On Sun, October 30, 2016 6:07 am, Axel Beckert wrote:
Hi,
Axel Beckert wrote:
this has been reported in Debian at https://bugs.debian.org/828611
[...]
OpenSSL 1.1.0 is about to released. During a rebuild of all packages
using
OpenSSL this package fail to build. A log of that build can be found
at:
https://breakpoint.cc/openssl-1.1-rebuild-2016-05-29/Attempted/xymon_4.3.27-1_amd64-20160529-1558
On https://wiki.openssl.org/index.php/1.1_API_Changes you can see
various of the
reasons why it might fail. There are also updated man pages at
https://www.openssl.org/docs/manmaster/ that should contain useful
information.
While it took quite a while to figure it out, the patch to make it
compile again against OpenSSL 1.1.0 is surprisingly tiny:
--- a/xymonnet/contest.c
+++ b/xymonnet/contest.c
@@ -648,7 +648,7 @@
certcn = X509_NAME_oneline(X509_get_subject_name(peercert), NULL, 0);
certissuer = X509_NAME_oneline(X509_get_issuer_name(peercert), NULL, 0);
- certsigalg = OBJ_nid2ln(OBJ_obj2nid(peercert->sig_alg->algorithm));
+ certsigalg = OBJ_nid2ln(X509_get_signature_nid(peercert));
certstart = strdup(xymon_ASN1_UTCTIME(X509_get_notBefore(peercert)));
certend = strdup(xymon_ASN1_UTCTIME(X509_get_notAfter(peercert)));
{
See also
https://anonscm.debian.org/cgit/collab-maint/xymon.git/tree/debian/patches/81_fix_compilation_with_OpenSSL_1.1+.patch
https://anonscm.debian.org/cgit/collab-maint/xymon.git/plain/debian/patches/81_fix_compilation_with_OpenSSL_1.1+.patch
I've got one (currently non-productive) Xymon server on a Raspberry Pi
running(*) Debian Unstable with that patch and xymonnet properly
reported SSL certificate and https:// URL states so far. So I believe,
that patch is sufficient and working, despite I have not much of an
idea what it actually does. I took the idea for the patch from here:
https://github.com/bukka/php-src/commit/0598a8da2bc005b3a0be2801033b5347020f8316#diff-69bad938d17f4283faa5f7fea17fa627L2174
I would be happy if you could integrate the patch into the (probably
upcoming) 4.3.28 release to allow others to compile Xymon against
OpenSSL 1.1.0+. (And to spread it further to get more testing. :-)
(*) It's currently running with OpenSSL 1.0.2j though, but that proves
that it's at least also backward compatible to 1.0.2. As soon as
Debian Unstable switches to OpenSSL 1.1.0b or later, I'll continue
to test it with that version.
Regards, Axel
Thanks! It seems I missed that back in July.
This looks good. I wrapped it in a version check to hopefully DTRT when
it's not present. This does lead to doing the new call between 1.0.2 and
<1.1.0, but AFAICT the call itself is nothing more than that anyway... I
think.
Committed at https://sourceforge.net/p/xymon/code/7975/
Regards,
-jc