From solo-conserver@goeswhere.com Tue Jul 25 20:47:28 2017
Received: from blind.goeswhere.com (fau.xxx [94.23.43.98]) by underdog.stansell.org (8.15.2/8.15.2) with ESMTPS id v6PKlOb0014658 (version=TLSv1.2 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=NO) for ; Tue, 25 Jul 2017 20:47:27 GMT
Received: by blind.goeswhere.com (Postfix, from userid 1000) id 51C8FE0745; Tue, 25 Jul 2017 21:47:22 +0100 (BST)
Date: Tue, 25 Jul 2017 21:47:22 +0100
From: Chris West
To: users@conserver.com
Subject: Porting conserver to OpenSSL 1.1
Message-ID: <20170725204722.GA22747@blind.goeswhere.com>
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="FCuugMFkClbJLl1L"
Content-Disposition: inline
Content-Transfer-Encoding: 8bit
User-Agent: Mutt/1.5.24 (2015-08-30)
X-Spam-Score: 2.422 (**) BAYES_50,SPF_PASS,URIBL_SBL
X-Scanned-By: MIMEDefang 2.72 on 198.151.248.21
X-BeenThere: users@conserver.com
X-Mailman-Version: 2.1.23
Precedence: list
List-Id: Conserver Users
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
X-List-Received-Date: Tue, 25 Jul 2017 20:47:29 -0000

--FCuugMFkClbJLl1L
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline

Hi,

I've been trying to get conserver to work with OpenSSL 1.1, as this will soon be the only version available in Debian Linux: https://bugs.debian.org/851085

The attached patch fixes a few trivial compile errors caused by API changes. With the attached patch applied, the code builds against Debian sid's libssl-dev (1.1). However, the server rejects all connections with a "handshake error", and a pretty generic error message that just means something is wrong with ciphers, certificates, or something like that. This causes all the tests to fail. The code doesn't even reach the place the patch changes, so it's unlikely to be the cause.

Has anyone made any further progress? Does anyone know what the problem is?

Any help greatly appreciated.

Chris.

---

The errors are:

140691693188864:error:14094410:SSL routines:ssl3_read_bytes:sslv3 alert handshake failure:../ssl/record/rec_layer_s3.c:1399:SSL alert number 40
error:1417A0C1:SSL routines:tls_post_process_client_hello:no shared cipher

--FCuugMFkClbJLl1L
Content-Type: text/x-diff; charset=iso-8859-1
Content-Disposition: attachment; filename="conserver-ssl11.patch"
Content-Transfer-Encoding: 8bit

>From 2a3aad60bea93bc849881983b6f5cb930b900334 Mon Sep 17 00:00:00 2001
From: "Chris West (Faux)" Date: Tue, 25 Jul 2017 19:04:22 +0000 Subject: [PATCH] new openssl api for generating DH --- conserver-8.2.1/conserver/main.c | 76 +++++++++++++++++++--------------------- conserver-8.2.1/debian/control | 2 +- 2 files changed, 37 insertions(+), 41 deletions(-) diff --git a/conserver-8.2.1/conserver/main.c b/conserver-8.2.1/conserver/main.c index cb9af46..c5d9ca7 100644 --- a/conserver-8.2.1/conserver/main.c +++ b/conserver-8.2.1/conserver/main.c @@ -92,6 +92,38 @@ DH *dh1024 = (DH *)0; DH *dh2048 = (DH *)0; DH *dh4096 = (DH *)0; +DH * +DHFromArray(char *dh_p, size_t dh_p_size, char *dh_g, size_t dh_g_size) { + DH *dh; + BIGNUM *p, *g; + + p = BN_bin2bn(dh_p, dh_p_size, NULL); + if (p == NULL) { + BN_free(p); + return (NULL); + } + + g = BN_bin2bn(dh_g, dh_g_size, NULL); + if (g == NULL) { + BN_free(g); + return (NULL); + } + + if ((dh = DH_new()) == NULL) { + BN_free(p); + BN_free(g); + return (NULL); + } + + if (!DH_set0_pqg(dh, p, NULL, g)) { + BN_free(p); + BN_free(g); + DH_free(dh); + return (NULL); + } + + return (dh); +} DH * GetDH512(void) @@ -108,17 +140,8 @@ GetDH512(void) static unsigned char dh512_g[] = { 0x02, }; - DH *dh; - if ((dh = DH_new()) == NULL) - return (NULL); - dh->p = BN_bin2bn(dh512_p, sizeof(dh512_p), NULL); - dh->g = BN_bin2bn(dh512_g, sizeof(dh512_g), NULL); - if ((dh->p == NULL) || (dh->g == NULL)) { - DH_free(dh); - return (NULL); - } - return (dh); + return DHFromArray(dh512_p, sizeof(dh512_p), dh512_g, sizeof(dh512_g)); } DH * @@ -142,17 +165,8 @@ GetDH1024(void) static unsigned char dh1024_g[] = { 0x02, }; - DH *dh; - if ((dh = DH_new()) == NULL) - return (NULL); - dh->p = BN_bin2bn(dh1024_p, sizeof(dh1024_p), NULL); - dh->g = BN_bin2bn(dh1024_g, sizeof(dh1024_g), NULL); - if ((dh->p == NULL) || (dh->g == NULL)) { - DH_free(dh); - return (NULL); - } - return (dh); + return DHFromArray(dh1024_p, sizeof(dh1024_p), dh1024_g, sizeof(dh1024_g)); } DH * 
@@ -189,17 +203,8 @@ GetDH2048(void) static unsigned char dh2048_g[] = { 0x02, }; - DH *dh; - if ((dh = DH_new()) == NULL) - return (NULL); - dh->p = BN_bin2bn(dh2048_p, sizeof(dh2048_p), NULL); - dh->g = BN_bin2bn(dh2048_g, sizeof(dh2048_g), NULL); - if ((dh->p == NULL) || (dh->g == NULL)) { - DH_free(dh); - return (NULL); - } - return (dh); + return DHFromArray(dh2048_p, sizeof(dh2048_p), dh2048_g, sizeof(dh2048_g)); } DH * @@ -262,17 +267,8 @@ GetDH4096(void) static unsigned char dh4096_g[] = { 0x02, }; - DH *dh; - if ((dh = DH_new()) == NULL) - return (NULL); - dh->p = BN_bin2bn(dh4096_p, sizeof(dh4096_p), NULL); - dh->g = BN_bin2bn(dh4096_g, sizeof(dh4096_g), NULL); - if ((dh->p == NULL) || (dh->g == NULL)) { - DH_free(dh); - return (NULL); - } - return (dh); + return DHFromArray(dh4096_p, sizeof(dh4096_p), dh4096_g, sizeof(dh4096_g)); } DH * diff --git a/conserver-8.2.1/debian/control b/conserver-8.2.1/debian/control index 6e78071..59e8e01 100644 --- a/conserver-8.2.1/debian/control +++ b/conserver-8.2.1/debian/control 
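Review bot: in the new DHFromArray() hunk the `g == NULL` branch frees `g` (which is NULL) and leaks `p`; that branch needs `BN_free(p)`, and the `BN_free(p)` in the `p == NULL` branch is a no-op that can be dropped. The parameters are declared `char *` but `BN_bin2bn()` takes `const unsigned char *`, and the dh512_p/dh512_g (and larger) arrays passed in by the GetDH* hunks are `unsigned char[]`, so declare them `const unsigned char *` to avoid pointer-sign warnings. `DH_set0_pqg()` only exists from OpenSSL 1.1.0, so as written main.c no longer builds against 1.0.x; either wrap the helper body in `#if OPENSSL_VERSION_NUMBER >= 0x10100000L` and keep the removed `dh->p = ...` / `dh->g = ...` assignments in the `#else` branch, or provide a small DH_set0_pqg() shim for older releases. The debian/control hunk drops the libssl1.0-dev build-dependency at the same time, so the 1.0.x fallback would need to stay buildable only outside Debian sid.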
@@ -2,7 +2,7 @@ Source: conserver Section: non-free/comm Priority: optional Maintainer: Jörgen Hägg -Build-Depends: debhelper (>= 7.0.50), po-debconf, libpam0g-dev, libwrap0-dev, libssl1.0-dev +Build-Depends: debhelper (>= 7.0.50), po-debconf, libpam0g-dev, libwrap0-dev, libssl-dev Standards-Version: 3.9.8 XS-Autobuild: yes Homepage: http://www.conserver.com/ -- 2.13.3 --FCuugMFkClbJLl1L--

From john@stoffel.org Tue Jul 25 21:41:55 2017
Date: Tue, 25 Jul 2017 17:41:51 -0400
Message-ID: <22903.47903.715240.505621@quad.stoffel.home>
From: "John Stoffel"
To: Chris West
Cc: users@conserver.com
Subject: Re: Porting conserver to OpenSSL 1.1
In-Reply-To: <20170725204722.GA22747@blind.goeswhere.com>

From john@stoffel.org Tue Jul 25 21:43:09 2017
Date: Tue, 25 Jul 2017 17:43:06 -0400
Message-ID: <22903.47978.285864.899377@quad.stoffel.home>
From: "John Stoffel"
To: Chris West
Cc: users@conserver.com
Subject: Re: Porting conserver to OpenSSL 1.1
In-Reply-To: <20170725204722.GA22747@blind.goeswhere.com>

Chris> I've been trying to get conserver to work with OpenSSL 1.1, as this will
Chris> soon be the only version available in Debian Linux:
Chris> https://bugs.debian.org/851085

Awesome news!

Chris> The attached patch fixes a few trivial compile errors caused by API
Chris> changes. With the attached patch applied, the code builds against
Chris> Debian sid's libssl-dev (1.1). However, the server rejects all
Chris> connections with a "handshake error", and a pretty generic error
Chris> message that just means something is wrong with ciphers, certificates,
Chris> or something like that. This causes all the tests to fail. The code
Chris> doesn't even reach the place the patch changes, so it's unlikely to be
Chris> the cause.

I wonder if the issue is that it looks like you're trying to use sslv3, but I bet you need to change to using TLSv1 or v2 instead, since ssl2 and ssl3 are deprecated now.

Can you post your patches? Or a link to a git repo I could pull and glance over? But I warn you all, I'm not a strong C hacker at all...

Chris> Has anyone made any further progress? Does anyone know what the problem
Chris> is?

Chris> Any help greatly appreciated.

Chris> Chris.
Chris> ---
Chris> The errors are:
Chris> 140691693188864:error:14094410:SSL routines:ssl3_read_bytes:sslv3
Chris> alert handshake failure:../ssl/record/rec_layer_s3.c:1399:SSL alert number 40
Chris> error:1417A0C1:SSL routines:tls_post_process_client_hello:no shared cipher
Chris> [DELETED ATTACHMENT conserver-ssl11.patch, text/x-diff]
Chris> _______________________________________________
Chris> users mailing list
Chris> users@conserver.com
Chris> https://www.conserver.com/mailman/listinfo/users

From solo-conserver@goeswhere.com Wed Jul 26 21:09:19 2017
Date: Wed, 26 Jul 2017 22:09:11 +0100
From: solo-conserver@goeswhere.com
To: John Stoffel, Matthew Huff
Cc: users@conserver.com
Subject: Re: Porting conserver to OpenSSL 1.1
Message-ID: <20170726210911.GA16352@blind.goeswhere.com>
In-Reply-To: <22903.47978.285864.899377@quad.stoffel.home>

On Tue, Jul 25, 2017 at 05:43:06PM -0400, John Stoffel wrote:
> I wonder if the issue is that it looks like you're trying to use
> sslv3, but I bet you need to change to using TLSv1 or v2 instead,
> since ssl2 and ssl3 are deprecated now.

This is fixed by OpenSSL itself by macros; requests for SSL2/3 are just requests for "the latest TLS version" now:
https://github.com/openssl/openssl/blob/d445302418b41b76c15e103954b1311d98077480/include/openssl/ssl.h#L1750

I can see this in the tcpdump; the client is happily talking 1.2.

> Can you post your patches? Or a link to a git repo I could pull and
> glance over? But I warn you all, I'm not a strong C hacker at all...

I didn't realise the mailing list would strip the patch, bah! Here's a repo:
https://github.com/FauxFaux/conserver

The patch:
https://github.com/FauxFaux/conserver/commit/08be145f18fe4dda5e7cb4cd8fc65420e45348f3

You can see the problem just by running:

autoreconf -vf
./configure --with-openssl
make
make test

.. executing test #1...failed (diffs in test1.diff) ..

--
Chris.
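The two OpenSSL error strings quoted at the start of the thread pack a library, function and reason code into the hex field, and alert-derived reasons are 1000 plus the TLS alert number the peer sent, which is how the client-side line ("alert number 40") and the server-side line ("no shared cipher") are told apart. The decoder below is an added example, not conserver code and not from anyone in the thread; its sample lines are the two from Chris's first mail, the alert-name table is the TLS AlertDescription registry from RFC 5246, and the 8/12/12-bit code layout is OpenSSL 1.1's.

```python
"""Decode OpenSSL 1.1 error strings such as the ones quoted in this thread.

Added example, not part of conserver or of any message in the thread.
"""
import re

# <pid>:error:<8 hex digits>:<lib>:<function>:<reason>:<file>:<line>:<extra>
# The leading pid and the trailing file/line/extra parts are not always present.
_ERR_RE = re.compile(
    r"^(?:(?P<pid>\d+):)?error:(?P<code>[0-9A-Fa-f]{8}):"
    r"(?P<lib>[^:]*):(?P<func>[^:]*):(?P<reason>[^:]*)"
    r"(?::(?P<file>[^:]*):(?P<line>\d+))?(?::(?P<extra>.*))?$"
)

ERR_LIB_SSL = 20              # high byte 0x14 of the packed code (ERR_LIB_SSL)
SSL_AD_REASON_OFFSET = 1000   # alert-derived reasons are 1000 + alert number

# TLS AlertDescription values (RFC 5246) a server operator is most likely to meet.
TLS_ALERTS = {
    40: "handshake_failure", 42: "bad_certificate", 46: "certificate_unknown",
    48: "unknown_ca", 49: "access_denied", 51: "decrypt_error",
    70: "protocol_version", 80: "internal_error", 112: "unrecognized_name",
}


def parse_openssl_error(line):
    """Split one OpenSSL error line into fields and unpack the 32-bit code.

    OpenSSL 1.1 packs the code as lib (8 bits) | func (12 bits) | reason (12 bits).
    Returns None if the line is not an OpenSSL error string.
    """
    m = _ERR_RE.match(line.strip())
    if not m:
        return None
    code = int(m.group("code"), 16)
    reason_code = code & 0xFFF
    alert = None
    if SSL_AD_REASON_OFFSET <= reason_code < SSL_AD_REASON_OFFSET + 256:
        alert = reason_code - SSL_AD_REASON_OFFSET   # alert the *peer* sent
    return {
        "code": code,
        "lib_code": code >> 24,
        "func_code": (code >> 12) & 0xFFF,
        "reason_code": reason_code,
        "lib": m.group("lib"),
        "func": m.group("func"),
        "reason": m.group("reason"),
        "file": m.group("file"),
        "line": int(m.group("line")) if m.group("line") else None,
        "peer_alert": alert,
        "peer_alert_name": TLS_ALERTS.get(alert) if alert is not None else None,
    }


def explain(line):
    """One-line diagnosis: did the peer reject us, or did we fail locally?"""
    e = parse_openssl_error(line)
    if e is None:
        return "not an OpenSSL error string"
    if e["lib_code"] != ERR_LIB_SSL:
        return "error from library %d (%s): %s" % (e["lib_code"], e["lib"], e["reason"])
    if e["peer_alert"] is not None:
        return "peer sent TLS alert %d (%s) in %s" % (
            e["peer_alert"], e["peer_alert_name"] or "unknown", e["func"])
    return "local failure in %s: %s" % (e["func"], e["reason"])


# Constructed sample input: the two lines Chris quoted.
SAMPLE_CLIENT = ("140691693188864:error:14094410:SSL routines:ssl3_read_bytes:"
                 "sslv3 alert handshake failure:../ssl/record/rec_layer_s3.c:1399:"
                 "SSL alert number 40")
SAMPLE_SERVER = "error:1417A0C1:SSL routines:tls_post_process_client_hello:no shared cipher"

if __name__ == "__main__":
    for s in (SAMPLE_CLIENT, SAMPLE_SERVER):
        print(explain(s))
```

Read together, the pair says the server found no cipher suite in common with the client and sent handshake_failure, so the cipher list and key material configured in the server context are the place to look, not the DH callback.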
From john@stoffel.org Fri Jul 28 16:01:02 2017
Date: Fri, 28 Jul 2017 12:00:55 -0400
Message-ID: <22907.24503.333092.530949@quad.stoffel.home>
From: "John Stoffel"
To: solo-conserver@goeswhere.com
Cc: John Stoffel, Matthew Huff, users@conserver.com
Subject: Re: Porting conserver to OpenSSL 1.1
In-Reply-To: <20170726210911.GA16352@blind.goeswhere.com>

>>>>> "solo-conserver" == solo-conserver writes:

solo-conserver> On Tue, Jul 25, 2017 at 05:43:06PM -0400, John Stoffel wrote:
>> I wonder if the issue is that it looks like you're trying to use
>> sslv3, but I bet you need to change to using TLSv1 or v2 instead,
>> since ssl2 and ssl3 are deprecated now.

solo-conserver> This is fixed by OpenSSL itself by macros; requests for SSL2/3 are just
solo-conserver> requests for "the latest TLS version" now:
solo-conserver> https://github.com/openssl/openssl/blob/d445302418b41b76c15e103954b1311d98077480/include/openssl/ssl.h#L1750

solo-conserver> I can see this in the tcpdump; the client is happily talking 1.2.

That's good to know.

>> Can you post your patches? Or a link to a git repo I could pull and
>> glance over? But I warn you all, I'm not a strong C hacker at all...

solo-conserver> I didn't realise the mailing list would strip the patch, bah! Here's a repo:
solo-conserver> https://github.com/FauxFaux/conserver

solo-conserver> The patch:
solo-conserver> https://github.com/FauxFaux/conserver/commit/08be145f18fe4dda5e7cb4cd8fc65420e45348f3

I'm looking at this now. Got busy with other stuff past few days...
solo-conserver> You can see the problem just by running:

solo-conserver> autoreconf -vf
solo-conserver> ./configure --with-openssl
solo-conserver> make
solo-conserver> make test

Can you give more details on your environment, and the exact version of openssl you have installed?

Also, looking at your patch, I see that you removed DH_new() call, but never replaced it. So I wonder if that's part of the problem?

John

From john@stoffel.org Fri Jul 28 16:12:11 2017
Date: Fri, 28 Jul 2017 12:12:08 -0400
Message-ID: <22907.25176.324672.579313@quad.stoffel.home>
From: "John Stoffel"
To: solo-conserver@goeswhere.com
Cc: John Stoffel, Matthew Huff, users@conserver.com
Subject: Re: Porting conserver to OpenSSL 1.1
In-Reply-To: <20170726210911.GA16352@blind.goeswhere.com>

And my initial poking at this on Debian Jessie x86_64 ended in failure, since I'm not running the sid and its openssl-110 packages anywhere yet.

Also, we will need to make sure that conserver using the new version of openssl will be able to talk with clients/servers using the older version of openssl as well. From looking at the discussions, as long as we don't have CTX structures around, we should be ok. And I suspect we will be ok.

And another thing, this patch also breaks compiles on openssl-1.0.x systems, so that needs to be addressed down the line as well, with some sort of switch of #ifdef to handle the transition cleanly.

John

From solo-conserver@goeswhere.com Sat Jul 29 12:07:49 2017
Date: Sat, 29 Jul 2017 13:07:42 +0100
From: Chris
To: John Stoffel
Cc: solo-conserver@goeswhere.com, Matthew Huff, users@conserver.com
Subject: Re: Porting conserver to OpenSSL 1.1
Message-ID: <20170729120742.GA10144@blind.goeswhere.com>
In-Reply-To: <22907.24503.333092.530949@quad.stoffel.home>

On Fri, Jul 28, 2017 at 12:00:55PM -0400, John Stoffel wrote:
> Can you give more details on your environment, and the exact version of
> openssl you have installed?

The packages installed are: https://paste.debian.net/978748/

Specifically:
libssl-dev/unstable,now 1.1.0f-3 amd64 [installed]

The build is being done in a Debian Sid chroot, which is how Debian packages are typically developed. It's essentially the most minimal environment in which you could expect things to build; minimal other distractions, and a really good idea about exactly what has changed.

In this environment, conserver's tests pass fine with openssl 1.0.
The easiest way to simulate this on other systems is probably with Docker, instead of trying to use pbuilder:

Start a Debian Sid container, interactively:

$ docker run -it debian:sid

And, inside, download the dependencies, the code, then try and build:

apt update && \
  apt upgrade --yes && \
  apt install --yes git ca-certificates debhelper build-essential && \
  apt install --yes libpam0g-dev libwrap0-dev libssl-dev && \
  git clone https://github.com/FauxFaux/conserver && \
  cd conserver && \
  autoreconf -fvi && \
  ./configure --with-openssl && \
  make && \
  make test

> Also, looking at your patch, I see that you removed DH_new() call, but
> never replaced it. So I wonder if that's part of the problem?

The DH_new() call has been moved down the method, to make the error handling easier. But, it can't be the problem anyway: the new code is never hit; the log statement in `TmpDHCallback` is never reached, so the new code cannot be the problem.

Chris.

From john@stoffel.org Sat Jul 29 13:39:00 2017
Date: Sat, 29 Jul 2017 09:38:53 -0400
Message-ID: <22908.36845.14420.421353@quad.stoffel.home>
From: "John Stoffel"
To: Chris
Cc: John Stoffel, Matthew Huff, users@conserver.com
Subject: Re: Porting conserver to OpenSSL 1.1
In-Reply-To: <20170729120742.GA10144@blind.goeswhere.com>

>>>>> "Chris" == Chris writes:

Chris> On Fri, Jul 28, 2017 at 12:00:55PM -0400, John Stoffel wrote:
>> Can you give more details on your environment, and the exact version of
>> openssl you have installed?

Chris> The packages installed are: https://paste.debian.net/978748/

Chris> Specifically:
Chris> libssl-dev/unstable,now 1.1.0f-3 amd64 [installed]

Chris> The build is being done in a Debian Sid chroot, which is how Debian
Chris> packages are typically developed. It's essentially the most minimal
Chris> environment in which you could expect things to build; minimal other
Chris> distractions, and a really good idea about exactly what has changed.

Chris> In this environment, conserver's tests pass fine with openssl 1.0.

Chris> The easiest way to simulate this on other systems is probably with
Chris> Docker, instead of trying to use pbuilder:

Ok, I spent some time yesterday spinning up a Debian SID VM instead, haven't had the chance to play with docker, etc yet. And I do the build problem there (base 8.2.1 without your changes). I also tried widening the allowed set of certificates in the SetupSSL() function to "ALL:!eNULL" but that didn't make a difference.
Haven't had the time to poke deeper. I'm also more of a SysAdmin hacker, not a developer, so my C skills are rusty. And my openssl hacking... non-existent. LOL. So I'll be slow in my helping here.

We probably need to break it down more to just the bare bones SSL setup and configuration, to make sure it's working. I figure the openssl tool might be a help here.

Chris> Start a Debian Sid container, interactively:

Chris> $ docker run -it debian:sid

Chris> And, inside, download the dependencies, the code, then try and build:

Chris> apt update && \
Chris>   apt upgrade --yes && \
Chris>   apt install --yes git ca-certificates debhelper build-essential && \
Chris>   apt install --yes libpam0g-dev libwrap0-dev libssl-dev && \
Chris>   git clone https://github.com/FauxFaux/conserver && \
Chris>   cd conserver && \
Chris>   autoreconf -fvi && \
Chris>   ./configure --with-openssl && \
Chris>   make && \
Chris>   make test

>> Also, looking at your patch, I see that you removed DH_new() call, but
>> never replaced it. So I wonder if that's part of the problem?

Chris> The DH_new() call has been moved down the method, to make the error handling
Chris> easier. But, it can't be the problem anyway: the new code is never hit; the
Chris> log statement in `TmpDHCallback` is never reached, so the new code cannot
Chris> be the problem.

Chris> Chris.