From owner-freebsd-ports@FreeBSD.ORG Tue Jun 2 19:02:51 2015 Return-Path: Delivered-To: ports@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by hub.freebsd.org (Postfix) with ESMTPS id EBAB581C; Tue, 2 Jun 2015 19:02:50 +0000 (UTC) (envelope-from mcdouga9@egr.msu.edu) Received: from mail.egr.msu.edu (boomhauer.egr.msu.edu [35.9.37.167]) by mx1.freebsd.org (Postfix) with ESMTP id A61C010CE; Tue, 2 Jun 2015 19:02:49 +0000 (UTC) (envelope-from mcdouga9@egr.msu.edu) Received: from boomhauer (localhost [127.0.0.1]) by mail.egr.msu.edu (Postfix) with ESMTP id 6DBCB4F093; Tue, 2 Jun 2015 15:02:42 -0400 (EDT) X-Virus-Scanned: amavisd-new at egr.msu.edu Received: from mail.egr.msu.edu ([127.0.0.1]) by boomhauer (boomhauer.egr.msu.edu [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id K2RbWIXxiO5q; Tue, 2 Jun 2015 15:02:42 -0400 (EDT) Received: from EGR authenticated sender mcdouga9 Message-ID: <556DFDD1.8030404@egr.msu.edu> Date: Tue, 02 Jun 2015 15:02:41 -0400 From: Adam McDougall User-Agent: Mozilla/5.0 (X11; FreeBSD amd64; rv:31.0) Gecko/20100101 Thunderbird/31.7.0 MIME-Version: 1.0 To: Ryan Steinmetz CC: Bryan Drewery , ports@freebsd.org Subject: Re: Fwd: Re: svn commit: r386904 - in head/www/apache22: . files References: <20150531132958.GB1034@egr.msu.edu> <556CB6C8.2070103@FreeBSD.org> <20150602115116.GA62387@exodus.zi0r.com> <556DC53D.8000208@egr.msu.edu> <20150602150702.GB62387@exodus.zi0r.com> In-Reply-To: <20150602150702.GB62387@exodus.zi0r.com> Content-Type: text/plain; charset=windows-1252 Content-Transfer-Encoding: 7bit X-BeenThere: freebsd-ports@freebsd.org X-Mailman-Version: 2.1.20 Precedence: list List-Id: Porting software to FreeBSD List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 02 Jun 2015 19:02:51 -0000 Thank you for the tip and the explanation. I found out what was causing the difference. With libressl, the openssl gendh command no longer accepts -rand because it assumes your random has sufficient quality to start with: http://cvsweb.openbsd.org/cgi-bin/cvsweb/src/lib/libssl/src/apps/Attic/gendh.c?rev=1.18&content-type=text/x-cvsweb-markup http://cvsweb.openbsd.org/cgi-bin/cvsweb/src/lib/libssl/src/apps/Attic/gendh.c.diff?r1=1.17&r2=1.18 http://cvsweb.openbsd.org/cgi-bin/cvsweb/src/lib/libssl/src/apps/Attic/gendh.c?rev=1.25&content-type=text/x-cvsweb-markup http://cvsweb.openbsd.org/cgi-bin/cvsweb/src/lib/libssl/src/apps/Attic/gendh.c.diff?r1=1.24&r2=1.25 I don't know if there is a worthwhile benefit to using -rand with openssl on supported FreeBSD versions. I took $rand out of these lines and now apache works fine: +system("openssl gendh $rand -out dh2048.pem 2048"); +system("openssl gendh $rand -out dh3072.pem 3072"); On 06/02/2015 11:07, Ryan Steinmetz wrote: > Adam, > > Does this work for you with openssl? I'm unable to re-create this on my > side, but I'm also not testing with libressl. > > It isn't simply renaming them. There's a perl script that gets called > at build time that generates everything. During the build phase, you > should see a pair of messages indicating that it is generating the two > DH param files. It should take a few minutes. > > The reason for the "rename" is to allow the search/replace magic in the > perl to search/replace. > > Please send me the full build log. > > -r > > On (06/02/15 11:01), Adam McDougall wrote: >> It still didn't work. Cannot load >> /usr/local/libexec/apache22/mod_ssl.so into server: >> /usr/local/libexec/apache22/mod_ssl.so: Undefined symbol "get_dh2048" >> >> Additionally I'm concerned about the validity of renaming small primes >> and using them as if they were for much larger dh. When I do google >> searches for dh3072_p and dh2048_p I find larger sets of numbers. >> Renaming the existing primes doesn't feel right and worries me. >> >> On 06/02/2015 07:51, Ryan Steinmetz wrote: >>> Adam, >>> >>> Please test the following patch. It should be placed in the files >>> directory and should resolve the error you saw. >>> >>> https://people.freebsd.org/~zi/patch-modules_ssl_ssl__engine__dh.c >>> >>> You can then build the build as usual after running a 'make clean' >>> >>> -r >>> >>> On (06/01/15 14:47), Bryan Drewery wrote: >>>> On 5/31/2015 8:29 AM, Adam McDougall wrote: >>>>> Is anyone else getting this issue? I had to revert the change on my >>>>> systems. >>>>> Thanks. >>>>> >>>> >>>> Yes it looks incomplete. Nothing is providing get_dh2048. >>>> >>>>> work/httpd-2.2.29/modules/ssl/ssl_engine_dh.c:static DH >>>>> *get_dh512(void) >>>>> work/httpd-2.2.29/modules/ssl/ssl_engine_dh.c:static DH >>>>> *get_dh1024(void) >>>>> work/httpd-2.2.29/modules/ssl/ssl_engine_dh.c: dh = >>>>> get_dh2048(); >>>>> work/httpd-2.2.29/modules/ssl/ssl_engine_dh.c: dh = >>>>> get_dh3072(); >>>>> work/httpd-2.2.29/modules/ssl/ssl_engine_dh.c: dh = >>>>> get_dh3072(); >>>> >>>> The module is only providing 512 and 1024 but not 2048 and 3072 >>>> symbols. >>>> >>>> >>>> -- >>>> Regards, >>>> Bryan Drewery >>>> >>> >>> >>> >> >