[squid-dev] OpenSSL 1.1 regression

Christos Tsantilas christos at chtsanti.net
Wed May 17 16:35:42 UTC 2017


On 16/05/2017 03:04 PM, Amos Jeffries wrote:
> Building Squid-5 r15136 against the latest libssl 1.1.0e on Ubuntu.
>
> src/ssl/support.cc: In function ‘bool
> Ssl::verifySslCertificate(Security::ContextPointer&, const
> Ssl::CertificateProperties&)’:
>
> src/ssl/support.cc:995:34: error: invalid use of incomplete type ‘struct
> ssl_ctx_st’
>      X509 ***pCert = (X509 ***)ctx->cert;


I am not getting this compile error when I am trying to use
OpenSSL-1.1.0, but I am getting a crash when Squid is running and uses
server-first bumping mode.
The crash is caused because the SQUID_USE_SSLGETCERTIFICATE_HACK is 
false and SQUID_SSLGETCERTIFICATE_BUGGY is true.

I am attaching a patch which fixes this bug for squid-5.

>
>
> Should I just update this hack code to use the
> X509_STORE_CTX_get0_cert() getter ?
>
> or is this a sign of a deeper bug with the
> SQUID_USE_SSLGETCERTIFICATE_HACK autoconf test that needs to be fixed?

In my tests no, there is no need for it to be fixed.
Are you using an unmodified squid?

>
>
> Amos
>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: fix-crash-with-openssl-1.1.0-squid-5-t1.patch
Type: text/x-patch
Size: 2120 bytes
Desc: not available
URL: <http://lists.squid-cache.org/pipermail/squid-dev/attachments/20170517/9d6db410/attachment.bin>

