[squid-dev] OpenSSL 1.1 regression

Amos Jeffries squid3 at treenet.co.nz
Thu May 18 10:54:38 UTC 2017


On 18/05/17 04:35, Christos Tsantilas wrote:
> On 16/05/2017 03:04 PM, Amos Jeffries wrote:
>> Building Squid-5 r15136 against the latest libssl 1.1.0e on Ubuntu.
>>
>> src/ssl/support.cc: In function ‘bool
>> Ssl::verifySslCertificate(Security::ContextPointer&, const
>> Ssl::CertificateProperties&)’:
>>
>> src/ssl/support.cc:995:34: error: invalid use of incomplete type ‘struct
>> ssl_ctx_st’
>>      X509 ***pCert = (X509 ***)ctx->cert;
>
>
> I am not getting this compile error when I am trying to use
> OpenSSL-1.1.0, but I am getting a crash when Squid is running and uses
> server-first bumping mode.
> The crash is caused because the SQUID_USE_SSLGETCERTIFICATE_HACK is 
> false and SQUID_SSLGETCERTIFICATE_BUGGY is true.
>

GCC-6 went through another update for me today, and after 
re-bootstrapping the problem is gone. So I'm now thinking this may have 
been a fluke or timing mixup in my library juggling act between v5/v4 
and v3.5 builds.


> I am attaching a patch which fixes this bug for squid-5.
>
>>
>>
>> Should I just update this hack code to use the
>> X509_STORE_CTX_get0_cert() getter ?
>>
>> or is this a sign of a deeper bug with the
>> SQUID_USE_SSLGETCERTIFICATE_HACK autoconf test that needs to be fixed?
>
> In my tests no, there is no need for it to be fixed.
> Are you using an unmodified squid?
>

Latest bzr checkout of Squid. But OpenSSL for me is ... well PITA is an 
understatement when it comes to Squid-3.5. I am beginning to think it
was still set up for 3.5 when I built that v5.

I will see if it happens again and reevaluate the patch then.

Sorry for wasting time. :-(

Amos


