Bugzilla – Bug 3713
mod_tls cannot be compiled using Openssl 0.9.6
Last modified: 2012-08-15 02:17:05 UTC
Created attachment 3680
allows openssl 0.9.6 to continue compiling mod_tls

In 1.3.3g, the use of the #define SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS was introduced. This is not available in 0.9.6. I've supplied a patch to allow it to continue compiling; however, it will also cause the local system to silently ignore the NoEmptyFragments option. Perhaps check SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS and, if 0, warn that the option is unsupported?
Given the age of OpenSSL-0.9.6, I'm going to mark this as a minor issue. Also, it will be fixed in the next 1.3.4 maint release, but not in any future 1.3.3 releases.
Created attachment 3681
Fixes building of mod_tls against OpenSSL-0.9.6 or earlier

Can you confirm that this patch fixes the issue, including logging a warning when the NoEmptyFragments TLSOption is used?
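The guard-and-warn pattern discussed in the comments above, as an added example (not the attached patch or ProFTPD's own code): the fallback defines the flag as 0 when the OpenSSL headers lack it, and a helper reports the option as unsupported instead of silently ORing in 0. The helper name `tls_apply_option`, the warning text and the `EXAMPLE_FLAG_PRESENT` value are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

/* OpenSSL headers are deliberately not included, so the macro is absent here
 * just as it is when building against 0.9.6. With a newer OpenSSL,
 * <openssl/ssl.h> would define it and the fallback below would be skipped. */
#ifndef SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS
# define SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS 0UL
#endif

/* Constructed nonzero stand-in for a library that does provide the flag. */
#define EXAMPLE_FLAG_PRESENT 0x800UL

/* Hypothetical helper: OR `flag` into *opts for the TLSOptions keyword `name`.
 * Returns 1 if the option took effect, 0 if the flag is unavailable (a
 * warning is written to `warn`), -1 on bad arguments. */
int tls_apply_option(unsigned long *opts, unsigned long flag,
                     const char *name, char *warn, size_t warnlen) {
    if (opts == NULL || name == NULL || warn == NULL || warnlen == 0)
        return -1;
    warn[0] = '\0';
    if (flag == 0UL) {
        /* Without this branch, `*opts |= 0` succeeds and nothing tells the admin. */
        snprintf(warn, warnlen,
                 "TLSOptions %s not supported by this OpenSSL version, ignoring",
                 name);
        return 0;
    }
    *opts |= flag;
    return 1;
}

int main(void) {
    unsigned long opts = 0UL;
    char warn[128];
    int rc = tls_apply_option(&opts, SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS,
                              "NoEmptyFragments", warn, sizeof(warn));
    printf("rc=%d opts=0x%lx warn=\"%s\"\n", rc, opts, warn);
    return 0;
}
```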
1.3.4 has multiple legacy GCC 2.9.5 issues with older distros (RH 7.3, RHEL 2, Mandrake 8.3). It doesn't like:

1. struct { int foo; char * data[]}. You have to do struct { int foo; char * data[1]} instead.
2. It also doesn't like when you do a conditional before variable declarations, which happens in some of the nested ifdefs.

Because of that, we opted to support legacy Linux on 1.3.3 only. If you'd prefer, I can provide patches to fix all the 1.3.4 issues I found, but that just means the GCC 2.9.5 police will keep dogging you. I didn't want to do that to you. :)

Also, does this mean if any new CVEs come up for 1.3.3, you will recommend upgrade to 1.3.4 for the fix? I'm ok with this, I was just looking for a tentative policy.
(In reply to comment #2)
> Created attachment 3681
> Fixes building of mod_tls against OpenSSL-0.9.6 or earlier
>
> Can you confirm that this patch fixes the issue, including logging a warning
> when the NoEmptyFragments TLSOption is used?

I am testing this patch against 1.3.3g now.
See: http://www.proftpd.org/docs/howto/Versioning.html for the project's versioning and branch support policy.

So far, there hasn't been a need to define the list of supported compiler versions et al, as it hasn't come up. I expect that most package distributors who have specific compiler version requirements handle the necessary changes themselves; no patches or mentions of issues have been reported back.
(In reply to comment #4)
> (In reply to comment #2)
> > Created attachment 3681
> > Fixes building of mod_tls against OpenSSL-0.9.6 or earlier
> >
> > Can you confirm that this patch fixes the issue, including logging a warning
> > when the NoEmptyFragments TLSOption is used?
>
> I am testing this patch against 1.3.3g now.

TJ, everything looks ok with the patch.

Thanks,
Todd
Thanks! I've committed the patch to CVS, and backported it to the 1.3.4 branch.
Resolved in 1.3.4b.