Skip site navigation (1)Skip section navigation (2)
Date:      Tue, 02 Jun 2015 15:02:41 -0400
From:      Adam McDougall <mcdouga9@egr.msu.edu>
To:        Ryan Steinmetz <zi@freebsd.org>
Cc:        Bryan Drewery <bdrewery@FreeBSD.org>, ports@freebsd.org
Subject:   Re: Fwd: Re: svn commit: r386904 - in head/www/apache22: . files
Message-ID:  <556DFDD1.8030404@egr.msu.edu>
In-Reply-To: <20150602150702.GB62387@exodus.zi0r.com>
References:  <20150531132958.GB1034@egr.msu.edu> <556CB6C8.2070103@FreeBSD.org> <20150602115116.GA62387@exodus.zi0r.com> <556DC53D.8000208@egr.msu.edu> <20150602150702.GB62387@exodus.zi0r.com>

next in thread | previous in thread | raw e-mail | index | archive | help
Thank you for the tip and the explanation.  I found out what was causing
the difference.  With libressl, the openssl gendh command no longer
accepts -rand because it assumes your random has sufficient quality to
start with:

http://cvsweb.openbsd.org/cgi-bin/cvsweb/src/lib/libssl/src/apps/Attic/gendh.c?rev=1.18&content-type=text/x-cvsweb-markup
http://cvsweb.openbsd.org/cgi-bin/cvsweb/src/lib/libssl/src/apps/Attic/gendh.c.diff?r1=1.17&r2=1.18

http://cvsweb.openbsd.org/cgi-bin/cvsweb/src/lib/libssl/src/apps/Attic/gendh.c?rev=1.25&content-type=text/x-cvsweb-markup
http://cvsweb.openbsd.org/cgi-bin/cvsweb/src/lib/libssl/src/apps/Attic/gendh.c.diff?r1=1.24&r2=1.25

I don't know if there is a worthwhile benefit to using -rand with
openssl on supported FreeBSD versions.  I took $rand out of these lines
and now apache works fine:
+system("openssl gendh $rand -out dh2048.pem 2048");
+system("openssl gendh $rand -out dh3072.pem 3072");

On 06/02/2015 11:07, Ryan Steinmetz wrote:
> Adam,
> 
> Does this work for you with openssl?  I'm unable to re-create this on my
> side, but I'm also not testing with libressl.
> 
> It isn't simply renaming them.  There's a perl script that gets called
> at build time that generates everything.  During the build phase, you
> should see a pair of messages indicating that it is generating the two
> DH param files.  It should take a few minutes.
> 
> The reason for the "rename" is to allow the search/replace magic in the
> perl to search/replace.
> 
> Please send me the full build log.
> 
> -r
> 
> On (06/02/15 11:01), Adam McDougall wrote:
>> It still didn't work.  Cannot load
>> /usr/local/libexec/apache22/mod_ssl.so into server:
>> /usr/local/libexec/apache22/mod_ssl.so: Undefined symbol "get_dh2048"
>>
>> Additionally I'm concerned about the validity of renaming small primes
>> and using them as if they were for much larger dh.  When I do google
>> searches for dh3072_p and dh2048_p I find larger sets of numbers.
>> Renaming the existing primes doesn't feel right and worries me.
>>
>> On 06/02/2015 07:51, Ryan Steinmetz wrote:
>>> Adam,
>>>
>>> Please test the following patch.  It should be placed in the files
>>> directory and should resolve the error you saw.
>>>
>>> https://people.freebsd.org/~zi/patch-modules_ssl_ssl__engine__dh.c
>>>
>>> You can then build the build as usual after running a 'make clean'
>>>
>>> -r
>>>
>>> On (06/01/15 14:47), Bryan Drewery wrote:
>>>> On 5/31/2015 8:29 AM, Adam McDougall wrote:
>>>>> Is anyone else getting this issue?  I had to revert the change on my
>>>>> systems.
>>>>> Thanks.
>>>>>
>>>>
>>>> Yes it looks incomplete. Nothing is providing get_dh2048.
>>>>
>>>>> work/httpd-2.2.29/modules/ssl/ssl_engine_dh.c:static DH
>>>>> *get_dh512(void)
>>>>> work/httpd-2.2.29/modules/ssl/ssl_engine_dh.c:static DH
>>>>> *get_dh1024(void)
>>>>> work/httpd-2.2.29/modules/ssl/ssl_engine_dh.c:        dh =
>>>>> get_dh2048();
>>>>> work/httpd-2.2.29/modules/ssl/ssl_engine_dh.c:        dh =
>>>>> get_dh3072();
>>>>> work/httpd-2.2.29/modules/ssl/ssl_engine_dh.c:        dh =
>>>>> get_dh3072();
>>>>
>>>> The module is only providing 512 and 1024 but not 2048 and 3072
>>>> symbols.
>>>>
>>>>
>>>> -- 
>>>> Regards,
>>>> Bryan Drewery
>>>>
>>>
>>>
>>>
>>
> 




Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?556DFDD1.8030404>