cpp-httplib (ccache dependency) requires SSL_get1_peer_certificate #1092
Comments
https://github.com/yhirose/cpp-httplib/blob/v0.16.0/httplib.h#L9032
Is it possible that LibreSSL can add `SSL_get1_peer_certificate` in the future? Or is there a better way to avoid this?
It would be easy to add (but it's too late for the 4.0.0 release). We generally avoid adding OpenSSL 3 API. SSL_get1_peer_certificate is the OpenSSL 3 name for SSL_get_peer_certificate. Does this build if you pass
…-DSSL_get1_peer_certificate=SSL_get_peer_certificate
in CXXFLAGS? Or is there more missing?
> It seems in OpenBSD the `ccache` package uses the vendored copy of `cpp-httplib` which doesn't have this problem (Yet?).

The OpenBSD port does use the bundled cpp-httplib version which appears to have these problems, but it seems it doesn't hit this issue because CPPHTTPLIB_OPENSSL_SUPPORT isn't set for whatever reason.
As you can see in WANTLIB it doesn't link against `crypto` or `ssl`:
https://github.com/openbsd/ports/blob/d80b8b5d70f0efcdc592035d0990787ccc04386c/devel/ccache/Makefile#L13
Since this is a header only library, CXX flags won't work. I would probably work around this by adding something like

```c
#if defined(LIBRESSL_VERSION_NUMBER)
#define SSL_get1_peer_certificate SSL_get_peer_certificate
#endif
```

and see if that's enough.
For building cpp-httplib itself it is enough to add
This patch is enough to build httplib-cpp, but if possible it would be nice to have this working more out of the box in the future.
```
subject=/C=US/ST=Test State or Province/L=Test Locality/O=Organization Name/OU=Organizational Unit Name/CN=Common ***@***.***
openssl req -x509 -config test.conf -key key.pem -sha256 -days 3650 -nodes -out cert2.pem -extensions SAN
unable to load X509 request
```
Not sure where that message comes from, but it smells like an incompatibility in the horrible openssl command line utility.
I should have checked more recent versions than the version marked as stable by Gentoo, with
Note that with more recent versions they are using the previous solution for BoringSSL already. https://github.com/yhirose/cpp-httplib/blob/80fb03628bb57ca9d3ab855a7feec2876249bb61/httplib.h#L280
I suppose for
On Fri, Sep 06, 2024 at 09:30:16AM -0700, orbea wrote:
> This patch is enough to build httplib-cpp, but if possible it would be nice to have this working more out of the box in the future.

It's not the first time this specific API comes up. As mentioned, it's trivial to add. In this case we might even consider it if it doesn't have ill effects in our ports tree. As also mentioned, it's not possible to do this before 4.1.

It seems a weirdly aggressive decision by the upstream dev to make using alternatives to OpenSSL 3 harder than necessary. There are still plenty of LTS distros that provide 1.1.1 libraries (and these will remain supported for many years to come). The version check will also bite BoringSSL who announce themselves as OpenSSL 1.1.1.
What apart from ccache uses this and needs the OpenSSL support?
BoringSSL also doesn't currently have OPENSSL_thread_stop.
I could not find how they avoid the version check for BoringSSL even if they have checks for it in httplib.h where they also disable
Also I am not sure there is anything in Gentoo that needs ssl support in cpp-httplib even though it's enabled by default. It's a dependency for openrgb, ccache and indilib as well as an optional dependency for lldb and llvm. However if any of them require ssl support it's undocumented by the ebuilds.
This patch works for
ok, thanks for the report and the info. The patch for 0.16.3 looks good.
I assume that OpenSSL support is enabled simply because it's the upstream's default.
With the cpp-httplib git repo (yhirose/cpp-httplib@80fb036) the tests do not fail, they just hang on an
This is
This diff makes the hanging openssl command work:
--- apps/openssl/req.c.orig Fri Sep 6 13:24:38 2024
+++ apps/openssl/req.c Fri Sep 6 15:42:00 2024
@@ -586,6 +586,9 @@ req_main(int argc, char **argv)
req_conf = NULL;
cipher = EVP_aes_256_cbc();
+ if (cfg.infile == NULL && cfg.x509)
+ cfg.newreq = 1;
+
if (!app_passwd(bio_err, cfg.passargin, cfg.passargout, &passin, &passout)) {
BIO_printf(bio_err, "Error getting passwords\n");
goto end; |
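Review bot: the implied `-new` when `-x509` is given without `-in` is a user-visible change to req's command-line semantics and should be recorded in the req manual page and the release notes; the failing invocation earlier in this thread (`openssl req -x509 -config test.conf -key key.pem ...`, with neither `-new` nor `-in`) is exactly the case this enables. Also confirm that the new assignment runs after all options have been parsed into `cfg`, since `cfg.infile` and `cfg.x509` must be final at this point, and that an explicit `-in` combined with `-x509` still takes the unchanged load-request path.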
Thanks, that patch allows the tests to run, a few fail.
I tried to send some of the fixes upstream, but they weren't interested.
Kind of expected. The argument makes a lot of sense since they added support for BoringSSL which also doesn't support the OpenSSL 3 API.

So I'll see that I can get this req diff into the next release. I don't think the error codes are a particularly interesting thing to look into.
OS: Gentoo
LibreSSL: 3.9.2
cpp-httplib: 0.16.0

ccache added a new dependency of cpp-httplib which Gentoo installs system-wide and it fails during cmake. https://github.com/yhirose/cpp-httplib/blob/v0.16.0/CMakeLists.txt#L82-L84

This is easy to work around. But then it fails because LibreSSL doesn't have `SSL_get1_peer_certificate`.