Debian Bug report logs - #462596
openssl: Please include support for tls extensions / server name indication


Package: openssl; Maintainer for openssl is Debian OpenSSL Team <pkg-openssl-devel@lists.alioth.debian.org>; Source for openssl is src:openssl (PTS, buildd, popcon).

Reported by: Stefan Fritsch <sf@sfritsch.de>

Date: Fri, 25 Jan 2008 23:30:01 UTC

Severity: wishlist

Found in version openssl/0.9.8g-4

Fixed in version openssl/0.9.8g-5

Done: Kurt Roeckx <kurt@roeckx.be>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, Debian OpenSSL Team <pkg-openssl-devel@lists.alioth.debian.org>:
Bug#462596; Package openssl. (full text, mbox, link).


Acknowledgement sent to Stefan Fritsch <sf@sfritsch.de>:
New Bug report received and forwarded. Copy sent to Debian OpenSSL Team <pkg-openssl-devel@lists.alioth.debian.org>. (full text, mbox, link).


Message #5 received at submit@bugs.debian.org (full text, mbox, reply):

From: Stefan Fritsch <sf@sfritsch.de>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: openssl: Please include support for tls extensions / server name indication
Date: Sat, 26 Jan 2008 00:25:02 +0100
Package: openssl
Version: 0.9.8g-4
Severity: wishlist


Apache will probably start to support server name indication (SNI) in one of the
next 2.2.x releases. To use it, TLS extension support needs to be compiled into
openssl. This has been added to openssl 0.9.8f but is not activated by default.

Please activate TLS extension support in the Debian package.




Blocking bugs of 461917 added: 462596 Request was from Stefan Fritsch <sf@debian.org> to control@bugs.debian.org. (Fri, 25 Jan 2008 23:36:02 GMT) (full text, mbox, link).


Information forwarded to debian-bugs-dist@lists.debian.org, Debian OpenSSL Team <pkg-openssl-devel@lists.alioth.debian.org>:
Bug#462596; Package openssl. (full text, mbox, link).


Acknowledgement sent to Kurt Roeckx <kurt@roeckx.be>:
Extra info received and forwarded to list. Copy sent to Debian OpenSSL Team <pkg-openssl-devel@lists.alioth.debian.org>. (full text, mbox, link).


Message #12 received at 462596@bugs.debian.org (full text, mbox, reply):

From: Kurt Roeckx <kurt@roeckx.be>
To: Stefan Fritsch <sf@sfritsch.de>, 462596@bugs.debian.org, "Package Development List for OpenSSL packages." <pkg-openssl-devel@lists.alioth.debian.org>
Subject: Re: [Pkg-openssl-devel] Bug#462596: openssl: Please include support for tls extensions / server name indication
Date: Sat, 26 Jan 2008 13:15:14 +0100
On Sat, Jan 26, 2008 at 12:25:02AM +0100, Stefan Fritsch wrote:
> Package: openssl
> Version: 0.9.8g-4
> Severity: wishlist
> 
> 
> Apache will probably start to support server name indication (SNI) in one of the
> next 2.2.x releases. To use it, TLS extension support needs to be compiled into
> openssl. This has been added to openssl 0.9.8f but is not activated by default.
> 
> Please activate TLS extension support in the Debian package.

The problem with that option (and others) is that it changes struct
layouts, which means ABI changes.  I'm afraid I can't do such a change
without changing the soname.  It seems that only the ends of the structs
are changed so we might get away with it for some cases, but someone will
need to take a good look before doing that.


Kurt





Information forwarded to debian-bugs-dist@lists.debian.org, Debian OpenSSL Team <pkg-openssl-devel@lists.alioth.debian.org>:
Bug#462596; Package openssl. (full text, mbox, link).


Acknowledgement sent to Stefan Fritsch <sf@sfritsch.de>:
Extra info received and forwarded to list. Copy sent to Debian OpenSSL Team <pkg-openssl-devel@lists.alioth.debian.org>. (full text, mbox, link).


Message #17 received at 462596@bugs.debian.org (full text, mbox, reply):

From: Stefan Fritsch <sf@sfritsch.de>
To: Kurt Roeckx <kurt@roeckx.be>
Cc: 462596@bugs.debian.org
Subject: Bug#462596: openssl: Please include support for tls extensions / server name indication
Date: Sat, 26 Jan 2008 15:15:18 +0100
Hi Kurt,

On Saturday 26 January 2008, Kurt Roeckx wrote:
> The problem with that option (and others) is that it changes struct
> layouts, which means ABI changes.  I'm afraid I can't do such a
> change without changing the soname.  It seems that only the ends of
> the structs are changed so we might get away with it for some cases,
> but someone will need to take a good look before doing that.

IMNSHO we want this for lenny, even if it needs a soname change.

Cheers,
Stefan




Information forwarded to debian-bugs-dist@lists.debian.org, Debian OpenSSL Team <pkg-openssl-devel@lists.alioth.debian.org>:
Bug#462596; Package openssl. (full text, mbox, link).


Acknowledgement sent to Kurt Roeckx <kurt@roeckx.be>:
Extra info received and forwarded to list. Copy sent to Debian OpenSSL Team <pkg-openssl-devel@lists.alioth.debian.org>. (full text, mbox, link).


Message #22 received at 462596@bugs.debian.org (full text, mbox, reply):

From: Kurt Roeckx <kurt@roeckx.be>
To: Stefan Fritsch <sf@sfritsch.de>
Cc: 462596@bugs.debian.org, debian-release@lists.debian.org
Subject: Re: Bug#462596: openssl: Please include support for tls extensions / server name indication
Date: Sun, 27 Jan 2008 15:03:14 +0100
On Sat, Jan 26, 2008 at 03:15:18PM +0100, Stefan Fritsch wrote:
> Hi Kurt,
> 
> On Saturday 26 January 2008, Kurt Roeckx wrote:
> > The problem with that option (and others) is that it changes struct
> > layouts, which means ABI changes.  I'm afraid I can't do such a
> > change without changing the soname.  It seems that only the ends of
> > the structs are changed so we might get away with it for some cases,
> > but someone will need to take a good look before doing that.
> 
> IMNSHO we want this for lenny, even if it needs a soname change.

If we're going to do that, I think we need to clear this with the release
team in any case.

I'm not really in favour of doing any change that requires us to rebuild
everything against a new openssl version.  The last migration started
with the upload of 0.9.8-1 which was uploaded on 2005-09-29, the latest
package depending on 0.9.7 was removed from testing on 2008-01-05.
I think the release team would like to see at least 2 source packages
again for such a migration.

Anyway, looking at the structs that changed, we have those structs:
SSL_SESSION / struct ssl_session_st
SSL_CTX / struct ssl_ctx_st
SSL / struct ssl_st / ssl_crock_st

They all add new members at the end of the struct.

They all have functions to allocate/free them:
SSL_SESSION_new / SSL_SESSION_free
SSL_CTX_new / SSL_CTX_free
SSL_new / SSL_free

Those structs are always passed as pointers.

I think that it should be safe to turn on this feature without breaking
something.


Kurt





Information forwarded to debian-bugs-dist@lists.debian.org, Debian OpenSSL Team <pkg-openssl-devel@lists.alioth.debian.org>:
Bug#462596; Package openssl. (full text, mbox, link).


Acknowledgement sent to Stefan Fritsch <sf@sfritsch.de>:
Extra info received and forwarded to list. Copy sent to Debian OpenSSL Team <pkg-openssl-devel@lists.alioth.debian.org>. (full text, mbox, link).


Message #27 received at 462596@bugs.debian.org (full text, mbox, reply):

From: Stefan Fritsch <sf@sfritsch.de>
To: 462596@bugs.debian.org
Subject: Re: [Pkg-openssl-devel] Bug#462596: openssl: Please include support for tls extensions / server name indication
Date: Tue, 29 Jan 2008 19:47:38 +0100
On Sunday 27 January 2008, Kurt Roeckx wrote:
> They all add new members at the end of the struct.
>
> They all have functions to allocate/free them:
> SSL_SESSION_new / SSL_SESSION_free
> SSL_CTX_new / SSL_CTX_free
> SSL_new / SSL_free
>
> Those structs are always passed as pointers.
>
> I think that it should be safe to turn on this feature without
> breaking something.

Yes, this looks sane.

A quick test showed that at least apache2, konqueror, and the openssl 
command line client seem to work fine with a libssl-0.9.8 with tlsext 
enabled.

Cheers,
Stefan




Information forwarded to debian-bugs-dist@lists.debian.org, Debian OpenSSL Team <pkg-openssl-devel@lists.alioth.debian.org>:
Bug#462596; Package openssl. (full text, mbox, link).


Acknowledgement sent to Steve Langasek <vorlon@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian OpenSSL Team <pkg-openssl-devel@lists.alioth.debian.org>. (full text, mbox, link).


Message #32 received at 462596@bugs.debian.org (full text, mbox, reply):

From: Steve Langasek <vorlon@debian.org>
To: Kurt Roeckx <kurt@roeckx.be>
Cc: Stefan Fritsch <sf@sfritsch.de>, 462596@bugs.debian.org, debian-release@lists.debian.org
Subject: Re: Bug#462596: openssl: Please include support for tls extensions / server name indication
Date: Tue, 29 Jan 2008 13:35:38 -0800
On Sun, Jan 27, 2008 at 03:03:14PM +0100, Kurt Roeckx wrote:
> On Sat, Jan 26, 2008 at 03:15:18PM +0100, Stefan Fritsch wrote:
> > Hi Kurt,

> > On Saturday 26 January 2008, Kurt Roeckx wrote:
> > > The problem with that option (and others) is that it changes struct
> > > layouts, which means ABI changes.  I'm afraid I can't do such a
> > > change without changing the soname.  It seems that only the ends of
> > > the structs are changed so we might get away with it for some cases,
> > > but someone will need to take a good look before doing that.

> > IMNSHO we want this for lenny, even if it needs a soname change.

> If we're going to do that, I think we need to clear this with the release
> team in any case.

> I'm not really in favour of doing any change that requires us to rebuild
> everything against a new openssl version.  The last migration started
> with the upload of 0.9.8-1 which was uploaded on 2005-09-29, the latest
> package depending on 0.9.7 was removed from testing on 2008-01-05.
> I think the release team would like to see at least 2 source packages
> again for such a migration.

Yes, for a library as core as openssl, a forklift soname change would be
very, very painful.

> Anyway, looking at the structs that changed, we have those structs:
> SSL_SESSION / struct ssl_session_st
> SSL_CTX / struct ssl_ctx_st
> SSL / struct ssl_st / ssl_crock_st

> They all add new members at the end of the struct.

> They all have functions to allocate/free them:
> SSL_SESSION_new / SSL_SESSION_free
> SSL_CTX_new / SSL_CTX_free
> SSL_new / SSL_free

> Those structs are always passed as pointers.

Well, that /should/ be sufficient to preserve ABI compatibility, but
unfortunately these aren't opaque pointers -- the struct internals are
exported in the openssl headers, so it's possible for an application to make
assumptions about the size of the structures (sizeof, etc) which will fail
if this option is enabled.

Yet another example of how making ABIs a compile-time option is a bad idea.
:/

> I think that it should be safe to turn on this feature without breaking
> something.

It should at least be possible to turn it on on a provisional basis, as the
most realistic way of finding out if anything *does* depend on the size of
these structs.  (Auditing the code of all reverse-deps is not very practical
in this case.)

-- 
Steve Langasek                   Give me a lever long enough and a Free OS
Debian Developer                   to set it on, and I can move the world.
Ubuntu Developer                                    http://www.debian.org/
slangasek@ubuntu.com                                     vorlon@debian.org
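The ABI point argued in the two messages above, Kurt's (new members appended at the end leave existing offsets alone) and Steve's (the structs are not opaque, so sizeof is visible to callers), as an added C example; this is not code from this bug log or from OpenSSL, and the struct layouts, member names and the session_* functions are constructed stand-ins for the shape of the change.

```c
#include <stddef.h>
#include <stdlib.h>
#include <string.h>
/* Constructed, hypothetical stand-ins for an openssl-style session struct: the
 * layout seen in headers without tlsext, and the same struct with a member
 * appended at the end when tlsext is enabled. */
struct old_session_st { int version; unsigned char id[32]; int timeout; };
struct new_session_st {
    int version;
    unsigned char id[32];
    int timeout;
    char tlsext_hostname[64];   /* appended by the tlsext option */
};

/* Library side, built against the new layout. Writes the appended member:
 * on an object allocated with the old sizeof this lands past the end of
 * the caller's allocation. */
int session_set_hostname(struct new_session_st *s, const char *host)
{
    size_t n = strlen(host);
    if (n >= sizeof s->tlsext_hostname)
        return 0;               /* does not fit the appended field */
    memcpy(s->tlsext_hostname, host, n + 1);
    return 1;
}
void session_free(struct new_session_st *s) { free(s); }

/* Kurt's argument: appending at the end leaves the offsets of existing
 * members intact, so callers that only hold pointers and go through the
 * library's _new/_free keep working. */
int existing_offsets_unchanged(void)
{
    return offsetof(struct old_session_st, version) ==
               offsetof(struct new_session_st, version) &&
           offsetof(struct old_session_st, id) ==
               offsetof(struct new_session_st, id) &&
           offsetof(struct old_session_st, timeout) ==
               offsetof(struct new_session_st, timeout);
}

/* Steve's caveat: the struct is not opaque, so sizeof differs between the
 * two header versions and a caller that embeds the struct by value or
 * allocates it with its own sizeof hands the library a short object. */
size_t old_sizeof(void) { return sizeof(struct old_session_st); }
size_t new_sizeof(void) { return sizeof(struct new_session_st); }

/* Hardened allocator: reject a caller whose compiled-in size does not
 * match the library's, rather than silently writing past the object. */
struct new_session_st *session_new_checked(size_t caller_sizeof)
{
    if (caller_sizeof != sizeof(struct new_session_st))
        return NULL;
    return calloc(1, sizeof(struct new_session_st));
}

/* Round trip as made by a caller built against the new headers. */
int checked_roundtrip(const char *host)
{
    struct new_session_st *s = session_new_checked(new_sizeof());
    int ok = s != NULL && session_set_hostname(s, host) == 1 &&
             strcmp(s->tlsext_hostname, host) == 0;
    session_free(s);
    return ok;
}
```

The size check stands in for what Steve calls the only realistic test: a caller compiled against the old headers is turned away at allocation time instead of being found later by a corrupted object.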




Information forwarded to debian-bugs-dist@lists.debian.org, Debian OpenSSL Team <pkg-openssl-devel@lists.alioth.debian.org>:
Bug#462596; Package openssl. (full text, mbox, link).


Acknowledgement sent to Kurt Roeckx <kurt@roeckx.be>:
Extra info received and forwarded to list. Copy sent to Debian OpenSSL Team <pkg-openssl-devel@lists.alioth.debian.org>. (full text, mbox, link).


Message #37 received at 462596@bugs.debian.org (full text, mbox, reply):

From: Kurt Roeckx <kurt@roeckx.be>
To: Stefan Fritsch <sf@sfritsch.de>, 462596@bugs.debian.org, "Package Development List for OpenSSL packages." <pkg-openssl-devel@lists.alioth.debian.org>
Subject: Re: [Pkg-openssl-devel] Bug#462596: Bug#462596: openssl: Please include support for tls extensions / server name indication
Date: Tue, 29 Jan 2008 23:22:05 +0100
On Tue, Jan 29, 2008 at 07:47:38PM +0100, Stefan Fritsch wrote:
> On Sunday 27 January 2008, Kurt Roeckx wrote:
> > They all add new members at the end of the struct.
> >
> > They all have functions to allocate/free them:
> > SSL_SESSION_new / SSL_SESSION_free
> > SSL_CTX_new / SSL_CTX_free
> > SSL_new / SSL_free
> >
> > Those structs are always passed as pointers.
> >
> > I think that it should be safe to turn on this feature without
> > breaking something.
> 
> Yes, this looks sane.
> 
> A quick test showed that at least apache2, konqueror, and the openssl 
> command line client seem to work fine with a libssl-0.9.8 with tlsext 
> enabled.

I'm planning on uploading to experimental soon.


Kurt





Reply sent to Kurt Roeckx <kurt@roeckx.be>:
You have taken responsibility. (full text, mbox, link).


Notification sent to Stefan Fritsch <sf@sfritsch.de>:
Bug acknowledged by developer. (full text, mbox, link).


Message #42 received at 462596-close@bugs.debian.org (full text, mbox, reply):

From: Kurt Roeckx <kurt@roeckx.be>
To: 462596-close@bugs.debian.org
Subject: Bug#462596: fixed in openssl 0.9.8g-5
Date: Sat, 09 Feb 2008 13:32:05 +0000
Source: openssl
Source-Version: 0.9.8g-5

We believe that the bug you reported is fixed in the latest version of
openssl, which is due to be installed in the Debian FTP archive:

libcrypto0.9.8-udeb_0.9.8g-5_amd64.udeb
  to pool/main/o/openssl/libcrypto0.9.8-udeb_0.9.8g-5_amd64.udeb
libssl-dev_0.9.8g-5_amd64.deb
  to pool/main/o/openssl/libssl-dev_0.9.8g-5_amd64.deb
libssl0.9.8-dbg_0.9.8g-5_amd64.deb
  to pool/main/o/openssl/libssl0.9.8-dbg_0.9.8g-5_amd64.deb
libssl0.9.8_0.9.8g-5_amd64.deb
  to pool/main/o/openssl/libssl0.9.8_0.9.8g-5_amd64.deb
openssl_0.9.8g-5.diff.gz
  to pool/main/o/openssl/openssl_0.9.8g-5.diff.gz
openssl_0.9.8g-5.dsc
  to pool/main/o/openssl/openssl_0.9.8g-5.dsc
openssl_0.9.8g-5_amd64.deb
  to pool/main/o/openssl/openssl_0.9.8g-5_amd64.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 462596@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Kurt Roeckx <kurt@roeckx.be> (supplier of updated openssl package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)



Format: 1.7
Date: Sat, 09 Feb 2008 13:32:49 +0100
Source: openssl
Binary: openssl libssl0.9.8 libcrypto0.9.8-udeb libssl-dev libssl0.9.8-dbg
Architecture: source amd64
Version: 0.9.8g-5
Distribution: experimental
Urgency: low
Maintainer: Debian OpenSSL Team <pkg-openssl-devel@lists.alioth.debian.org>
Changed-By: Kurt Roeckx <kurt@roeckx.be>
Description: 
 libcrypto0.9.8-udeb - crypto shared library - udeb (udeb)
 libssl-dev - SSL development libraries, header files and documentation
 libssl0.9.8 - SSL shared libraries
 libssl0.9.8-dbg - Symbol tables for libssl and libcrypto
 openssl    - Secure Socket Layer (SSL) binary and related cryptographic tools
Closes: 462596
Changes: 
 openssl (0.9.8g-5) experimental; urgency=low
 .
   * Enable tlsext.  This changes the ABI, but should hopefully
     not cause any problems. (Closes: #462596)
Files: 
Package-Type: udeb






Information forwarded to debian-bugs-dist@lists.debian.org, Debian OpenSSL Team <pkg-openssl-devel@lists.alioth.debian.org>:
Bug#462596; Package openssl. (full text, mbox, link).


Acknowledgement sent to Kurt Roeckx <kurt@roeckx.be>:
Extra info received and forwarded to list. Copy sent to Debian OpenSSL Team <pkg-openssl-devel@lists.alioth.debian.org>. (full text, mbox, link).


Message #47 received at 462596@bugs.debian.org (full text, mbox, reply):

From: Kurt Roeckx <kurt@roeckx.be>
To: 462596@bugs.debian.org
Cc: Stefan Fritsch <sf@sfritsch.de>
Subject: Re: openssl: Please include support for tls extensions / server name indication
Date: Sat, 9 Feb 2008 14:58:38 +0100
>    * Enable tlsext.  This changes the ABI, but should hopefully
>      not cause any problems. (Closes: #462596)

I should probably have bumped shlibs.  If you'll upload something
to experimental linked against this version it will not depend
on the version which has support for it.


Kurt





Information forwarded to debian-bugs-dist@lists.debian.org, Debian OpenSSL Team <pkg-openssl-devel@lists.alioth.debian.org>:
Bug#462596; Package openssl. (full text, mbox, link).


Acknowledgement sent to Kurt Roeckx <kurt@roeckx.be>:
Extra info received and forwarded to list. Copy sent to Debian OpenSSL Team <pkg-openssl-devel@lists.alioth.debian.org>. (full text, mbox, link).


Message #52 received at 462596@bugs.debian.org (full text, mbox, reply):

From: Kurt Roeckx <kurt@roeckx.be>
To: debian-devel@lists.debian.org
Cc: 462596@bugs.debian.org
Subject: Openssl in experimental: please test.
Date: Tue, 12 Feb 2008 20:54:26 +0100
Hi,

I've uploaded openssl 0.9.8g-6 to experimental.  It adds support for TLS
extensions.  This changes some structs in the public header files
causing ABI changes.  I believe those are harmless and shouldn't cause
any problems.  But I'd like some people to test it before I upload this
to unstable.

Please see bug #462596 for more info.


Kurt





Information forwarded to debian-bugs-dist@lists.debian.org, Debian OpenSSL Team <pkg-openssl-devel@lists.alioth.debian.org>:
Bug#462596; Package openssl. (full text, mbox, link).


Acknowledgement sent to Steve Langasek <vorlon@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian OpenSSL Team <pkg-openssl-devel@lists.alioth.debian.org>. (full text, mbox, link).


Message #57 received at 462596@bugs.debian.org (full text, mbox, reply):

From: Steve Langasek <vorlon@debian.org>
To: Kurt Roeckx <kurt@roeckx.be>
Cc: debian-devel@lists.debian.org, 462596@bugs.debian.org
Subject: Re: Openssl in experimental: please test.
Date: Tue, 12 Feb 2008 12:19:04 -0800
On Tue, Feb 12, 2008 at 08:54:26PM +0100, Kurt Roeckx wrote:

> I've uploaded openssl 0.9.8g-6 to experimental.  It adds support for TLS
> extensions.  This changes some structs in the public header files
> causing ABI changes.  I believe those are harmless and shouldn't cause
> any problems.  But I'd like some people to test it before I upload this
> to unstable.

> Please see bug #462596 for more info.

FWIW, I expect that this is a waste of time.  Packages in experimental don't
get any significant amount of testing, and if any packages are affected by
the ABI change, it's going to be lesser-used packages which are doing
relatively naughty things with OpenSSL structs.

So I highly recommend uploading this to unstable ASAP, since the only thing
that's likely to get you sensible feedback is a reasonable length of time
spent in unstable.

-- 
Steve Langasek                   Give me a lever long enough and a Free OS
Debian Developer                   to set it on, and I can move the world.
Ubuntu Developer                                    http://www.debian.org/
slangasek@ubuntu.com                                     vorlon@debian.org




Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Thu, 17 Apr 2008 07:40:56 GMT) (full text, mbox, link).




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Thu Jan 11 10:12:14 2018; Machine Name: buxtehude
