From 0d708eba112ce37ecdc29c1dc5054c2e61a2e2c4 Mon Sep 17 00:00:00 2001 From: Joe Orton Date: Mon, 14 Nov 2016 10:46:52 +0000 Subject: [PATCH] fix build with OpenSSL 1.1 (#1392900) - fix typos in ssl.conf (josef randinger, #1379407) Resolves: rhbz#1392900 Resolves: rhbz#1379407 --- httpd-2.4.23-openssl11.patch | 1297 ++++++++++++++++++++++++++++++++++ httpd.spec | 8 +- ssl.conf | 4 +- 3 files changed, 1306 insertions(+), 3 deletions(-) create mode 100644 httpd-2.4.23-openssl11.patch diff --git a/httpd-2.4.23-openssl11.patch b/httpd-2.4.23-openssl11.patch new file mode 100644 index 0000000..48044d8 --- /dev/null +++ b/httpd-2.4.23-openssl11.patch @@ -0,0 +1,1297 @@ + +Diff to https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x-openssl-1.1.0-compat/ +as of upstream r1769589. + +diff -uap httpd-2.4.23/acinclude.m4.openssl11 httpd-2.4.23/acinclude.m4 +--- httpd-2.4.23/acinclude.m4.openssl11 ++++ httpd-2.4.23/acinclude.m4 +@@ -586,7 +586,7 @@ + dnl Run library and function checks + liberrors="" + AC_CHECK_HEADERS([openssl/engine.h]) +- AC_CHECK_FUNCS([SSLeay_version SSL_CTX_new], [], [liberrors="yes"]) ++ AC_CHECK_FUNCS([SSL_CTX_new], [], [liberrors="yes"]) + AC_CHECK_FUNCS([ENGINE_init ENGINE_load_builtin_engines RAND_egd]) + if test "x$liberrors" != "x"; then + AC_MSG_WARN([OpenSSL libraries are unusable]) +diff -uap httpd-2.4.23/modules/ssl/mod_ssl.c.openssl11 httpd-2.4.23/modules/ssl/mod_ssl.c +--- httpd-2.4.23/modules/ssl/mod_ssl.c.openssl11 ++++ httpd-2.4.23/modules/ssl/mod_ssl.c +@@ -312,7 +312,13 @@ + #if HAVE_ENGINE_LOAD_BUILTIN_ENGINES + ENGINE_cleanup(); + #endif ++#if OPENSSL_VERSION_NUMBER < 0x10100000L ++#if OPENSSL_VERSION_NUMBER >= 0x1000000fL ++ ERR_remove_thread_state(NULL); ++#else + ERR_remove_state(0); ++#endif ++#endif + + /* Don't call ERR_free_strings in earlier versions, ERR_load_*_strings only + * actually loaded the error strings once per process due to static +@@ -342,7 +348,11 @@ + /* We must register the library in full, to ensure our configuration + * code can successfully test the SSL environment. + */ ++#if OPENSSL_VERSION_NUMBER < 0x10100000L + CRYPTO_malloc_init(); ++#else ++ OPENSSL_malloc_init(); ++#endif + ERR_load_crypto_strings(); + SSL_load_error_strings(); + SSL_library_init(); +diff -uap httpd-2.4.23/modules/ssl/ssl_engine_init.c.openssl11 httpd-2.4.23/modules/ssl/ssl_engine_init.c +--- httpd-2.4.23/modules/ssl/ssl_engine_init.c.openssl11 ++++ httpd-2.4.23/modules/ssl/ssl_engine_init.c +@@ -47,21 +47,50 @@ + #define KEYTYPES "RSA or DSA" + #endif + ++#if OPENSSL_VERSION_NUMBER < 0x10100000L ++/* OpenSSL Pre-1.1.0 compatibility */ ++/* Taken from OpenSSL 1.1.0 snapshot 20160410 */ ++static int DH_set0_pqg(DH *dh, BIGNUM *p, BIGNUM *q, BIGNUM *g) ++{ ++ /* q is optional */ ++ if (p == NULL || g == NULL) ++ return 0; ++ BN_free(dh->p); ++ BN_free(dh->q); ++ BN_free(dh->g); ++ dh->p = p; ++ dh->q = q; ++ dh->g = g; ++ ++ if (q != NULL) { ++ dh->length = BN_num_bits(q); ++ } ++ ++ return 1; ++} ++#endif ++ + /* +- * Grab well-defined DH parameters from OpenSSL, see the get_rfc* ++ * Grab well-defined DH parameters from OpenSSL, see the BN_get_rfc* + * functions in for all available primes. + */ +-static DH *make_dh_params(BIGNUM *(*prime)(BIGNUM *), const char *gen) ++static DH *make_dh_params(BIGNUM *(*prime)(BIGNUM *)) + { + DH *dh = DH_new(); ++ BIGNUM *p, *g; + + if (!dh) { + return NULL; + } +- dh->p = prime(NULL); +- BN_dec2bn(&dh->g, gen); +- if (!dh->p || !dh->g) { ++ p = prime(NULL); ++ g = BN_new(); ++ if (g != NULL) { ++ BN_set_word(g, 2); ++ } ++ if (!p || !g || !DH_set0_pqg(dh, p, NULL, g)) { + DH_free(dh); ++ BN_free(p); ++ BN_free(g); + return NULL; + } + return dh; +@@ -73,12 +102,12 @@ + DH *dh; /* ...this, used for keys.... */ + const unsigned int min; /* ...of length >= this. */ + } dhparams[] = { +- { get_rfc3526_prime_8192, NULL, 6145 }, +- { get_rfc3526_prime_6144, NULL, 4097 }, +- { get_rfc3526_prime_4096, NULL, 3073 }, +- { get_rfc3526_prime_3072, NULL, 2049 }, +- { get_rfc3526_prime_2048, NULL, 1025 }, +- { get_rfc2409_prime_1024, NULL, 0 } ++ { BN_get_rfc3526_prime_8192, NULL, 6145 }, ++ { BN_get_rfc3526_prime_6144, NULL, 4097 }, ++ { BN_get_rfc3526_prime_4096, NULL, 3073 }, ++ { BN_get_rfc3526_prime_3072, NULL, 2049 }, ++ { BN_get_rfc3526_prime_2048, NULL, 1025 }, ++ { BN_get_rfc2409_prime_1024, NULL, 0 } + }; + + static void init_dh_params(void) +@@ -86,7 +115,7 @@ + unsigned n; + + for (n = 0; n < sizeof(dhparams)/sizeof(dhparams[0]); n++) +- dhparams[n].dh = make_dh_params(dhparams[n].prime, "2"); ++ dhparams[n].dh = make_dh_params(dhparams[n].prime); + } + + static void free_dh_params(void) +@@ -153,7 +182,7 @@ + "Init: this version of mod_ssl was compiled against " + "a newer library (%s, version currently loaded is %s)" + " - may result in undefined or erroneous behavior", +- MODSSL_LIBRARY_TEXT, SSLeay_version(SSLEAY_VERSION)); ++ MODSSL_LIBRARY_TEXT, MODSSL_LIBRARY_DYNTEXT); + } + + /* We initialize mc->pid per-process in the child init, +@@ -228,9 +257,11 @@ + #endif + } + ++#if OPENSSL_VERSION_NUMBER < 0x10100000L + #if APR_HAS_THREADS + ssl_util_thread_setup(p); + #endif ++#endif /* #if OPENSSL_VERSION_NUMBER < 0x10100000L */ + + /* + * SSL external crypto device ("engine") support +@@ -351,6 +382,9 @@ + modssl_init_app_data2_idx(); /* for modssl_get_app_data2() at request time */ + + init_dh_params(); ++#if OPENSSL_VERSION_NUMBER >= 0x10100000L ++ init_bio_methods(); ++#endif + + return OK; + } +@@ -481,6 +515,9 @@ + char *cp; + int protocol = mctx->protocol; + SSLSrvConfigRec *sc = mySrvConfig(s); ++#if OPENSSL_VERSION_NUMBER >= 0x10100000L ++ int prot; ++#endif + + /* + * Create the new per-server SSL context +@@ -506,6 +543,7 @@ + ap_log_error(APLOG_MARK, APLOG_TRACE3, 0, s, + "Creating new SSL context (protocols: %s)", cp); + ++#if OPENSSL_VERSION_NUMBER < 0x10100000L + #ifndef OPENSSL_NO_SSL3 + if (protocol == SSL_PROTOCOL_SSLV3) { + method = mctx->pkp ? +@@ -536,12 +574,18 @@ + SSLv23_client_method() : /* proxy */ + SSLv23_server_method(); /* server */ + } ++#else ++ method = mctx->pkp ? ++ TLS_client_method() : /* proxy */ ++ TLS_server_method(); /* server */ ++#endif + ctx = SSL_CTX_new(method); + + mctx->ssl_ctx = ctx; + + SSL_CTX_set_options(ctx, SSL_OP_ALL); + ++#if OPENSSL_VERSION_NUMBER < 0x10100000L + /* always disable SSLv2, as per RFC 6176 */ + SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv2); + +@@ -565,6 +609,43 @@ + } + #endif + ++#else /* #if OPENSSL_VERSION_NUMBER < 0x10100000L */ ++ /* We first determine the maximum protocol version we should provide */ ++ if (protocol & SSL_PROTOCOL_TLSV1_2) { ++ prot = TLS1_2_VERSION; ++ } else if (protocol & SSL_PROTOCOL_TLSV1_1) { ++ prot = TLS1_1_VERSION; ++ } else if (protocol & SSL_PROTOCOL_TLSV1) { ++ prot = TLS1_VERSION; ++#ifndef OPENSSL_NO_SSL3 ++ } else if (protocol & SSL_PROTOCOL_SSLV3) { ++ prot = SSL3_VERSION; ++#endif ++ } else { ++ SSL_CTX_free(ctx); ++ mctx->ssl_ctx = NULL; ++ ap_log_error(APLOG_MARK, APLOG_EMERG, 0, s, APLOGNO(03378) ++ "No SSL protocols available [hint: SSLProtocol]"); ++ return ssl_die(s); ++ } ++ SSL_CTX_set_max_proto_version(ctx, prot); ++ ++ /* Next we scan for the minimal protocol version we should provide, ++ * but we do not allow holes between max and min */ ++ if (prot == TLS1_2_VERSION && protocol & SSL_PROTOCOL_TLSV1_1) { ++ prot = TLS1_1_VERSION; ++ } ++ if (prot == TLS1_1_VERSION && protocol & SSL_PROTOCOL_TLSV1) { ++ prot = TLS1_VERSION; ++ } ++#ifndef OPENSSL_NO_SSL3 ++ if (prot == TLS1_VERSION && protocol & SSL_PROTOCOL_SSLV3) { ++ prot = SSL3_VERSION; ++ } ++#endif ++ SSL_CTX_set_min_proto_version(ctx, prot); ++#endif /* if OPENSSL_VERSION_NUMBER < 0x10100000L */ ++ + #ifdef SSL_OP_CIPHER_SERVER_PREFERENCE + if (sc->cipher_server_pref == TRUE) { + SSL_CTX_set_options(ctx, SSL_OP_CIPHER_SERVER_PREFERENCE); +@@ -858,7 +939,7 @@ + unsigned long err; + int n; + +- if ((bio = BIO_new(BIO_s_file_internal())) == NULL) ++ if ((bio = BIO_new(BIO_s_file())) == NULL) + return -1; + if (BIO_read_filename(bio, file) <= 0) { + BIO_free(bio); +@@ -1200,7 +1281,7 @@ + SSL_CTX_set_tmp_dh(mctx->ssl_ctx, dhparams); + ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s, APLOGNO(02540) + "Custom DH parameters (%d bits) for %s loaded from %s", +- BN_num_bits(dhparams->p), vhost_id, certfile); ++ DH_bits(dhparams), vhost_id, certfile); + DH_free(dhparams); + } + +@@ -1721,7 +1802,7 @@ + "an OpenSSL version with support for TLS extensions " + "(RFC 6066 - Server Name Indication / SNI), " + "but the currently used library version (%s) is " +- "lacking this feature", SSLeay_version(SSLEAY_VERSION)); ++ "lacking this feature", MODSSL_LIBRARY_DYNTEXT); + } + #endif + +@@ -1917,6 +1998,9 @@ + ssl_init_ctx_cleanup(sc->server); + } + ++#if OPENSSL_VERSION_NUMBER >= 0x10100000L ++ free_bio_methods(); ++#endif + free_dh_params(); + + return APR_SUCCESS; +diff -uap httpd-2.4.23/modules/ssl/ssl_engine_io.c.openssl11 httpd-2.4.23/modules/ssl/ssl_engine_io.c +--- httpd-2.4.23/modules/ssl/ssl_engine_io.c.openssl11 ++++ httpd-2.4.23/modules/ssl/ssl_engine_io.c +@@ -149,7 +149,7 @@ + * success, -1 on failure. */ + static int bio_filter_out_flush(BIO *bio) + { +- bio_filter_out_ctx_t *outctx = (bio_filter_out_ctx_t *)(bio->ptr); ++ bio_filter_out_ctx_t *outctx = (bio_filter_out_ctx_t *)BIO_get_data(bio); + apr_bucket *e; + + AP_DEBUG_ASSERT(APR_BRIGADE_EMPTY(outctx->bb)); +@@ -162,10 +162,16 @@ + + static int bio_filter_create(BIO *bio) + { +- bio->shutdown = 1; +- bio->init = 1; ++ BIO_set_shutdown(bio, 1); ++ BIO_set_init(bio, 1); ++#if OPENSSL_VERSION_NUMBER < 0x10100000L ++ /* No setter method for OpenSSL 1.1.0 available, ++ * but I can't find any functional use of the ++ * "num" field there either. ++ */ + bio->num = -1; +- bio->ptr = NULL; ++#endif ++ BIO_set_data(bio, NULL); + + return 1; + } +@@ -190,7 +196,7 @@ + + static int bio_filter_out_write(BIO *bio, const char *in, int inl) + { +- bio_filter_out_ctx_t *outctx = (bio_filter_out_ctx_t *)(bio->ptr); ++ bio_filter_out_ctx_t *outctx = (bio_filter_out_ctx_t *)BIO_get_data(bio); + apr_bucket *e; + int need_flush; + +@@ -241,7 +247,7 @@ + static long bio_filter_out_ctrl(BIO *bio, int cmd, long num, void *ptr) + { + long ret = 1; +- bio_filter_out_ctx_t *outctx = (bio_filter_out_ctx_t *)(bio->ptr); ++ bio_filter_out_ctx_t *outctx = (bio_filter_out_ctx_t *)BIO_get_data(bio); + + switch (cmd) { + case BIO_CTRL_RESET: +@@ -257,10 +263,10 @@ + ret = 0; + break; + case BIO_CTRL_GET_CLOSE: +- ret = (long)bio->shutdown; ++ ret = (long)BIO_get_shutdown(bio); + break; + case BIO_CTRL_SET_CLOSE: +- bio->shutdown = (int)num; ++ BIO_set_shutdown(bio, (int)num); + break; + case BIO_CTRL_FLUSH: + ret = bio_filter_out_flush(bio); +@@ -294,19 +300,6 @@ + return -1; + } + +-static BIO_METHOD bio_filter_out_method = { +- BIO_TYPE_MEM, +- "APR output filter", +- bio_filter_out_write, +- bio_filter_out_read, /* read is never called */ +- bio_filter_out_puts, /* puts is never called */ +- bio_filter_out_gets, /* gets is never called */ +- bio_filter_out_ctrl, +- bio_filter_create, +- bio_filter_destroy, +- NULL +-}; +- + typedef struct { + int length; + char *value; +@@ -456,7 +449,7 @@ + static int bio_filter_in_read(BIO *bio, char *in, int inlen) + { + apr_size_t inl = inlen; +- bio_filter_in_ctx_t *inctx = (bio_filter_in_ctx_t *)(bio->ptr); ++ bio_filter_in_ctx_t *inctx = (bio_filter_in_ctx_t *)BIO_get_data(bio); + apr_read_type_e block = inctx->block; + + inctx->rc = APR_SUCCESS; +@@ -536,20 +529,86 @@ + return -1; + } + ++static int bio_filter_in_write(BIO *bio, const char *in, int inl) ++{ ++ return -1; ++} ++ ++static int bio_filter_in_puts(BIO *bio, const char *str) ++{ ++ return -1; ++} ++ ++static int bio_filter_in_gets(BIO *bio, char *buf, int size) ++{ ++ return -1; ++} ++ ++static long bio_filter_in_ctrl(BIO *bio, int cmd, long num, void *ptr) ++{ ++ return -1; ++} ++ ++#if OPENSSL_VERSION_NUMBER < 0x10100000L ++ ++static BIO_METHOD bio_filter_out_method = { ++ BIO_TYPE_MEM, ++ "APR output filter", ++ bio_filter_out_write, ++ bio_filter_out_read, /* read is never called */ ++ bio_filter_out_puts, /* puts is never called */ ++ bio_filter_out_gets, /* gets is never called */ ++ bio_filter_out_ctrl, ++ bio_filter_create, ++ bio_filter_destroy, ++ NULL ++}; + + static BIO_METHOD bio_filter_in_method = { + BIO_TYPE_MEM, + "APR input filter", +- NULL, /* write is never called */ ++ bio_filter_in_write, /* write is never called */ + bio_filter_in_read, +- NULL, /* puts is never called */ +- NULL, /* gets is never called */ +- NULL, /* ctrl is never called */ ++ bio_filter_in_puts, /* puts is never called */ ++ bio_filter_in_gets, /* gets is never called */ ++ bio_filter_in_ctrl, /* ctrl is never called */ + bio_filter_create, + bio_filter_destroy, + NULL + }; + ++#else ++ ++static BIO_METHOD *bio_filter_out_method = NULL; ++static BIO_METHOD *bio_filter_in_method = NULL; ++ ++void init_bio_methods(void) ++{ ++ bio_filter_out_method = BIO_meth_new(BIO_TYPE_MEM, "APR output filter"); ++ BIO_meth_set_write(bio_filter_out_method, &bio_filter_out_write); ++ BIO_meth_set_read(bio_filter_out_method, &bio_filter_out_read); /* read is never called */ ++ BIO_meth_set_puts(bio_filter_out_method, &bio_filter_out_puts); /* puts is never called */ ++ BIO_meth_set_gets(bio_filter_out_method, &bio_filter_out_gets); /* gets is never called */ ++ BIO_meth_set_ctrl(bio_filter_out_method, &bio_filter_out_ctrl); ++ BIO_meth_set_create(bio_filter_out_method, &bio_filter_create); ++ BIO_meth_set_destroy(bio_filter_out_method, &bio_filter_destroy); ++ ++ bio_filter_in_method = BIO_meth_new(BIO_TYPE_MEM, "APR input filter"); ++ BIO_meth_set_write(bio_filter_in_method, &bio_filter_in_write); /* write is never called */ ++ BIO_meth_set_read(bio_filter_in_method, &bio_filter_in_read); ++ BIO_meth_set_puts(bio_filter_in_method, &bio_filter_in_puts); /* puts is never called */ ++ BIO_meth_set_gets(bio_filter_in_method, &bio_filter_in_gets); /* gets is never called */ ++ BIO_meth_set_ctrl(bio_filter_in_method, &bio_filter_in_ctrl); /* ctrl is never called */ ++ BIO_meth_set_create(bio_filter_in_method, &bio_filter_create); ++ BIO_meth_set_destroy(bio_filter_in_method, &bio_filter_destroy); ++} ++ ++void free_bio_methods(void) ++{ ++ BIO_meth_free(bio_filter_out_method); ++ BIO_meth_free(bio_filter_in_method); ++} ++#endif + + static apr_status_t ssl_io_input_read(bio_filter_in_ctx_t *inctx, + char *buf, +@@ -779,7 +838,7 @@ + return APR_EGENERAL; + } + +- outctx = (bio_filter_out_ctx_t *)filter_ctx->pbioWrite->ptr; ++ outctx = (bio_filter_out_ctx_t *)BIO_get_data(filter_ctx->pbioWrite); + res = SSL_write(filter_ctx->pssl, (unsigned char *)data, len); + + if (res < 0) { +@@ -1252,9 +1311,9 @@ + + if ((n = SSL_accept(filter_ctx->pssl)) <= 0) { + bio_filter_in_ctx_t *inctx = (bio_filter_in_ctx_t *) +- (filter_ctx->pbioRead->ptr); ++ BIO_get_data(filter_ctx->pbioRead); + bio_filter_out_ctx_t *outctx = (bio_filter_out_ctx_t *) +- (filter_ctx->pbioWrite->ptr); ++ BIO_get_data(filter_ctx->pbioWrite); + apr_status_t rc = inctx->rc ? inctx->rc : outctx->rc ; + ssl_err = SSL_get_error(filter_ctx->pssl, n); + +@@ -1667,8 +1726,8 @@ + return ap_pass_brigade(f->next, bb); + } + +- inctx = (bio_filter_in_ctx_t *)filter_ctx->pbioRead->ptr; +- outctx = (bio_filter_out_ctx_t *)filter_ctx->pbioWrite->ptr; ++ inctx = (bio_filter_in_ctx_t *)BIO_get_data(filter_ctx->pbioRead); ++ outctx = (bio_filter_out_ctx_t *)BIO_get_data(filter_ctx->pbioWrite); + + /* When we are the writer, we must initialize the inctx + * mode so that we block for any required ssl input, because +@@ -1949,8 +2008,12 @@ + + filter_ctx->pInputFilter = ap_add_input_filter(ssl_io_filter, inctx, r, c); + ++#if OPENSSL_VERSION_NUMBER < 0x10100000L + filter_ctx->pbioRead = BIO_new(&bio_filter_in_method); +- filter_ctx->pbioRead->ptr = (void *)inctx; ++#else ++ filter_ctx->pbioRead = BIO_new(bio_filter_in_method); ++#endif ++ BIO_set_data(filter_ctx->pbioRead, (void *)inctx); + + inctx->ssl = ssl; + inctx->bio_out = filter_ctx->pbioWrite; +@@ -1980,8 +2043,12 @@ + filter_ctx->pOutputFilter = ap_add_output_filter(ssl_io_filter, + filter_ctx, r, c); + ++#if OPENSSL_VERSION_NUMBER < 0x10100000L + filter_ctx->pbioWrite = BIO_new(&bio_filter_out_method); +- filter_ctx->pbioWrite->ptr = (void *)bio_filter_out_ctx_new(filter_ctx, c); ++#else ++ filter_ctx->pbioWrite = BIO_new(bio_filter_out_method); ++#endif ++ BIO_set_data(filter_ctx->pbioWrite, (void *)bio_filter_out_ctx_new(filter_ctx, c)); + + /* write is non blocking for the benefit of async mpm */ + if (c->cs) { +diff -uap httpd-2.4.23/modules/ssl/ssl_engine_kernel.c.openssl11 httpd-2.4.23/modules/ssl/ssl_engine_kernel.c +--- httpd-2.4.23/modules/ssl/ssl_engine_kernel.c.openssl11 ++++ httpd-2.4.23/modules/ssl/ssl_engine_kernel.c +@@ -80,7 +80,7 @@ + SSL_set_accept_state(ssl); + SSL_do_handshake(ssl); + +- if (SSL_get_state(ssl) != SSL_ST_OK) { ++ if (!SSL_is_init_finished(ssl)) { + ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(02030) + "TLS upgrade handshake failed"); + ssl_log_ssl_error(SSLLOG_MARK, APLOG_ERR, r->server); +@@ -114,6 +114,7 @@ + return result; + } + ++#ifdef HAVE_TLSEXT + static int ap_array_same_str_set(apr_array_header_t *s1, apr_array_header_t *s2) + { + int i; +@@ -215,6 +216,7 @@ + + return 1; + } ++#endif + + /* + * Post Read Request Handler +@@ -432,7 +434,7 @@ + X509 *cert; + X509 *peercert; + X509_STORE *cert_store = NULL; +- X509_STORE_CTX cert_store_ctx; ++ X509_STORE_CTX *cert_store_ctx; + STACK_OF(SSL_CIPHER) *cipher_list_old = NULL, *cipher_list = NULL; + const SSL_CIPHER *cipher = NULL; + int depth, verify_old, verify, n, is_slave = 0; +@@ -456,7 +458,7 @@ + * forbidden in the latter case, let ap_die() handle + * this recursive (same) error. + */ +- if (SSL_get_state(ssl) != SSL_ST_OK) { ++ if (!SSL_is_init_finished(ssl)) { + return HTTP_FORBIDDEN; + } + ctx = SSL_get_SSL_CTX(ssl); +@@ -622,7 +624,7 @@ + !renegotiate && (n < sk_SSL_CIPHER_num(cipher_list)); + n++) + { +- SSL_CIPHER *value = sk_SSL_CIPHER_value(cipher_list, n); ++ const SSL_CIPHER *value = sk_SSL_CIPHER_value(cipher_list, n); + + if (sk_SSL_CIPHER_find(cipher_list_old, value) < 0) { + renegotiate = TRUE; +@@ -633,7 +635,7 @@ + !renegotiate && (n < sk_SSL_CIPHER_num(cipher_list_old)); + n++) + { +- SSL_CIPHER *value = sk_SSL_CIPHER_value(cipher_list_old, n); ++ const SSL_CIPHER *value = sk_SSL_CIPHER_value(cipher_list_old, n); + + if (sk_SSL_CIPHER_find(cipher_list, value) < 0) { + renegotiate = TRUE; +@@ -914,25 +916,27 @@ + cert = sk_X509_value(cert_stack, 0); + } + +- X509_STORE_CTX_init(&cert_store_ctx, cert_store, cert, cert_stack); ++ cert_store_ctx = X509_STORE_CTX_new(); ++ X509_STORE_CTX_init(cert_store_ctx, cert_store, cert, cert_stack); + depth = SSL_get_verify_depth(ssl); + + if (depth >= 0) { +- X509_STORE_CTX_set_depth(&cert_store_ctx, depth); ++ X509_STORE_CTX_set_depth(cert_store_ctx, depth); + } + +- X509_STORE_CTX_set_ex_data(&cert_store_ctx, ++ X509_STORE_CTX_set_ex_data(cert_store_ctx, + SSL_get_ex_data_X509_STORE_CTX_idx(), + (char *)ssl); + +- if (!X509_verify_cert(&cert_store_ctx)) { ++ if (!X509_verify_cert(cert_store_ctx)) { + ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(02224) + "Re-negotiation verification step failed"); + ssl_log_ssl_error(SSLLOG_MARK, APLOG_ERR, r->server); + } + +- SSL_set_verify_result(ssl, cert_store_ctx.error); +- X509_STORE_CTX_cleanup(&cert_store_ctx); ++ SSL_set_verify_result(ssl, X509_STORE_CTX_get_error(cert_store_ctx)); ++ X509_STORE_CTX_cleanup(cert_store_ctx); ++ X509_STORE_CTX_free(cert_store_ctx); + + if (cert_stack != SSL_get_peer_cert_chain(ssl)) { + /* we created this ourselves, so free it */ +@@ -940,6 +944,7 @@ + } + } + else { ++ char peekbuf[1]; + const char *reneg_support; + request_rec *id = r->main ? r->main : r; + +@@ -983,7 +988,7 @@ + SSL_renegotiate(ssl); + SSL_do_handshake(ssl); + +- if (SSL_get_state(ssl) != SSL_ST_OK) { ++ if (!SSL_is_init_finished(ssl)) { + ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(02225) + "Re-negotiation request failed"); + ssl_log_ssl_error(SSLLOG_MARK, APLOG_ERR, r->server); +@@ -999,16 +1004,15 @@ + * However, this causes failures in perl-framework currently, + * perhaps pre-test if we have already negotiated? + */ +-#ifdef OPENSSL_NO_SSL_INTERN +- SSL_set_state(ssl, SSL_ST_ACCEPT); +-#else +- ssl->state = SSL_ST_ACCEPT; +-#endif +- SSL_do_handshake(ssl); ++ /* Need to trigger renegotiation handshake by reading. ++ * Peeking 0 bytes actually works. ++ * See: http://marc.info/?t=145493359200002&r=1&w=2 ++ */ ++ SSL_peek(ssl, peekbuf, 0); + + sslconn->reneg_state = RENEG_REJECT; + +- if (SSL_get_state(ssl) != SSL_ST_OK) { ++ if (!SSL_is_init_finished(ssl)) { + ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(02261) + "Re-negotiation handshake failed"); + ssl_log_ssl_error(SSLLOG_MARK, APLOG_ERR, r->server); +@@ -1513,7 +1517,11 @@ + SSL_set_current_cert(ssl, SSL_CERT_SET_SERVER); + #endif + pkey = SSL_get_privatekey(ssl); ++#if OPENSSL_VERSION_NUMBER < 0x10100000L + type = pkey ? EVP_PKEY_type(pkey->type) : EVP_PKEY_NONE; ++#else ++ type = pkey ? EVP_PKEY_base_id(pkey) : EVP_PKEY_NONE; ++#endif + + /* + * OpenSSL will call us with either keylen == 512 or keylen == 1024 +@@ -1725,11 +1733,19 @@ + * so we need to increment here to prevent them from + * being freed. + */ ++#if OPENSSL_VERSION_NUMBER < 0x10100000L + #define modssl_set_cert_info(info, cert, pkey) \ + *cert = info->x509; \ + CRYPTO_add(&(*cert)->references, +1, CRYPTO_LOCK_X509); \ + *pkey = info->x_pkey->dec_pkey; \ + CRYPTO_add(&(*pkey)->references, +1, CRYPTO_LOCK_X509_PKEY) ++#else ++#define modssl_set_cert_info(info, cert, pkey) \ ++ *cert = info->x509; \ ++ X509_up_ref(*cert); \ ++ *pkey = info->x_pkey->dec_pkey; \ ++ EVP_PKEY_up_ref(*pkey); ++#endif + + int ssl_callback_proxy_cert(SSL *ssl, X509 **x509, EVP_PKEY **pkey) + { +@@ -1823,7 +1839,7 @@ + + static void ssl_session_log(server_rec *s, + const char *request, +- unsigned char *id, ++ IDCONST unsigned char *id, + unsigned int idlen, + const char *status, + const char *result, +@@ -1863,7 +1879,7 @@ + SSLSrvConfigRec *sc = mySrvConfig(s); + long timeout = sc->session_cache_timeout; + BOOL rc; +- unsigned char *id; ++ IDCONST unsigned char *id; + unsigned int idlen; + + /* +@@ -1907,7 +1923,7 @@ + * of our other Apache pre-forked server processes. + */ + SSL_SESSION *ssl_callback_GetSessionCacheEntry(SSL *ssl, +- unsigned char *id, ++ IDCONST unsigned char *id, + int idlen, int *do_copy) + { + /* Get Apache context back through OpenSSL context */ +@@ -1946,7 +1962,7 @@ + { + server_rec *s; + SSLSrvConfigRec *sc; +- unsigned char *id; ++ IDCONST unsigned char *id; + unsigned int idlen; + + /* +@@ -2067,15 +2083,12 @@ + /* If the reneg state is to reject renegotiations, check the SSL + * state machine and move to ABORT if a Client Hello is being + * read. */ +- if ((where & SSL_CB_ACCEPT_LOOP) && scr->reneg_state == RENEG_REJECT) { +- int state = SSL_get_state((SSL *)ssl); +- +- if (state == SSL3_ST_SR_CLNT_HELLO_A +- || state == SSL23_ST_SR_CLNT_HELLO_A) { ++ if (!scr->is_proxy && ++ (where & SSL_CB_HANDSHAKE_START) && ++ scr->reneg_state == RENEG_REJECT) { + scr->reneg_state = RENEG_ABORT; + ap_log_cerror(APLOG_MARK, APLOG_ERR, 0, c, APLOGNO(02042) + "rejecting client initiated renegotiation"); +- } + } + /* If the first handshake is complete, change state to reject any + * subsequent client-initiated renegotiation. */ +@@ -2279,7 +2292,7 @@ + } + + memcpy(keyname, ticket_key->key_name, 16); +- RAND_pseudo_bytes(iv, EVP_MAX_IV_LENGTH); ++ RAND_bytes(iv, EVP_MAX_IV_LENGTH); + EVP_EncryptInit_ex(cipher_ctx, EVP_aes_128_cbc(), NULL, + ticket_key->aes_key, iv); + HMAC_Init_ex(hctx, ticket_key->hmac_secret, 16, tlsext_tick_md(), NULL); +@@ -2416,17 +2429,27 @@ + SRP_user_pwd *u; + + if (username == NULL ++#if OPENSSL_VERSION_NUMBER < 0x10100000L + || (u = SRP_VBASE_get_by_user(mctx->srp_vbase, username)) == NULL) { ++#else ++ || (u = SRP_VBASE_get1_by_user(mctx->srp_vbase, username)) == NULL) { ++#endif + *ad = SSL_AD_UNKNOWN_PSK_IDENTITY; + return SSL3_AL_FATAL; + } + + if (SSL_set_srp_server_param(ssl, u->N, u->g, u->s, u->v, u->info) < 0) { ++#if OPENSSL_VERSION_NUMBER >= 0x10100000L ++ SRP_user_pwd_free(u); ++#endif + *ad = SSL_AD_INTERNAL_ERROR; + return SSL3_AL_FATAL; + } + + /* reset all other options */ ++#if OPENSSL_VERSION_NUMBER >= 0x10100000L ++ SRP_user_pwd_free(u); ++#endif + SSL_set_verify(ssl, SSL_VERIFY_NONE, ssl_callback_SSLVerify); + return SSL_ERROR_NONE; + } +diff -uap httpd-2.4.23/modules/ssl/ssl_engine_ocsp.c.openssl11 httpd-2.4.23/modules/ssl/ssl_engine_ocsp.c +--- httpd-2.4.23/modules/ssl/ssl_engine_ocsp.c.openssl11 ++++ httpd-2.4.23/modules/ssl/ssl_engine_ocsp.c +@@ -109,7 +109,7 @@ + { + OCSP_REQUEST *req = OCSP_REQUEST_new(); + +- *certid = OCSP_cert_to_id(NULL, cert, ctx->current_issuer); ++ *certid = OCSP_cert_to_id(NULL, cert, X509_STORE_CTX_get0_current_issuer(ctx)); + if (!*certid || !OCSP_request_add0_id(req, *certid)) { + ap_log_error(APLOG_MARK, APLOG_ERR, 0, s, APLOGNO(01921) + "could not retrieve certificate id"); +@@ -184,7 +184,7 @@ + + if (rc == V_OCSP_CERTSTATUS_GOOD) { + /* TODO: allow flags configuration. */ +- if (OCSP_basic_verify(basicResponse, NULL, ctx->ctx, 0) != 1) { ++ if (OCSP_basic_verify(basicResponse, NULL, X509_STORE_CTX_get0_store(ctx), 0) != 1) { + ap_log_error(APLOG_MARK, APLOG_ERR, 0, s, APLOGNO(01925) + "failed to verify the OCSP response"); + ssl_log_ssl_error(SSLLOG_MARK, APLOG_ERR, s); +@@ -262,7 +262,7 @@ + "No cert available to check with OCSP"); + return 1; + } +- else if (cert->valid && X509_check_issued(cert,cert) == X509_V_OK) { ++ else if (X509_check_issued(cert,cert) == X509_V_OK) { + /* don't do OCSP checking for valid self-issued certs */ + ap_log_cerror(APLOG_MARK, APLOG_TRACE2, 0, c, + "Skipping OCSP check for valid self-issued cert"); +diff -uap httpd-2.4.23/modules/ssl/ssl_engine_vars.c.openssl11 httpd-2.4.23/modules/ssl/ssl_engine_vars.c +--- httpd-2.4.23/modules/ssl/ssl_engine_vars.c.openssl11 ++++ httpd-2.4.23/modules/ssl/ssl_engine_vars.c +@@ -380,7 +380,7 @@ + char buf[MODSSL_SESSION_ID_STRING_LEN]; + SSL_SESSION *pSession = SSL_get_session(ssl); + if (pSession) { +- unsigned char *id; ++ IDCONST unsigned char *id; + unsigned int idlen; + + #ifdef OPENSSL_NO_SSL_INTERN +@@ -545,13 +545,25 @@ + resdup = FALSE; + } + else if (strcEQ(var, "A_SIG")) { ++#if OPENSSL_VERSION_NUMBER < 0x10100000L + nid = OBJ_obj2nid((ASN1_OBJECT *)(xs->cert_info->signature->algorithm)); ++#else ++ ASN1_OBJECT *paobj; ++ X509_ALGOR_get0(&paobj, NULL, NULL, X509_get0_tbs_sigalg(xs)); ++ nid = OBJ_obj2nid(paobj); ++#endif + result = apr_pstrdup(p, + (nid == NID_undef) ? "UNKNOWN" : OBJ_nid2ln(nid)); + resdup = FALSE; + } + else if (strcEQ(var, "A_KEY")) { ++#if OPENSSL_VERSION_NUMBER < 0x10100000L + nid = OBJ_obj2nid((ASN1_OBJECT *)(xs->cert_info->key->algor->algorithm)); ++#else ++ ASN1_OBJECT *paobj; ++ X509_PUBKEY_get0_param(&paobj, NULL, 0, NULL, X509_get_X509_PUBKEY(xs)); ++ nid = OBJ_obj2nid(paobj); ++#endif + result = apr_pstrdup(p, + (nid == NID_undef) ? "UNKNOWN" : OBJ_nid2ln(nid)); + resdup = FALSE; +@@ -613,11 +625,8 @@ + for (i = 0; ssl_var_lookup_ssl_cert_dn_rec[i].name != NULL; i++) { + if (strEQn(var, ssl_var_lookup_ssl_cert_dn_rec[i].name, varlen) + && strlen(ssl_var_lookup_ssl_cert_dn_rec[i].name) == varlen) { +- for (j = 0; j < sk_X509_NAME_ENTRY_num((STACK_OF(X509_NAME_ENTRY) *) +- xsname->entries); +- j++) { +- xsne = sk_X509_NAME_ENTRY_value((STACK_OF(X509_NAME_ENTRY) *) +- xsname->entries, j); ++ for (j = 0; j < X509_NAME_entry_count(xsname); j++) { ++ xsne = X509_NAME_get_entry(xsname, j); + + n =OBJ_obj2nid((ASN1_OBJECT *)X509_NAME_ENTRY_get_object(xsne)); + +@@ -919,7 +928,6 @@ + static void extract_dn(apr_table_t *t, apr_hash_t *nids, const char *pfx, + X509_NAME *xn, apr_pool_t *p) + { +- STACK_OF(X509_NAME_ENTRY) *ents = xn->entries; + X509_NAME_ENTRY *xsne; + apr_hash_t *count; + int i, nid; +@@ -929,10 +937,9 @@ + count = apr_hash_make(p); + + /* For each RDN... */ +- for (i = 0; i < sk_X509_NAME_ENTRY_num(ents); i++) { ++ for (i = 0; i < X509_NAME_entry_count(xn); i++) { + const char *tag; +- +- xsne = sk_X509_NAME_ENTRY_value(ents, i); ++ xsne = X509_NAME_get_entry(xn, i); + + /* Retrieve the nid, and check whether this is one of the nids + * which are to be extracted. */ +@@ -1106,7 +1113,7 @@ + for (j = 0; j < count; j++) { + X509_EXTENSION *ext = X509_get_ext(xs, j); + +- if (OBJ_cmp(ext->object, oid) == 0) { ++ if (OBJ_cmp(X509_EXTENSION_get_object(ext), oid) == 0) { + BIO *bio = BIO_new(BIO_s_mem()); + + /* We want to obtain a string representation of the extensions +diff -uap httpd-2.4.23/modules/ssl/ssl_private.h.openssl11 httpd-2.4.23/modules/ssl/ssl_private.h +--- httpd-2.4.23/modules/ssl/ssl_private.h.openssl11 ++++ httpd-2.4.23/modules/ssl/ssl_private.h +@@ -135,6 +135,13 @@ + #define HAVE_SSL_CONF_CMD + #endif + ++/* session id constness */ ++#if OPENSSL_VERSION_NUMBER < 0x10100000L ++#define IDCONST ++#else ++#define IDCONST const ++#endif ++ + /** + * The following features all depend on TLS extension support. + * Within this block, check again for features (not version numbers). +@@ -151,6 +158,8 @@ + /* OCSP stapling */ + #if !defined(OPENSSL_NO_OCSP) && defined(SSL_CTX_set_tlsext_status_cb) + #define HAVE_OCSP_STAPLING ++/* All exist but are no longer macros since OpenSSL 1.1.0 */ ++#if OPENSSL_VERSION_NUMBER < 0x10100000L + /* backward compatibility with OpenSSL < 1.0 */ + #ifndef sk_OPENSSL_STRING_num + #define sk_OPENSSL_STRING_num sk_num +@@ -161,7 +170,8 @@ + #ifndef sk_OPENSSL_STRING_pop + #define sk_OPENSSL_STRING_pop sk_pop + #endif +-#endif ++#endif /* if OPENSSL_VERSION_NUMBER < 0x10100000L */ ++#endif /* if !defined(OPENSSL_NO_OCSP) && defined(SSL_CTX_set_tlsext_status_cb) */ + + /* TLS session tickets */ + #if defined(SSL_CTX_set_tlsext_ticket_key_cb) +@@ -189,6 +199,36 @@ + + #endif /* !defined(OPENSSL_NO_TLSEXT) && defined(SSL_set_tlsext_host_name) */ + ++#if OPENSSL_VERSION_NUMBER < 0x10100000L ++#define BN_get_rfc2409_prime_768 get_rfc2409_prime_768 ++#define BN_get_rfc2409_prime_1024 get_rfc2409_prime_1024 ++#define BN_get_rfc3526_prime_1536 get_rfc3526_prime_1536 ++#define BN_get_rfc3526_prime_2048 get_rfc3526_prime_2048 ++#define BN_get_rfc3526_prime_3072 get_rfc3526_prime_3072 ++#define BN_get_rfc3526_prime_4096 get_rfc3526_prime_4096 ++#define BN_get_rfc3526_prime_6144 get_rfc3526_prime_6144 ++#define BN_get_rfc3526_prime_8192 get_rfc3526_prime_8192 ++#define BIO_set_init(x,v) (x->init=v) ++#define BIO_get_data(x) (x->ptr) ++#define BIO_set_data(x,v) (x->ptr=v) ++#define BIO_get_shutdown(x) (x->shutdown) ++#define BIO_set_shutdown(x,v) (x->shutdown=v) ++#define DH_bits(x) (BN_num_bits(x->p)) ++#else ++void init_bio_methods(void); ++void free_bio_methods(void); ++#endif ++ ++#if OPENSSL_VERSION_NUMBER < 0x10002000L ++#define X509_STORE_CTX_get0_store(x) (x->ctx) ++#endif ++ ++#if OPENSSL_VERSION_NUMBER < 0x10000000L ++#ifndef X509_STORE_CTX_get0_current_issuer ++#define X509_STORE_CTX_get0_current_issuer(x) (x->current_issuer) ++#endif ++#endif ++ + /* mod_ssl headers */ + #include "ssl_util_ssl.h" + +@@ -454,12 +494,12 @@ + * partial fix for CVE-2009-3555. */ + enum { + RENEG_INIT = 0, /* Before initial handshake */ +- RENEG_REJECT, /* After initial handshake; any client-initiated +- * renegotiation should be rejected */ +- RENEG_ALLOW, /* A server-initiated renegotiation is taking +- * place (as dictated by configuration) */ +- RENEG_ABORT /* Renegotiation initiated by client, abort the +- * connection */ ++ RENEG_REJECT, /* After initial handshake; any client-initiated ++ * renegotiation should be rejected */ ++ RENEG_ALLOW, /* A server-initiated renegotiation is taking ++ * place (as dictated by configuration) */ ++ RENEG_ABORT /* Renegotiation initiated by client, abort the ++ * connection */ + } reneg_state; + + server_rec *server; +@@ -810,7 +850,7 @@ + int ssl_callback_SSLVerify_CRL(int, X509_STORE_CTX *, conn_rec *); + int ssl_callback_proxy_cert(SSL *ssl, X509 **x509, EVP_PKEY **pkey); + int ssl_callback_NewSessionCacheEntry(SSL *, SSL_SESSION *); +-SSL_SESSION *ssl_callback_GetSessionCacheEntry(SSL *, unsigned char *, int, int *); ++SSL_SESSION *ssl_callback_GetSessionCacheEntry(SSL *, IDCONST unsigned char *, int, int *); + void ssl_callback_DelSessionCacheEntry(SSL_CTX *, SSL_SESSION *); + void ssl_callback_Info(const SSL *, int, int); + #ifdef HAVE_TLSEXT +@@ -831,10 +871,10 @@ + apr_status_t ssl_scache_init(server_rec *, apr_pool_t *); + void ssl_scache_status_register(apr_pool_t *p); + void ssl_scache_kill(server_rec *); +-BOOL ssl_scache_store(server_rec *, UCHAR *, int, ++BOOL ssl_scache_store(server_rec *, IDCONST UCHAR *, int, + apr_time_t, SSL_SESSION *, apr_pool_t *); +-SSL_SESSION *ssl_scache_retrieve(server_rec *, UCHAR *, int, apr_pool_t *); +-void ssl_scache_remove(server_rec *, UCHAR *, int, ++SSL_SESSION *ssl_scache_retrieve(server_rec *, IDCONST UCHAR *, int, apr_pool_t *); ++void ssl_scache_remove(server_rec *, IDCONST UCHAR *, int, + apr_pool_t *); + + /** Proxy Support */ +@@ -882,7 +922,9 @@ + char *ssl_util_readfilter(server_rec *, apr_pool_t *, const char *, + const char * const *); + BOOL ssl_util_path_check(ssl_pathcheck_t, const char *, apr_pool_t *); ++#if OPENSSL_VERSION_NUMBER < 0x10100000L + void ssl_util_thread_setup(apr_pool_t *); ++#endif + int ssl_init_ssl_connection(conn_rec *c, request_rec *r); + + BOOL ssl_util_vhost_matches(const char *servername, server_rec *s); +diff -uap httpd-2.4.23/modules/ssl/ssl_scache.c.openssl11 httpd-2.4.23/modules/ssl/ssl_scache.c +--- httpd-2.4.23/modules/ssl/ssl_scache.c.openssl11 ++++ httpd-2.4.23/modules/ssl/ssl_scache.c +@@ -110,7 +110,7 @@ + + } + +-BOOL ssl_scache_store(server_rec *s, UCHAR *id, int idlen, ++BOOL ssl_scache_store(server_rec *s, IDCONST UCHAR *id, int idlen, + apr_time_t expiry, SSL_SESSION *sess, + apr_pool_t *p) + { +@@ -144,7 +144,7 @@ + return rv == APR_SUCCESS ? TRUE : FALSE; + } + +-SSL_SESSION *ssl_scache_retrieve(server_rec *s, UCHAR *id, int idlen, ++SSL_SESSION *ssl_scache_retrieve(server_rec *s, IDCONST UCHAR *id, int idlen, + apr_pool_t *p) + { + SSLModConfigRec *mc = myModConfig(s); +@@ -173,7 +173,7 @@ + return d2i_SSL_SESSION(NULL, &ptr, destlen); + } + +-void ssl_scache_remove(server_rec *s, UCHAR *id, int idlen, ++void ssl_scache_remove(server_rec *s, IDCONST UCHAR *id, int idlen, + apr_pool_t *p) + { + SSLModConfigRec *mc = myModConfig(s); +diff -uap httpd-2.4.23/modules/ssl/ssl_util.c.openssl11 httpd-2.4.23/modules/ssl/ssl_util.c +--- httpd-2.4.23/modules/ssl/ssl_util.c.openssl11 ++++ httpd-2.4.23/modules/ssl/ssl_util.c +@@ -247,6 +247,7 @@ + } + + #if APR_HAS_THREADS ++#if OPENSSL_VERSION_NUMBER < 0x10100000L + /* + * To ensure thread-safetyness in OpenSSL - work in progress + */ +@@ -362,6 +363,28 @@ + apr_pool_destroy(l->pool); + } + ++#if OPENSSL_VERSION_NUMBER >= 0x10000000L ++ ++static void ssl_util_thr_id(CRYPTO_THREADID *id) ++{ ++ /* OpenSSL needs this to return an unsigned long. On OS/390, the pthread ++ * id is a structure twice that big. Use the TCB pointer instead as a ++ * unique unsigned long. ++ */ ++#ifdef __MVS__ ++ struct PSA { ++ char unmapped[540]; /* PSATOLD is at offset 540 in the PSA */ ++ unsigned long PSATOLD; ++ } *psaptr = 0; /* PSA is at address 0 */ ++ ++ CRYPTO_THREADID_set_numeric(id, psaptr->PSATOLD); ++#else ++ CRYPTO_THREADID_set_numeric(id, (unsigned long) apr_os_thread_current()); ++#endif ++} ++ ++#else ++ + static unsigned long ssl_util_thr_id(void) + { + /* OpenSSL needs this to return an unsigned long. On OS/390, the pthread +@@ -380,10 +403,16 @@ + #endif + } + ++#endif ++ + static apr_status_t ssl_util_thread_cleanup(void *data) + { + CRYPTO_set_locking_callback(NULL); ++#if OPENSSL_VERSION_NUMBER >= 0x10000000L ++ CRYPTO_THREADID_set_callback(NULL); ++#else + CRYPTO_set_id_callback(NULL); ++#endif + + CRYPTO_set_dynlock_create_callback(NULL); + CRYPTO_set_dynlock_lock_callback(NULL); +@@ -407,7 +436,11 @@ + apr_thread_mutex_create(&(lock_cs[i]), APR_THREAD_MUTEX_DEFAULT, p); + } + ++#if OPENSSL_VERSION_NUMBER >= 0x10000000L ++ CRYPTO_THREADID_set_callback(ssl_util_thr_id); ++#else + CRYPTO_set_id_callback(ssl_util_thr_id); ++#endif + + CRYPTO_set_locking_callback(ssl_util_thr_lock); + +@@ -422,4 +455,5 @@ + apr_pool_cleanup_register(p, NULL, ssl_util_thread_cleanup, + apr_pool_cleanup_null); + } +-#endif ++#endif /* #if OPENSSL_VERSION_NUMBER < 0x10100000L */ ++#endif /* #if APR_HAS_THREADS */ +diff -uap httpd-2.4.23/modules/ssl/ssl_util_ssl.c.openssl11 httpd-2.4.23/modules/ssl/ssl_util_ssl.c +--- httpd-2.4.23/modules/ssl/ssl_util_ssl.c.openssl11 ++++ httpd-2.4.23/modules/ssl/ssl_util_ssl.c +@@ -488,7 +488,7 @@ + ** _________________________________________________________________ + */ + +-char *modssl_SSL_SESSION_id2sz(unsigned char *id, int idlen, ++char *modssl_SSL_SESSION_id2sz(IDCONST unsigned char *id, int idlen, + char *str, int strsize) + { + if (idlen > SSL_MAX_SSL_SESSION_ID_LENGTH) +diff -uap httpd-2.4.23/modules/ssl/ssl_util_ssl.h.openssl11 httpd-2.4.23/modules/ssl/ssl_util_ssl.h +--- httpd-2.4.23/modules/ssl/ssl_util_ssl.h.openssl11 ++++ httpd-2.4.23/modules/ssl/ssl_util_ssl.h +@@ -41,7 +41,11 @@ + #define MODSSL_LIBRARY_VERSION OPENSSL_VERSION_NUMBER + #define MODSSL_LIBRARY_NAME "OpenSSL" + #define MODSSL_LIBRARY_TEXT OPENSSL_VERSION_TEXT ++#if OPENSSL_VERSION_NUMBER < 0x10100000L + #define MODSSL_LIBRARY_DYNTEXT SSLeay_version(SSLEAY_VERSION) ++#else ++#define MODSSL_LIBRARY_DYNTEXT OpenSSL_version(OPENSSL_VERSION) ++#endif + + /** + * Maximum length of a DER encoded session. +@@ -67,7 +71,7 @@ + char *modssl_X509_NAME_to_string(apr_pool_t *, X509_NAME *, int); + BOOL modssl_X509_getSAN(apr_pool_t *, X509 *, int, const char *, int, apr_array_header_t **); + BOOL modssl_X509_match_name(apr_pool_t *, X509 *, const char *, BOOL, server_rec *); +-char *modssl_SSL_SESSION_id2sz(unsigned char *, int, char *, int); ++char *modssl_SSL_SESSION_id2sz(IDCONST unsigned char *, int, char *, int); + + #endif /* __SSL_UTIL_SSL_H__ */ + /** @} */ +diff -uap httpd-2.4.23/modules/ssl/ssl_util_stapling.c.openssl11 httpd-2.4.23/modules/ssl/ssl_util_stapling.c +--- httpd-2.4.23/modules/ssl/ssl_util_stapling.c.openssl11 ++++ httpd-2.4.23/modules/ssl/ssl_util_stapling.c +@@ -79,7 +79,7 @@ + X509 *issuer = NULL; + int i; + X509_STORE *st = SSL_CTX_get_cert_store(mctx->ssl_ctx); +- X509_STORE_CTX inctx; ++ X509_STORE_CTX *inctx; + STACK_OF(X509) *extra_certs = NULL; + + #ifdef OPENSSL_NO_SSL_INTERN +@@ -91,18 +91,23 @@ + for (i = 0; i < sk_X509_num(extra_certs); i++) { + issuer = sk_X509_value(extra_certs, i); + if (X509_check_issued(issuer, x) == X509_V_OK) { ++#if OPENSSL_VERSION_NUMBER < 0x10100000L + CRYPTO_add(&issuer->references, 1, CRYPTO_LOCK_X509); ++#else ++ X509_up_ref(issuer); ++#endif + return issuer; + } + } + +- if (!X509_STORE_CTX_init(&inctx, st, NULL, NULL)) ++ inctx = X509_STORE_CTX_new(); ++ if (!X509_STORE_CTX_init(inctx, st, NULL, NULL)) + return 0; +- if (X509_STORE_CTX_get1_issuer(&issuer, &inctx, x) <= 0) ++ if (X509_STORE_CTX_get1_issuer(&issuer, inctx, x) <= 0) + issuer = NULL; +- X509_STORE_CTX_cleanup(&inctx); ++ X509_STORE_CTX_cleanup(inctx); ++ X509_STORE_CTX_free(inctx); + return issuer; +- + } + + int ssl_stapling_init_cert(server_rec *s, apr_pool_t *p, apr_pool_t *ptemp, +@@ -398,7 +403,9 @@ + + if (bio) { + int n; +- if ((i2a_ASN1_INTEGER(bio, cinf->cid->serialNumber) != -1) && ++ ASN1_INTEGER *pserial; ++ OCSP_id_get0_info(NULL, NULL, NULL, &pserial, cinf->cid); ++ if ((i2a_ASN1_INTEGER(bio, pserial) != -1) && + ((n = BIO_read(bio, snum, sizeof snum - 1)) > 0)) + snum[n] = '\0'; + BIO_free(bio); +diff -uap httpd-2.4.23/support/ab.c.openssl11 httpd-2.4.23/support/ab.c +--- httpd-2.4.23/support/ab.c.openssl11 ++++ httpd-2.4.23/support/ab.c +@@ -2133,6 +2133,14 @@ + apr_getopt_t *opt; + const char *opt_arg; + char c; ++#if OPENSSL_VERSION_NUMBER >= 0x10100000L ++ int max_prot = TLS1_2_VERSION; ++#ifndef OPENSSL_NO_SSL3 ++ int min_prot = SSL3_VERSION; ++#else ++ int min_prot = TLS1_VERSION; ++#endif ++#endif /* #if OPENSSL_VERSION_NUMBER >= 0x10100000L */ + #ifdef USE_SSL + AB_SSL_METHOD_CONST SSL_METHOD *meth = SSLv23_client_method(); + #endif +@@ -2350,6 +2358,7 @@ + method_str[CUSTOM_METHOD] = strdup(opt_arg); + break; + case 'f': ++#if OPENSSL_VERSION_NUMBER < 0x10100000L + if (strncasecmp(opt_arg, "ALL", 3) == 0) { + meth = SSLv23_client_method(); + #ifndef OPENSSL_NO_SSL2 +@@ -2369,6 +2378,31 @@ + } else if (strncasecmp(opt_arg, "TLS1", 4) == 0) { + meth = TLSv1_client_method(); + } ++#else /* #if OPENSSL_VERSION_NUMBER < 0x10100000L */ ++ meth = TLS_client_method(); ++ if (strncasecmp(opt_arg, "ALL", 3) == 0) { ++ max_prot = TLS1_2_VERSION; ++#ifndef OPENSSL_NO_SSL3 ++ min_prot = SSL3_VERSION; ++#else ++ min_prot = TLS1_VERSION; ++#endif ++#ifndef OPENSSL_NO_SSL3 ++ } else if (strncasecmp(opt_arg, "SSL3", 4) == 0) { ++ max_prot = SSL3_VERSION; ++ min_prot = SSL3_VERSION; ++#endif ++ } else if (strncasecmp(opt_arg, "TLS1.1", 6) == 0) { ++ max_prot = TLS1_1_VERSION; ++ min_prot = TLS1_1_VERSION; ++ } else if (strncasecmp(opt_arg, "TLS1.2", 6) == 0) { ++ max_prot = TLS1_2_VERSION; ++ min_prot = TLS1_2_VERSION; ++ } else if (strncasecmp(opt_arg, "TLS1", 4) == 0) { ++ max_prot = TLS1_VERSION; ++ min_prot = TLS1_VERSION; ++ } ++#endif /* #if OPENSSL_VERSION_NUMBER < 0x10100000L */ + break; + #endif + } +@@ -2413,7 +2447,11 @@ + #ifdef RSAREF + R_malloc_init(); + #else ++#if OPENSSL_VERSION_NUMBER < 0x10100000L + CRYPTO_malloc_init(); ++#else ++ OPENSSL_malloc_init(); ++#endif + #endif + SSL_load_error_strings(); + SSL_library_init(); +@@ -2426,6 +2464,10 @@ + exit(1); + } + SSL_CTX_set_options(ssl_ctx, SSL_OP_ALL); ++#if OPENSSL_VERSION_NUMBER >= 0x10100000L ++ SSL_CTX_set_max_proto_version(ssl_ctx, max_prot); ++ SSL_CTX_set_min_proto_version(ssl_ctx, min_prot); ++#endif + #ifdef SSL_MODE_RELEASE_BUFFERS + /* Keep memory usage as low as possible */ + SSL_CTX_set_mode (ssl_ctx, SSL_MODE_RELEASE_BUFFERS); diff --git a/httpd.spec b/httpd.spec index 0f983b1..f23b8fa 100644 --- a/httpd.spec +++ b/httpd.spec @@ -8,7 +8,7 @@ Summary: Apache HTTP Server Name: httpd Version: 2.4.23 -Release: 5%{?dist} +Release: 6%{?dist} URL: http://httpd.apache.org/ Source0: http://www.apache.org/dist/httpd/httpd-%{version}.tar.bz2 Source1: index.html @@ -48,6 +48,7 @@ Patch2: httpd-2.4.9-apxs.patch Patch3: httpd-2.4.1-deplibs.patch Patch5: httpd-2.4.3-layout.patch Patch6: httpd-2.4.3-apctl-systemd.patch +Patch7: httpd-2.4.23-openssl11.patch # Needed for socket activation and mod_systemd patch Patch19: httpd-2.4.10-detect-systemd.patch # Features/functional changes @@ -193,6 +194,7 @@ interface for storing and accessing per-user session data. %patch3 -p1 -b .deplibs %patch5 -p1 -b .layout %patch6 -p1 -b .apctlsystemd +%patch7 -p1 -b .openssl11 %patch19 -p1 -b .detectsystemd @@ -682,6 +684,10 @@ rm -rf $RPM_BUILD_ROOT %{_rpmconfigdir}/macros.d/macros.httpd %changelog +* Mon Nov 14 2016 Joe Orton - 2.4.23-6 +- fix build with OpenSSL 1.1 (#1392900) +- fix typos in ssl.conf (josef randinger, #1379407) + * Wed Nov 2 2016 Joe Orton - 2.4.23-5 - no longer package /etc/sysconfig/httpd - synch ssl.conf with upstream diff --git a/ssl.conf b/ssl.conf index c07d614..a07bd8f 100644 --- a/ssl.conf +++ b/ssl.conf @@ -1,6 +1,6 @@ # # When we also provide SSL we have to listen to the -# the HTTPS port in addition. +# standard HTTPS port in addition. # Listen 443 https @@ -216,5 +216,5 @@ BrowserMatch "MSIE [2-5]" \ CustomLog logs/ssl_request_log \ "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b" - +