Comment 2 for bug 1951476

Sergio Durigan Junior (sergiodj) wrote :

I worked on this a little bit.

I backported the 10 patches that are currently present in the PR mentioned above (https://github.com/apache/httpd/pull/258), and verified that they seem to address the problem, at least in the sense that they make mod_ssl loadable again when using OpenSSL 3.

I ran apache2's autopkgtests and most of them succeeded; the only failure I'm seeing is actually not related to apache2, and is instead a problem with an uninstallable package currently in jammy-proposed.

The situation here is very similar to what's happening with net-snmp and squid: there are upstream patches that can "fix" the compatibility issue with OpenSSL, but upstream is still not entirely comfortable with them. In apache2's case, this situation is a bit more complicated because there is apparently a behaviour change/regression that has been found with OpenSSL 3:

https://github.com/openssl/openssl/issues/15946

I will keep an eye on the progress of apache2's PR and see what happens. It'd probably be a good idea to have someone from the Security team take a look at this possible regression and assess it.