
build with libressl

libressl defines SSL_OP_NO_SSLv2 and SSL_OP_NO_SSLv3 as 0x0
  (thx Christian Heckendorf)

libressl matches ERR_remove_thread_state() signature from openssl 1.0.2
  (libressl pretends that libressl is openssl version 2.0.0,
   but openssl 1.1.0 changes signature of ERR_remove_thread_state())

libressl does not yet provide compatibility interfaces for the new
  prototypes introduced in openssl 1.1.0, including
  DH_set0_pqg() and DH_set_length()

remove OPENSSL_NO_KRB5 from build config (added in 5fab991b in 2005)
  (define USE_OPENSSL_KERBEROS if required)
  (Note: OPENSSL_NO_KRB5 removed in openssl 1.1.0)
tags/lighttpd-1.4.40
Glenn Strauss 4 years ago
parent
commit
1ca52fdce3
8 changed files with 15 additions and 12 deletions
  1. +0
    -3
      README.FreeBSD
  2. +2
    -2
      configure.ac
  3. +0
    -1
      src/CMakeLists.txt
  4. +1
    -1
      src/SConscript
  5. +6
    -0
      src/base.h
  6. +0
    -1
      src/config.h.cmake
  7. +4
    -3
      src/network.c
  8. +2
    -1
      src/server.c

+ 0
- 3
README.FreeBSD

@@ -46,6 +46,3 @@ Configure:

To help autotools find libraries and headers:
CPPFLAGS=-I/usr/local/include LDFLAGS=-L/usr/local/lib ./configure ...

With ssl the compiler might warn about OPENSSL_NO_KRB5 redefinitions, just
configure "--with-kerberos5" for now.

+ 2
- 2
configure.ac

@@ -346,8 +346,8 @@ AC_ARG_WITH(kerberos5,
)

if test "x$use_openssl" = "xyes"; then
if test "x$use_kerberos" != "xyes"; then
CPPFLAGS="$CPPFLAGS -DOPENSSL_NO_KRB5"
if test "x$use_kerberos" = "xyes"; then
AC_DEFINE([USE_OPENSSL_KERBEROS], [1], [with kerberos])
fi

AC_CHECK_HEADERS([openssl/ssl.h])
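Review bot: `USE_OPENSSL_KERBEROS` is only ever defined by this autotools branch; the CMake and SCons sections of the same commit drop `OPENSSL_NO_KRB5` without adding an equivalent switch, so those builds appear to have no supported way to keep the Kerberos declarations in the OpenSSL headers. If that is intended, say so next to the define, for example `dnl CMake/SCons builds: pass -DUSE_OPENSSL_KERBEROS by hand if required`. It would also help to note here that the macro only stops src/base.h from defining `OPENSSL_NO_KRB5` and does not itself enable anything in OpenSSL.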


+ 0
- 1
src/CMakeLists.txt

@@ -225,7 +225,6 @@ if(WITH_OPENSSL)
if(HAVE_OPENSSL_SSL_H)
check_library_exists(crypto BIO_f_base64 "" HAVE_LIBCRYPTO)
if(HAVE_LIBCRYPTO)
set(OPENSSL_NO_KRB5 1)
check_library_exists(ssl SSL_new "" HAVE_LIBSSL)
endif()
endif()


+ 1
- 1
src/SConscript

@@ -120,7 +120,7 @@ if env['with_memcached']:
if env['with_lua']:
modules['mod_magnet'] = { 'src' : [ 'mod_magnet.c', 'mod_magnet_cache.c' ], 'lib' : [ env['LIBLUA'] ] }

staticenv = env.Clone(CPPFLAGS=[ env['CPPFLAGS'], '-DLIGHTTPD_STATIC', '-DOPENSSL_NO_KRB5'])
staticenv = env.Clone(CPPFLAGS=[ env['CPPFLAGS'], '-DLIGHTTPD_STATIC' ])

## all the core-sources + the modules
staticsrc = src + common_src


+ 6
- 0
src/base.h

@@ -30,6 +30,12 @@

#if defined HAVE_LIBSSL && defined HAVE_OPENSSL_SSL_H
# define USE_OPENSSL
# include <openssl/opensslconf.h>
# ifndef USE_OPENSSL_KERBEROS
# ifndef OPENSSL_NO_KRB5
# define OPENSSL_NO_KRB5
# endif
# endif
# include <openssl/ssl.h>
# if ! defined OPENSSL_NO_TLSEXT && ! defined SSL_CTRL_SET_TLSEXT_HOSTNAME
# define OPENSSL_NO_TLSEXT
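Review bot: The `OPENSSL_NO_KRB5` default now depends on include order, since it is defined here between `<openssl/opensslconf.h>` and `<openssl/ssl.h>` instead of on the compiler command line. Any source file that includes an OpenSSL header before base.h, or without it, would see the Kerberos declarations that the old `-DOPENSSL_NO_KRB5` flag suppressed everywhere; whether such files exist is not visible from this hunk. A comment above the block would record the constraint, for example `/* must precede <openssl/ssl.h>; include base.h before any other openssl header */`. The enclosing `#if` continues past the end of the hunk.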


+ 0
- 1
src/config.h.cmake

@@ -40,7 +40,6 @@
/* OpenSSL */
#cmakedefine HAVE_OPENSSL_SSL_H
#cmakedefine HAVE_LIBCRYPTO
#cmakedefine OPENSSL_NO_KRB5
#cmakedefine HAVE_LIBSSL

/* BZip */


+ 4
- 3
src/network.c

@@ -780,7 +780,7 @@ int network_init(server *srv) {

if (!s->ssl_use_sslv2) {
/* disable SSLv2 */
if (!(SSL_OP_NO_SSLv2 & SSL_CTX_set_options(s->ssl_ctx, SSL_OP_NO_SSLv2))) {
if ((SSL_OP_NO_SSLv2 & SSL_CTX_set_options(s->ssl_ctx, SSL_OP_NO_SSLv2)) != SSL_OP_NO_SSLv2) {
log_error_write(srv, __FILE__, __LINE__, "ss", "SSL:",
ERR_error_string(ERR_get_error(), NULL));
return -1;
@@ -789,7 +789,7 @@ int network_init(server *srv) {

if (!s->ssl_use_sslv3) {
/* disable SSLv3 */
if (!(SSL_OP_NO_SSLv3 & SSL_CTX_set_options(s->ssl_ctx, SSL_OP_NO_SSLv3))) {
if ((SSL_OP_NO_SSLv3 & SSL_CTX_set_options(s->ssl_ctx, SSL_OP_NO_SSLv3)) != SSL_OP_NO_SSLv3) {
log_error_write(srv, __FILE__, __LINE__, "ss", "SSL:",
ERR_error_string(ERR_get_error(), NULL));
return -1;
@@ -839,7 +839,8 @@ int network_init(server *srv) {
log_error_write(srv, __FILE__, __LINE__, "s", "SSL: BN_bin2bn () failed");
return -1;
}
#if OPENSSL_VERSION_NUMBER < 0x10100000L
#if OPENSSL_VERSION_NUMBER < 0x10100000L \
|| defined(LIBRESSL_VERSION_NUMBER)
dh->p = dh_p;
dh->g = dh_g;
dh->length = 160;
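Review bot: The two rewritten checks in the first and second hunks need a comment saying why they compare against the flag, because `(SSL_OP_NO_SSLv2 & ...) != SSL_OP_NO_SSLv2` reads like a roundabout form of the old `!(...)` test and is easy to simplify back. Something like `/* flag is 0x0 where the library has no SSLv2 (libressl); a zero flag must not count as failure */` above each test would do, with the SSLv3 wording on the second. When the flag is zero the call changes no option, so the protocol presumably stays off only because the library no longer implements it; that assumption is worth stating in the same comment. network_init() begins before and continues after all three hunks.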


+ 2
- 1
src/server.c

@@ -387,7 +387,8 @@ static void server_free(server *srv) {
if (srv->ssl_is_init) {
CRYPTO_cleanup_all_ex_data();
ERR_free_strings();
#if OPENSSL_VERSION_NUMBER >= 0x10100000L
#if OPENSSL_VERSION_NUMBER >= 0x10100000L \
&& !defined(LIBRESSL_VERSION_NUMBER)
ERR_remove_thread_state();
#elif OPENSSL_VERSION_NUMBER >= 0x10000000L
ERR_remove_thread_state(NULL);
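Review bot: The added `&& !defined(LIBRESSL_VERSION_NUMBER)` has no comment explaining why libressl is routed to the `ERR_remove_thread_state(NULL)` branch, and the version number alone suggests the opposite. A line such as `/* libressl reports itself as openssl 2.0.0 but keeps the 1.0.2 signature */` above the `#if` would carry the reasoning from the commit message into the source. The same applies to the `|| defined(LIBRESSL_VERSION_NUMBER)` guard added in the third hunk of src/network.c, where the commit message says libressl lacks DH_set0_pqg() and DH_set_length(). server_free() and the `#if` chain continue past the end of the hunk.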

