Fwd: Bug#828611: xymon: Fails to build from source with OpenSSL 1.1.0
Hi,
this has been reported in Debian at https://bugs.debian.org/828611
----- Forwarded message from Kurt Roeckx <kurt at roeckx.be> ----- Date: Sun, 26 Jun 2016 12:24:54 +0200 From: Kurt Roeckx <kurt at roeckx.be> To: submit at bugs.debian.org Subject: Bug#828611: xymon: FTBFS with openssl 1.1.0 Reply-To: Kurt Roeckx <kurt at roeckx.be>, 828611 at bugs.debian.org
Source: xymon Version: 4.3.27-1 Severity: important Control: block 827061 by -1
Hi,
OpenSSL 1.1.0 is about to released. During a rebuild of all packages using OpenSSL this package fail to build. A log of that build can be found at: https://breakpoint.cc/openssl-1.1-rebuild-2016-05-29/Attempted/xymon_4.3.27-...
On https://wiki.openssl.org/index.php/1.1_API_Changes you can see various of the reasons why it might fail. There are also updated man pages at https://www.openssl.org/docs/manmaster/ that should contain useful information.
There is a libssl-dev package available in experimental that contains a recent snapshot, I suggest you try building against that to see if everything works.
If you have problems making things work, feel free to contact us.
Kurt ----- End forwarded message -----
Regards, Axel--
,''. | Axel Beckert <abe at debian.org>, http://people.debian.org/~abe/ : :' : | Debian Developer, ftp.ch.debian.org Admin . ' | 4096R: 2517 B724 C5F6 CA99 5329 6E61 2FF9 CD59 6126 16B5 - | 1024D: F067 EA27 26B9 C3FC 1486 202E C09E 1D89 9593 0EDE
Hi, Axel Beckert wrote:
this has been reported in Debian at https://bugs.debian.org/828611 [...] OpenSSL 1.1.0 is about to released. During a rebuild of all packages using OpenSSL this package fail to build. A log of that build can be found at: https://breakpoint.cc/openssl-1.1-rebuild-2016-05-29/Attempted/xymon_4.3.27-...
On https://wiki.openssl.org/index.php/1.1_API_Changes you can see various of the reasons why it might fail. There are also updated man pages at https://www.openssl.org/docs/manmaster/ that should contain useful information.
While it took quite a while to figure it out, the patch to make it compile again against OpenSSL 1.1.0 is surprisingly tiny: --- a/xymonnet/contest.c +++ b/xymonnet/contest.c @@ -648,7 +648,7 @@ certcn = X509_NAME_oneline(X509_get_subject_name(peercert), NULL, 0); certissuer = X509_NAME_oneline(X509_get_issuer_name(peercert), NULL, 0); - certsigalg = OBJ_nid2ln(OBJ_obj2nid(peercert->sig_alg->algorithm)); + certsigalg = OBJ_nid2ln(X509_get_signature_nid(peercert)); certstart = strdup(xymon_ASN1_UTCTIME(X509_get_notBefore(peercert))); certend = strdup(xymon_ASN1_UTCTIME(X509_get_notAfter(peercert))); { See also https://anonscm.debian.org/cgit/collab-maint/xymon.git/tree/debian/patches/8... https://anonscm.debian.org/cgit/collab-maint/xymon.git/plain/debian/patches/... I've got one (currently non-productive) Xymon server on a Raspberry Pi running(*) Debian Unstable with that patch and xymonnet properly reported SSL certificate and https:// URL states so far. So I believe, that patch is sufficient and working, despite I have not much of an idea what it actually does. I took the idea for the patch from here: https://github.com/bukka/php-src/commit/0598a8da2bc005b3a0be2801033b5347020f... I would be happy if you could integrate the patch into the (probably upcoming) 4.3.28 release to allow others to compile Xymon against OpenSSL 1.1.0+. (And to spread it further to get more testing. :-) (*) It's currently running with OpenSSL 1.0.2j though, but that proves that it's at least also backward compatible to 1.0.2. As soon as Debian Unstable switches to OpenSSL 1.1.0b or later, I'll continue to test it with that version. Regards, Axel -- ,''`. | Axel Beckert <abe at debian.org>, http://people.debian.org/~abe/ : :' : | Debian Developer, ftp.ch.debian.org Admin `. `' | 4096R: 2517 B724 C5F6 CA99 5329 6E61 2FF9 CD59 6126 16B5 `- | 1024D: F067 EA27 26B9 C3FC 1486 202E C09E 1D89 9593 0EDE
On Sun, October 30, 2016 6:07 am, Axel Beckert wrote:
Hi,
Axel Beckert wrote:
this has been reported in Debian at https://bugs.debian.org/828611 [...] OpenSSL 1.1.0 is about to released. During a rebuild of all packages using OpenSSL this package fail to build. A log of that build can be found at: https://breakpoint.cc/openssl-1.1-rebuild-2016-05-29/Attempted/xymon_4.3.27-...
On https://wiki.openssl.org/index.php/1.1_API_Changes you can see various of the reasons why it might fail. There are also updated man pages at https://www.openssl.org/docs/manmaster/ that should contain useful information.
While it took quite a while to figure it out, the patch to make it compile again against OpenSSL 1.1.0 is surprisingly tiny:
--- a/xymonnet/contest.c +++ b/xymonnet/contest.c @@ -648,7 +648,7 @@
certcn = X509_NAME_oneline(X509_get_subject_name(peercert), NULL, 0); certissuer = X509_NAME_oneline(X509_get_issuer_name(peercert), NULL, 0); - certsigalg = OBJ_nid2ln(OBJ_obj2nid(peercert->sig_alg->algorithm)); + certsigalg = OBJ_nid2ln(X509_get_signature_nid(peercert)); certstart = strdup(xymon_ASN1_UTCTIME(X509_get_notBefore(peercert))); certend = strdup(xymon_ASN1_UTCTIME(X509_get_notAfter(peercert))); {
See also https://anonscm.debian.org/cgit/collab-maint/xymon.git/tree/debian/patches/8... https://anonscm.debian.org/cgit/collab-maint/xymon.git/plain/debian/patches/...
I've got one (currently non-productive) Xymon server on a Raspberry Pi running(*) Debian Unstable with that patch and xymonnet properly reported SSL certificate and https:// URL states so far. So I believe, that patch is sufficient and working, despite I have not much of an idea what it actually does. I took the idea for the patch from here: https://github.com/bukka/php-src/commit/0598a8da2bc005b3a0be2801033b5347020f...
I would be happy if you could integrate the patch into the (probably upcoming) 4.3.28 release to allow others to compile Xymon against OpenSSL 1.1.0+. (And to spread it further to get more testing. :-)
(*) It's currently running with OpenSSL 1.0.2j though, but that proves that it's at least also backward compatible to 1.0.2. As soon as Debian Unstable switches to OpenSSL 1.1.0b or later, I'll continue to test it with that version.
Regards, Axel
Thanks! It seems I missed that back in July. This looks good. I wrapped it in a version check to hopefully DTRT when it's not present. This does lead to doing the new call between 1.0.2 and <1.1.0, but AFAICT the call itself is nothing more than that anyway... I think. Committed at https://sourceforge.net/p/xymon/code/7975/ Regards, -jc
participants (2)
-
abe@debian.org
-
cleaver@terabithia.org