Closed dhruvrauthan closed 3 years ago
I forgot to add the versions of the software, sorry.
OpenSSL: OpenSSL 1.1.1 11 Sep 2018
Apache Server: Apache/2.4.29 (Ubuntu)
Ubuntu: Ubuntu 18.04.5 LTS
Hiya,

On 26/03/2021 07:51, Dhruv Rauthan wrote:
> Hey, I was trying to enable eSNI on my Apache server and am following the steps as given in https://github.com/sftcd/openssl/blob/master/esnistuff/apache2.md

It's worth noting that ESNI has evolved into ECH over the last year, and so e.g. I don't think firefox nightly now includes support for ESNI, but will hopefully add ECH soonish. (There is NSS code for ECH but afaik not yet integrated with ff.)

As a bit of background: ESNI just encrypted the SNI in a TLS handshake extension, whereas ECH (Encrypted ClientHello) allows for encryption of an entire "inner" ClientHello within an "outer" ClientHello, and seems overall a better (if more complex) design.

All that being to say that if you're doing this in an expectation that ESNI will be part of e.g. browsers in the future, that might not be a great plan. ECH however isn't yet present in browsers as we're just at the point of ironing out the last interoperability issues. But the hope is that ECH will become part of browsers and web servers going forward.

> After "./configure --enable-ssl --with-ssl=$HOME/code/openssl-for-apache --with-libxml2" when I try make, it gives the following error:
> ......warnings.......
> ssl_engine_init.c:334:17: error: too few arguments to function ‘SSL_CTX_esni_server_enable’
>      if (SSL_CTX_esni_server_enable(ctx,privname,pubname)!=1) {

If (given the above) you still want to try this out, I can take a look at that as I'm nearly back at the point of doing application integrations for ECH again.

All the deprecations below are basically changes to upstream over the last year. I've not yet bothered to fix them as the ESNI code in my fork is likely to disappear once ECH is a bit more developed. For now, I've left it in, just in case ;-)

So if you're happy to wait a month(-ish) more and then try out ECH, that'd maybe be a more useful thing for you longer term. If you have a pressing need for trying out ESNI, I'd be happy to look at the error above, but it probably doesn't make sense to try to fix the deprecation warnings.

Cheers,
S.

> ......warnings.......
> /home/azureuser/code/httpd/build/rules.mk:213: recipe for target 'ssl_engine_init.slo' failed
> make[4]: *** [ssl_engine_init.slo] Error 1
> make[4]: Leaving directory '/home/azureuser/code/httpd/modules/ssl'
> /home/azureuser/code/httpd/build/rules.mk:117: recipe for target 'shared-build-recursive' failed
> make[3]: *** [shared-build-recursive] Error 1
> make[3]: Leaving directory '/home/azureuser/code/httpd/modules/ssl'
> /home/azureuser/code/httpd/build/rules.mk:117: recipe for target 'shared-build-recursive' failed
> make[2]: *** [shared-build-recursive] Error 1
> make[2]: Leaving directory '/home/azureuser/code/httpd/modules'
> /home/azureuser/code/httpd/build/rules.mk:117: recipe for target 'shared-build-recursive' failed
> make[1]: *** [shared-build-recursive] Error 1
> make[1]: Leaving directory '/home/azureuser/code/httpd'
> /home/azureuser/code/httpd/build/rules.mk:75: recipe for target 'all-recursive' failed
> make: *** [all-recursive] Error 1
>
> There are a fair few warnings as well:
>
> ssl_engine_init.c: In function ‘make_dh_params’:
> ssl_engine_init.c:110:5: warning: ‘DH_new’ is deprecated: Since OpenSSL 3.0 [-Wdeprecated-declarations]
>      DH *dh = DH_new();
> In file included from /home/azureuser/code/openssl-for-apache/include/openssl/dsa.h:51:0, from /home/azureuser/code/openssl-for-apache/include/openssl/x509.h:37, from /home/azureuser/code/openssl-for-apache/include/openssl/ssl.h:31, from ssl_private.h:90, from ssl_engine_init.c:29:
> /home/azureuser/code/openssl-for-apache/include/openssl/dh.h:199:27: note: declared here
>  OSSL_DEPRECATEDIN_3_0 DH *DH_new(void);
> ssl_engine_init.c:121:5: warning: ‘DH_set0_pqg’ is deprecated: Since OpenSSL 3.0 [-Wdeprecated-declarations]
>      if (!p || !g || !DH_set0_pqg(dh, p, NULL, g)) {
> In file included from /home/azureuser/code/openssl-for-apache/include/openssl/dsa.h:51:0, from /home/azureuser/code/openssl-for-apache/include/openssl/x509.h:37, from /home/azureuser/code/openssl-for-apache/include/openssl/ssl.h:31, from ssl_private.h:90, from ssl_engine_init.c:29:
> /home/azureuser/code/openssl-for-apache/include/openssl/dh.h:255:27: note: declared here
>  OSSL_DEPRECATEDIN_3_0 int DH_set0_pqg(DH *dh, BIGNUM *p, BIGNUM *q, BIGNUM *g);
> ssl_engine_init.c:122:9: warning: ‘DH_free’ is deprecated: Since OpenSSL 3.0 [-Wdeprecated-declarations]
>          DH_free(dh);
> In file included from /home/azureuser/code/openssl-for-apache/include/openssl/dsa.h:51:0, from /home/azureuser/code/openssl-for-apache/include/openssl/x509.h:37, from /home/azureuser/code/openssl-for-apache/include/openssl/ssl.h:31, from ssl_private.h:90, from ssl_engine_init.c:29:
> /home/azureuser/code/openssl-for-apache/include/openssl/dh.h:200:28: note: declared here
>  OSSL_DEPRECATEDIN_3_0 void DH_free(DH *dh);
> ssl_engine_init.c: In function ‘free_dh_params’:
> ssl_engine_init.c:160:9: warning: ‘DH_free’ is deprecated: Since OpenSSL 3.0 [-Wdeprecated-declarations]
>          DH_free(dhparams[n].dh);
> In file included from /home/azureuser/code/openssl-for-apache/include/openssl/dsa.h:51:0, from /home/azureuser/code/openssl-for-apache/include/openssl/x509.h:37, from /home/azureuser/code/openssl-for-apache/include/openssl/ssl.h:31, from ssl_private.h:90, from ssl_engine_init.c:29:
> /home/azureuser/code/openssl-for-apache/include/openssl/dh.h:200:28: note: declared here
>  OSSL_DEPRECATEDIN_3_0 void DH_free(DH *dh);
> ssl_engine_init.c: In function ‘load_esnikeys’:
> ssl_engine_init.c:334:48: warning: passing argument 2 of ‘SSL_CTX_esni_server_enable’ from incompatible pointer type [-Wincompatible-pointer-types]
>      if (SSL_CTX_esni_server_enable(ctx,privname,pubname)!=1) {
> In file included from ssl_engine_init.c:40:0:
> /home/azureuser/code/openssl-for-apache/include/openssl/esni.h:545:5: note: expected ‘SSL * {aka struct ssl_st *}’ but argument is of type ‘char *’
>  int SSL_CTX_esni_server_enable(SSL_CTX *s, SSL *con, const char *esnikeyfile, const char *esnipubfile);
> ssl_engine_init.c:334:17: error: too few arguments to function ‘SSL_CTX_esni_server_enable’
>      if (SSL_CTX_esni_server_enable(ctx,privname,pubname)!=1) {
> In file included from ssl_engine_init.c:40:0:
> /home/azureuser/code/openssl-for-apache/include/openssl/esni.h:545:5: note: declared here
>  int SSL_CTX_esni_server_enable(SSL_CTX *s, SSL *con, const char *esnikeyfile, const char *esnipubfile);
> ssl_engine_init.c: In function ‘ssl_init_Engine’:
> ssl_engine_init.c:633:9: warning: ‘ENGINE_by_id’ is deprecated: Since OpenSSL 3.0 [-Wdeprecated-declarations]
>          if (!(e = ENGINE_by_id(mc->szCryptoDevice))) {
> In file included from ssl_private.h:105:0, from ssl_engine_init.c:29:
> /home/azureuser/code/openssl-for-apache/include/openssl/engine.h:336:31: note: declared here
>  OSSL_DEPRECATEDIN_3_0 ENGINE *ENGINE_by_id(const char *id);
> ssl_engine_init.c:643:13: warning: ‘ENGINE_ctrl’ is deprecated: Since OpenSSL 3.0 [-Wdeprecated-declarations]
>              ENGINE_ctrl(e, ENGINE_CTRL_CHIL_SET_FORKCHECK, 1, 0, 0);
> In file included from ssl_private.h:105:0, from ssl_engine_init.c:29:
> /home/azureuser/code/openssl-for-apache/include/openssl/engine.h:429:27: note: declared here
>  OSSL_DEPRECATEDIN_3_0 int ENGINE_ctrl(ENGINE *e, int cmd, long i, void *p,
> ssl_engine_init.c:647:9: warning: ‘ENGINE_set_default’ is deprecated: Since OpenSSL 3.0 [-Wdeprecated-declarations]
>          if (!ENGINE_set_default(e, ENGINE_METHOD_ALL)) {
> In file included from ssl_private.h:105:0, from ssl_engine_init.c:29:
> /home/azureuser/code/openssl-for-apache/include/openssl/engine.h:708:27: note: declared here
>  OSSL_DEPRECATEDIN_3_0 int ENGINE_set_default(ENGINE *e, unsigned int flags);
> ssl_engine_init.c:658:9: warning: ‘ENGINE_free’ is deprecated: Since OpenSSL 3.0 [-Wdeprecated-declarations]
>          ENGINE_free(e);
> In file included from ssl_private.h:105:0, from ssl_engine_init.c:29:
> /home/azureuser/code/openssl-for-apache/include/openssl/engine.h:493:27: note: declared here
>  OSSL_DEPRECATEDIN_3_0 int ENGINE_free(ENGINE *e);
> ssl_engine_init.c: In function ‘ssl_init_ctx_tls_extensions’:
> ssl_engine_init.c:736:9: warning: ‘SRP_VBASE_new’ is deprecated: Since OpenSSL 3.0 [-Wdeprecated-declarations]
>          if (!(mctx->srp_vbase = SRP_VBASE_new(mctx->srp_unknown_user_seed))) {
> In file included from ssl_private.h:220:0, from ssl_engine_init.c:29:
> /home/azureuser/code/openssl-for-apache/include/openssl/srp.h:173:12: note: declared here
>  SRP_VBASE *SRP_VBASE_new(char *seed_key);
> ssl_engine_init.c:745:9: warning: ‘SRP_VBASE_init’ is deprecated: Since OpenSSL 3.0 [-Wdeprecated-declarations]
>          err = SRP_VBASE_init(mctx->srp_vbase, mctx->srp_vfile);
> In file included from ssl_private.h:220:0, from ssl_engine_init.c:29:
> /home/azureuser/code/openssl-for-apache/include/openssl/srp.h:177:5: note: declared here
>  int SRP_VBASE_init(SRP_VBASE *vb, char *verifier_file);
> ssl_engine_init.c:753:9: warning: ‘SSL_CTX_set_srp_username_callback’ is deprecated: Since OpenSSL 3.0 [-Wdeprecated-declarations]
>          SSL_CTX_set_srp_username_callback(mctx->ssl_ctx,
> In file included from ssl_private.h:90:0, from ssl_engine_init.c:29:
> /home/azureuser/code/openssl-for-apache/include/openssl/ssl.h:1959:5: note: declared here
>  int SSL_CTX_set_srp_username_callback(SSL_CTX *ctx,
> ssl_engine_init.c:755:9: warning: ‘SSL_CTX_set_srp_cb_arg’ is deprecated: Since OpenSSL 3.0 [-Wdeprecated-declarations]
>          SSL_CTX_set_srp_cb_arg(mctx->ssl_ctx, mctx);
> In file included from ssl_private.h:90:0, from ssl_engine_init.c:29:
> /home/azureuser/code/openssl-for-apache/include/openssl/ssl.h:1961:27: note: declared here
>  OSSL_DEPRECATEDIN_3_0 int SSL_CTX_set_srp_cb_arg(SSL_CTX *ctx, void *arg);
> ssl_engine_init.c: In function ‘ssl_init_ctx_callbacks’:
> ssl_engine_init.c:1078:5: warning: ‘SSL_CTX_set_tmp_dh_callback’ is deprecated: Since OpenSSL 3.0 [-Wdeprecated-declarations]
>      SSL_CTX_set_tmp_dh_callback(ctx, ssl_callback_TmpDH);
> In file included from ssl_private.h:90:0, from ssl_engine_init.c:29:
> /home/azureuser/code/openssl-for-apache/include/openssl/ssl.h:2286:6: note: declared here
>  void SSL_CTX_set_tmp_dh_callback(SSL_CTX *ctx,
> ssl_engine_init.c: In function ‘ssl_init_server_certs’:
> ssl_engine_init.c:1716:9: warning: ‘DH_bits’ is deprecated: Since OpenSSL 3.0 [-Wdeprecated-declarations]
>          ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s, APLOGNO(02540)
> In file included from /home/azureuser/code/openssl-for-apache/include/openssl/dsa.h:51:0, from /home/azureuser/code/openssl-for-apache/include/openssl/x509.h:37, from /home/azureuser/code/openssl-for-apache/include/openssl/ssl.h:31, from ssl_private.h:90, from ssl_engine_init.c:29:
> /home/azureuser/code/openssl-for-apache/include/openssl/dh.h:202:27: note: declared here
>  OSSL_DEPRECATEDIN_3_0 int DH_bits(const DH *dh);
> ssl_engine_init.c:1719:9: warning: ‘DH_free’ is deprecated: Since OpenSSL 3.0 [-Wdeprecated-declarations]
>          DH_free(dhparams);
> In file included from /home/azureuser/code/openssl-for-apache/include/openssl/dsa.h:51:0, from /home/azureuser/code/openssl-for-apache/include/openssl/x509.h:37, from /home/azureuser/code/openssl-for-apache/include/openssl/ssl.h:31, from ssl_private.h:90, from ssl_engine_init.c:29:
> /home/azureuser/code/openssl-for-apache/include/openssl/dh.h:200:28: note: declared here
>  OSSL_DEPRECATEDIN_3_0 void DH_free(DH *dh);
> ssl_engine_init.c:1729:9: warning: ‘EC_KEY_new_by_curve_name’ is deprecated: Since OpenSSL 3.0 [-Wdeprecated-declarations]
>          && (eckey = EC_KEY_new_by_curve_name(nid))) {
> In file included from /home/azureuser/code/openssl-for-apache/include/openssl/x509.h:33:0, from /home/azureuser/code/openssl-for-apache/include/openssl/ssl.h:31, from ssl_private.h:90, from ssl_engine_init.c:29:
> /home/azureuser/code/openssl-for-apache/include/openssl/ec.h:994:31: note: declared here
>  OSSL_DEPRECATEDIN_3_0 EC_KEY *EC_KEY_new_by_curve_name(int nid);
> ssl_engine_init.c:1751:5: warning: ‘EC_KEY_free’ is deprecated: Since OpenSSL 3.0 [-Wdeprecated-declarations]
>      EC_KEY_free(eckey);
> In file included from /home/azureuser/code/openssl-for-apache/include/openssl/x509.h:33:0, from /home/azureuser/code/openssl-for-apache/include/openssl/ssl.h:31, from ssl_private.h:90, from ssl_engine_init.c:29:
> /home/azureuser/code/openssl-for-apache/include/openssl/ec.h:999:28: note: declared here
>  OSSL_DEPRECATEDIN_3_0 void EC_KEY_free(EC_KEY *key);
> ssl_engine_init.c: In function ‘ssl_init_ctx_cleanup’:
> ssl_engine_init.c:2008:9: warning: ‘SRP_VBASE_free’ is deprecated: Since OpenSSL 3.0 [-Wdeprecated-declarations]
>          SRP_VBASE_free(mctx->srp_vbase);
> In file included from ssl_private.h:220:0, from ssl_engine_init.c:29:
> /home/azureuser/code/openssl-for-apache/include/openssl/srp.h:175:6: note: declared here
>  void SRP_VBASE_free(SRP_VBASE *vb);
>
> Is this a mistake on my end or the code itself? And how can I try and fix this? Thank you
Hey, I looked into ECH over the past few days and understand that it will be the standard going into the future. The project I am working on currently involves the decryption of the ESNI field; I believe the method will carry over to ECH (just a bit more complex) since SNI along with other fields will be encrypted there.
My current goal is to work with the decrypted ESNI value, and hence I would be extremely grateful if you could look into the error whenever possible. Thank you
ESNI stuff is legacy nowadays: closing