
nginx: QUIC: Fix SSL 3.0 deprecated function

Open qosmio opened this issue 1 year ago • 4 comments

EVP_CIPHER_CTX_cipher() function was deprecated in OpenSSL 3.0. As per OpenSSL's recommendation (https://www.openssl.org/docs/manmaster/man3/EVP_CIPHER_CTX_get0_cipher.html) switch to using EVP_CIPHER_CTX_get0_cipher() instead.

This would remedy the following:

  -L/data/code/openwrt/ipq/staging_dir/target-aarch64_cortex-a53_musl/usr/lib -L/data/code/openwrt/ipq/staging_dir/toolchain-aarch64_cortex-a53_gcc-13.2.0_musl/usr/lib -L/data/code/openwrt/ipq/staging_dir/toolchain-aarch64_cortex-a53_gcc-13.2.0_musl/lib -fuse-ld=mold -Wl,--gc-sections -flto=auto -fuse-linker-plugin -zrelro \
  -shared
  mold: error: undefined symbol: EVP_CIPHER_CTX_cipher
  >>> referenced by <artificial>
  >>>               /data/code/openwrt/ipq/tmp/ccBL6cZK.ltrans24.ltrans.o:(ngx_quic_crypto_common.isra.0)
  >>> referenced by <artificial>
  >>>               /data/code/openwrt/ipq/tmp/ccBL6cZK.ltrans24.ltrans.o:(ngx_quic_crypto_common.isra.0)
  collect2: error: ld returned 1 exit status
  make[4]: *** [objs/Makefile:325: objs/nginx] Error 1

With this change and the recent commit to nginx-util (#23935), we should now be able to build nginx + modules with fully compliant calls to OpenSSL 3.0+, with legacy features disabled.

Run tested: aarch64, Dynalink DL-WRX36, Master Branch

Maintainer: Thomas Heil, Christian Marangi

qosmio avatar Apr 24 '24 22:04 qosmio
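
A source-tree check for the accessor swap described in the post above, as an added example that is not part of the pull request or of nginx. The function names (`list_calls`, `count_calls`, `make_sample_tree`) and the two sample files are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the PR): find call sites of a deprecated OpenSSL accessor.

# list_calls SYMBOL DIR: print "file:line:text" for each call to SYMBOL in the
# .c/.h files under DIR. The regex requires a non-identifier character before
# SYMBOL and "(" after it, so EVP_CIPHER_CTX_get0_cipher() and longer
# identifiers that merely contain SYMBOL are not reported.
list_calls() {
    find "$2" -type f \( -name '*.c' -o -name '*.h' \) \
        -exec grep -n -E "(^|[^A-Za-z0-9_])$1[[:space:]]*\\(" /dev/null {} + || :
}

# count_calls SYMBOL DIR: number of remaining call sites (0 means clean).
count_calls() {
    list_calls "$1" "$2" | wc -l | tr -d ' '
}

# make_sample_tree: build a constructed two-file source tree and print its path.
# File names and contents are made up for this example.
make_sample_tree() {
    d=$(mktemp -d) || return 1
    cat > "$d/unpatched.c" <<'EOF'
/* constructed sample: accessor deprecated in OpenSSL 3.0 */
const EVP_CIPHER *a = EVP_CIPHER_CTX_cipher(ctx);
const EVP_CIPHER *b = EVP_CIPHER_CTX_cipher (other);
EOF
    cat > "$d/patched.c" <<'EOF'
/* constructed sample: replacement accessor, plus a look-alike identifier */
const EVP_CIPHER *a = EVP_CIPHER_CTX_get0_cipher(ctx);
int n = my_EVP_CIPHER_CTX_cipher_len(ctx);
EOF
    printf '%s\n' "$d"
}

# Demo run over the constructed tree.
tree=$(make_sample_tree)
list_calls EVP_CIPHER_CTX_cipher "$tree"
echo "remaining call sites: $(count_calls EVP_CIPHER_CTX_cipher "$tree")"
rm -rf "$tree"
```

A count of 0 over the patched source tree means no direct call to the old accessor is left in the scanned files; calls hidden behind macros are not detected by a text scan.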

@qosmio did we check whether nginx doesn't already have this fix in some dev branch? Also, can we think of proposing this fix to the nginx mailing list?

Ansuel avatar Apr 26 '24 10:04 Ansuel

That's actually a good idea. I haven't submitted patches upstream, mostly due to the NGINX team using Mercurial and patchbomb, neither of which I'm too familiar with.

I'll take a stab at it though.

qosmio avatar Apr 26 '24 14:04 qosmio

@qosmio keep me informed... I also remember sending a patch but I lost track of it.

Ansuel avatar Apr 26 '24 18:04 Ansuel

@qosmio I checked how to send a patch and it's not that hard...

The commands I had to follow:
sudo apt install mercurial
Follow https://wiki.mercurial-scm.org/QuickStart to fill the .hgrc

hg clone http://hg.nginx.org/nginx
cd nginx

make changes

hg commit
(same format of git commit... first line title... white line and then description... no SoB)

Follow https://wiki.mercurial-scm.org/PatchbombExtension for patchbomb (yes it's correct adding the empty entry for patchbomb)

hg email -o

Send the mail to yourself first to make sure everything is OK.

Ansuel avatar Apr 27 '24 14:04 Ansuel

@qosmio can you refresh the patch and also bump the nginx package?

Ansuel avatar May 06 '24 11:05 Ansuel

Sorry I didn't get a chance to reply before. Will clean up and increment the build today.

UPDATE: Done!

qosmio avatar May 06 '24 14:05 qosmio