On Sun, October 30, 2016 6:07 am, Axel Beckert wrote:
Hi,
Axel Beckert wrote:
this has been reported in Debian at https://bugs.debian.org/828611 [...] OpenSSL 1.1.0 is about to released. During a rebuild of all packages using OpenSSL this package fail to build. A log of that build can be found at: https://breakpoint.cc/openssl-1.1-rebuild-2016-05-29/Attempted/xymon_4.3.27-...
On https://wiki.openssl.org/index.php/1.1_API_Changes you can see various of the reasons why it might fail. There are also updated man pages at https://www.openssl.org/docs/manmaster/ that should contain useful information.
While it took quite a while to figure it out, the patch to make it compile again against OpenSSL 1.1.0 is surprisingly tiny:
--- a/xymonnet/contest.c +++ b/xymonnet/contest.c @@ -648,7 +648,7 @@
certcn = X509_NAME_oneline(X509_get_subject_name(peercert), NULL, 0); certissuer = X509_NAME_oneline(X509_get_issuer_name(peercert), NULL, 0); - certsigalg = OBJ_nid2ln(OBJ_obj2nid(peercert->sig_alg->algorithm)); + certsigalg = OBJ_nid2ln(X509_get_signature_nid(peercert)); certstart = strdup(xymon_ASN1_UTCTIME(X509_get_notBefore(peercert))); certend = strdup(xymon_ASN1_UTCTIME(X509_get_notAfter(peercert))); {
See also https://anonscm.debian.org/cgit/collab-maint/xymon.git/tree/debian/patches/8... https://anonscm.debian.org/cgit/collab-maint/xymon.git/plain/debian/patches/...
I've got one (currently non-productive) Xymon server on a Raspberry Pi running(*) Debian Unstable with that patch and xymonnet properly reported SSL certificate and https:// URL states so far. So I believe, that patch is sufficient and working, despite I have not much of an idea what it actually does. I took the idea for the patch from here: https://github.com/bukka/php-src/commit/0598a8da2bc005b3a0be2801033b5347020f...
I would be happy if you could integrate the patch into the (probably upcoming) 4.3.28 release to allow others to compile Xymon against OpenSSL 1.1.0+. (And to spread it further to get more testing. :-)
(*) It's currently running with OpenSSL 1.0.2j though, but that proves that it's at least also backward compatible to 1.0.2. As soon as Debian Unstable switches to OpenSSL 1.1.0b or later, I'll continue to test it with that version.
Regards, Axel
Thanks! It seems I missed that back in July. This looks good. I wrapped it in a version check to hopefully DTRT when it's not present. This does lead to doing the new call between 1.0.2 and <1.1.0, but AFAICT the call itself is nothing more than that anyway... I think. Committed at https://sourceforge.net/p/xymon/code/7975/ Regards, -jc