From 4eee244d55fee6e7b5ed79591f2e097e00e3cc1e Mon Sep 17 00:00:00 2001 From: Joe Orton Date: Fri, 26 Jul 2024 09:14:40 +0000 Subject: [PATCH] CI: Fix OpenSSL tarball download URLs after openssl.org site refresh CI: Update to latest OpenSSL releases. CI: Build OpenSSL with RPATH set so that the installed ./bin/openssl works without LD_LIBRARY_PATH set. Use LD_RUN_PATH during the httpd build to achieve the same with binaries from the httpd build, but unset it after so that it doesn't affect running e.g. php-fpm or perl later. Should fix warning from logs when php-fpm is executed -- [26-Jul-2024 07:43:34] NOTICE: PHP message: PHP Warning: PHP Startup: Unable to load dynamic library 'curl.so' (tried: /usr/lib/php/20210902/curl.so (/lib/x86_64-linux-gnu/libcurl.so.4: undefined symbol: ENGINE_init, version OPENSSL_3.0.0), /usr/lib/php/20210902/curl.so.so (/usr/lib/php/20210902/curl.so.so: cannot open shared object file: No such file or directory)) in Unknown on line 0 CI: Test that php-fpm works if available before testing. CI: For paranoia/future debugging, log the OpenSSL version from compile-time and run-time as reported by mod_ssl. Github: closes #466 git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1919524 13f79535-47bb-0310-9956-ffa450edef68
---
 .github/workflows/linux.yml | 8 ++++----
 test/travis_before_linux.sh | 7 +++++--
 test/travis_run_linux.sh | 27 +++++++++++++++++++++++----
 3 files changed, 32 insertions(+), 10 deletions(-)
diff --git a/.github/workflows/linux.yml b/.github/workflows/linux.yml
index 0e42a0d3497..5942e143ced 100644
--- a/.github/workflows/linux.yml
+++ b/.github/workflows/linux.yml
@@ -273,7 +273,7 @@ jobs:
 - name: OpenSSL 3.1
 config: --enable-mods-shared=most --enable-maintainer-mode --disable-md --disable-http2 --disable-ldap --disable-crypto
 env: |
- TEST_OPENSSL3=3.1.5
+ TEST_OPENSSL3=3.1.6
 APR_VERSION=1.7.4
 APU_VERSION=1.6.3
 APU_CONFIG="--without-crypto"
@@ -282,7 +282,7 @@ jobs:
 config: --enable-mods-shared=most --enable-maintainer-mode --disable-md --disable-http2 --disable-ldap --disable-crypto
 notest-cflags: -Werror -O2 -Wno-deprecated-declarations
 env: |
- TEST_OPENSSL3=3.2.1
+ TEST_OPENSSL3=3.2.2
 APR_VERSION=1.7.4
 APU_VERSION=1.6.3
 APU_CONFIG="--without-crypto"
@@ -290,7 +290,7 @@ jobs:
 - name: OpenSSL 3.2 no-engine
 config: --enable-mods-shared=most --enable-maintainer-mode --disable-md --disable-http2 --disable-ldap --disable-crypto
 env: |
- TEST_OPENSSL3=3.2.1
+ TEST_OPENSSL3=3.2.2
 OPENSSL_CONFIG=no-engine
 APR_VERSION=1.7.4
 APU_VERSION=1.6.3
@@ -300,7 +300,7 @@ jobs:
 config: --enable-mods-shared=most --enable-maintainer-mode --disable-md --disable-http2 --disable-ldap --disable-crypto
 notest-cflags: -Werror -O2
 env: |
- TEST_OPENSSL3=3.3.0
+ TEST_OPENSSL3=3.3.1
 OPENSSL_CONFIG=no-engine
 APR_VERSION=1.7.4
 APU_VERSION=1.6.3
diff --git a/test/travis_before_linux.sh b/test/travis_before_linux.sh
index 4094959b509..79b983c0abb 100755
--- a/test/travis_before_linux.sh
+++ b/test/travis_before_linux.sh
@@ -119,10 +119,13 @@ if test -v TEST_OPENSSL3; then
 mkdir -p build/openssl
 pushd build/openssl
- curl "https://www.openssl.org/source/openssl-${TEST_OPENSSL3}.tar.gz" |
+ curl -L "https://github.com/openssl/openssl/releases/download/openssl-${TEST_OPENSSL3}/openssl-${TEST_OPENSSL3}.tar.gz" |
 tar -xzf -
 cd openssl-${TEST_OPENSSL3}
- ./Configure --prefix=$HOME/root/openssl3 shared no-tests ${OPENSSL_CONFIG}
+ # Build with RPATH so ./bin/openssl doesn't require $LD_LIBRARY_PATH
+ ./Configure --prefix=$HOME/root/openssl3 \
+ shared no-tests ${OPENSSL_CONFIG} \
+ '-Wl,-rpath=$(LIBRPATH)'
 make $MFLAGS
 make install_sw
 touch $HOME/root/openssl-is-${TEST_OPENSSL3}
diff --git a/test/travis_run_linux.sh b/test/travis_run_linux.sh
index 89b2cd8e6f0..7f99b234155 100755
--- a/test/travis_run_linux.sh
+++ b/test/travis_run_linux.sh
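Review bot: In the `test/travis_before_linux.sh` hunk the OpenSSL tarball goes straight from `curl -L` into `tar -xzf -` and is then configured, built and installed with no integrity check, so whatever the redirect chain returns gets compiled and executed in CI. I would download to a file, verify it against a digest pinned next to `TEST_OPENSSL3` in the workflow (the variable name below is a placeholder), and only then extract; adding `-f` also makes curl fail on an HTTP error instead of handing an error page to tar. The single-quoted `'-Wl,-rpath=$(LIBRPATH)'` deserves a short comment saying the quoting is deliberate, presumably so that make rather than the shell expands it. The enclosing `if test -v TEST_OPENSSL3` block starts and ends outside this hunk.

```shell
# … unchanged: mkdir -p build/openssl; pushd build/openssl …
tarball="openssl-${TEST_OPENSSL3}.tar.gz"
curl -fsSL -o "$tarball" \
    "https://github.com/openssl/openssl/releases/download/openssl-${TEST_OPENSSL3}/${tarball}"
# OPENSSL3_SHA256 is a placeholder: pin the published digest per version in linux.yml
printf '%s  %s\n' "${OPENSSL3_SHA256:?}" "$tarball" | sha256sum -c - || exit 1
tar -xzf "$tarball"
# … unchanged: cd, ./Configure, make, make install_sw, touch …
```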
@@ -61,7 +61,9 @@ fi
 if test -v TEST_OPENSSL3; then
 CONFIG="$CONFIG --with-ssl=$HOME/root/openssl3"
- export LD_LIBRARY_PATH=$HOME/root/openssl3/lib:$HOME/root/openssl3/lib64
+ # Temporarily set LD_RUN_PATH so that httpd/mod_ssl binaries pick
+ # up the custom OpenSSL build
+ export LD_RUN_PATH=$HOME/root/openssl3/lib:$HOME/root/openssl3/lib64
 export PATH=$HOME/root/openssl3/bin:$PATH
 openssl version
 fi
@@ -78,6 +80,14 @@ builddir=$PWD
 $srcdir/configure --prefix=$PREFIX $CONFIG
 make $MFLAGS
+if test -v TEST_OPENSSL3; then
+ # Clear the library/run paths so that anything else run during
+ # testing is not forced to use the custom OpenSSL build; e.g. perl,
+ # php-fpm, ...
+ unset LD_LIBRARY_PATH
+ unset LD_RUN_PATH
+fi
+
 if test -v TEST_INSTALL; then
 make install
 pushd $PREFIX
@@ -119,6 +129,11 @@ if test -v TEST_ASAN; then
 export ASAN_OPTIONS="log_path=$PWD/asan.log:detect_leaks=0"
 fi
+if test -v PHP_FPM; then
+ # Sanity test the executable exists.
+ $PHP_FPM --version
+fi
+
 # Try to keep all potential coredumps from all processes
 sudo sysctl -w kernel.core_uses_pid=1 2>/dev/null || true
 # Systemd based systems might process core dumps via systemd-coredump.
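Review bot: In the `@@ -61` hunk, `export LD_RUN_PATH=...` only has an effect while no `-rpath` option reaches the linker, because GNU ld consults `LD_RUN_PATH` solely when `-rpath` is absent from the link line. If configure or libtool ever adds one for mod_ssl, the run path would be dropped without an error and the module would resolve libssl from the system instead of the custom build. I would record that next to the export, e.g. `# NB: GNU ld ignores LD_RUN_PATH when -rpath is given on the link line`.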
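Review bot: In the `@@ -119` hunk, `$PHP_FPM --version` checks little more than that the binary starts. The failure quoted in the commit message is a PHP startup warning about `curl.so`, and a startup warning most likely still leaves the exit status at 0, so the regression this commit fixes would pass the check. Matching on the output would catch it, e.g. `if "$PHP_FPM" --version 2>&1 | grep -F 'Unable to load dynamic library'; then exit 1; fi`. `$PHP_FPM` should also be quoted.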
@@ -176,15 +191,19 @@ if ! test -v NO_TEST_FRAMEWORK; then
 fi
 fi
+if test \( -v TEST_SSL -o -v TEST_OPENSSL3 \) \
+ -a -f test/perl-framework/t/logs/error_log; then
+ : -- Check OpenSSL version used by mod_ssl at compile- and run-time --
+ grep 'mod_ssl.*compiled against' test/perl-framework/t/logs/error_log | tail -n1 | grep --color=always 'OpenSSL/[^ ]*'
+ grep 'resuming normal operations' test/perl-framework/t/logs/error_log | tail -n1 | grep --color=always 'OpenSSL/[^ ]*'
+fi
+
 if test -v TEST_SSL -a $RV -eq 0; then
 pushd test/perl-framework
 # Test loading encrypted private keys
 ./t/TEST -defines "TEST_SSL_DES3_KEY TEST_SSL_PASSPHRASE_EXEC" t/ssl
 RV=$?
- # Log the OpenSSL version.
- grep 'mod_ssl.*compiled against' t/logs/error_log | tail -n 1
-
 # Test various session cache backends
 for cache in shmcb redis:localhost:6379 memcache:localhost:11211; do
 test $RV -eq 0 || break
-- 
2.47.3
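Review bot: The new block only prints the OpenSSL version strings found in `error_log`; nothing fails if mod_ssl was built against, or is running with, a different OpenSSL than the job requested. Since the custom library is now located only through the run path embedded at link time, a silent fallback to the system libssl would leave a job labelled for one release exercising another. Inside a `test -v TEST_OPENSSL3` guard I would compare the run-time line with the requested version, e.g. `grep 'resuming normal operations' test/perl-framework/t/logs/error_log | tail -n1 | grep -qF "OpenSSL/${TEST_OPENSSL3}" || RV=1`. The `test \( ... -o ... \) -a -f ...` form is also marked obsolescent by POSIX; separate `test` calls joined with `&&`/`||` avoid the parsing ambiguity.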