Page MenuHomeFreeBSD

Fix apache24 to work with KTLS-enabled OpenSSL.
ClosedPublic

Authored by jhb on Feb 26 2021, 12:20 AM.

Details

Summary

Apache uses custom BIO classes to manage socket I/O on connections
using SSL via OpenSSL. These custom BIO classes contain a ctrl
method which should return 0 for unknown requests. However, the
custom BIO classes in Apache were returning non-zero values for
unknown requests. This resulted in OpenSSL believing that BIOs
were using KTLS when they were not.

Note that Apache will not take advantage of KTLS currently since
it does not use OpenSSL's built-in BIO classes for sockets.

Test Plan
  • tried to use apache24 on recent head with openssl s_client as the client. Previously this always failed during TLS negotiation even with KTLS disabled in the kernel. With the patch, simple requests now appear to work for me, but this needs more testing by folks who reported the initial breakage.

Diff Detail

Repository
rP FreeBSD ports repository
Lint
Automatic diff as part of commit; lint not applicable.
Unit
Automatic diff as part of commit; unit tests not applicable.

Event Timeline

jhb requested review of this revision.Feb 26 2021, 12:20 AM

I've had one user confirm this fixes apache24 for them in a real-world use case.

The patch to ssl_engine_io.c is correct from an openssl perspective.
I'm not a ports committer, so technically I shouldn't approve the (trivial) Makefile update.

This revision is now accepted and ready to land.Feb 26 2021, 7:30 PM