweigh the cons here and I believe it's worth backporting these patches in order to unblock OpenSSL 3, squid and possibly other dependencies in -proposed.

Revision history for this message

Bryce Harrington (bryce) wrote on 2021-12-01:

Thanks for tackling this, looks like you've researched the situation quite thoroughly. I've verified the builds all look good in the PPA, and it builds fine for me locally as well. The autopkgtest failures (https://bileto.ubuntu.com/excuses/4726/jammy.html) surprised me, but I can believe that it just needs -proposed enabled.

I am planning on tackling the merge for apache2 at some point here, so it would be great to get this MP landed, and thus agree the pros outweigh the cons. When I do get to the merge, that will be an additional checkpoint where we can see where things sit upstream and to make any necessary corrections, and in the immediate term this will help with the openssl 3.0 transition.

LGTM, +1

review: Approve

Revision history for this message

Bryce Harrington (bryce) wrote on 2021-12-01:

(Sorry, seems Launchpad auto-added me to the canonical-server slot; if possible please re-add that as I seem to not be able to do that.)

Revision history for this message

Sergio Durigan Junior (sergiodj) wrote on 2021-12-01:

On Tuesday, November 30 2021, Bryce Harrington wrote:

> Thanks for tackling this, looks like you've researched the situation
> quite thoroughly. I've verified the builds all look good in the PPA,
> and it builds fine for me locally as well. The autopkgtest failures
> (https://bileto.ubuntu.com/excuses/4726/jammy.html) surprised me, but
> I can believe that it just needs -proposed enabled.

Thanks for the review, Bryce.

Yeah, the autopkgtest failures are happening because they're not running
against -proposed, which triggers a failure when trying to install
openssl3 into the testbed. I'm not expecting these tests to fail when
we run them with the right openssl trigger.

> I am planning on tackling the merge for apache2 at some point here, so
> it would be great to get this MP landed, and thus agree the pros
> outweigh the cons. When I do get to the merge, that will be an
> additional checkpoint where we can see where things sit upstream and
> to make any necessary corrections, and in the immediate term this will
> help with the openssl 3.0 transition.

Yeah. I don't know when upstream plans to merge that PR, nor when they
intend to release a new 2.4.x version with the fix included, so I'm not
expecting us to be able to get this change through upstream and drop the
delta. We may need to revisit these patches when we merge apache2 and
check if upstream has fixed/changed something in them; I will leave a
message in the apache2 merge bug as a reminder.

Uploaded:

$ dput apache2_2.4.48-3.1ubuntu4_source.changes
Trying to upload package to ubuntu
Checking signature on .changes
gpg: /home/sergio/work/apache2/apache2_2.4.48-3.1ubuntu4_source.changes: Valid signature from 106DA1C8C3CBBF14
Checking signature on .dsc
gpg: /home/sergio/work/apache2/apache2_2.4.48-3.1ubuntu4.dsc: Valid signature from 106DA1C8C3CBBF14
Uploading to ubuntu (via ftp to upload.ubuntu.com):
  Uploading apache2_2.4.48-3.1ubuntu4.dsc: done.
  Uploading apache2_2.4.48-3.1ubuntu4.debian.tar.xz: done.
  Uploading apache2_2.4.48-3.1ubuntu4_source.buildinfo: done.
  Uploading apache2_2.4.48-3.1ubuntu4_source.changes: done.
Successfully uploaded packages.

Thanks,

--
Sergio
GPG key ID: E92F D0B3 6B14 F1F4 D8E0 EB2F 106D A1C8 C3CB BF14

On Tuesday, November 30 2021, Bryce Harrington wrote:

> Thanks for tackling this, looks like you've researched the situation
> quite thoroughly.  I've verified the builds all look good in the PPA,
> and it builds fine for me locally as well.  The autopkgtest failures
> (https://bileto.ubuntu.com/excuses/4726/jammy.html) surprised me, but
> I can believe that it just needs -proposed enabled.

Thanks for the review, Bryce.

Yeah, the autopkgtest failures are happening because they're not running
against -proposed, which triggers a failure when trying to install
openssl3 into the testbed.  I'm not expecting these tests to fail when
we run them with the right openssl trigger.

> I am planning on tackling the merge for apache2 at some point here, so
> it would be great to get this MP landed, and thus agree the pros
> outweigh the cons.  When I do get to the merge, that will be an
> additional checkpoint where we can see where things sit upstream and
> to make any necessary corrections, and in the immediate term this will
> help with the openssl 3.0 transition.

Yeah.  I don't know when upstream plans to merge that PR, nor when they
intend to release a new 2.4.x version with the fix included, so I'm not
expecting us to be able to get this change through upstream and drop the
delta.  We may need to revisit these patches when we merge apache2 and
check if upstream has fixed/changed something in them; I will leave a
message in the apache2 merge bug as a reminder.

Uploaded:

$ dput apache2_2.4.48-3.1ubuntu4_source.changes
Trying to upload package to ubuntu
Checking signature on .changes
gpg: /home/sergio/work/apache2/apache2_2.4.48-3.1ubuntu4_source.changes: Valid signature from 106DA1C8C3CBBF14
Checking signature on .dsc
gpg: /home/sergio/work/apache2/apache2_2.4.48-3.1ubuntu4.dsc: Valid signature from 106DA1C8C3CBBF14
Uploading to ubuntu (via ftp to upload.ubuntu.com):
  Uploading apache2_2.4.48-3.1ubuntu4.dsc: done.
  Uploading apache2_2.4.48-3.1ubuntu4.debian.tar.xz: done.    
  Uploading apache2_2.4.48-3.1ubuntu4_source.buildinfo: done.
  Uploading apache2_2.4.48-3.1ubuntu4_source.changes: done.
Successfully uploaded packages.

Thanks,

-- 
Sergio
GPG key ID: E92F D0B3 6B14 F1F4 D8E0  EB2F 106D A1C8 C3CB BF14

Preview Diff

[H/L] Next/Prev Comment, [J/K] Next/Prev File, [N/P] Next/Prev Hunk

Subscribers

People subscribed via source and target branches

to all changes:

Sergio Durigan Junior

git-ubuntu developers

 diff --git a/debian/changelog b/debian/changelog
 index 0dbb7c5..1aefacb 100644
 --- a/debian/changelog
 +++ b/debian/changelog
@@ -1,3 +1,11 @@
++apache2 (2.4.48-3.1ubuntu4) jammy; urgency=medium
++
++  * d/p/support-openssl3-*.patch: Backport various patches from
++    https://github.com/apache/httpd/pull/258 in order to fix mod_ssl's
++    failure to load when using OpenSSL 3.  (LP: #1951476)
++
++ -- Sergio Durigan Junior <sergio.durigan@canonical.com>  Fri, 26 Nov 2021 16:07:56 -0500
++
  apache2 (2.4.48-3.1ubuntu3) impish; urgency=medium
    * SECURITY REGRESSION: Issues in UDS URIs (LP: #1945311)
 diff --git a/debian/patches/series b/debian/patches/series
 index 149e28d..0b07ccb 100644
 --- a/debian/patches/series
 +++ b/debian/patches/series
@@ -19,3 +19,13 @@ CVE-2021-40438.patch
  CVE-2021-33193.patch
  CVE-2021-40438-2.patch
  CVE-2021-40438-3.patch
++support-openssl3-001.patch
++support-openssl3-002.patch
++support-openssl3-003.patch
++support-openssl3-004.patch
++support-openssl3-005.patch
++support-openssl3-006.patch
++support-openssl3-007.patch
++support-openssl3-008.patch
++support-openssl3-009.patch
++support-openssl3-010.patch
 diff --git a/debian/patches/support-openssl3-001.patch b/debian/patches/support-openssl3-001.patch
 new file mode 100644
 index 0000000..d7d386d
 --- /dev/null
 +++ b/debian/patches/support-openssl3-001.patch
@@ -0,0 +1,88 @@
++From: Joe Orton <jorton@redhat.com>
++Date: Mon, 26 Jul 2021 12:23:24 +0100
++Subject: add some log messages and AP_DEBUG_ASSERTs for functions that should
++ never be called
++
++Submitted by: sf
++
++
++Forwarded: yes, https://github.com/apache/httpd/pull/258
++Bug-Ubuntu: https://bugs.launchpad.net/ubuntu/+source/apache2/+bug/1951476
++---
++ modules/ssl/ssl_engine_io.c | 28 ++++++++++++++++++++++++++++
++ 1 file changed, 28 insertions(+)
++
++diff --git a/modules/ssl/ssl_engine_io.c b/modules/ssl/ssl_engine_io.c
++index cabf753..ed9db54 100644
++--- a/modules/ssl/ssl_engine_io.c
+++++ b/modules/ssl/ssl_engine_io.c
++@@ -194,6 +194,10 @@ static int bio_filter_destroy(BIO *bio)
++ static int bio_filter_out_read(BIO *bio, char *out, int outl)
++ {
++     /* this is never called */
+++    bio_filter_out_ctx_t *outctx = (bio_filter_out_ctx_t *)(bio->ptr);
+++    ap_log_cerror(APLOG_MARK, APLOG_TRACE1, 0, outctx->c,
+++                  "BUG: %s() should not be called", "bio_filter_out_read");
+++    AP_DEBUG_ASSERT(0);
++     return -1;
++ }
++
++@@ -293,12 +297,20 @@ static long bio_filter_out_ctrl(BIO *bio, int cmd, long num, void *ptr)
++ static int bio_filter_out_gets(BIO *bio, char *buf, int size)
++ {
++     /* this is never called */
+++    bio_filter_out_ctx_t *outctx = (bio_filter_out_ctx_t *)(bio->ptr);
+++    ap_log_cerror(APLOG_MARK, APLOG_TRACE1, 0, outctx->c,
+++                  "BUG: %s() should not be called", "bio_filter_out_gets");
+++    AP_DEBUG_ASSERT(0);
++     return -1;
++ }
++
++ static int bio_filter_out_puts(BIO *bio, const char *str)
++ {
++     /* this is never called */
+++    bio_filter_out_ctx_t *outctx = (bio_filter_out_ctx_t *)(bio->ptr);
+++    ap_log_cerror(APLOG_MARK, APLOG_TRACE1, 0, outctx->c,
+++                  "BUG: %s() should not be called", "bio_filter_out_puts");
+++    AP_DEBUG_ASSERT(0);
++     return -1;
++ }
++
++@@ -533,21 +545,37 @@ static int bio_filter_in_read(BIO *bio, char *in, int inlen)
++
++ static int bio_filter_in_write(BIO *bio, const char *in, int inl)
++ {
+++    bio_filter_in_ctx_t *inctx = (bio_filter_in_ctx_t *)(bio->ptr);
+++    ap_log_cerror(APLOG_MARK, APLOG_TRACE1, 0, inctx->f->c,
+++                  "BUG: %s() should not be called", "bio_filter_in_write");
+++    AP_DEBUG_ASSERT(0);
++     return -1;
++ }
++
++ static int bio_filter_in_puts(BIO *bio, const char *str)
++ {
+++    bio_filter_in_ctx_t *inctx = (bio_filter_in_ctx_t *)(bio->ptr);
+++    ap_log_cerror(APLOG_MARK, APLOG_TRACE1, 0, inctx->f->c,
+++                  "BUG: %s() should not be called", "bio_filter_in_puts");
+++    AP_DEBUG_ASSERT(0);
++     return -1;
++ }
++
++ static int bio_filter_in_gets(BIO *bio, char *buf, int size)
++ {
+++    bio_filter_in_ctx_t *inctx = (bio_filter_in_ctx_t *)(bio->ptr);
+++    ap_log_cerror(APLOG_MARK, APLOG_TRACE1, 0, inctx->f->c,
+++                  "BUG: %s() should not be called", "bio_filter_in_gets");
+++    AP_DEBUG_ASSERT(0);
++     return -1;
++ }
++
++ static long bio_filter_in_ctrl(BIO *bio, int cmd, long num, void *ptr)
++ {
+++    bio_filter_in_ctx_t *inctx = (bio_filter_in_ctx_t *)(bio->ptr);
+++    ap_log_cerror(APLOG_MARK, APLOG_TRACE1, 0, inctx->f->c,
+++                  "BUG: %s() should not be called", "bio_filter_in_ctrl");
+++    AP_DEBUG_ASSERT(0);
++     return -1;
++ }
++
 diff --git a/debian/patches/support-openssl3-002.patch b/debian/patches/support-openssl3-002.patch
 new file mode 100644
 index 0000000..3a56106
 --- /dev/null
 +++ b/debian/patches/support-openssl3-002.patch
@@ -0,0 +1,345 @@
++From: Joe Orton <jorton@redhat.com>
++Date: Mon, 26 Jul 2021 12:24:24 +0100
++Subject: mod_ssl: add compatibility with OpenSSL 3.0.0
++
++Wrappers around deprecated API:
++* X509_STORE_load_locations() => modssl_X509_STORE_load_locations(),
++* CTX_load_verify_locations() => modssl_CTX_load_verify_locations(),
++* ERR_peek_error_line_data()  => modssl_ERR_peek_error_data(),
++* DH_bits(dh)                 => BN_num_bits(DH_get0_p(dh)).
++
++Provide a compatible version of ssl_callback_SessionTicket() which does not
++use the deprecated HMAC_CTX and HMAC_Init_ex(), replaced by EVP_MAC_CTX and
++EVP_MAC_CTX_set_params() respectively. This requires adapting struct
++modssl_ticket_key_t to replace hmac_secret[] with OSSL_PARAM mac_params[],
++created once at load time still.
++The callback is registered by SSL_CTX_set_tlsext_ticket_key_evp_cb() instead
++of SSL_CTX_set_tlsext_ticket_key_cb().
++
++Since BIO_eof() may now be called openssl-3 state machine, the never-called
++assertion in bio_filter_in_ctrl() does not hold anymore, and we have to
++handle BIO_CTRL_EOF. For any other cmd, we continue to AP_DEBUG_ASSERT(0) and
++log an error, yet the return value is changed from -1 to 0 which is the usual
++unhandled value.
++
++Note that OpenSSL 3.0.0 is still in alpha stage as of now, the API shouldn't
++change though, neither breakage to 1.x.x API.
++
++Submitted by: ylavic
++
++
++Forwarded: yes, https://github.com/apache/httpd/pull/258
++Bug-Ubuntu: https://bugs.launchpad.net/ubuntu/+source/apache2/+bug/1951476
++---
++ modules/ssl/ssl_engine_init.c   | 76 ++++++++++++++++++++++++++++++++---------
++ modules/ssl/ssl_engine_io.c     | 17 ++++++---
++ modules/ssl/ssl_engine_kernel.c | 22 ++++++++++--
++ modules/ssl/ssl_engine_log.c    | 12 ++++++-
++ modules/ssl/ssl_private.h       | 19 +++++++++--
++ 5 files changed, 120 insertions(+), 26 deletions(-)
++
++diff --git a/modules/ssl/ssl_engine_init.c b/modules/ssl/ssl_engine_init.c
++index 4da24ed..eb41e7f 100644
++--- a/modules/ssl/ssl_engine_init.c
+++++ b/modules/ssl/ssl_engine_init.c
++@@ -843,6 +843,23 @@ static void ssl_init_ctx_callbacks(server_rec *s,
++ #endif
++ }
++
+++static APR_INLINE
+++int modssl_CTX_load_verify_locations(SSL_CTX *ctx,
+++                                     const char *file,
+++                                     const char *path)
+++{
+++#if OPENSSL_VERSION_NUMBER < 0x30000000L
+++    if (!SSL_CTX_load_verify_locations(ctx, file, path))
+++        return 0;
+++#else
+++    if (file && !SSL_CTX_load_verify_file(ctx, file))
+++        return 0;
+++    if (path && !SSL_CTX_load_verify_dir(ctx, path))
+++        return 0;
+++#endif
+++    return 1;
+++}
+++
++ static apr_status_t ssl_init_ctx_verify(server_rec *s,
++                                         apr_pool_t *p,
++                                         apr_pool_t *ptemp,
++@@ -883,10 +900,8 @@ static apr_status_t ssl_init_ctx_verify(server_rec *s,
++         ap_log_error(APLOG_MARK, APLOG_TRACE1, 0, s,
++                      "Configuring client authentication");
++
++-        if (!SSL_CTX_load_verify_locations(ctx,
++-                                           mctx->auth.ca_cert_file,
++-                                           mctx->auth.ca_cert_path))
++-        {
+++        if (!modssl_CTX_load_verify_locations(ctx, mctx->auth.ca_cert_file,
+++                                                   mctx->auth.ca_cert_path)) {
++             ap_log_error(APLOG_MARK, APLOG_EMERG, 0, s, APLOGNO(01895)
++                     "Unable to configure verify locations "
++                     "for client authentication");
++@@ -971,6 +986,23 @@ static apr_status_t ssl_init_ctx_cipher_suite(server_rec *s,
++     return APR_SUCCESS;
++ }
++
+++static APR_INLINE
+++int modssl_X509_STORE_load_locations(X509_STORE *store,
+++                                     const char *file,
+++                                     const char *path)
+++{
+++#if OPENSSL_VERSION_NUMBER < 0x30000000L
+++    if (!X509_STORE_load_locations(store, file, path))
+++        return 0;
+++#else
+++    if (file && !X509_STORE_load_file(store, file))
+++        return 0;
+++    if (path && !X509_STORE_load_path(store, path))
+++        return 0;
+++#endif
+++    return 1;
+++}
+++
++ static apr_status_t ssl_init_ctx_crl(server_rec *s,
++                                      apr_pool_t *p,
++                                      apr_pool_t *ptemp,
++@@ -1009,8 +1041,8 @@ static apr_status_t ssl_init_ctx_crl(server_rec *s,
++     ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s, APLOGNO(01900)
++                  "Configuring certificate revocation facility");
++
++-    if (!store || !X509_STORE_load_locations(store, mctx->crl_file,
++-                                             mctx->crl_path)) {
+++    if (!store || modssl_X509_STORE_load_locations(store, mctx->crl_file,
+++                                                          mctx->crl_path)) {
++         ap_log_error(APLOG_MARK, APLOG_EMERG, 0, s, APLOGNO(01901)
++                      "Host %s: unable to configure X.509 CRL storage "
++                      "for certificate revocation", mctx->sc->vhost_id);
++@@ -1249,7 +1281,7 @@ static apr_status_t ssl_init_server_certs(server_rec *s,
++     const char *vhost_id = mctx->sc->vhost_id, *key_id, *certfile, *keyfile;
++     int i;
++     X509 *cert;
++-    DH *dhparams;
+++    DH *dh;
++ #ifdef HAVE_ECC
++     EC_GROUP *ecparams = NULL;
++     int nid;
++@@ -1434,12 +1466,12 @@ static apr_status_t ssl_init_server_certs(server_rec *s,
++      */
++     certfile = APR_ARRAY_IDX(mctx->pks->cert_files, 0, const char *);
++     if (certfile && !modssl_is_engine_id(certfile)
++-        && (dhparams = ssl_dh_GetParamFromFile(certfile))) {
++-        SSL_CTX_set_tmp_dh(mctx->ssl_ctx, dhparams);
+++        && (dh = ssl_dh_GetParamFromFile(certfile))) {
+++        SSL_CTX_set_tmp_dh(mctx->ssl_ctx, dh);
++         ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s, APLOGNO(02540)
++                      "Custom DH parameters (%d bits) for %s loaded from %s",
++-                     DH_bits(dhparams), vhost_id, certfile);
++-        DH_free(dhparams);
+++                     BN_num_bits(DH_get0_p(dh)), vhost_id, certfile);
+++        DH_free(dh);
++     }
++
++ #ifdef HAVE_ECC
++@@ -1490,6 +1522,7 @@ static apr_status_t ssl_init_ticket_key(server_rec *s,
++     char buf[TLSEXT_TICKET_KEY_LEN];
++     char *path;
++     modssl_ticket_key_t *ticket_key = mctx->ticket_key;
+++    int res;
++
++     if (!ticket_key->file_path) {
++         return APR_SUCCESS;
++@@ -1517,11 +1550,22 @@ static apr_status_t ssl_init_ticket_key(server_rec *s,
++     }
++
++     memcpy(ticket_key->key_name, buf, 16);
++-    memcpy(ticket_key->hmac_secret, buf + 16, 16);
++     memcpy(ticket_key->aes_key, buf + 32, 16);
++-
++-    if (!SSL_CTX_set_tlsext_ticket_key_cb(mctx->ssl_ctx,
++-                                          ssl_callback_SessionTicket)) {
+++#if OPENSSL_VERSION_NUMBER < 0x30000000L
+++    memcpy(ticket_key->hmac_secret, buf + 16, 16);
+++    res = SSL_CTX_set_tlsext_ticket_key_cb(mctx->ssl_ctx,
+++                                           ssl_callback_SessionTicket);
+++#else
+++    ticket_key->mac_params[0] =
+++        OSSL_PARAM_construct_octet_string(OSSL_MAC_PARAM_KEY, buf + 16, 16);
+++    ticket_key->mac_params[1] =
+++        OSSL_PARAM_construct_utf8_string(OSSL_MAC_PARAM_DIGEST, "sha256", 0);
+++    ticket_key->mac_params[2] =
+++        OSSL_PARAM_construct_end();
+++    res = SSL_CTX_set_tlsext_ticket_key_evp_cb(mctx->ssl_ctx,
+++                                               ssl_callback_SessionTicket);
+++#endif
+++    if (!res) {
++         ap_log_error(APLOG_MARK, APLOG_EMERG, 0, s, APLOGNO(01913)
++                      "Unable to initialize TLS session ticket key callback "
++                      "(incompatible OpenSSL version?)");
++@@ -1652,7 +1696,7 @@ static apr_status_t ssl_init_proxy_certs(server_rec *s,
++         return ssl_die(s);
++     }
++
++-    X509_STORE_load_locations(store, pkp->ca_cert_file, NULL);
+++    modssl_X509_STORE_load_locations(store, pkp->ca_cert_file, NULL);
++
++     for (n = 0; n < ncerts; n++) {
++         int i;
++diff --git a/modules/ssl/ssl_engine_io.c b/modules/ssl/ssl_engine_io.c
++index ed9db54..f7e5cfc 100644
++--- a/modules/ssl/ssl_engine_io.c
+++++ b/modules/ssl/ssl_engine_io.c
++@@ -572,11 +572,20 @@ static int bio_filter_in_gets(BIO *bio, char *buf, int size)
++
++ static long bio_filter_in_ctrl(BIO *bio, int cmd, long num, void *ptr)
++ {
++-    bio_filter_in_ctx_t *inctx = (bio_filter_in_ctx_t *)(bio->ptr);
+++    bio_filter_in_ctx_t *inctx = (bio_filter_in_ctx_t *)BIO_get_data(bio);
+++    switch (cmd) {
+++#ifdef BIO_CTRL_EOF
+++    case BIO_CTRL_EOF:
+++        return inctx->rc == APR_EOF;
+++#endif
+++    default:
+++        break;
+++    }
++     ap_log_cerror(APLOG_MARK, APLOG_TRACE1, 0, inctx->f->c,
++-                  "BUG: %s() should not be called", "bio_filter_in_ctrl");
+++                  "BUG: bio_filter_in_ctrl() should not be called with cmd=%i",
+++                  cmd);
++     AP_DEBUG_ASSERT(0);
++-    return -1;
+++    return 0;
++ }
++
++ #if MODSSL_USE_OPENSSL_PRE_1_1_API
++@@ -601,7 +610,7 @@ static BIO_METHOD bio_filter_in_method = {
++     bio_filter_in_read,
++     bio_filter_in_puts,         /* puts is never called */
++     bio_filter_in_gets,         /* gets is never called */
++-    bio_filter_in_ctrl,         /* ctrl is never called */
+++    bio_filter_in_ctrl,         /* ctrl is called for EOF check */
++     bio_filter_create,
++     bio_filter_destroy,
++     NULL
++diff --git a/modules/ssl/ssl_engine_kernel.c b/modules/ssl/ssl_engine_kernel.c
++index b99dcf1..f2d49ad 100644
++--- a/modules/ssl/ssl_engine_kernel.c
+++++ b/modules/ssl/ssl_engine_kernel.c
++@@ -2614,7 +2614,11 @@ int ssl_callback_SessionTicket(SSL *ssl,
++                                unsigned char *keyname,
++                                unsigned char *iv,
++                                EVP_CIPHER_CTX *cipher_ctx,
++-                               HMAC_CTX *hctx,
+++#if OPENSSL_VERSION_NUMBER < 0x30000000L
+++                               HMAC_CTX *hmac_ctx,
+++#else
+++                               EVP_MAC_CTX *mac_ctx,
+++#endif
++                                int mode)
++ {
++     conn_rec *c = (conn_rec *)SSL_get_app_data(ssl);
++@@ -2641,7 +2645,13 @@ int ssl_callback_SessionTicket(SSL *ssl,
++         }
++         EVP_EncryptInit_ex(cipher_ctx, EVP_aes_128_cbc(), NULL,
++                            ticket_key->aes_key, iv);
++-        HMAC_Init_ex(hctx, ticket_key->hmac_secret, 16, tlsext_tick_md(), NULL);
+++
+++#if OPENSSL_VERSION_NUMBER < 0x30000000L
+++        HMAC_Init_ex(hmac_ctx, ticket_key->hmac_secret, 16,
+++                     tlsext_tick_md(), NULL);
+++#else
+++        EVP_MAC_CTX_set_params(mac_ctx, ticket_key->mac_params);
+++#endif
++
++         ap_log_cerror(APLOG_MARK, APLOG_DEBUG, 0, c, APLOGNO(02289)
++                       "TLS session ticket key for %s successfully set, "
++@@ -2662,7 +2672,13 @@ int ssl_callback_SessionTicket(SSL *ssl,
++
++         EVP_DecryptInit_ex(cipher_ctx, EVP_aes_128_cbc(), NULL,
++                            ticket_key->aes_key, iv);
++-        HMAC_Init_ex(hctx, ticket_key->hmac_secret, 16, tlsext_tick_md(), NULL);
+++
+++#if OPENSSL_VERSION_NUMBER < 0x30000000L
+++        HMAC_Init_ex(hmac_ctx, ticket_key->hmac_secret, 16,
+++                     tlsext_tick_md(), NULL);
+++#else
+++        EVP_MAC_CTX_set_params(mac_ctx, ticket_key->mac_params);
+++#endif
++
++         ap_log_cerror(APLOG_MARK, APLOG_DEBUG, 0, c, APLOGNO(02290)
++                       "TLS session ticket key for %s successfully set, "
++diff --git a/modules/ssl/ssl_engine_log.c b/modules/ssl/ssl_engine_log.c
++index 7dbbbdb..3b3ceac 100644
++--- a/modules/ssl/ssl_engine_log.c
+++++ b/modules/ssl/ssl_engine_log.c
++@@ -78,6 +78,16 @@ apr_status_t ssl_die(server_rec *s)
++     return APR_EGENERAL;
++ }
++
+++static APR_INLINE
+++unsigned long modssl_ERR_peek_error_data(const char **data, int *flags)
+++{
+++#if OPENSSL_VERSION_NUMBER < 0x30000000L
+++    return ERR_peek_error_line_data(NULL, NULL, data, flags);
+++#else
+++    return ERR_peek_error_data(data, flags);
+++#endif
+++}
+++
++ /*
++  * Prints the SSL library error information.
++  */
++@@ -87,7 +97,7 @@ void ssl_log_ssl_error(const char *file, int line, int level, server_rec *s)
++     const char *data;
++     int flags;
++
++-    while ((e = ERR_peek_error_line_data(NULL, NULL, &data, &flags))) {
+++    while ((e = modssl_ERR_peek_error_data(&data, &flags))) {
++         const char *annotation;
++         char err[256];
++
++diff --git a/modules/ssl/ssl_private.h b/modules/ssl/ssl_private.h
++index a6fc751..71d658c 100644
++--- a/modules/ssl/ssl_private.h
+++++ b/modules/ssl/ssl_private.h
++@@ -89,6 +89,9 @@
++ /* must be defined before including ssl.h */
++ #define OPENSSL_NO_SSL_INTERN
++ #endif
+++#if OPENSSL_VERSION_NUMBER >= 0x30000000
+++#include <openssl/core_names.h>
+++#endif
++ #include <openssl/ssl.h>
++ #include <openssl/err.h>
++ #include <openssl/x509.h>
++@@ -674,7 +677,11 @@ typedef struct {
++ typedef struct {
++     const char *file_path;
++     unsigned char key_name[16];
+++#if OPENSSL_VERSION_NUMBER < 0x30000000L
++     unsigned char hmac_secret[16];
+++#else
+++    OSSL_PARAM mac_params[3];
+++#endif
++     unsigned char aes_key[16];
++ } modssl_ticket_key_t;
++ #endif
++@@ -938,8 +945,16 @@ int          ssl_callback_ServerNameIndication(SSL *, int *, modssl_ctx_t *);
++ int          ssl_callback_ClientHello(SSL *, int *, void *);
++ #endif
++ #ifdef HAVE_TLS_SESSION_TICKETS
++-int         ssl_callback_SessionTicket(SSL *, unsigned char *, unsigned char *,
++-                                       EVP_CIPHER_CTX *, HMAC_CTX *, int);
+++int ssl_callback_SessionTicket(SSL *ssl,
+++                               unsigned char *keyname,
+++                               unsigned char *iv,
+++                               EVP_CIPHER_CTX *cipher_ctx,
+++#if OPENSSL_VERSION_NUMBER < 0x30000000L
+++                               HMAC_CTX *hmac_ctx,
+++#else
+++                               EVP_MAC_CTX *mac_ctx,
+++#endif
+++                               int mode);
++ #endif
++
++ #ifdef HAVE_TLS_ALPN
 diff --git a/debian/patches/support-openssl3-003.patch b/debian/patches/support-openssl3-003.patch
 new file mode 100644
 index 0000000..06906a9
 --- /dev/null
 +++ b/debian/patches/support-openssl3-003.patch
@@ -0,0 +1,48 @@
++From: Joe Orton <jorton@redhat.com>
++Date: Mon, 26 Jul 2021 12:24:27 +0100
++Subject: mod_ssl: follow up to r1876934: wrap DH_bits()
++
++DH_get0_p() seems to be undefined for some openssl versions, so it can't
++be used to implement DH_bits() generically.
++
++Add new a modssl_DH_bits() wrapper to call DH_bits() for openssl < 3,
++and BN_num_bits(DH_get0_p(dh)) otherwise.
++
++Submitted by: ylavic
++
++
++Forwarded: yes, https://github.com/apache/httpd/pull/258
++Bug-Ubuntu: https://bugs.launchpad.net/ubuntu/+source/apache2/+bug/1951476
++---
++ modules/ssl/ssl_engine_init.c | 11 ++++++++++-
++ 1 file changed, 10 insertions(+), 1 deletion(-)
++
++diff --git a/modules/ssl/ssl_engine_init.c b/modules/ssl/ssl_engine_init.c
++index eb41e7f..a2da916 100644
++--- a/modules/ssl/ssl_engine_init.c
+++++ b/modules/ssl/ssl_engine_init.c
++@@ -1271,6 +1271,15 @@ static int ssl_no_passwd_prompt_cb(char *buf, int size, int rwflag,
++    return 0;
++ }
++
+++static APR_INLINE int modssl_DH_bits(DH *dh)
+++{
+++#if OPENSSL_VERSION_NUMBER < 0x30000000L
+++    return DH_bits(dh);
+++#else
+++    return BN_num_bits(DH_get0_p(dh));
+++#endif
+++}
+++
++ static apr_status_t ssl_init_server_certs(server_rec *s,
++                                           apr_pool_t *p,
++                                           apr_pool_t *ptemp,
++@@ -1470,7 +1479,7 @@ static apr_status_t ssl_init_server_certs(server_rec *s,
++         SSL_CTX_set_tmp_dh(mctx->ssl_ctx, dh);
++         ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s, APLOGNO(02540)
++                      "Custom DH parameters (%d bits) for %s loaded from %s",
++-                     BN_num_bits(DH_get0_p(dh)), vhost_id, certfile);
+++                     modssl_DH_bits(dh), vhost_id, certfile);
++         DH_free(dh);
++     }
++
 diff --git a/debian/patches/support-openssl3-004.patch b/debian/patches/support-openssl3-004.patch
 new file mode 100644
 index 0000000..5566eaf
 --- /dev/null
 +++ b/debian/patches/support-openssl3-004.patch
@@ -0,0 +1,56 @@
++From: Joe Orton <jorton@redhat.com>
++Date: Mon, 26 Jul 2021 12:24:46 +0100
++Subject: * modules/ssl/ssl_engine_init.c (ssl_init_server_certs): Fix use of
++   encrypted private keys with OpenSSL 3.0.
++
++* test/travis_run_linux.sh: For TEST_SSL, test loading encrypted
++  private keys.
++
++Github: closes #{197}
++
++Submitted by: jorton
++
++
++Forwarded: yes, https://github.com/apache/httpd/pull/258
++Bug-Ubuntu: https://bugs.launchpad.net/ubuntu/+source/apache2/+bug/1951476
++---
++ modules/ssl/ssl_engine_init.c | 19 +++++++++++++++++--
++ 1 file changed, 17 insertions(+), 2 deletions(-)
++
++diff --git a/modules/ssl/ssl_engine_init.c b/modules/ssl/ssl_engine_init.c
++index a2da916..2f3a120 100644
++--- a/modules/ssl/ssl_engine_init.c
+++++ b/modules/ssl/ssl_engine_init.c
++@@ -1280,6 +1280,22 @@ static APR_INLINE int modssl_DH_bits(DH *dh)
++ #endif
++ }
++
+++/* SSL_CTX_use_PrivateKey_file() can fail either because the private
+++ * key was encrypted, or due to a mismatch between an already-loaded
+++ * cert and the key - a common misconfiguration - from calling
+++ * X509_check_private_key().  This macro is passed the last error code
+++ * off the OpenSSL stack and evaluates to true only for the first
+++ * case.  With OpenSSL < 3 the second case is identifiable by the
+++ * function code, but function codes are not used from 3.0. */
+++#if OPENSSL_VERSION_NUMBER < 0x30000000L
+++#define CHECK_PRIVKEY_ERROR(ec) (ERR_GET_FUNC(ec) != X509_F_X509_CHECK_PRIVATE_KEY)
+++#else
+++#define CHECK_PRIVKEY_ERROR(ec) (ERR_GET_LIB != ERR_LIB_X509            \
+++                                 || (ERR_GET_REASON(ec) != X509_R_KEY_TYPE_MISMATCH \
+++                                     && ERR_GET_REASON(ec) != X509_R_KEY_VALUES_MISMATCH \
+++                                     && ERR_GET_REASON(ec) != X509_R_UNKNOWN_KEY_TYPE))
+++#endif
+++
++ static apr_status_t ssl_init_server_certs(server_rec *s,
++                                           apr_pool_t *p,
++                                           apr_pool_t *ptemp,
++@@ -1385,8 +1401,7 @@ static apr_status_t ssl_init_server_certs(server_rec *s,
++         }
++         else if ((SSL_CTX_use_PrivateKey_file(mctx->ssl_ctx, keyfile,
++                                               SSL_FILETYPE_PEM) < 1)
++-                 && (ERR_GET_FUNC(ERR_peek_last_error())
++-                     != X509_F_X509_CHECK_PRIVATE_KEY)) {
+++                 && CHECK_PRIVKEY_ERROR(ERR_peek_last_error())) {
++             ssl_asn1_t *asn1;
++             const unsigned char *ptr;
++
 diff --git a/debian/patches/support-openssl3-005.patch b/debian/patches/support-openssl3-005.patch
 new file mode 100644
 index 0000000..5c6ebe8
 --- /dev/null
 +++ b/debian/patches/support-openssl3-005.patch
@@ -0,0 +1,121 @@
++From: Joe Orton <jorton@redhat.com>
++Date: Mon, 26 Jul 2021 12:25:36 +0100
++Subject: mod_ssl: Switch to using OpenSSL's automatic internal DH parameter
++ generation from OpenSSL 1.1.0 and later.  The SSL_set_tmp_dh_callback() API
++ is deprecated from OpenSSL 3.0 onwards. Should not be a user-visible change
++ (except mod_ssl gets smaller).
++
++* modules/ssl/ssl_private.h,
++  modules/ssl/ssl_engine_kernel.c,
++  modules/ssl/ssl_engine_init.c (ssl_init_ctx_callbacks):
++  Drop internal DH parameter generation and callback for OpenSSL 1.1+,
++  use SSL_CTX_set_dh_auto(, 1) instead.
++
++Github: closes #188
++Reviewed by: rpluem
++
++Submitted by: jorton
++
++
++Forwarded: yes, https://github.com/apache/httpd/pull/258
++Bug-Ubuntu: https://bugs.launchpad.net/ubuntu/+source/apache2/+bug/1951476
++---
++ modules/ssl/ssl_engine_init.c   | 14 ++++++++++----
++ modules/ssl/ssl_engine_kernel.c |  2 ++
++ modules/ssl/ssl_private.h       |  2 ++
++ 3 files changed, 14 insertions(+), 4 deletions(-)
++
++diff --git a/modules/ssl/ssl_engine_init.c b/modules/ssl/ssl_engine_init.c
++index 2f3a120..d0ef4ba 100644
++--- a/modules/ssl/ssl_engine_init.c
+++++ b/modules/ssl/ssl_engine_init.c
++@@ -91,7 +91,6 @@ static int DH_set0_pqg(DH *dh, BIGNUM *p, BIGNUM *q, BIGNUM *g)
++
++     return 1;
++ }
++-#endif
++
++ /*
++  * Grab well-defined DH parameters from OpenSSL, see the BN_get_rfc*
++@@ -171,6 +170,7 @@ DH *modssl_get_dh_params(unsigned keylen)
++
++     return NULL; /* impossible to reach. */
++ }
+++#endif
++
++ static void ssl_add_version_components(apr_pool_t *ptemp, apr_pool_t *pconf,
++                                        server_rec *s)
++@@ -440,8 +440,9 @@ apr_status_t ssl_init_Module(apr_pool_t *p, apr_pool_t *plog,
++
++     modssl_init_app_data2_idx(); /* for modssl_get_app_data2() at request time */
++
+++#if MODSSL_USE_OPENSSL_PRE_1_1_API
++     init_dh_params();
++-#if !MODSSL_USE_OPENSSL_PRE_1_1_API
+++#else
++     init_bio_methods();
++ #endif
++
++@@ -834,7 +835,11 @@ static void ssl_init_ctx_callbacks(server_rec *s,
++ {
++     SSL_CTX *ctx = mctx->ssl_ctx;
++
+++#if MODSSL_USE_OPENSSL_PRE_1_1_API
++     SSL_CTX_set_tmp_dh_callback(ctx,  ssl_callback_TmpDH);
+++#else
+++    SSL_CTX_set_dh_auto(ctx, 1);
+++#endif
++
++     SSL_CTX_set_info_callback(ctx, ssl_callback_Info);
++
++@@ -2317,10 +2322,11 @@ apr_status_t ssl_init_ModuleKill(void *data)
++
++     }
++
++-#if !MODSSL_USE_OPENSSL_PRE_1_1_API
+++#if MODSSL_USE_OPENSSL_PRE_1_1_API
+++    free_dh_params();
+++#else
++     free_bio_methods();
++ #endif
++-    free_dh_params();
++
++     return APR_SUCCESS;
++ }
++diff --git a/modules/ssl/ssl_engine_kernel.c b/modules/ssl/ssl_engine_kernel.c
++index f2d49ad..aced92d 100644
++--- a/modules/ssl/ssl_engine_kernel.c
+++++ b/modules/ssl/ssl_engine_kernel.c
++@@ -1685,6 +1685,7 @@ const authz_provider ssl_authz_provider_verify_client =
++ **  _________________________________________________________________
++ */
++
+++#if MODSSL_USE_OPENSSL_PRE_1_1_API
++ /*
++  * Hand out standard DH parameters, based on the authentication strength
++  */
++@@ -1730,6 +1731,7 @@ DH *ssl_callback_TmpDH(SSL *ssl, int export, int keylen)
++
++     return modssl_get_dh_params(keylen);
++ }
+++#endif
++
++ /*
++  * This OpenSSL callback function is called when OpenSSL
++diff --git a/modules/ssl/ssl_private.h b/modules/ssl/ssl_private.h
++index 71d658c..b74d956 100644
++--- a/modules/ssl/ssl_private.h
+++++ b/modules/ssl/ssl_private.h
++@@ -1127,10 +1127,12 @@ void ssl_init_ocsp_certificates(server_rec *s, modssl_ctx_t *mctx);
++
++ #endif
++
+++#if MODSSL_USE_OPENSSL_PRE_1_1_API
++ /* Retrieve DH parameters for given key length.  Return value should
++  * be treated as unmutable, since it is stored in process-global
++  * memory. */
++ DH *modssl_get_dh_params(unsigned keylen);
+++#endif
++
++ /* Returns non-zero if the request was made over SSL/TLS.  If sslconn
++  * is non-NULL and the request is using SSL/TLS, sets *sslconn to the
 diff --git a/debian/patches/support-openssl3-006.patch b/debian/patches/support-openssl3-006.patch
 new file mode 100644
 index 0000000..33e0c1f
 --- /dev/null
 +++ b/debian/patches/support-openssl3-006.patch
@@ -0,0 +1,33 @@
++From: Joe Orton <jorton@redhat.com>
++Date: Mon, 26 Jul 2021 12:29:32 +0100
++Subject: fix build with LibreSSL [Yann Ylavic] Github issue #188
++
++Submitted by: gbechis
++
++
++Forwarded: yes, https://github.com/apache/httpd/pull/258
++Bug-Ubuntu: https://bugs.launchpad.net/ubuntu/+source/apache2/+bug/1951476
++---
++ modules/ssl/ssl_private.h | 5 ++---
++ 1 file changed, 2 insertions(+), 3 deletions(-)
++
++diff --git a/modules/ssl/ssl_private.h b/modules/ssl/ssl_private.h
++index b74d956..b091c58 100644
++--- a/modules/ssl/ssl_private.h
+++++ b/modules/ssl/ssl_private.h
++@@ -137,13 +137,12 @@
++         SSL_CTX_ctrl(ctx, SSL_CTRL_SET_MIN_PROTO_VERSION, version, NULL)
++ #define SSL_CTX_set_max_proto_version(ctx, version) \
++         SSL_CTX_ctrl(ctx, SSL_CTRL_SET_MAX_PROTO_VERSION, version, NULL)
++-#elif LIBRESSL_VERSION_NUMBER < 0x2070000f
+++#endif /* LIBRESSL_VERSION_NUMBER < 0x2060000f */
++ /* LibreSSL before 2.7 declares OPENSSL_VERSION_NUMBER == 2.0 but does not
++  * include most changes from OpenSSL >= 1.1 (new functions, macros,
++  * deprecations, ...), so we have to work around this...
++  */
++-#define MODSSL_USE_OPENSSL_PRE_1_1_API (1)
++-#endif /* LIBRESSL_VERSION_NUMBER < 0x2060000f */
+++#define MODSSL_USE_OPENSSL_PRE_1_1_API (LIBRESSL_VERSION_NUMBER < 0x2070000f)
++ #else /* defined(LIBRESSL_VERSION_NUMBER) */
++ #define MODSSL_USE_OPENSSL_PRE_1_1_API (OPENSSL_VERSION_NUMBER < 0x10100000L)
++ #endif
 diff --git a/debian/patches/support-openssl3-007.patch b/debian/patches/support-openssl3-007.patch
 new file mode 100644
 index 0000000..6f760b8
 --- /dev/null
 +++ b/debian/patches/support-openssl3-007.patch
@@ -0,0 +1,72 @@
++From: Joe Orton <jorton@redhat.com>
++Date: Mon, 26 Jul 2021 14:15:28 +0100
++Subject: Support for OpenSSL 1.1.0: - BIO was made opaque after OpenSSL
++ 1.1.0pre4.
++
++Submitted by: rjung
++
++
++Forwarded: yes, https://github.com/apache/httpd/pull/258
++Bug-Ubuntu: https://bugs.launchpad.net/ubuntu/+source/apache2/+bug/1951476
++---
++ modules/ssl/ssl_engine_io.c | 12 ++++++------
++ 1 file changed, 6 insertions(+), 6 deletions(-)
++
++diff --git a/modules/ssl/ssl_engine_io.c b/modules/ssl/ssl_engine_io.c
++index f7e5cfc..3db7077 100644
++--- a/modules/ssl/ssl_engine_io.c
+++++ b/modules/ssl/ssl_engine_io.c
++@@ -194,7 +194,7 @@ static int bio_filter_destroy(BIO *bio)
++ static int bio_filter_out_read(BIO *bio, char *out, int outl)
++ {
++     /* this is never called */
++-    bio_filter_out_ctx_t *outctx = (bio_filter_out_ctx_t *)(bio->ptr);
+++    bio_filter_out_ctx_t *outctx = (bio_filter_out_ctx_t *)BIO_get_data(bio);
++     ap_log_cerror(APLOG_MARK, APLOG_TRACE1, 0, outctx->c,
++                   "BUG: %s() should not be called", "bio_filter_out_read");
++     AP_DEBUG_ASSERT(0);
++@@ -297,7 +297,7 @@ static long bio_filter_out_ctrl(BIO *bio, int cmd, long num, void *ptr)
++ static int bio_filter_out_gets(BIO *bio, char *buf, int size)
++ {
++     /* this is never called */
++-    bio_filter_out_ctx_t *outctx = (bio_filter_out_ctx_t *)(bio->ptr);
+++    bio_filter_out_ctx_t *outctx = (bio_filter_out_ctx_t *)BIO_get_data(bio);
++     ap_log_cerror(APLOG_MARK, APLOG_TRACE1, 0, outctx->c,
++                   "BUG: %s() should not be called", "bio_filter_out_gets");
++     AP_DEBUG_ASSERT(0);
++@@ -307,7 +307,7 @@ static int bio_filter_out_gets(BIO *bio, char *buf, int size)
++ static int bio_filter_out_puts(BIO *bio, const char *str)
++ {
++     /* this is never called */
++-    bio_filter_out_ctx_t *outctx = (bio_filter_out_ctx_t *)(bio->ptr);
+++    bio_filter_out_ctx_t *outctx = (bio_filter_out_ctx_t *)BIO_get_data(bio);
++     ap_log_cerror(APLOG_MARK, APLOG_TRACE1, 0, outctx->c,
++                   "BUG: %s() should not be called", "bio_filter_out_puts");
++     AP_DEBUG_ASSERT(0);
++@@ -545,7 +545,7 @@ static int bio_filter_in_read(BIO *bio, char *in, int inlen)
++
++ static int bio_filter_in_write(BIO *bio, const char *in, int inl)
++ {
++-    bio_filter_in_ctx_t *inctx = (bio_filter_in_ctx_t *)(bio->ptr);
+++    bio_filter_in_ctx_t *inctx = (bio_filter_in_ctx_t *)BIO_get_data(bio);
++     ap_log_cerror(APLOG_MARK, APLOG_TRACE1, 0, inctx->f->c,
++                   "BUG: %s() should not be called", "bio_filter_in_write");
++     AP_DEBUG_ASSERT(0);
++@@ -554,7 +554,7 @@ static int bio_filter_in_write(BIO *bio, const char *in, int inl)
++
++ static int bio_filter_in_puts(BIO *bio, const char *str)
++ {
++-    bio_filter_in_ctx_t *inctx = (bio_filter_in_ctx_t *)(bio->ptr);
+++    bio_filter_in_ctx_t *inctx = (bio_filter_in_ctx_t *)BIO_get_data(bio);
++     ap_log_cerror(APLOG_MARK, APLOG_TRACE1, 0, inctx->f->c,
++                   "BUG: %s() should not be called", "bio_filter_in_puts");
++     AP_DEBUG_ASSERT(0);
++@@ -563,7 +563,7 @@ static int bio_filter_in_puts(BIO *bio, const char *str)
++
++ static int bio_filter_in_gets(BIO *bio, char *buf, int size)
++ {
++-    bio_filter_in_ctx_t *inctx = (bio_filter_in_ctx_t *)(bio->ptr);
+++    bio_filter_in_ctx_t *inctx = (bio_filter_in_ctx_t *)BIO_get_data(bio);
++     ap_log_cerror(APLOG_MARK, APLOG_TRACE1, 0, inctx->f->c,
++                   "BUG: %s() should not be called", "bio_filter_in_gets");
++     AP_DEBUG_ASSERT(0);
 diff --git a/debian/patches/support-openssl3-008.patch b/debian/patches/support-openssl3-008.patch
 new file mode 100644
 index 0000000..d04497f
 --- /dev/null
 +++ b/debian/patches/support-openssl3-008.patch
@@ -0,0 +1,29 @@
++From: Joe Orton <jorton@redhat.com>
++Date: Wed, 28 Jul 2021 12:28:59 +0100
++Subject: mod_ssl: follow up to r1876934: fix
++ !modssl_X509_STORE_load_locations() logic.
++
++Submitted by: ylavic
++
++
++Forwarded: yes, https://github.com/apache/httpd/pull/258
++Bug-Ubuntu: https://bugs.launchpad.net/ubuntu/+source/apache2/+bug/1951476
++---
++ modules/ssl/ssl_engine_init.c | 4 ++--
++ 1 file changed, 2 insertions(+), 2 deletions(-)
++
++diff --git a/modules/ssl/ssl_engine_init.c b/modules/ssl/ssl_engine_init.c
++index d0ef4ba..5d199cd 100644
++--- a/modules/ssl/ssl_engine_init.c
+++++ b/modules/ssl/ssl_engine_init.c
++@@ -1046,8 +1046,8 @@ static apr_status_t ssl_init_ctx_crl(server_rec *s,
++     ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s, APLOGNO(01900)
++                  "Configuring certificate revocation facility");
++
++-    if (!store || modssl_X509_STORE_load_locations(store, mctx->crl_file,
++-                                                          mctx->crl_path)) {
+++    if (!store || !modssl_X509_STORE_load_locations(store, mctx->crl_file,
+++                                                           mctx->crl_path)) {
++         ap_log_error(APLOG_MARK, APLOG_EMERG, 0, s, APLOGNO(01901)
++                      "Host %s: unable to configure X.509 CRL storage "
++                      "for certificate revocation", mctx->sc->vhost_id);
 diff --git a/debian/patches/support-openssl3-009.patch b/debian/patches/support-openssl3-009.patch
 new file mode 100644
 index 0000000..01687e9
 --- /dev/null
 +++ b/debian/patches/support-openssl3-009.patch
@@ -0,0 +1,36 @@
++From: Joe Orton <jorton@redhat.com>
++Date: Mon, 4 Oct 2021 14:26:49 +0100
++Subject: * modules/ssl/ssl_engine_init.c (ssl_init_server_certs): For OpenSSL
++   1.1+,
++ disable auto DH parameter selection if parameters have been   manually
++ configured.  This fixes a regression in r1890067 after   which manually
++ configured parameters are ignored.
++
++Submitted by: jorton
++
++
++Forwarded: yes, https://github.com/apache/httpd/pull/258
++Bug-Ubuntu: https://bugs.launchpad.net/ubuntu/+source/apache2/+bug/1951476
++---
++ modules/ssl/ssl_engine_init.c | 7 +++++++
++ 1 file changed, 7 insertions(+)
++
++diff --git a/modules/ssl/ssl_engine_init.c b/modules/ssl/ssl_engine_init.c
++index 5d199cd..3986ba7 100644
++--- a/modules/ssl/ssl_engine_init.c
+++++ b/modules/ssl/ssl_engine_init.c
++@@ -1496,7 +1496,14 @@ static apr_status_t ssl_init_server_certs(server_rec *s,
++     certfile = APR_ARRAY_IDX(mctx->pks->cert_files, 0, const char *);
++     if (certfile && !modssl_is_engine_id(certfile)
++         && (dh = ssl_dh_GetParamFromFile(certfile))) {
+++        /* ### This should be replaced with SSL_CTX_set0_tmp_dh_pkey()
+++         * for OpenSSL 3.0+. */
++         SSL_CTX_set_tmp_dh(mctx->ssl_ctx, dh);
+++#if !MODSSL_USE_OPENSSL_PRE_1_1_API
+++        /* OpenSSL ignores manually configured DH params if automatic
+++         * selection if enabled, so disable auto selection here. */
+++        SSL_CTX_set_dh_auto(mctx->ssl_ctx, 0);
+++#endif
++         ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s, APLOGNO(02540)
++                      "Custom DH parameters (%d bits) for %s loaded from %s",
++                      modssl_DH_bits(dh), vhost_id, certfile);
 diff --git a/debian/patches/support-openssl3-010.patch b/debian/patches/support-openssl3-010.patch
 new file mode 100644
 index 0000000..2791e96
 --- /dev/null
 +++ b/debian/patches/support-openssl3-010.patch
@@ -0,0 +1,54 @@
++From: Joe Orton <jorton@redhat.com>
++Date: Tue, 12 Oct 2021 13:48:55 +0100
++Subject: * modules/ssl/ssl_engine_init.c (ssl_init_ctx_callbacks,
++   ssl_init_server_certs): Flip logic for enabling/disabling DH auto
++   parameter selection for OpenSSL 1.1+ to be simpler and consistent   with
++ auto ECDH curve selection.
++
++
++Forwarded: yes, https://github.com/apache/httpd/pull/258
++Bug-Ubuntu: https://bugs.launchpad.net/ubuntu/+source/apache2/+bug/1951476
++---
++ modules/ssl/ssl_engine_init.c | 16 +++++++++-------
++ 1 file changed, 9 insertions(+), 7 deletions(-)
++
++diff --git a/modules/ssl/ssl_engine_init.c b/modules/ssl/ssl_engine_init.c
++index 3986ba7..f440a37 100644
++--- a/modules/ssl/ssl_engine_init.c
+++++ b/modules/ssl/ssl_engine_init.c
++@@ -836,9 +836,9 @@ static void ssl_init_ctx_callbacks(server_rec *s,
++     SSL_CTX *ctx = mctx->ssl_ctx;
++
++ #if MODSSL_USE_OPENSSL_PRE_1_1_API
+++    /* Note that for OpenSSL>=1.1, auto selection is enabled via
+++     * SSL_CTX_set_dh_auto(,1) if no parameter is configured. */
++     SSL_CTX_set_tmp_dh_callback(ctx,  ssl_callback_TmpDH);
++-#else
++-    SSL_CTX_set_dh_auto(ctx, 1);
++ #endif
++
++     SSL_CTX_set_info_callback(ctx, ssl_callback_Info);
++@@ -1499,16 +1499,18 @@ static apr_status_t ssl_init_server_certs(server_rec *s,
++         /* ### This should be replaced with SSL_CTX_set0_tmp_dh_pkey()
++          * for OpenSSL 3.0+. */
++         SSL_CTX_set_tmp_dh(mctx->ssl_ctx, dh);
++-#if !MODSSL_USE_OPENSSL_PRE_1_1_API
++-        /* OpenSSL ignores manually configured DH params if automatic
++-         * selection if enabled, so disable auto selection here. */
++-        SSL_CTX_set_dh_auto(mctx->ssl_ctx, 0);
++-#endif
++         ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s, APLOGNO(02540)
++                      "Custom DH parameters (%d bits) for %s loaded from %s",
++                      modssl_DH_bits(dh), vhost_id, certfile);
++         DH_free(dh);
++     }
+++#if !MODSSL_USE_OPENSSL_PRE_1_1_API
+++    else {
+++        /* If no parameter is manually configured, enable auto
+++         * selection. */
+++        SSL_CTX_set_dh_auto(mctx->ssl_ctx, 1);
+++    }
+++#endif
++
++ #ifdef HAVE_ECC
++     /*

Ubuntuapache2 package

Merge ~sergiodj/ubuntu/+source/apache2:openssl-3-support into ubuntu/+source/apache2:ubuntu/devel

Commit message

Description of the change

Preview Diff

Subscribers

Ubuntu
apache2 package