[Xymon] [PATCH] Re: Fwd: Bug#828611: xymon: Fails to build from source with OpenSSL 1.1.0

Axel Beckert abe at debian.org
Sun Oct 30 14:07:08 CET 2016 

Hi,

Axel Beckert wrote:
> this has been reported in Debian at https://bugs.debian.org/828611
[...]
> OpenSSL 1.1.0 is about to released.  During a rebuild of all packages using
> OpenSSL this package fail to build.  A log of that build can be found at:
> https://breakpoint.cc/openssl-1.1-rebuild-2016-05-29/Attempted/xymon_4.3.27-1_amd64-20160529-1558
> 
> On https://wiki.openssl.org/index.php/1.1_API_Changes you can see various of the
> reasons why it might fail.  There are also updated man pages at
> https://www.openssl.org/docs/manmaster/ that should contain useful information.

While it took quite a while to figure it out, the patch to make it
compile again against OpenSSL 1.1.0 is surprisingly tiny:

--- a/xymonnet/contest.c
+++ b/xymonnet/contest.c
@@ -648,7 +648,7 @@
 
 	certcn = X509_NAME_oneline(X509_get_subject_name(peercert), NULL, 0);
 	certissuer = X509_NAME_oneline(X509_get_issuer_name(peercert), NULL, 0);
-	certsigalg = OBJ_nid2ln(OBJ_obj2nid(peercert->sig_alg->algorithm));
+	certsigalg = OBJ_nid2ln(X509_get_signature_nid(peercert));
 	certstart = strdup(xymon_ASN1_UTCTIME(X509_get_notBefore(peercert)));
 	certend = strdup(xymon_ASN1_UTCTIME(X509_get_notAfter(peercert)));
 	{

See also
https://anonscm.debian.org/cgit/collab-maint/xymon.git/tree/debian/patches/81_fix_compilation_with_OpenSSL_1.1+.patch
https://anonscm.debian.org/cgit/collab-maint/xymon.git/plain/debian/patches/81_fix_compilation_with_OpenSSL_1.1+.patch

I've got one (currently non-productive) Xymon server on a Raspberry Pi
running(*) Debian Unstable with that patch and xymonnet properly
reported SSL certificate and https:// URL states so far. So I believe,
that patch is sufficient and working, despite I have not much of an
idea what it actually does. I took the idea for the patch from here:
https://github.com/bukka/php-src/commit/0598a8da2bc005b3a0be2801033b5347020f8316#diff-69bad938d17f4283faa5f7fea17fa627L2174

I would be happy if you could integrate the patch into the (probably
upcoming) 4.3.28 release to allow others to compile Xymon against
OpenSSL 1.1.0+. (And to spread it further to get more testing. :-)

(*) It's currently running with OpenSSL 1.0.2j though, but that proves
    that it's at least also backward compatible to 1.0.2. As soon as
    Debian Unstable switches to OpenSSL 1.1.0b or later, I'll continue
    to test it with that version.

		Regards, Axel
-- 
 ,''`.  |  Axel Beckert <abe at debian.org>, http://people.debian.org/~abe/
: :' :  |  Debian Developer, ftp.ch.debian.org Admin
`. `'   |  4096R: 2517 B724 C5F6 CA99 5329  6E61 2FF9 CD59 6126 16B5
  `-    |  1024D: F067 EA27 26B9 C3FC 1486  202E C09E 1D89 9593 0EDE
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 836 bytes
Desc: Digital signature
URL: <http://lists.xymon.com/pipermail/xymon/attachments/20161030/56831598/attachment.sig>

More information about the Xymon mailing list