Skip to content

Fix OCSP detection during build (9.2.x) #9754

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
bryancall merged 1 commit into from
Jun 26, 2023
Merged

Fix OCSP detection during build (9.2.x) #9754

bryancall merged 1 commit into from
Jun 26, 2023

Conversation

@midchildan
Copy link
Contributor

@midchildan midchildan commented May 28, 2023

The configure script fails to detect OCSP support when building ATS with OpenSSL 3.0.

This isn't a problem in the master branch, which copied OpenSSL's OCSP code into ATS itself in #9624. However, this remains a problem on existing releases and downstream packages seem to be affected by it. Here's a list of the few I checked:

  • Alpine
  • Debian 12
  • Fedora 37
  • Homebrew
  • Nixpkgs

This happens because OpenSSL 3.0 made changes to its APIs that affected how ATS detects OCSP support. ATS checks the existence of a few functions, including OCSP_REQ_CTX_add1_header and OCSP_REQ_CTX_set1_req, by attempting to link to them using AC_CHECK_FUNCS. In OpenSSL 3.0, these functions were turned into macros making them uneligible for detection with AC_CHECK_FUNCS.

This change fixes that problem by instead using AC_LANG_PROGRAM to check that code using the aforementioned functions compile. This approach works for OpenSSL both before and after 3.0.

@midchildan
Fix OCSP detection during build
41a1c1c 
The configure script fails to detect OCSP support when building ATS with
OpenSSL 3.0.

This isn't a problem in the `master` branch, which copied OpenSSL's OCSP code
into ATS itself in apache#9624. However, this remains a problem on existing releases
and downstream packages seem to be affected by it. Here's a list of the few I
checked:

- Alpine
- Debian 12
- Fedora 37
- Homebrew
- Nixpkgs

This happens because OpenSSL 3.0 made changes to its APIs that affected how ATS
detects OCSP support. ATS checks the existence of a few functions, including
`OCSP_REQ_CTX_add1_header` and `OCSP_REQ_CTX_set1_req`, by attempting to link to
them using `AC_CHECK_FUNCS`. In OpenSSL 3.0, these functions were turned into
macros making them uneligible for detection with `AC_CHECK_FUNCS`.

This change fixes that problem by instead using `AC_LANG_PROGRAM` to check that
code using the aforementioned functions compile. This approach works for OpenSSL
both before and after 3.0.
@midchildan midchildan requested a review from bryancall as a code owner May 28, 2023 16:28
@midchildan midchildan mentioned this pull request May 28, 2023
Closed
@midchildan midchildan changed the title Fix OCSP detection during build Fix OCSP detection during build (9.2.x) May 28, 2023
@bryancall bryancall added the TLS label Jun 2, 2023
@bryancall bryancall modified the milestones: 10.0.0, 9.2.1 Jun 2, 2023
@bryancall bryancall modified the milestones: 9.2.1, 9.2.2 Jun 7, 2023
@bryancall bryancall merged commit e079d20 into apache:9.2.x Jun 26, 2023
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@bneradt bneradt bneradt approved these changes

@bryancall bryancall Awaiting requested review from bryancall bryancall is a code owner

Assignees

@midchildan midchildan

Labels

TLS

Projects

None yet

Milestone

9.2.2

Development

Successfully merging this pull request may close these issues.

3 participants

@midchildan @bneradt @bryancall