From owner-freebsd-ports@FreeBSD.ORG Tue Jun 2 19:55:24 2015
Return-Path: <owner-freebsd-ports@FreeBSD.ORG>
Delivered-To: ports@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1])
  (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits))
  (No client certificate requested)
  by hub.freebsd.org (Postfix) with ESMTPS id 67384F44;
  Tue, 2 Jun 2015 19:55:24 +0000 (UTC)
  (envelope-from zi@freebsd.org)
Received: from exodus.zi0r.com (exodus.zi0r.com [71.179.14.195])
  (using TLSv1 with cipher DHE-RSA-CAMELLIA256-SHA (256/256 bits))
  (Client CN "exodus.zi0r.com", Issuer "Gandi Standard SSL CA 2" (not verified))
  by mx1.freebsd.org (Postfix) with ESMTPS id 3D5CA1DB8;
  Tue, 2 Jun 2015 19:55:24 +0000 (UTC)
  (envelope-from zi@freebsd.org)
Received: from exodus.zi0r.com (localhost [127.0.0.1])
  by exodus.zi0r.com (Postfix) with ESMTP id AC00DB90E7;
  Tue, 2 Jun 2015 15:55:22 -0400 (EDT)
X-Virus-Scanned: amavisd-new at zi0r.com
Received: from exodus.zi0r.com ([127.0.0.1])
  by exodus.zi0r.com (exodus.zi0r.com [127.0.0.1]) (amavisd-new, port 10026)
  with LMTP id ySPaIYuq3jTH; Tue, 2 Jun 2015 15:55:21 -0400 (EDT)
Received: from exodus.zi0r.com (syn.zi0r.com [71.179.14.194])
  (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits))
  (No client certificate requested)
  by exodus.zi0r.com (Postfix) with ESMTPSA id 9B3B8B90EA;
  Tue, 2 Jun 2015 15:55:21 -0400 (EDT)
Date: Tue, 2 Jun 2015 15:55:20 -0400
From: Ryan Steinmetz
To: Adam McDougall
Cc: Bryan Drewery, ports@freebsd.org
Subject: Re: Fwd: Re: svn commit: r386904 - in head/www/apache22: . files
Message-ID: <20150602195520.GB56844@exodus.zi0r.com>
References: <20150531132958.GB1034@egr.msu.edu>
  <556CB6C8.2070103@FreeBSD.org>
  <20150602115116.GA62387@exodus.zi0r.com>
  <556DC53D.8000208@egr.msu.edu>
  <20150602150702.GB62387@exodus.zi0r.com>
  <556DFDD1.8030404@egr.msu.edu>
  <20150602191941.GA56844@exodus.zi0r.com>
  <556E07E1.2070101@egr.msu.edu>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii; format=flowed
Content-Disposition: inline
In-Reply-To: <556E07E1.2070101@egr.msu.edu>
User-Agent: Mutt/1.5.23 (2014-03-12)
X-BeenThere: freebsd-ports@freebsd.org
X-Mailman-Version: 2.1.20
Precedence: list
List-Id: Porting software to FreeBSD
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
X-List-Received-Date: Tue, 02 Jun 2015 19:55:24 -0000

Changes committed.  Thanks.

-r

On (06/02/15 15:45), Adam McDougall wrote:
>That is exactly what I am using right now, so it works.  Thanks.
>
>On 06/02/2015 15:19, Ryan Steinmetz wrote:
>> Adam,
>>
>> I've updated my patch once more.  Please confirm.
>>
>> https://people.freebsd.org/~zi/patch-modules_ssl_ssl__engine__dh.c
>>
>> This removes the -rand bits and fixes the search/replace stuff.
>>
>> -r
>>
>> On (06/02/15 15:02), Adam McDougall wrote:
>>> Thank you for the tip and the explanation.  I found out what was causing
>>> the difference.  With libressl, the openssl gendh command no longer
>>> accepts -rand because it assumes your random has sufficient quality to
>>> start with:
>>>
>>> http://cvsweb.openbsd.org/cgi-bin/cvsweb/src/lib/libssl/src/apps/Attic/gendh.c?rev=1.18&content-type=text/x-cvsweb-markup
>>>
>>> http://cvsweb.openbsd.org/cgi-bin/cvsweb/src/lib/libssl/src/apps/Attic/gendh.c.diff?r1=1.17&r2=1.18
>>>
>>> http://cvsweb.openbsd.org/cgi-bin/cvsweb/src/lib/libssl/src/apps/Attic/gendh.c?rev=1.25&content-type=text/x-cvsweb-markup
>>>
>>> http://cvsweb.openbsd.org/cgi-bin/cvsweb/src/lib/libssl/src/apps/Attic/gendh.c.diff?r1=1.24&r2=1.25
>>>
>>> I don't know if there is a worthwhile benefit to using -rand with
>>> openssl on supported FreeBSD versions.  I took $rand out of these lines
>>> and now apache works fine:
>>> +system("openssl gendh $rand -out dh2048.pem 2048");
>>> +system("openssl gendh $rand -out dh3072.pem 3072");
>>>
>>> On 06/02/2015 11:07, Ryan Steinmetz wrote:
>>>> Adam,
>>>>
>>>> Does this work for you with openssl?  I'm unable to re-create this on my
>>>> side, but I'm also not testing with libressl.
>>>>
>>>> It isn't simply renaming them.  There's a perl script that gets called
>>>> at build time that generates everything.  During the build phase, you
>>>> should see a pair of messages indicating that it is generating the two
>>>> DH param files.  It should take a few minutes.
>>>>
>>>> The reason for the "rename" is to allow the search/replace magic in the
>>>> perl to search/replace.
>>>>
>>>> Please send me the full build log.
>>>>
>>>> -r
>>>>
>>>> On (06/02/15 11:01), Adam McDougall wrote:
>>>>> It still didn't work.  Cannot load
>>>>> /usr/local/libexec/apache22/mod_ssl.so into server:
>>>>> /usr/local/libexec/apache22/mod_ssl.so: Undefined symbol "get_dh2048"
>>>>>
>>>>> Additionally I'm concerned about the validity of renaming small primes
>>>>> and using them as if they were for much larger dh.  When I do google
>>>>> searches for dh3072_p and dh2048_p I find larger sets of numbers.
>>>>> Renaming the existing primes doesn't feel right and worries me.
>>>>>
>>>>> On 06/02/2015 07:51, Ryan Steinmetz wrote:
>>>>>> Adam,
>>>>>>
>>>>>> Please test the following patch.  It should be placed in the files
>>>>>> directory and should resolve the error you saw.
>>>>>>
>>>>>> https://people.freebsd.org/~zi/patch-modules_ssl_ssl__engine__dh.c
>>>>>>
>>>>>> You can then build the build as usual after running a 'make clean'
>>>>>>
>>>>>> -r
>>>>>>
>>>>>> On (06/01/15 14:47), Bryan Drewery wrote:
>>>>>>> On 5/31/2015 8:29 AM, Adam McDougall wrote:
>>>>>>>> Is anyone else getting this issue?  I had to revert the change on my
>>>>>>>> systems.
>>>>>>>> Thanks.
>>>>>>>>
>>>>>>>
>>>>>>> Yes it looks incomplete.  Nothing is providing get_dh2048.
>>>>>>>
>>>>>>>> work/httpd-2.2.29/modules/ssl/ssl_engine_dh.c:static DH *get_dh512(void)
>>>>>>>> work/httpd-2.2.29/modules/ssl/ssl_engine_dh.c:static DH *get_dh1024(void)
>>>>>>>> work/httpd-2.2.29/modules/ssl/ssl_engine_dh.c:    dh = get_dh2048();
>>>>>>>> work/httpd-2.2.29/modules/ssl/ssl_engine_dh.c:    dh = get_dh3072();
>>>>>>>> work/httpd-2.2.29/modules/ssl/ssl_engine_dh.c:    dh = get_dh3072();
>>>>>>>
>>>>>>> The module is only providing 512 and 1024 but not 2048 and 3072
>>>>>>> symbols.
>>>>>>>
>>>>>>> --
>>>>>>> Regards,
>>>>>>> Bryan Drewery
>>>>>>>

-- 
Ryan Steinmetz
PGP: 9079 51A3 34EF 0CD4 F228 EDC6 1EF8 BA6B D028 46D7
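A check for the concern raised in the thread (a dhNNNN.pem whose name claims a size its prime does not actually have), added here as an editorial example; it is not code from the thread, from the apache22 port or from its build-time perl script. It parses a PEM `DH PARAMETERS` block (PKCS#3 `DHParameter`, a DER SEQUENCE of the prime p and generator g) using only the Python standard library and compares the bit length of p with the size encoded in the file name, so that a 1024-bit group relabelled as dh2048.pem is caught before it is compiled into mod_ssl. The `dh2048.pem` / `dh3072.pem` names follow the files the port generates as quoted above. `FAKE_P1024` and `FAKE_P2048` are constructed odd numbers of the right bit length, not real safe primes, and `make_dh_pem` exists only to build those constructed inputs; on a real build you would read the files the build script wrote.

```python
"""Verify that a PEM DH parameter file carries a prime of the size its
name advertises (dh2048.pem -> 2048-bit p).  Standard library only."""
import base64
import re

PEM_RE = re.compile(
    r"-----BEGIN DH PARAMETERS-----(.*?)-----END DH PARAMETERS-----", re.S)


def _read_tlv(buf, i):
    """Read one DER tag/length/value at offset i -> (tag, value, next_offset)."""
    tag = buf[i]
    length = buf[i + 1]
    i += 2
    if length & 0x80:                      # long form: next n bytes hold the length
        n = length & 0x7F
        length = int.from_bytes(buf[i:i + n], "big")
        i += n
    return tag, buf[i:i + length], i + length


def parse_dh_params(pem):
    """PKCS#3 DHParameter ::= SEQUENCE { prime INTEGER, base INTEGER, ... } -> (p, g)."""
    m = PEM_RE.search(pem)
    if not m:
        raise ValueError("no DH PARAMETERS block found")
    der = base64.b64decode("".join(m.group(1).split()))
    tag, body, end = _read_tlv(der, 0)
    if tag != 0x30 or end != len(der):
        raise ValueError("expected exactly one DER SEQUENCE")
    tag_p, p_bytes, i = _read_tlv(body, 0)
    tag_g, g_bytes, i = _read_tlv(body, i)
    if tag_p != 0x02 or tag_g != 0x02:
        raise ValueError("expected two INTEGERs (p, g)")
    # An optional trailing privateValueLength INTEGER is ignored on purpose.
    return int.from_bytes(p_bytes, "big"), int.from_bytes(g_bytes, "big")


def dh_prime_bits(pem):
    """Bit length of the modulus p, which is what 'a 2048-bit group' means."""
    p, _ = parse_dh_params(pem)
    return p.bit_length()


def claimed_bits(filename):
    """dh2048.pem -> 2048, mirroring the port's generated file names (assumed)."""
    m = re.fullmatch(r"dh(\d+)\.pem", filename)
    if not m:
        raise ValueError("filename does not encode a group size")
    return int(m.group(1))


def size_matches_name(filename, pem):
    """True only if the prime really has the bit length the name advertises."""
    return dh_prime_bits(pem) == claimed_bits(filename)


# --- encoder, used only to construct sample inputs for this example -----------

def _der_len(n):
    if n < 0x80:
        return bytes([n])
    nb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(nb)]) + nb


def _der_int(n):
    b = n.to_bytes((n.bit_length() + 7) // 8 or 1, "big")
    if b[0] & 0x80:                        # keep the INTEGER positive
        b = b"\x00" + b
    return b"\x02" + _der_len(len(b)) + b


def make_dh_pem(p, g=2):
    """Build a PEM DH PARAMETERS block from (p, g); constructed test input only."""
    body = _der_int(p) + _der_int(g)
    der = b"\x30" + _der_len(len(body)) + body
    b64 = base64.b64encode(der).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return ("-----BEGIN DH PARAMETERS-----\n" + "\n".join(lines)
            + "\n-----END DH PARAMETERS-----\n")


# Constructed values: odd numbers of exactly 1024 / 2048 bits, NOT real safe primes.
FAKE_P1024 = (1 << 1023) | 0xF00D
FAKE_P2048 = (1 << 2047) | 0xBEEF

if __name__ == "__main__":
    honest = make_dh_pem(FAKE_P2048)
    relabelled = make_dh_pem(FAKE_P1024)   # a 1024-bit group renamed to dh2048.pem
    print("dh2048.pem honest:    ", size_matches_name("dh2048.pem", honest))
    print("dh2048.pem relabelled:", size_matches_name("dh2048.pem", relabelled))
```

The check is deliberately limited to what a file name can promise, the size of p; it says nothing about p being a safe prime or g being a valid generator, which is a separate (and much slower) validation.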