I've worked it out. The test in configure.ac (and the resulting test in configure) is not correct, as it's expecting (I think) a variant of the value from opensslv.h (i.e. OPENSSL_VERSION_NUMBER 0x009080bfL), which is not what configure is actually testing against. That, and it's missing the second set of brackets needed for the regexp test.

Values of $ssl_library_ver from configure being tested against ...

Centos 2.1          "90602f (OpenSSL 0.9.6b [engine] 9 Jul 2001)"
RHEL 3-4            "90701f (OpenSSL 0.9.7a Feb 19 2003)"
RHEL 5              "90802f (OpenSSL 0.9.8e-rhel5 01 Jul 2008)"
AIX 5.3             "90811f (OpenSSL 0.9.8k 25 Mar 2009)"
HP-UX 11.23         "90817f (OpenSSL 0.9.8w 23 Apr 2012)"
HP-UX 11.31         "90819f (OpenSSL 0.9.8y 5 Feb 2013)"
RHEL 6.0-4          "10000003 (OpenSSL 1.0.0-fips 29 Mar 2010)"
AIX 6-7/RHEL 6.5+   "1000105f (OpenSSL 1.0.1e 11 Feb 2013)"

So after applying this patch - and re-running autoconf - configure will error out on old openssl versions as expected.

---CUT---
*** openssh/configure.ac 2014-08-19 18:05:03.000000000 -0700 --- openssh-fix/configure.ac 2014-08-21 12:39:23.038445826 -0700 *************** *** 2289,2293 **** # Check version is supported. case "$ssl_library_ver" in ! 0090[0-7]*|009080[0-5]*) AC_MSG_ERROR([OpenSSL >= 0.9.8f required]) ;; --- 2289,2293 ---- # Check version is supported. case "$ssl_library_ver" in ! 90[[0-7]]*|9080[[0-5]]*) AC_MSG_ERROR([OpenSSL >= 0.9.8f required]) ;;
---CUT---

It should generate this (depending on your version of autoconf) in configure

    ssl_library_ver=`cat conftest.ssllibver`
    # Check version is supported.
    case "$ssl_library_ver" in
            90[0-7]*|9080[0-5]*)
                    as_fn_error $? "OpenSSL >= 0.9.8f required" "$LINENO" 5
                    ;;
            *) ;;
    esac

On Thu, Aug 21, 2014 at 8:22 AM, Kevin Brott <kevin.brott@xxxxxxxxx> wrote:
>
> Example ...
>
> Using openssh-SNAP-20140822.tar.gz ... on Centos 2.1 ..
>
> $ openssl version
> OpenSSL 0.9.6b [engine] 9 Jul 2001
>
> $ ./configure
> ...
> checking OpenSSL header version... 
90602f (OpenSSL 0.9.6b [engine] 9 Jul
> 2001)
> checking OpenSSL library version... 90602f (OpenSSL 0.9.6b [engine] 9 Jul
> 2001)
> checking whether OpenSSL's headers match the library... yes
> checking if programs using OpenSSL functions will link... yes
> checking whether OpenSSL has crippled AES support... yes
> checking whether OpenSSL has AES CTR via EVP... no
> checking whether OpenSSL has AES GCM via EVP... no
> checking whether OpenSSL has NID_X9_62_prime256v1... no
> checking whether OpenSSL has NID_secp384r1... no
> checking whether OpenSSL has NID_secp521r1... no
> checking whether OpenSSL's PRNG is internally seeded... yes
> ...
> Host: i686-pc-linux-gnu
> Compiler: gcc
> Compiler flags: -g -O2 -Wall -Wpointer-arith -Wuninitialized
> -Wsign-compare -Wformat-security -fno-strict-aliasing -D_FORTIFY_SOURCE=2
> -fno-builtin-memset -std=gnu99
> Preprocessor flags:
> Linker flags: -Wl,-z,relro -Wl,-z,now -Wl,-z,noexecstack
> Libraries: -lresolv -lcrypto -lrt -ldl -lutil -lz -lnsl -lcrypt
>
> $ gmake
> ...
> gcc -g -O2 -Wall -Wpointer-arith -Wuninitialized -Wsign-compare
> -Wformat-security -fno-strict-aliasing -D_FORTIFY_SOURCE=2
> -fno-builtin-memset -std=gnu99 -I. -I.. -I. -I./.. -DHAVE_CONFIG_H -c
> openssl-compat.c
> In file included from openssl-compat.c:32:
> openssl-compat.h:28:2: #error OpenSSL 0.9.8f or greater is required
> gmake[1]: *** [openssl-compat.o] Error 1
> gmake[1]: Leaving directory `/usr/src/openssh/openbsd-compat'
> gmake: *** [openbsd-compat/libopenbsd-compat.a] Error 2
>
> This happens on all the Red Hat based systems where openssl < 1.0.0-fips
>
>
>
> On Wed, Aug 20, 2014 at 5:47 PM, Damien Miller <djm@xxxxxxxxxxx> wrote:
>
>> On Wed, 20 Aug 2014, Kevin Brott wrote:
>>
>> > FAIL*1 - configure completes without errors ...
>> > make[1]: Entering directory `/usr/src/openssh/openbsd-compat'
>> > gcc -g -O2 -Wall -Wpointer-arith -Wuninitialized -Wsign-compare
>> > -Wformat-security -fno-strict-aliasing -D_FORTIFY_SOURCE=2
>> > -fno-builtin-memset -std=gnu99 -I. -I.. -I. -I./.. -DHAVE_CONFIG_H -c
>> > openssl-compat.c
>> > In file included from openssl-compat.c:32:
>> > openssl-compat.h:28:2: #error OpenSSL 0.9.8f or greater is required
>>
>> that's strange - you aren't cross-compiling? The test in configure.ac
>> won't work for x-compiles.
>>
>> If not, what does configure report your OpenSSL version as? e.g.
>>
>> checking OpenSSL header version... 1000106f (OpenSSL 1.0.1f 6 Jan 2014)
>> checking OpenSSL library version... 1000106f (OpenSSL 1.0.1f 6 Jan 2014)
>>
>> > make[1]: Leaving directory `/usr/src/openssh/openbsd-compat'
>> > make: *** [openbsd-compat/libopenbsd-compat.a] Error 2
>> >
>> > FAIL*2 - port-aix.c still fails to compile on RHEL and AIX where ec.h
>> isn't
>> > part of openssl ...
>> > gcc -g -O2 -Wall -Wpointer-arith -Wuninitialized -Wsign-compare
>> > -Wformat-security -Wno-pointer-sign -fno-strict-aliasing
>> -D_FORTIFY_SOURCE=2
>> > -ftrapv -fno-builtin-memset -fstack-protector-all -fPIE -I. -I.. -I.
>> > -I./.. -DHAVE_CONFIG_H -c port-aix.c
>> > In file included from port-aix.c:31:
>> > ../key.h:85: warning: type defaults to 'int' in declaration of
>> 'EC_GROUP'
>> > ../key.h:85: error: expected ';', ',' or ')' before '*' token
>> > ../key.h:86: warning: type defaults to 'int' in declaration of
>> 'EC_KEY'
>> > ../key.h:86: error: expected ';', ',' or ')' before '*' token
>>
>> another missing check for no-ECC OpenSSL:
>>
>> Index: key.h >> =================================================================== >> RCS file: /var/cvs/openssh/key.h,v >> retrieving revision 1.45 >> diff -u -p -r1.45 key.h >> --- key.h 2 Jul 2014 05:28:03 -0000 1.45 >> +++ key.h 21 Aug 2014 00:46:48 -0000 
>> @@ -81,10 +81,10 @@ int key_cert_check_authority(const Key >> const char **); >> char *key_alg_list(int, int); >> >> -#ifdef WITH_OPENSSL >> +#if defined(WITH_OPENSSL) && defined(OPENSSL_HAS_ECC) >> int key_ec_validate_public(const EC_GROUP *, const EC_POINT *); >> int key_ec_validate_private(const EC_KEY *); >> -#endif /* WITH_OPENSSL */ >> +#endif /* defined(WITH_OPENSSL) && defined(OPENSSL_HAS_ECC) */ >> >> Key *key_from_blob(const u_char *, u_int); >> int key_to_blob(const Key *, u_char **, u_int *); >>
>
>
>
> --
> # include <stddisclaimer.h>
> /* Kevin Brott <Kevin.Brott@xxxxxxxxx> */
>
>

--
# include <stddisclaimer.h>
/* Kevin Brott <Kevin.Brott@xxxxxxxxx> */
_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
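
Review bot: in the configure.ac hunk at 2289, the replacement pattern 90[[0-7]]*|9080[[0-5]]* only works while $ssl_library_ver is printed as hex without leading zeros, and nothing at the case statement records that. A comment above the case giving a sample value (the thread shows "90602f (OpenSSL 0.9.6b ...)") and noting that the doubled brackets are m4 quoting would keep the pattern and the printed format from drifting apart again, which is how the 0090[0-7]* form ended up letting old versions through configure.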
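
Review bot: in the key.h hunk at line 81, key_ec_validate_public() and key_ec_validate_private() are now declared only when both WITH_OPENSSL and OPENSSL_HAS_ECC are defined, so their definitions and every call site need the same condition, otherwise a no-ECC build just fails later with an implicit declaration or at link time. The hunk covers only the prototypes, so that is worth confirming before commit.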
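
Added example, not part of the original post or of OpenSSH: a shell check that runs the case patterns discussed above against the $ssl_library_ver values listed in the post, showing that the 0090... form never matches and which versions the corrected pattern rejects. The helper names matches and rejected are hypothetical, and the "after autoconf" pattern assumes m4 strips one bracket level, as the post's before/after implies.

```shell
#!/bin/sh
# Values of $ssl_library_ver copied from the list in the post above.
VERSIONS='90602f (OpenSSL 0.9.6b [engine] 9 Jul 2001)
90701f (OpenSSL 0.9.7a Feb 19 2003)
90802f (OpenSSL 0.9.8e-rhel5 01 Jul 2008)
90811f (OpenSSL 0.9.8k 25 Mar 2009)
90817f (OpenSSL 0.9.8w 23 Apr 2012)
90819f (OpenSSL 0.9.8y 5 Feb 2013)
10000003 (OpenSSL 1.0.0-fips 29 Mar 2010)
1000105f (OpenSSL 1.0.1e 11 Feb 2013)'

# matches VALUE PATTERN...: succeed if VALUE matches any of the case globs.
# (Hypothetical helper; configure itself uses a literal "a|b)" alternation.)
matches() {
    v=$1
    shift
    for p in "$@"; do
        # Unquoted $p is treated as a pattern, like a literal case arm.
        case "$v" in
            $p) return 0 ;;
        esac
    done
    return 1
}

# rejected PATTERN...: print the hex field of every listed version that the
# given patterns would send to AC_MSG_ERROR, space separated.
rejected() {
    out=
    while IFS= read -r line; do
        if matches "$line" "$@"; then
            out="$out${out:+ }${line%% *}"
        fi
    done <<EOF
$VERSIONS
EOF
    printf '%s\n' "$out"
}

# Pattern as written in the old configure.ac.
echo "as written:     [$(rejected '0090[0-7]*' '009080[0-5]*')]"
# Assumed form after m4 strips one bracket level (implied by the post's fix).
echo "after autoconf: [$(rejected '00900-7*' '0090800-5*')]"
# Pattern in the configure generated from the patched configure.ac.
echo "patched:        [$(rejected '90[0-7]*' '9080[0-5]*')]"
```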