Date:      Tue, 02 Jun 2015 15:45:37 -0400
From:      Adam McDougall <mcdouga9@egr.msu.edu>
To:        Ryan Steinmetz <zi@freebsd.org>
Cc:        Bryan Drewery <bdrewery@FreeBSD.org>, ports@freebsd.org
Subject:   Re: Fwd: Re: svn commit: r386904 - in head/www/apache22: . files
Message-ID:  <556E07E1.2070101@egr.msu.edu>
In-Reply-To: <20150602191941.GA56844@exodus.zi0r.com>
References:  <20150531132958.GB1034@egr.msu.edu> <556CB6C8.2070103@FreeBSD.org> <20150602115116.GA62387@exodus.zi0r.com> <556DC53D.8000208@egr.msu.edu> <20150602150702.GB62387@exodus.zi0r.com> <556DFDD1.8030404@egr.msu.edu> <20150602191941.GA56844@exodus.zi0r.com>

That is exactly what I am using right now, so it works.  Thanks.

On 06/02/2015 15:19, Ryan Steinmetz wrote:
> Adam,
> 
> I've updated my patch once more.  Please confirm.
> 
> https://people.freebsd.org/~zi/patch-modules_ssl_ssl__engine__dh.c
> 
> This removes the -rand bits and fixes the search/replace stuff.
> 
> -r
> 
> On (06/02/15 15:02), Adam McDougall wrote:
>> Thank you for the tip and the explanation.  I found out what was causing
>> the difference.  With libressl, the openssl gendh command no longer
>> accepts -rand because it assumes your random has sufficient quality to
>> start with:
>>
>> http://cvsweb.openbsd.org/cgi-bin/cvsweb/src/lib/libssl/src/apps/Attic/gendh.c?rev=1.18&content-type=text/x-cvsweb-markup
>>
>> http://cvsweb.openbsd.org/cgi-bin/cvsweb/src/lib/libssl/src/apps/Attic/gendh.c.diff?r1=1.17&r2=1.18
>>
>>
>> http://cvsweb.openbsd.org/cgi-bin/cvsweb/src/lib/libssl/src/apps/Attic/gendh.c?rev=1.25&content-type=text/x-cvsweb-markup
>>
>> http://cvsweb.openbsd.org/cgi-bin/cvsweb/src/lib/libssl/src/apps/Attic/gendh.c.diff?r1=1.24&r2=1.25
>>
>>
>> I don't know if there is a worthwhile benefit to using -rand with
>> openssl on supported FreeBSD versions.  I took $rand out of these lines
>> and now apache works fine:
>> +system("openssl gendh $rand -out dh2048.pem 2048");
>> +system("openssl gendh $rand -out dh3072.pem 3072");
>>
>> On 06/02/2015 11:07, Ryan Steinmetz wrote:
>>> Adam,
>>>
>>> Does this work for you with openssl?  I'm unable to re-create this on my
>>> side, but I'm also not testing with libressl.
>>>
>>> It isn't simply renaming them.  There's a perl script that gets called
>>> at build time that generates everything.  During the build phase, you
>>> should see a pair of messages indicating that it is generating the two
>>> DH param files.  It should take a few minutes.
>>>
>>> The reason for the "rename" is to allow the search/replace magic in the
>>> perl to search/replace.
>>>
>>> Please send me the full build log.
>>>
>>> -r
>>>
>>> On (06/02/15 11:01), Adam McDougall wrote:
>>>> It still didn't work.  Cannot load
>>>> /usr/local/libexec/apache22/mod_ssl.so into server:
>>>> /usr/local/libexec/apache22/mod_ssl.so: Undefined symbol "get_dh2048"
>>>>
>>>> Additionally I'm concerned about the validity of renaming small primes
>>>> and using them as if they were for much larger dh.  When I do google
>>>> searches for dh3072_p and dh2048_p I find larger sets of numbers.
>>>> Renaming the existing primes doesn't feel right and worries me.
>>>>
>>>> On 06/02/2015 07:51, Ryan Steinmetz wrote:
>>>>> Adam,
>>>>>
>>>>> Please test the following patch.  It should be placed in the files
>>>>> directory and should resolve the error you saw.
>>>>>
>>>>> https://people.freebsd.org/~zi/patch-modules_ssl_ssl__engine__dh.c
>>>>>
>>>>> You can then build the build as usual after running a 'make clean'
>>>>>
>>>>> -r
>>>>>
>>>>> On (06/01/15 14:47), Bryan Drewery wrote:
>>>>>> On 5/31/2015 8:29 AM, Adam McDougall wrote:
>>>>>>> Is anyone else getting this issue?  I had to revert the change on my
>>>>>>> systems.
>>>>>>> Thanks.
>>>>>>>
>>>>>>
>>>>>> Yes it looks incomplete. Nothing is providing get_dh2048.
>>>>>>
>>>>>>> work/httpd-2.2.29/modules/ssl/ssl_engine_dh.c:static DH
>>>>>>> *get_dh512(void)
>>>>>>> work/httpd-2.2.29/modules/ssl/ssl_engine_dh.c:static DH
>>>>>>> *get_dh1024(void)
>>>>>>> work/httpd-2.2.29/modules/ssl/ssl_engine_dh.c:        dh =
>>>>>>> get_dh2048();
>>>>>>> work/httpd-2.2.29/modules/ssl/ssl_engine_dh.c:        dh =
>>>>>>> get_dh3072();
>>>>>>> work/httpd-2.2.29/modules/ssl/ssl_engine_dh.c:        dh =
>>>>>>> get_dh3072();
>>>>>>
>>>>>> The module is only providing 512 and 1024 but not 2048 and 3072
>>>>>> symbols.
>>>>>>
>>>>>>
>>>>>> -- 
>>>>>> Regards,
>>>>>> Bryan Drewery
>>>>>>
>>>>>
>>>>>
>>>>>
>>>>
>>>
>>
> 
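An added example, not part of this thread or of the port's perl script: a Python check for the generated dhNNNN.pem files that parses the PEM "DH PARAMETERS" structure (PKCS#3 SEQUENCE of p and g) and verifies that the prime really has the size the filename claims and is a safe prime, which is the concern raised above about relabelling smaller primes. The embedded PEM is a constructed toy file (p=23, g=5) so it runs instantly; the function names are this example's own.

```python
import base64
import re

# Constructed sample: "DH PARAMETERS" PEM holding p=23, g=5 (toy safe prime; a real dh2048.pem has the same layout with a 2048-bit p).
SAMPLE_PEM = """-----BEGIN DH PARAMETERS-----
MAYCARcCAQU=
-----END DH PARAMETERS-----
"""
def _der_read(buf, i, tag):
    """Read one DER element with the given tag at buf[i]; return (content, next index)."""
    if buf[i] != tag:
        raise ValueError("unexpected DER tag 0x%02x" % buf[i])
    length, i = buf[i + 1], i + 2
    if length >= 0x80:  # long form: 0x8N followed by N length bytes
        n = length & 0x7F
        length, i = int.from_bytes(buf[i:i + n], "big"), i + n
    return buf[i:i + length], i + length
def parse_dh_params(pem):
    """Return (p, g) from a PEM-wrapped PKCS#3 DHParameter SEQUENCE { p, g }."""
    m = re.search(r"-----BEGIN DH PARAMETERS-----(.*?)-----END DH PARAMETERS-----", pem, re.S)
    if m is None:
        raise ValueError("no DH PARAMETERS block")
    seq, _ = _der_read(base64.b64decode("".join(m.group(1).split())), 0, 0x30)
    p_bytes, i = _der_read(seq, 0, 0x02)
    g_bytes, _ = _der_read(seq, i, 0x02)
    return int.from_bytes(p_bytes, "big"), int.from_bytes(g_bytes, "big")
def is_probable_prime(n):
    """Miller-Rabin with fixed bases (exact below 3.3e24, probabilistic above)."""
    bases = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)
    if n < 2 or any(n % q == 0 for q in bases):
        return n in bases
    r = ((n - 1) & (1 - n)).bit_length() - 1  # n - 1 == d * 2**r with d odd
    d = (n - 1) >> r
    for a in bases:  # composite if the chain a^d, a^2d, ..., a^(2^(r-1) d) never hits -1
        x = pow(a, d, n)
        if x not in (1, n - 1) and all((x := pow(x, 2, n)) != n - 1 for _ in range(r - 1)):
            return False
    return True
def check_dh_params(pem, expected_bits):
    """Verify p really has the advertised size and is a safe prime; return (bits, verdict)."""
    p, g = parse_dh_params(pem)
    bits = p.bit_length()
    if bits != expected_bits:
        return bits, "prime is %d bits, not %d" % (bits, expected_bits)
    if not (is_probable_prime(p) and is_probable_prime((p - 1) // 2)):
        return bits, "p is not a safe prime"
    if not 1 < g < p - 1:
        return bits, "generator out of range"
    return bits, "ok"
```

Run it against the files the port's build produces with `check_dh_params(open("dh2048.pem").read(), 2048)`; a relabelled 1024-bit group is reported by size before any primality test runs.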