From 81e502a5353eeb76e05747c0b2862e041f6d9c2c Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?=C4=90o=C3=A0n=20Tr=E1=BA=A7n=20C=C3=B4ng=20Danh?= Date: Wed, 20 Jul 2022 19:06:17 +0700 Subject: [PATCH] h2o: use system yaml, ca-certs While we are at it, run make check. --- .../patches/link-against-system-libyaml.patch | 34 +++++++++++ ...orce-TLSv1.2-on-s_client-invocations.patch | 58 +++++++++++++++++++ srcpkgs/h2o/patches/use-etc-ssl-certs.patch | 37 ++++++++++++ srcpkgs/h2o/template | 19 +++++- 4 files changed, 146 insertions(+), 2 deletions(-) create mode 100644 srcpkgs/h2o/patches/link-against-system-libyaml.patch create mode 100644 srcpkgs/h2o/patches/tests-force-TLSv1.2-on-s_client-invocations.patch create mode 100644 srcpkgs/h2o/patches/use-etc-ssl-certs.patch diff --git a/srcpkgs/h2o/patches/link-against-system-libyaml.patch b/srcpkgs/h2o/patches/link-against-system-libyaml.patch new file mode 100644 index 000000000000..52f3df36c70f --- /dev/null +++ b/srcpkgs/h2o/patches/link-against-system-libyaml.patch 
@@ -0,0 +1,34 @@ +Author: Apollon Oikonomopoulos +Description: Use the system LibYAML instance + Do not statically link against LibYAML, use dynamic linking against the system + instance instead. +Last-Update: 2017-08-29 +Forwarded: no +--- a/CMakeLists.txt ++++ b/CMakeLists.txt +@@ -121,6 +121,9 @@ + INCLUDE_DIRECTORIES(${LIBUV_INCLUDE_DIRS}) + LINK_DIRECTORIES(${LIBUV_LIBRARY_DIRS}) + ENDIF (LIBUV_FOUND) ++ PKG_CHECK_MODULES(LIBYAML REQUIRED yaml-0.1) ++ INCLUDE_DIRECTORIES(${LIBYAML_INCLUDE_DIRS}) ++ LIST(INSERT EXTRA_LIBS 0 ${LIBYAML_LIBRARIES}) + ENDIF (PKG_CONFIG_FOUND) + IF (NOT LIBUV_FOUND) + FIND_PACKAGE(LibUV) +@@ -313,7 +316,6 @@ + + SET(UNIT_TEST_SOURCE_FILES + ${LIB_SOURCE_FILES} +- ${LIBYAML_SOURCE_FILES} + ${BROTLI_SOURCE_FILES} + deps/picotest/picotest.c + t/00unit/test.c +@@ -445,7 +447,6 @@ + # standalone server directly links to libh2o using evloop + SET(STANDALONE_SOURCE_FILES + ${LIB_SOURCE_FILES} +- ${LIBYAML_SOURCE_FILES} + ${BROTLI_SOURCE_FILES} + deps/neverbleed/neverbleed.c + src/main.c diff --git a/srcpkgs/h2o/patches/tests-force-TLSv1.2-on-s_client-invocations.patch b/srcpkgs/h2o/patches/tests-force-TLSv1.2-on-s_client-invocations.patch new file mode 100644 index 000000000000..c6f6962356c7 --- /dev/null +++ b/srcpkgs/h2o/patches/tests-force-TLSv1.2-on-s_client-invocations.patch 
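Review bot: The new pkg-config block adds `INCLUDE_DIRECTORIES(${LIBYAML_INCLUDE_DIRS})` but not the `LINK_DIRECTORIES(${LIBYAML_LIBRARY_DIRS})` that the libuv block directly above it pairs with its include line, so a system libyaml installed outside the default linker search path is found at configure time and then fails at link time; add `LINK_DIRECTORIES(${LIBYAML_LIBRARY_DIRS})` after the include line. The check also sits inside `IF (PKG_CONFIG_FOUND)`, and with `${LIBYAML_SOURCE_FILES}` removed from both source lists there is no fallback when pkg-config is absent, so the failure would surface only as unresolved yaml symbols at link time; the template's `hostmakedepends="pkg-config"` covers Void builds, but a guard after `ENDIF (PKG_CONFIG_FOUND)` such as `IF (NOT LIBYAML_FOUND)` / `MESSAGE(FATAL_ERROR "system libyaml (yaml-0.1) is required")` / `ENDIF ()` makes the requirement explicit. The surrounding CMake blocks start and end outside the hunk, so the exact placement needs checking against the full file.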
@@ -0,0 +1,58 @@ +From 752caaf33bf5a752bf2926aa32a1f8851a023fbf Mon Sep 17 00:00:00 2001 +From: Apollon Oikonomopoulos +Date: Fri, 14 Sep 2018 16:44:34 +0300 +Subject: [PATCH] Tests: force TLSv1.2 on s_client invocations + +The tests are not ready (yet) to handle TLSv1.3 support in OpenSSL, so +make s_client use TLSv1.2 explicitly. + +Note that we could pass -no_tls1_3 instead, but this would break with +older (pre-1.1.1) OpenSSL versions. +--- + t/40memcached-session-resumption.t | 2 +- + t/40session-ticket.t | 2 +- + t/40ssl-cipher-suite.t | 2 +- + 3 files changed, 3 insertions(+), 3 deletions(-) + +diff --git a/t/40memcached-session-resumption.t b/t/40memcached-session-resumption.t +index 129affbe..6774bece 100644 +--- a/t/40memcached-session-resumption.t ++++ b/t/40memcached-session-resumption.t +@@ -47,7 +47,7 @@ hosts: + file.dir: @{[ DOC_ROOT ]} + EOT + my $lines = do { +- open my $fh, "-|", "openssl s_client -no_ticket $opts -connect 127.0.0.1:$server->{tls_port} 2>&1 < /dev/null" ++ open my $fh, "-|", "openssl s_client -tls1_2 -no_ticket $opts -connect 127.0.0.1:$server->{tls_port} 2>&1 < /dev/null" + or die "failed to open pipe:$!"; + local $/; + <$fh>; +diff --git a/t/40session-ticket.t b/t/40session-ticket.t +index 2e5d5e4a..e712ef18 100644 +--- a/t/40session-ticket.t ++++ b/t/40session-ticket.t +@@ -122,7 +122,7 @@ EOT + sub test { + my $lines = do { + my $cmd_opts = (-e "$tempdir/session" ? "-sess_in $tempdir/session" : "") . 
" -sess_out $tempdir/session"; +- open my $fh, "-|", "openssl s_client $cmd_opts -connect 127.0.0.1:$server->{tls_port} 2>&1 < /dev/null" ++ open my $fh, "-|", "openssl s_client -tls1_2 $cmd_opts -connect 127.0.0.1:$server->{tls_port} 2>&1 < /dev/null" + or die "failed to open pipe:$!"; + local $/; + <$fh>; +diff --git a/t/40ssl-cipher-suite.t b/t/40ssl-cipher-suite.t +index bda71842..71bdcf53 100644 +--- a/t/40ssl-cipher-suite.t ++++ b/t/40ssl-cipher-suite.t +@@ -32,7 +32,7 @@ my ($guard, $pid) = spawn_server( + ); + + # connect to the server with AES256-SHA as the first choice, and check that AES128-SHA was selected +-my $log = `openssl s_client -cipher AES256-SHA:AES128-SHA -host 127.0.0.1 -port $port < /dev/null 2>&1`; ++my $log = `openssl s_client -tls1_2 -cipher AES256-SHA:AES128-SHA -host 127.0.0.1 -port $port < /dev/null 2>&1`; + like $log, qr/^\s*Cipher\s*:\s*AES128-SHA\s*$/m; + + done_testing; +-- +2.18.0 + diff --git a/srcpkgs/h2o/patches/use-etc-ssl-certs.patch b/srcpkgs/h2o/patches/use-etc-ssl-certs.patch new file mode 100644 index 000000000000..570a9c0710b0 --- /dev/null +++ b/srcpkgs/h2o/patches/use-etc-ssl-certs.patch 
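Review bot: Pinning `-tls1_2` in all three s_client invocations means the session-ticket and memcached-resumption tests no longer exercise TLS 1.3 resumption, which is what a system OpenSSL 1.1.1 or newer negotiates by default and what this package now ships against via `-DWITH_BUNDLED_SSL=OFF`, so the check stage validates a code path users will mostly not hit. The patch is from 2018 and its rationale ("tests are not ready (yet)") should be re-confirmed against h2o 2.2.6 rather than carried forward silently; if the pin is kept, a line in the patch header such as `Void: re-checked against h2o 2.2.6 on <date>, still required` records that. The Perl `sub test` in 40session-ticket.t continues outside the inner hunk.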
@@ -0,0 +1,37 @@ +Author: Apollon Oikonomopoulos +Description: On Debian systems, use /etc/ssl/certs for TLS verification + Instead of shipping a dedicated CA bundle, use /etc/ssl/certs for + verification by default. +Last-Update: 2017-09-04 +Forwarded: no (Debian-specific) +prefers CApath over CAfile because SSL_CTX_load_verify_locations can look up +by subject name and/or key identifier +--- a/lib/handler/configurator/proxy.c ++++ b/lib/handler/configurator/proxy.c +@@ -298,11 +298,10 @@ + if (ctx->pathconf == NULL && ctx->hostconf == NULL) { + /* is global conf, setup the default SSL context */ + self->vars->ssl_ctx = create_ssl_ctx(); +- char *ca_bundle = h2o_configurator_get_cmd_path("share/h2o/ca-bundle.crt"); +- if (SSL_CTX_load_verify_locations(self->vars->ssl_ctx, ca_bundle, NULL) != 1) +- fprintf(stderr, "Warning: failed to load the default certificates file at %s. Proxying to HTTPS servers may fail.\n", +- ca_bundle); +- free(ca_bundle); ++ char *ca_path = "/etc/ssl/certs"; ++ if (SSL_CTX_load_verify_locations(self->vars->ssl_ctx, NULL, ca_path) != 1) ++ fprintf(stderr, "Warning: failed to load the default certificates location at %s. 
Proxying to HTTPS servers may fail.\n", ++ ca_path); + SSL_CTX_set_verify(self->vars->ssl_ctx, SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT, NULL); + h2o_cache_t *ssl_session_cache = + create_ssl_session_cache(H2O_DEFAULT_PROXY_SSL_SESSION_CACHE_CAPACITY, H2O_DEFAULT_PROXY_SSL_SESSION_CACHE_DURATION); +--- a/CMakeLists.txt ++++ b/CMakeLists.txt +@@ -508,7 +508,7 @@ + ENDIF () + + INSTALL(PROGRAMS share/h2o/annotate-backtrace-symbols share/h2o/fastcgi-cgi share/h2o/fetch-ocsp-response share/h2o/kill-on-close share/h2o/setuidgid share/h2o/start_server DESTINATION ${CMAKE_INSTALL_DATAROOTDIR}/h2o) +-INSTALL(FILES share/h2o/ca-bundle.crt DESTINATION ${CMAKE_INSTALL_DATAROOTDIR}/h2o) ++#INSTALL(FILES share/h2o/ca-bundle.crt DESTINATION ${CMAKE_INSTALL_DATAROOTDIR}/h2o) + INSTALL(FILES share/h2o/status/index.html DESTINATION ${CMAKE_INSTALL_DATAROOTDIR}/h2o/status) + INSTALL(DIRECTORY doc/ DESTINATION ${CMAKE_INSTALL_DATAROOTDIR}/doc/h2o PATTERN "Makefile" EXCLUDE PATTERN "README.md" EXCLUDE) + INSTALL(DIRECTORY examples/ DESTINATION ${CMAKE_INSTALL_DATAROOTDIR}/doc/h2o/examples) diff --git a/srcpkgs/h2o/template b/srcpkgs/h2o/template index 3b300024f05c..3cd8ea0ff1b6 100644 --- a/srcpkgs/h2o/template +++ b/srcpkgs/h2o/template @@ -1,12 +1,16 @@ # Template file for 'h2o' pkgname=h2o version=2.2.6 -revision=3 +revision=4 build_style=cmake conf_files="/etc/h2o.conf" +configure_args="-DWITH_BUNDLED_SSL=OFF" +make_check_target=check hostmakedepends="pkg-config" -makedepends="openssl-devel libuv-devel zlib-devel" +makedepends="openssl-devel libuv-devel zlib-devel libyaml-devel" depends="perl" +checkdepends="perl-Test-TCP perl-Test-Exception perl-URI perl-Path-Tiny + perl-Scope-Guard curl wget netcat" short_desc="Optimized HTTP server with support for HTTP/1.x and HTTP/2" maintainer="Orphaned " license="MIT" 
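Review bot: `char *ca_path = "/etc/ssl/certs";` points a non-const pointer at a string literal; `SSL_CTX_load_verify_locations` takes `const char *`, so write `const char *ca_path = "/etc/ssl/certs";`. The patch header still reads "On Debian systems" and "Forwarded: no (Debian-specific)", which is misleading once the patch lives in a Void template — reword it to state that Void's `/etc/ssl/certs` layout is the reason it applies here too. The CMakeLists.txt hunk leaves `#INSTALL(FILES share/h2o/ca-bundle.crt DESTINATION ${CMAKE_INSTALL_DATAROOTDIR}/h2o)` as commented-out code; delete the line instead of commenting it. The enclosing function in proxy.c starts and ends outside the hunk.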
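Review bot: The use-etc-ssl-certs patch makes the proxy handler load its trust store from `/etc/ssl/certs` at runtime, but `depends="perl"` still does not declare the package that provides that directory, so on a system without it the default proxy SSL context has no trust anchors and, because the handler sets `SSL_VERIFY_PEER`, every proxied HTTPS upstream fails verification after only a stderr warning. Change the line to `depends="perl ca-certificates"` — the package name is inferred from Void convention, confirm it. `configure_args="-DWITH_BUNDLED_SSL=OFF"` together with `openssl-devel` in `makedepends` is the right choice: a bundled TLS library would not receive the distribution's security updates.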
@@ -20,6 +24,17 @@ make_dirs=" /var/log/h2o 0755 h2o h2o /srv/www/h2o 0755 h2o h2o" +pre_check() { + local t + export PERL5LIB="${wrksrc}" + for t in 40proxy-protocol 50access-log 50http2_debug_state \ + 50internal-redirect 50servername 50status \ + 80invalid-h2-chars-in-headers + do + rm -f t/${t}.t + done +} + post_install() { vsv h2o vconf ${FILESDIR}/h2o.conf
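Review bot: `pre_check()` deletes seven test files with `rm -f t/${t}.t` but records no reason, so the next maintainer cannot tell whether they fail because of sandbox restrictions, missing tools, or a real regression, and cannot know when it is safe to re-enable them. Add a comment above the loop such as `# tests deleted because <reason per test — TODO confirm>` and, where only one case in a file fails, prefer a patch that skips that case over deleting the whole file. `export PERL5LIB="${wrksrc}"` stays exported for the rest of the check stage; if it is needed only so the tests find the helper modules under the source root, a one-line comment saying so keeps the scope intentional.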