apache2: mod_ssl fails to load with OpenSSL 3.0

Bug #1951476 reported by Sergio Durigan Junior
10
This bug affects 1 person
Affects Status Importance Assigned to Milestone
apache2 (Ubuntu)
High
Sergio Durigan Junior

Bug Description

Installing apache2 in a system with OpenSSL 3.0 makes the service fail to start if mod_ssl is enabled:

Nov 18 21:55:43 autopkgtest-lxd-apkgtd systemd[1]: Starting The Apache HTTP Server...
Nov 18 21:55:43 autopkgtest-lxd-apkgtd apachectl[2199]: apache2: Syntax error on line 146 of /etc/apache2/apache2.conf: Syntax error on line 2 of /etc/apache2/mods-enabled/ssl.load: Cannot load /usr/lib/apache2/modules/mod_ssl.so into server: /usr/lib/apache2/modules/mod_ssl.so: undefined symbol: ERR_GET_FUNC
Nov 18 21:55:43 autopkgtest-lxd-apkgtd apachectl[2196]: Action 'start' failed.
Nov 18 21:55:43 autopkgtest-lxd-apkgtd apachectl[2196]: The Apache error log may have more information.
Nov 18 21:55:43 autopkgtest-lxd-apkgtd systemd[1]: apache2.service: Control process exited, code=exited, status=1/FAILURE
Nov 18 21:55:43 autopkgtest-lxd-apkgtd systemd[1]: apache2.service: Failed with result 'exit-code'.
Nov 18 21:55:43 autopkgtest-lxd-apkgtd systemd[1]: Failed to start The Apache HTTP Server.

We're planning to transition to OpenSSL 3.0 for the 22.04 release, and consider
this issue as blocking for this transition.

You can find general migration informations at
https://www.openssl.org/docs/manmaster/man7/migration_guide.html
For your tests, you can build against libssl-dev as found in the PPA
schopin/openssl-3.0.0

You can test this by using the follow PPA:

ppa:schopin/openssl-3.0.0

Upstream has apparently fixed the issue with the following commit:

https://svn.apache.org/viewvc?view=revision&revision=1894716

Related branches

Revision history for this message
Sergio Durigan Junior (sergiodj) wrote :

Actually, a better reference for an upstream fix is:

https://github.com/apache/httpd/pull/258

Note that, as of this writing, the PR is still open and apparently a regression has been found with OpenSSL 3. We should take a closer look.

Revision history for this message
Sergio Durigan Junior (sergiodj) wrote :

I worked on this a little bit.

I backported the 10 patches that are currently present in the PR mentioned above (https://github.com/apache/httpd/pull/258), and verified that they seem to address the problem, at least in the sense that they make mod_ssl loadable again when using OpenSSL 3.

I ran apache2's autopkgtests and most of them succeeded; the only failure I'm seeing is actually not related to apache2, and is instead a problem with an uninstallable package currently in jammy-proposed.

The situation here is very similar to what's happening with net-snmp and squid: there are upstream patches that can "fix" the compatibility issue with OpenSSL, but upstream is still not entirely comfortable with them. In apache2's case, this situation a bit more complicated because there is apparently a behaviour change/regression that has been found with OpenSSL 3:

https://github.com/openssl/openssl/issues/15946

I will keep an eye on the progress of apache2's PR and see what happens. It'd probably be a good idea to have someone from the Security team take a look at this possible regression and assess it.

Changed in apache2 (Ubuntu):
assignee: nobody → Sergio Durigan Junior (sergiodj)
Changed in apache2 (Ubuntu):
status: New → In Progress
Bryce Harrington (bryce)
Changed in apache2 (Ubuntu):
status: In Progress → Fix Committed
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package apache2 - 2.4.48-3.1ubuntu4

---------------
apache2 (2.4.48-3.1ubuntu4) jammy; urgency=medium

  * d/p/support-openssl3-*.patch: Backport various patches from
    https://github.com/apache/httpd/pull/258 in order to fix mod_ssl's
    failure to load when using OpenSSL 3. (LP: #1951476)

 -- Sergio Durigan Junior <email address hidden> Fri, 26 Nov 2021 16:07:56 -0500

Changed in apache2 (Ubuntu):
status: Fix Committed → Fix Released
To post a comment you must log in.
This report contains Public information  Edit
Everyone can see this information.

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.