[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Bug#860024: apache2-bin: jessie-backports available

Hi there,

On Tue, 11 Apr 2017 11:58:40 +0200, L.P.H. van Belle wrote:
> > Thank you for the notice, that is because the debian/control is wrong,
> > it does not declare such dependency:
> > 
> >   <https://anonscm.debian.org/git/pkg-
> > apache/apache2.git/tree/debian/control?h=debian/2.4.25-
> > 3&id=4f79d48a8a5458eb0186a5a992c73a0699924900#n8>
> > 
> >   Build-Depends: debhelper (>= 9.20131213~), lsb-release, dpkg-dev (>=
> > 1.16.1~),
> >    libaprutil1-dev (>= 1.5.0), libapr1-dev (>= 1.5.0), libpcre3-dev,
> > zlib1g-dev,
> >    libnghttp2-dev, libssl1.0-dev | libssl-dev (<< 1.1), perl,
> >    liblua5.2-dev, libxml2-dev, autotools-dev, gawk | awk,
> >    dh-systemd
> Hmm, strange yes the stretch package it does. 
> https://packages.debian.org/stretch/apache2-bin 
> dep: libssl1.0.2 (>= 1.0.2d)

First of all, this is because stretch has libssl1.0-dev, thus the

  Build-Depends: libssl1.0-dev | libssl-dev

is satisfied by the first option and the Depends: (i.e. those for the
compiled .deb binary package) is automatically filled in by
dpkg-buildpackage according to the debpkg installed during the build.

OTOH, jessie[-backports] has libssl-dev only, so the Build-Depends:
would be satisfied by the second option.  However, sbuild does not honor
alternative dependencies, thus AFAIK the only way to compile apache2.4
with sbuild on jessie[-backports] is to remove the first option.

After some digging, it seems that the problem is not linked to ALPN, but
to the support of the mod_ssl's SSLOpenSSLConfCmd option itself, which
according to upstream needs at least OpenSSL version 1.0.2:


Thus, the Build-Depends: should be split in two:

  libssl1.0-dev (>= 1.0.2) | libssl-dev (>= 1.0.2)
  libssl1.0-dev (>= 1.0.2) | libssl-dev (<< 1.1)

Funny enough, there is no notice in the ./configure output:

--8<---------------cut here---------------start------------->8---
checking whether to enable mod_ssl... checking dependencies
checking for OpenSSL... checking for user-provided OpenSSL base directory... none
  setting MOD_CFLAGS to ""
  setting ab_CFLAGS to ""
  setting MOD_LDFLAGS to ""
  setting MOD_LDFLAGS to ""
checking for OpenSSL version >= 0.9.8a... OK
  setting MOD_LDFLAGS to "-lssl -lcrypto   "
  setting LIBS to "-lssl -lcrypto   "
  forcing ab_LDFLAGS to "-lssl -lcrypto   "
checking openssl/engine.h usability... yes
checking openssl/engine.h presence... yes
checking for openssl/engine.h... yes
checking for SSLeay_version... yes
checking for SSL_CTX_new... yes
checking for ENGINE_init... yes
checking for ENGINE_load_builtin_engines... yes
checking for RAND_egd... yes
  setting MOD_CFLAGS to ""
  setting MOD_SSL_LDADD to "-export-symbols-regex ssl_module"
checking whether to enable mod_ssl... shared (all)
  adding "-I$(top_srcdir)/modules/ssl" to INCLUDES
checking whether to enable mod_http2... checking dependencies
checking for OpenSSL... (cached) yes
  setting MOD_LDFLAGS to "-lssl -lcrypto   "
  setting MOD_CFLAGS to ""
  setting MOD_CPPFLAGS to "-DH2_OPENSSL"
checking for nghttp2... checking for user-provided nghttp2 base directory... none
checking for pkg-config along ...   setting MOD_CFLAGS to ""
checking for nghttp2 version >= 1.2.1... OK
  adding "-lnghttp2" to MOD_LDFLAGS
  setting LIBS to "-lnghttp2   "
checking nghttp2/nghttp2.h usability... yes
checking nghttp2/nghttp2.h presence... yes
checking for nghttp2/nghttp2.h... yes
checking for nghttp2_session_server_new2... yes
checking for nghttp2_stream_get_weight... yes
checking for nghttp2_session_change_stream_priority... yes
checking for nghttp2_session_callbacks_set_on_invalid_header_callback... yes
  setting MOD_HTTP2_LDADD to "-export-symbols-regex http2_module"
checking whether to enable mod_http2... shared (all)
checking whether to enable mod_proxy_http2... checking dependencies
checking for nghttp2... (cached) yes
  setting MOD_PROXY_HTTP2_LDADD to "-export-symbols-regex proxy_http2_module"
checking whether to enable mod_proxy_http2... shared

--8<---------------cut here---------------end--------------->8---

To go back to ALPN, from what I could find out, it was at first required
by Chrome to support HTTP/2, at least until it was decided to still
support NPN (thus HTTP/2 is feasible with OpenSSL <= 1.0.2f):


And I could not find why ALPN would require OpenSSL >= 1.0.2f (despite a
lot of search results stating that), since ALPN is officially supported
by OpenSSL 1.0.2:


Nevertheless, jessie-backports has OpenSSL 1.0.2k, thus simply
installing openssl from jessie-backports should be enough to add
mod_ssl's SSLOpenSSLConfCmd (and "full" ALPN) support:
~# dpkg-query -W apache2
apache2 2.4.25-3~bpo8+1
~# dpkg-query -W apache2-bin
apache2-bin     2.4.25-3~bpo8+1
~# dpkg-query -W libssl1.0.0
libssl1.0.0:amd64       1.0.1t-1+deb8u6
~# apt-get install -t jessie-backports -s openssl
Reading package lists... Done
Building dependency tree
Reading state information... Done
The following extra packages will be installed:
The following packages will be upgraded:
  libssl1.0.0 openssl
2 upgraded, 0 newly installed, 0 to remove and 74 not upgraded.
Inst libssl1.0.0 [1.0.1t-1+deb8u6] (1.0.2k-1~bpo8+1 Debian Backports:jessie-backports [amd64])
Inst openssl [1.0.1t-1+deb8u6] (1.0.2k-1~bpo8+1 Debian Backports:jessie-backports [amd64])
Conf libssl1.0.0 (1.0.2k-1~bpo8+1 Debian Backports:jessie-backports [amd64])
Conf openssl (1.0.2k-1~bpo8+1 Debian Backports:jessie-backports [amd64])

Unfortunately, we do not have a test bed for HTTP/2 right now, could
someone please confirm this?

Thx, bye,
Gismo / Luca

Luca Capello
Administrateur GNU/Linux

Infomaniak Network SA

Attachment: signature.asc
Description: Digital signature

Reply to: