m-oldap@bodyfour.uk wrote:
Full_Name: Mitchell Blank
Version: 2.4.43
OS: linux
URL: ftp://ftp.openldap.org/incoming/
Submission from: (NULL) (80.169.198.86)
Recently a couple alpha releases for OpenSSL 1.1.X have been posted on www.openssl.org with the request that software be tested against them prior to release.
Thanks for the report. There are clearly 2 issues the OpenSSL folks will have to resolve before this will work.
https://mta.openssl.org/pipermail/openssl-dev/2016-January/004362.html
https://mta.openssl.org/pipermail/openssl-dev/2016-January/004365.html
I tried compiling the most recent OpenLDAP against it, but it failed. One of the overarching changes that OpenSSL is making is that many of its datatypes are now only visible as opaque pointers (in other words, their layout and size are considered private to OpenSSL itself).
This caused the following compile errors in tls_o.c:
openldap-2.4.43/libraries/libldap/tls_o.c: In function ‘tlso_ctx_ref’:
openldap-2.4.43/libraries/libldap/tls_o.c:199:20: error: dereferencing pointer to incomplete type
  CRYPTO_add( &c->references, 1, CRYPTO_LOCK_SSL_CTX );
  ^
openldap-2.4.43/libraries/libldap/tls_o.c: In function ‘tlso_session_my_dn’:
openldap-2.4.43/libraries/libldap/tls_o.c:451:21: error: dereferencing pointer to incomplete type
  der_dn->bv_val = xn->bytes->data;
  ^
openldap-2.4.43/libraries/libldap/tls_o.c: In function ‘tlso_session_peer_dn’:
openldap-2.4.43/libraries/libldap/tls_o.c:478:21: error: dereferencing pointer to incomplete type
  der_dn->bv_val = xn->bytes->data;
  ^
openldap-2.4.43/libraries/libldap/tls_o.c: In function ‘tlso_session_chkhost’:
openldap-2.4.43/libraries/libldap/tls_o.c:618:21: error: dereferencing pointer to incomplete type
  if ( !OBJ_cmp( ne->object, obj )) {
  ^
The last one can probably be replaced with an X509_NAME_ENTRY_get_object() call. I don't know enough about the X509_NAME API to know how to fix the ->bytes->data ones.
For what it's worth, there were also a couple deprecated warnings:
openldap-2.4.43/libraries/libldap/tls_o.c:179:2: warning: ‘ERR_remove_state’ is deprecated
openldap-2.4.43/libraries/libldap/tls_o.c:1251:3: warning: ‘DH_generate_parameters’ is deprecated
Right now this isn't super urgent, but within a couple months OpenSSL 1.1.0 is expected to be released and suddenly a lot more people will be hitting this issue.