diff --git a/net/apache/patches/020-openssl-deprecated.patch b/net/apache/patches/020-openssl-deprecated.patch new file mode 100644 index 000000000..e583cde19 --- /dev/null +++ b/net/apache/patches/020-openssl-deprecated.patch @@ -0,0 +1,177 @@ +--- a/modules/ssl/mod_ssl.c ++++ b/modules/ssl/mod_ssl.c +@@ -328,6 +328,7 @@ static int modssl_is_prelinked(void) + + static apr_status_t ssl_cleanup_pre_config(void *data) + { ++#if MODSSL_USE_OPENSSL_PRE_1_1_API + /* + * Try to kill the internals of the SSL library. + */ +@@ -343,11 +344,9 @@ static apr_status_t ssl_cleanup_pre_config(void *data) + #if OPENSSL_VERSION_NUMBER >= 0x1000200fL + #ifndef OPENSSL_NO_COMP + SSL_COMP_free_compression_methods(); +-#endif + #endif + + /* Usually needed per thread, but this parent process is single-threaded */ +-#if MODSSL_USE_OPENSSL_PRE_1_1_API + #if OPENSSL_VERSION_NUMBER >= 0x1000000fL + ERR_remove_thread_state(NULL); + #else +@@ -376,6 +375,7 @@ static apr_status_t ssl_cleanup_pre_config(void *data) + * (when enabled) at this late stage in the game: + * CRYPTO_mem_leaks_fp(stderr); + */ ++#endif + return APR_SUCCESS; + } + +@@ -400,14 +400,16 @@ static int ssl_hook_pre_config(apr_pool_t *pconf, + #else + OPENSSL_malloc_init(); + #endif ++#if MODSSL_USE_OPENSSL_PRE_1_1_API + ERR_load_crypto_strings(); + SSL_load_error_strings(); + SSL_library_init(); ++ OpenSSL_add_all_algorithms(); ++ OPENSSL_load_builtin_modules(); ++#endif + #if HAVE_ENGINE_LOAD_BUILTIN_ENGINES + ENGINE_load_builtin_engines(); + #endif +- OpenSSL_add_all_algorithms(); +- OPENSSL_load_builtin_modules(); + + if (OBJ_txt2nid("id-on-dnsSRV") == NID_undef) { + (void)OBJ_create("1.3.6.1.5.5.7.8.7", "id-on-dnsSRV", +--- a/modules/ssl/ssl_engine_init.c ++++ b/modules/ssl/ssl_engine_init.c +@@ -88,6 +88,8 @@ static int DH_set0_pqg(DH *dh, BIGNUM *p, BIGNUM *q, BIGNUM *g) + + return 1; + } ++ ++#define OpenSSL_version_num SSLeay + #endif + + /* +@@ -223,7 +225,7 @@ apr_status_t ssl_init_Module(apr_pool_t *p, apr_pool_t *plog, + apr_status_t rv; + apr_array_header_t *pphrases; + +- if (SSLeay() < MODSSL_LIBRARY_VERSION) { ++ if (OpenSSL_version_num() < MODSSL_LIBRARY_VERSION) { + ap_log_error(APLOG_MARK, APLOG_WARNING, 0, base_server, APLOGNO(01882) + "Init: this version of mod_ssl was compiled against " + "a newer library (%s, version currently loaded is %s)" +--- a/modules/ssl/ssl_engine_io.c ++++ b/modules/ssl/ssl_engine_io.c +@@ -1255,9 +1255,9 @@ static apr_status_t ssl_io_filter_handshake(ssl_filter_ctx_t *filter_ctx) + if (dc->proxy->ssl_check_peer_expire != FALSE) { + if (!cert + || (X509_cmp_current_time( +- X509_get_notBefore(cert)) >= 0) ++ X509_get0_notBefore(cert)) >= 0) + || (X509_cmp_current_time( +- X509_get_notAfter(cert)) <= 0)) { ++ X509_get0_notAfter(cert)) <= 0)) { + proxy_ssl_check_peer_ok = FALSE; + ap_log_cerror(APLOG_MARK, APLOG_INFO, 0, c, APLOGNO(02004) + "SSL Proxy: Peer certificate is expired"); +--- a/modules/ssl/ssl_engine_log.c ++++ b/modules/ssl/ssl_engine_log.c +@@ -163,10 +163,10 @@ static void ssl_log_cert_error(const char *file, int line, int level, + BIO_puts(bio, "(ERROR)"); + + BIO_puts(bio, " / notbefore: "); +- ASN1_TIME_print(bio, X509_get_notBefore(cert)); ++ ASN1_TIME_print(bio, X509_get0_notBefore(cert)); + + BIO_puts(bio, " / notafter: "); +- ASN1_TIME_print(bio, X509_get_notAfter(cert)); ++ ASN1_TIME_print(bio, X509_get0_notAfter(cert)); + + BIO_puts(bio, "]"); + +--- a/modules/ssl/ssl_engine_vars.c ++++ b/modules/ssl/ssl_engine_vars.c +@@ -495,13 +495,13 @@ static char *ssl_var_lookup_ssl_cert(apr_pool_t *p, request_rec *r, X509 *xs, + result = ssl_var_lookup_ssl_cert_serial(p, xs); + } + else if (strcEQ(var, "V_START")) { +- result = ssl_var_lookup_ssl_cert_valid(p, X509_get_notBefore(xs)); ++ result = ssl_var_lookup_ssl_cert_valid(p, X509_getm_notBefore(xs)); + } + else if (strcEQ(var, "V_END")) { +- result = ssl_var_lookup_ssl_cert_valid(p, X509_get_notAfter(xs)); ++ result = ssl_var_lookup_ssl_cert_valid(p, X509_getm_notAfter(xs)); + } + else if (strcEQ(var, "V_REMAIN")) { +- result = ssl_var_lookup_ssl_cert_remain(p, X509_get_notAfter(xs)); ++ result = ssl_var_lookup_ssl_cert_remain(p, X509_getm_notAfter(xs)); + resdup = FALSE; + } + else if (*var && strcEQ(var+1, "_DN")) { +--- a/modules/ssl/ssl_private.h ++++ b/modules/ssl/ssl_private.h +@@ -92,6 +92,8 @@ + #include + #include + #include ++#include ++#include + #include + #include + #include +@@ -234,6 +236,10 @@ + #define BIO_get_shutdown(x) (x->shutdown) + #define BIO_set_shutdown(x,v) (x->shutdown=v) + #define DH_bits(x) (BN_num_bits(x->p)) ++#define X509_get0_notBefore X509_get_notBefore ++#define X509_get0_notAfter X509_get_notAfter ++#define X509_getm_notBefore X509_get_notBefore ++#define X509_getm_notAfter X509_get_notAfter + #else + void init_bio_methods(void); + void free_bio_methods(void); +--- a/support/ab.c ++++ b/support/ab.c +@@ -205,6 +205,10 @@ typedef STACK_OF(X509) X509_STACK_TYPE; + #define SSL_CTX_set_max_proto_version(ctx, version) \ + SSL_CTX_ctrl(ctx, SSL_CTRL_SET_MAX_PROTO_VERSION, version, NULL) + #endif ++#if OPENSSL_VERSION_NUMBER < 0x10100000L ++#define X509_get0_notBefore X509_get_notBefore ++#define X509_get0_notAfter X509_get_notAfter ++#endif + #endif + + #include +@@ -652,11 +656,11 @@ static void ssl_print_cert_info(BIO *bio, X509 *cert) + + BIO_printf(bio, "Certificate version: %ld\n", X509_get_version(cert)+1); + BIO_printf(bio,"Valid from: "); +- ASN1_UTCTIME_print(bio, X509_get_notBefore(cert)); ++ ASN1_UTCTIME_print(bio, X509_get0_notBefore(cert)); + BIO_printf(bio,"\n"); + + BIO_printf(bio,"Valid to : "); +- ASN1_UTCTIME_print(bio, X509_get_notAfter(cert)); ++ ASN1_UTCTIME_print(bio, X509_get0_notAfter(cert)); + BIO_printf(bio,"\n"); + + pk = X509_get_pubkey(cert); +@@ -2634,8 +2638,10 @@ int main(int argc, const char * const argv[]) + CRYPTO_malloc_init(); + #endif + #endif ++#if OPENSSL_VERSION_NUMBER < 0x10100000L + SSL_load_error_strings(); + SSL_library_init(); ++#endif + bio_out=BIO_new_fp(stdout,BIO_NOCLOSE); + bio_err=BIO_new_fp(stderr,BIO_NOCLOSE); +