
Why is ssl-v23 the default method when it is deprecated upstream? #34

Closed
sabracrolleton opened this issue Dec 31, 2015 · 46 comments
Comments

@sabracrolleton

Should not the default method be ssl-TLSv1-2-method or something considered more secure than ssl-v23 which is deprecated by open-ssl?

@deadtrickster
Contributor

@sabracrolleton
Because there is no way for old openssl versions to say "I want tls only". So here https://github.com/cl-plus-ssl/cl-plus-ssl/blob/master/src/context.lisp#L94 we are using v23 and then disable v2 and v3. In recent OpenSSL versions they introduced TLS_method.
In ffi.lisp it is used for compatibility reasons because no one in the CL community cares.

@avodonosov
Member

@sabracrolleton the formalistic answer to your "why" - it's because the upstream deprecating it is just upstream, it's not released yet. We can't rely on it because it's not available on all platforms.

or something considered more secure

what can you suggest?

@sabracrolleton
Author

Thank you for the response. Not sure I can suggest anything because I know
just enough to be dangerous. Will think about the platform problem.

Sabra


@avodonosov
Member

@sabracrolleton , thanks for your report anyway. At least I've learned about the problem.

As for the fix, the approach implemented by @deadtrickster seems reasonable - we use v23 and then disable v2 and v3. We could fix the initialize method from ffi.lisp in a similar way (pull requests are welcome, with doc update where necessary and without unnecessary backwards compatibility breakages).

@phmarek
Contributor

phmarek commented Dec 10, 2018

Well, as of now everything <= TLS 1.1 is "officially" deprecated (Firefox, Chrome, Safari, Edge [1]; PCI [2]); and with TLS 1.2 out for more than 10 years, I'd propose to default to TLS 1.2 now, and to put the onus of providing the option in case of compatibility problems on the few specific users.

[1]: e.g. https://www.tomshardware.com/news/major-browsers-deprecate-tls-1.0-1.1,37932.html
[2]: https://blog.pcisecuritystandards.org/are-you-ready-for-30-june-2018-sayin-goodbye-to-ssl-early-tls

Please, let's make that transition.

@avodonosov
Member

@phmarek, are you open to submit a pull request (with doc update describing the options?)

@phmarek
Contributor

phmarek commented Dec 11, 2018

I can try to.

Is index.html generated in some way or hand-written?

@avodonosov
Member

hand-written

phmarek added a commit to phmarek/cl-plus-ssl that referenced this issue Dec 11, 2018
See issue 34[1] for the discussion.
Doc change to follow.

Ad 1: cl-plus-ssl#34
@phmarek
Contributor

phmarek commented Dec 11, 2018

As a base for discussion please see https://github.com/phmarek/cl-plus-ssl/tree/modern-tls.

The interesting thing is -- the important commit is the last one, using openssl-1.1. The commits before that one, even including ssl-ctx-set-min-proto-version, still allow TLS-1.0; only the defaults in libssl1.1=1.1.1a-1 achieve the goal of setting up only new cipher suites.

The problem seems to be that MAKE-CONTEXT is never used -- and so the expected default settings aren't actually set up.
I guess that

  (setf *ssl-global-context* (ssl-ctx-new *ssl-global-method*))

(in INITIALIZE) would be a good place to call it, but as it is now we run into a loop as the ENSURE-INITIALIZED doesn't have *SSL-GLOBAL-CONTEXT* set already.

But perhaps I'm missing some small detail - how would MAKE-CONTEXT be used for an SSL server?

Please note that the documentation is not updated yet - I'll need a working implementation (even for older SSL versions) before I'm going to change it.

@avodonosov
Member

@phmarek , I like your commits. I posted a comment in one of them.

@phmarek
Contributor

phmarek commented Dec 12, 2018

@avodonosov: Thanks - please take & pick what you like, and let's continue discussion for the rest.

@phmarek
Contributor

phmarek commented Dec 12, 2018

Do you have an idea how MAKE-CONTEXT can be used?

@phmarek
Contributor

phmarek commented Dec 12, 2018

Okay, I've got an idea..

phmarek added a commit to phmarek/cl-plus-ssl that referenced this issue Dec 12, 2018
See issue 34[1] for the discussion.
Doc change to follow.

Ad 1: cl-plus-ssl#34
@phmarek
Contributor

phmarek commented Dec 12, 2018

Please see the new version of my branch... no doc, no compat re FFI, but an initial idea how to run MAKE-CONTEXT.

@avodonosov
Member

@phmarek , the make-context was introduced here: #24. See the examples there for how it was intended to be used.

@phmarek
Contributor

phmarek commented Dec 14, 2018

Thanks, that explains MAKE-CONTEXT for DRAKMA use - but I don't know yet how an SSL server (i.e. HUNCHENTOOT) should make use of that.

@phmarek
Contributor

phmarek commented Dec 14, 2018

@avodonosov: I pushed some more commits, please take a look.

Do you have any opinion about MAKE-CONTEXT usage for an SSL server? Should we/I split it into MAKE-CONTEXT and MODIFY-CONTEXT so that options of a (possibly active) server can be changed?

I wouldn't like having lots of small functions exported, so I'm tending to provide one MODIFY-CONTEXT with many keyword arguments instead.

@avodonosov
Member

avodonosov commented Dec 17, 2018

@phmarek, I do not really understand why you ask about many small modification functions or one modify-context.

The idea of make-context is that every independent part of application creates a context for itself. A server would create a context and pass it to ssl functions. That way we, for example, could have different ssl settings when running hunchentoot with ssl and when making https requests for drakma - they would use different contexts.

I doubt it is safe to modify a context while it is in active use.

If one needs to change server ssl options, he would create a new context and assign the new context to the server.

@phmarek
Contributor

phmarek commented Dec 17, 2018

@avodonosov I understand your point -- and I think you're right.
Still, doing it that way becomes a bit harder for people that "only" use libraries.

Imagine that I have a Hunchentoot HTTPS server (or multiple on different ports) and a TELNETS server in my application, and I want to use different settings for them (different CA, for example).
Now CL+SSL only allows one global context, so I'd have to figure out how the intermediate libraries use the SSL state, etc.

The right design would be to have a function per library to set the SSL context, which could then be created by MAKE-CONTEXT. But the library might need to set some defaults or override other settings, so it would need to change settings, not simply create a new context (again).
Or, each library has a MAKE-SSL-CONTEXT function with lots of keyword args (or a &REST), and passes that on to CL+SSL:MAKE-CONTEXT.

But we are not there yet (that each library supports its SSL context) -- so I'm pondering the design choices for that.

@phmarek
Contributor

phmarek commented Dec 27, 2018

Would it work in Corman Lisp to load the (most recent) openssl library first, look at the filename, and then define the FFI functions (or set them to #'error) depending on the name?

I first thought about setting a *FEATURES* flag (like OPENSSL-1-1) if the newer version is found, and then to mark the DEFCFUN forms with that - but that wouldn't work for a saved image (if that is possible in Corman Lisp at all?)

@avodonosov
Member

@phmarek , if the libraries modify their private context and not the global one, that would be ok, but why do you raise this question in this issue? In this ticket, we just need TLS 1.2 to be used by default (where ssl-v23 is used currently).

@avodonosov
Member

@phmarek

and then to mark the DEFCFUN forms with that

Mark how? I don't understand.

@phmarek
Contributor

phmarek commented Dec 29, 2018

I meant "mark" as in

#+openssl-1-0
(defcfun ...) ; function from openssl 1.0
#+openssl-1-1
(defcfun ...) ; function from openssl 1.1

but as this (only) works during readtime, it won't help with a saved/loaded image - in the meantime the available libraries could change.

So I think we have to wrap the DEFCFUN in an IGNORE-ERRORS, do these on every initialization, and provide some (ERROR "not available") stub when DEFCFUN tells us the function isn't there.

Do you think that could work on all supported implementations?

@avodonosov
Member

I see.

I was thinking also to split ffi.lisp into ffi-common.lisp, ffi-1.0.lisp, ffi-0.9.lisp and so on. Loading them conditionally based on openssl version. But maybe that's an overkill and keeping everything in one file is cleaner.

I'm not sure we should pursue image loading with different openssl version possibility in the first attempt to solve the compatibility problem. It deserves to be analyzed, but if difficult to solve can be postponed.

But even if we postpone image reload support, read-time conditionals are too restrictive - one will need to recompile the code when he uses a different OpenSSL version. It's better to not wipe out the code for these foreign functions as read-time conditionals do, but keep it under some kind of IF.

@avodonosov
Member

avodonosov commented Dec 30, 2018

So I think we have to wrap the DEFCFUN in an IGNORE-ERRORS, do these on every initialization, and provide some (ERROR "not available") stub when DEFCFUN tells us the function isn't there.

Do you think that could work on all supported implementations?

The wrapper idea is good. As I understand, DEFCFUN is not guaranteed to raise an error or signal in any way the absence of a foreign function - on some implementations it will fail at load time, on other implementations the error will only happen when we attempt to call the foreign function. So the wrapper can also consult the current openssl version.

Maybe the version requirements can be passed as an optional parameter to DEFINE-SSL-FUNCTION and DEFINE-CRYPTO-FUNCTION, which define the wrapper.

Maybe the wrapper can even call CFFI:DEFCFUN lazily - if that function is not defined yet (will it be useful?).

I'm thinking of workflow like:

  • load cl+ssl,
  • call cl+ssl:some-openssl-function-not-present-in-current-version,
  • get an error,
  • load newer openssl,
  • call this function again and have it working.

One caveat: when breaking backward compatibility, OpenSSL developers not only remove functions. They also change function parameters. For example, up to OpenSSL 1.0.2 CRYPTO_free had only one argument, but after 1.0.2 crypto_free has 3 arguments. I wanted to use these functions to implement decode-asn1-string here #30 (comment), but when I discovered that the function to check the openssl name is renamed too, from SSLeay to OpenSSL_version_num, I gave up and we maintain lisp code to decode asn1 strings.

So, maybe we should not try to solve all compatibility questions on the wrapper level, otherwise we will need wrapper to check argument numbers and possibly types. It may be simpler to do in user code.

@phmarek
Contributor

phmarek commented Dec 30, 2018

Hmmm, does cffi:load-foreign-library reliably return an error if the library is not found?

Because then we could define libssl as libssl.so.1.1 first and try to l-f-l it, and if that doesn't work, we redefine libssl as per the various .1.0 variants and retry. This way we can store which ssl version is actually loaded, and then run defcfun (via eval) only for functions we know to exist - and define the others as (error "n/i").

That would feel a little bit better than checking the file name of the loaded library; sadly, because of the preprocessor macros being used there's no single function that returns the version number - OpenSSL_version_num resp. SSLeay depend on the SSL version, too...

@phmarek
Contributor

phmarek commented Dec 30, 2018

Well, wait, after loading the SSL library we can just do (eval (ignore-errors (defcfun ...))) - EVAL returns multiple values, so we can see whether an error was triggered.

After trying to get the version number functions we can run one that could be defined and find out the real version without bothering with file name guessing - and then define the other functions depending on the version!

That "just" means that the define-*function macros need to store the definition somewhere instead of doing defcfun directly -- but that shouldn't be a problem...

@phmarek
Contributor

phmarek commented Dec 30, 2018

What do you think about the last commit on https://github.com/phmarek/cl-plus-ssl/tree/modern-tls?
Is that a good approach? (No functions tagged with versions yet, just something to look at)

@phmarek
Contributor

phmarek commented Dec 30, 2018

Updated the branch with a few functions marked that way; seems to work on SBCL

@avodonosov
Member

@phmarek , this is very close to what I was thinking about (several variations are possible).

But we discussed a wide number of topics, and it's better to commit them piece by piece.

In this ticket, I think we should just create openssl-version working reliably with different versions of OpenSSL and different lisp implementations.

Then utilize this function to use TLS_method in OpenSSL versions where it is available.

I want to setup a test environment to run the cl+ssl testsuite with a number of lisp implementations and with a number of openssl versions. (The testsuite will include a call to openssl-version function).

This can be enough to close the current ticket.

Other OpenSSL API changes (like CRYPTO_num_locks) can be handled in other tickets.

Support of image reload with another OpenSSL version would be yet another ticket.

@avodonosov
Member

@phmarek , some news.

I've set up the test environment; it can run the cl+ssl test suite on 7 lisp implementations with 5 openssl releases. The results:

(("sbcl-1.3.21-linux-x86" "openssl-0.9.8zh"
  (:FAILED-TESTS NIL :KNOWN-TO-FAIL NIL))
 ("sbcl-1.3.21-linux-x86" "openssl-1.0.0s"
  (:FAILED-TESTS NIL :KNOWN-TO-FAIL NIL))
 ("sbcl-1.3.21-linux-x86" "openssl-1.0.2q"
  (:FAILED-TESTS NIL :KNOWN-TO-FAIL NIL))
 ("sbcl-1.3.21-linux-x86" "openssl-1.1.0j"
  (:FAILED-TESTS
   ("common-lisp.null" "cl+ssl.test.expired" "cl+ssl.test.wrong.host"
    "cl+ssl.test.verify-google-cert-dns-wildcard"
    "cl+ssl.test.verify-google-cert")
   :KNOWN-TO-FAIL NIL))
 ("sbcl-1.3.21-linux-x86" "openssl-1.1.1a"
  (:FAILED-TESTS
   ("common-lisp.null" "cl+ssl.test.expired" "cl+ssl.test.wrong.host"
    "cl+ssl.test.verify-google-cert-dns-wildcard"
    "cl+ssl.test.verify-google-cert")
   :KNOWN-TO-FAIL NIL))
 ("ccl-1.11-5-rv1.11.5-f96-linux-x86" "openssl-0.9.8zh"
  (:FAILED-TESTS NIL :KNOWN-TO-FAIL NIL))
 ("ccl-1.11-5-rv1.11.5-f96-linux-x86" "openssl-1.0.0s"
  (:FAILED-TESTS NIL :KNOWN-TO-FAIL NIL))
 ("ccl-1.11-5-rv1.11.5-f96-linux-x86" "openssl-1.0.2q"
  (:FAILED-TESTS NIL :KNOWN-TO-FAIL NIL))
 ("ccl-1.11-5-rv1.11.5-f96-linux-x86" "openssl-1.1.0j"
  (:FAILED-TESTS
   ("cl+ssl.test.wrong.host" "common-lisp.null" "cl+ssl.test.expired"
    "cl+ssl.test.verify-google-cert-dns-wildcard"
    "cl+ssl.test.verify-google-cert")
   :KNOWN-TO-FAIL NIL))
 ("ccl-1.11-5-rv1.11.5-f96-linux-x86" "openssl-1.1.1a"
  (:FAILED-TESTS
   ("cl+ssl.test.wrong.host" "common-lisp.null" "cl+ssl.test.expired"
    "cl+ssl.test.verify-google-cert-dns-wildcard"
    "cl+ssl.test.verify-google-cert")
   :KNOWN-TO-FAIL NIL))
 ("abcl-1.5.0-fasl43-linux-x86" "openssl-0.9.8zh" :CRASH)
 ("abcl-1.5.0-fasl43-linux-x86" "openssl-1.0.0s" :CRASH)
 ("abcl-1.5.0-fasl43-linux-x86" "openssl-1.0.2q" :CRASH)
 ("abcl-1.5.0-fasl43-linux-x86" "openssl-1.1.0j" :CRASH)
 ("abcl-1.5.0-fasl43-linux-x86" "openssl-1.1.1a" :CRASH)
 ("acl-10.0-linux-x86" "openssl-0.9.8zh"
  (:FAILED-TESTS NIL :KNOWN-TO-FAIL NIL))
 ("acl-10.0-linux-x86" "openssl-1.0.0s"
  (:FAILED-TESTS NIL :KNOWN-TO-FAIL NIL))
 ("acl-10.0-linux-x86" "openssl-1.0.2q"
  (:FAILED-TESTS NIL :KNOWN-TO-FAIL NIL))
 ("acl-10.0-linux-x86" "openssl-1.1.0j"
  (:FAILED-TESTS
   ("cl+ssl.test.verify-google-cert"
    "cl+ssl.test.verify-google-cert-dns-wildcard"
    "cl+ssl.test.expired" "common-lisp.null"
    "cl+ssl.test.wrong.host")
   :KNOWN-TO-FAIL NIL))
 ("acl-10.0-linux-x86" "openssl-1.1.1a"
  (:FAILED-TESTS
   ("cl+ssl.test.verify-google-cert"
    "cl+ssl.test.verify-google-cert-dns-wildcard"
    "cl+ssl.test.expired" "common-lisp.null"
    "cl+ssl.test.wrong.host")
   :KNOWN-TO-FAIL NIL))
 ("acl-10.0m-linux-x86" "openssl-0.9.8zh" :FAIL)
 ("acl-10.0m-linux-x86" "openssl-1.0.0s" :FAIL)
 ("acl-10.0m-linux-x86" "openssl-1.0.2q" :FAIL)
 ("acl-10.0m-linux-x86" "openssl-1.1.0j" :FAIL)
 ("acl-10.0m-linux-x86" "openssl-1.1.1a" :FAIL)
 ("acl-10.0s-linux-x86" "openssl-0.9.8zh"
  (:FAILED-TESTS NIL :KNOWN-TO-FAIL NIL))
 ("acl-10.0s-linux-x86" "openssl-1.0.0s"
  (:FAILED-TESTS NIL :KNOWN-TO-FAIL NIL))
 ("acl-10.0s-linux-x86" "openssl-1.0.2q"
  (:FAILED-TESTS NIL :KNOWN-TO-FAIL NIL))
 ("acl-10.0s-linux-x86" "openssl-1.1.0j"
  (:FAILED-TESTS
   ("cl+ssl.test.verify-google-cert"
    "cl+ssl.test.verify-google-cert-dns-wildcard"
    "cl+ssl.test.expired" "common-lisp.null"
    "cl+ssl.test.wrong.host")
   :KNOWN-TO-FAIL NIL))
 ("acl-10.0s-linux-x86" "openssl-1.1.1a"
  (:FAILED-TESTS
   ("cl+ssl.test.verify-google-cert"
    "cl+ssl.test.verify-google-cert-dns-wildcard"
    "cl+ssl.test.expired" "common-lisp.null"
    "cl+ssl.test.wrong.host")
   :KNOWN-TO-FAIL NIL))
 ("acl-10.0ms-linux-x86" "openssl-0.9.8zh" :FAIL)
 ("acl-10.0ms-linux-x86" "openssl-1.0.0s" :FAIL)
 ("acl-10.0ms-linux-x86" "openssl-1.0.2q" :FAIL)
 ("acl-10.0ms-linux-x86" "openssl-1.1.0j" :FAIL)
 ("acl-10.0ms-linux-x86" "openssl-1.1.1a" :FAIL)
 ("clisp-2.49-unix-x86" "openssl-0.9.8zh" :FAIL)
 ("clisp-2.49-unix-x86" "openssl-1.0.0s" :FAIL)
 ("clisp-2.49-unix-x86" "openssl-1.0.2q" :FAIL)
 ("clisp-2.49-unix-x86" "openssl-1.1.0j" :FAIL)
 ("clisp-2.49-unix-x86" "openssl-1.1.1a" :FAIL)
 ("ecl-16.1.2-unknown-linux-x86-bytecode" "openssl-0.9.8zh" :CRASH)
 ("ecl-16.1.2-unknown-linux-x86-bytecode" "openssl-1.0.0s" :CRASH)
 ("ecl-16.1.2-unknown-linux-x86-bytecode" "openssl-1.0.2q" :CRASH)
 ("ecl-16.1.2-unknown-linux-x86-bytecode" "openssl-1.1.0j"
  (:FAILED-TESTS
   ("cl+ssl.test.verify-google-cert-universal-string"
    "cl+ssl.test.verify-google-cert-without-dns"
    "cl+ssl.test.verify-google-cert"
    "cl+ssl.test.verify-google-cert-teletex-string"
    "cl+ssl.test.verify-google-cert-bmp-string"
    "cl+ssl.test.verify-google-cert-dns-wildcard"
    "cl+ssl.test.verify-google-cert-printable-string"
    "cl+ssl.test.expired" "common-lisp.null"
    "cl+ssl.test.wrong.host")
   :KNOWN-TO-FAIL NIL))
 ("ecl-16.1.2-unknown-linux-x86-bytecode" "openssl-1.1.1a"
  (:FAILED-TESTS
   ("cl+ssl.test.expired" "common-lisp.null" "cl+ssl.test.wrong.host"
    "cl+ssl.test.verify-google-cert-universal-string"
    "cl+ssl.test.verify-google-cert-teletex-string"
    "cl+ssl.test.verify-google-cert-dns-wildcard"
    "cl+ssl.test.verify-google-cert")
   :KNOWN-TO-FAIL NIL))
 ("ecl-16.1.2-unknown-linux-x86-lisp-to-c" "openssl-0.9.8zh"
  (:FAILED-TESTS NIL :KNOWN-TO-FAIL NIL))
 ("ecl-16.1.2-unknown-linux-x86-lisp-to-c" "openssl-1.0.0s"
  (:FAILED-TESTS NIL :KNOWN-TO-FAIL NIL))
 ("ecl-16.1.2-unknown-linux-x86-lisp-to-c" "openssl-1.0.2q"
  (:FAILED-TESTS NIL :KNOWN-TO-FAIL NIL))
 ("ecl-16.1.2-unknown-linux-x86-lisp-to-c" "openssl-1.1.0j"
  (:FAILED-TESTS
   ("common-lisp.null" "cl+ssl.test.wrong.host" "cl+ssl.test.expired"
    "cl+ssl.test.verify-google-cert"
    "cl+ssl.test.verify-google-cert-dns-wildcard")
   :KNOWN-TO-FAIL NIL))
 ("ecl-16.1.2-unknown-linux-x86-lisp-to-c" "openssl-1.1.1a"
  (:FAILED-TESTS
   ("cl+ssl.test.expired" "cl+ssl.test.wrong.host" "common-lisp.null"
    "cl+ssl.test.verify-google-cert-dns-wildcard"
    "cl+ssl.test.verify-google-cert")
   :KNOWN-TO-FAIL NIL))
 ("cmu-21d__21d_unicode_-linux-x86" "openssl-0.9.8zh" :FAIL)
 ("cmu-21d__21d_unicode_-linux-x86" "openssl-1.0.0s" :FAIL)
 ("cmu-21d__21d_unicode_-linux-x86" "openssl-1.0.2q" :FAIL)
 ("cmu-21d__21d_unicode_-linux-x86" "openssl-1.1.0j" :FAIL)
 ("cmu-21d__21d_unicode_-linux-x86" "openssl-1.1.1a" :FAIL))

BTW, if you want you can use this tool, I've added your github public key to the .ssh/authorized_keys on that server. You can access it as ssh [email protected], the script is located at ~/cl+ssl/cl-plus-ssl/test/run-on-many-lisps-and-openssls/run-on-server.sh

As we see from the results, CMUCL is already broken, even on OpenSSL 0.9.8. This is because the code base already refers to functions not existing in old versions - TLSv*_method :

(define-ssl-function ("TLSv1_client_method" ssl-TLSv1-client-method)

Also, I found that ignore-errors doesn't fix cffi:defcfun for not existing foreign functions. CMUCL seems to fail at fasl loading time not when executing the form, but when reading the form equivalent from the fasl.

But (cffi:foreign-funcall "OpenSSL_version_num" :long) can be wrapped into ignore-errors or if.

An example file available at the same machine at ~/cl+ssl/cl-plus-ssl/test/run-on-many-lisps-and-openssls/test-cmucl.lisp

(ql:quickload "cffi")

(cffi:load-foreign-library "/home/testgrid/cl+ssl/cl-plus-ssl/test/run-on-many-lisps-and-openssls/openssl-releases/bin/openssl-0.9.8zh/lib/libcrypto.so")

(cffi:load-foreign-library "/home/testgrid/cl+ssl/cl-plus-ssl/test/run-on-many-lisps-and-openssls/openssl-releases/bin/openssl-0.9.8zh/lib/libssl.so")

(cffi:foreign-funcall "SSLeay" :long)

(when nil
  (cffi:foreign-funcall "OpenSSL_version_num" :long))

;; uncomment this and you will have an error when loading the fasl file
;;
;; (when nil
;;   (cffi:defcfun ("OpenSSL_version_num" openssl-version-num)
;;       :long))


;; (compile-file "/home/testgrid/cl+ssl/cl-plus-ssl/test/run-on-many-lisps-and-openssls/test-cmucl.lisp")
;; (load "/home/testgrid/cl+ssl/cl-plus-ssl/test/run-on-many-lisps-and-openssls/test-cmucl")

So, probably we can approach it as:

#-cmucl
(cffi:defcfun ("OpenSSL_version_num" openssl-version-num)
    :long)
#+cmucl
(defun openssl-version-num ()
  (cffi:foreign-funcall "OpenSSL_version_num" :long))

However, I'm starting to think the CMUCL question can be postponed. We can fix for other lisps first.
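Putting the pieces discussed in this thread together (SSLv23_method plus SSL_OP_NO_* on OpenSSL before 1.1.0, TLS_method plus the min-proto-version control on 1.1.0+, and version detection without DEFCFUN so a missing function cannot break fasl loading), here is an added example; it is not cl+ssl code. The package name and the library file names are assumptions for a Linux host, and the numeric constants are the values from openssl/ssl.h.

```lisp
;;; Added example, not part of cl+ssl: build an SSL_CTX that only negotiates
;;; TLS 1.2 or newer, choosing the mechanism by the OpenSSL found at run time.
(ql:quickload "cffi")

(defpackage :tls12-default-demo (:use :cl))
(in-package :tls12-default-demo)

;; Library names are an assumption for a typical Linux box; adjust as needed.
(cffi:define-foreign-library libcrypto
  (:unix (:or "libcrypto.so.1.1" "libcrypto.so.1.0.0" "libcrypto.so"))
  (t (:default "libcrypto")))
(cffi:define-foreign-library libssl
  (:unix (:or "libssl.so.1.1" "libssl.so.1.0.0" "libssl.so"))
  (t (:default "libssl")))
(cffi:use-foreign-library libcrypto)
(cffi:use-foreign-library libssl)

;;; Values from openssl/ssl.h. SSL_CTRL_OPTIONS is only used on the pre-1.1.0
;;; path and SSL_CTRL_SET_MIN_PROTO_VERSION only on 1.1.0+, matching where
;;; each control is supported.
(defconstant +ssl-ctrl-options+ 32)
(defconstant +ssl-ctrl-set-min-proto-version+ 123)
(defconstant +tls1-2-version+ #x0303)
(defconstant +ssl-op-no-sslv2+   #x01000000)
(defconstant +ssl-op-no-sslv3+   #x02000000)
(defconstant +ssl-op-no-tlsv1+   #x04000000)
(defconstant +ssl-op-no-tlsv1-1+ #x10000000)

(defmacro call-foreign-no-args (name return-type)
  "Call a zero-argument C function through its symbol pointer. No DEFCFUN is
involved, so a function missing from the loaded OpenSSL signals a Lisp error
at call time instead of failing while the fasl is loaded (the CMUCL problem)."
  (let ((ptr (gensym "PTR")) (n (gensym "NAME")))
    `(let* ((,n ,name)
            (,ptr (cffi:foreign-symbol-pointer ,n)))
       (unless ,ptr
         (error "~A is not exported by the loaded OpenSSL" ,n))
       (cffi:foreign-funcall-pointer ,ptr () ,return-type))))

(defun openssl-version-num ()
  "OPENSSL_VERSION_NUMBER: OpenSSL_version_num on 1.1.0+, SSLeay before that."
  (if (cffi:foreign-symbol-pointer "OpenSSL_version_num")
      (call-foreign-no-args "OpenSSL_version_num" :unsigned-long)
      (call-foreign-no-args "SSLeay" :unsigned-long)))

(defun openssl-1-1-or-later-p ()
  ;; 0x10100000 is the first 1.1.0 version number.
  (>= (openssl-version-num) #x10100000))

(defun ssl-ctx-ctrl (ctx cmd larg)
  "SSL_CTX_set_options and SSL_CTX_set_min_proto_version are header macros
over SSL_CTX_ctrl, so SSL_CTX_ctrl is the one entry point present everywhere."
  (cffi:foreign-funcall "SSL_CTX_ctrl"
                        :pointer ctx :int cmd :long larg
                        :pointer (cffi:null-pointer)
                        :long))

(defun make-tls12-context ()
  "Return an SSL_CTX* restricted to TLS 1.2 and newer. The caller owns the
pointer and must release it with SSL_CTX_free."
  (let ((modern (openssl-1-1-or-later-p)))
    ;; On 1.0.x SSL_library_init must run before SSL_CTX_new, otherwise no
    ;; ciphers are loaded; on 1.1.0+ the name is a macro and init is automatic.
    (unless modern
      (call-foreign-no-args "SSL_library_init" :int))
    (let* ((method (call-foreign-no-args
                    (if modern "TLS_method" "SSLv23_method") :pointer))
           (ctx (cffi:foreign-funcall "SSL_CTX_new" :pointer method :pointer)))
      (when (cffi:null-pointer-p ctx)
        (error "SSL_CTX_new failed"))
      (if modern
          ;; Lower bound on the negotiated version, like the branch's
          ;; ssl-ctx-set-min-proto-version.
          (ssl-ctx-ctrl ctx +ssl-ctrl-set-min-proto-version+ +tls1-2-version+)
          ;; Old API: the v23 "any version" method with every version we do
          ;; not want switched off one by one.
          (ssl-ctx-ctrl ctx +ssl-ctrl-options+
                        (logior +ssl-op-no-sslv2+ +ssl-op-no-sslv3+
                                +ssl-op-no-tlsv1+ +ssl-op-no-tlsv1-1+)))
      ctx)))
```

To confirm the floor actually holds, connect with `openssl s_client -tls1_1` against a server using this context; the handshake should fail with a protocol-version alert while `-tls1_2` succeeds.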

@avodonosov
Member

avodonosov commented Jan 28, 2019

I have tried the

    #-cmucl
    (cffi:defcfun ("OpenSSL_version_num" openssl-version-num)
        :long)
    #+cmucl
    (defun openssl-version-num ()
      (cffi:foreign-funcall "OpenSSL_version_num" :long))

The fasl loading fails. So, a top-level (cffi:foreign-funcall "OpenSSL_version_num" :long) works, but when wrapped into a defun it fails at fasl loading time.

Definitely, CMUCL support can be postponed.

phmarek added a commit to phmarek/cl-plus-ssl that referenced this issue Jan 28, 2019
See issue 34[1] for the discussion.
Doc change to follow.

Ad 1: cl-plus-ssl#34
@phmarek
Contributor

phmarek commented Jan 28, 2019

That's great! Thank you very much, that'll help us a lot!

A few questions, though:

  • How about storing the git revision of CL+SSL in such dumps?
  • Do you already have something that writes that out as a 2D HTML table, OpenSSL version horizontally and Lisp implementation vertically, with green check marks and red X's or so and including OK/NAK counters? If we had such files (with the linear distance from e.g. aa78974 and the git hash) we can view them sorted (by time resp. evolution) and click through them to see what was fixed in which revision.
  • Would you like to take a look at my latest changes (the dyn-load branch)? Perhaps loading the functions at runtime (via eval) works better.

As an aside: How about a sudo apt-get install vim-nox vim-scripts, please?

testgrid@cl-test-grid:~/cl+ssl/cl-plus-ssl/test$ vim run-on-many-lisps-and-openssls/
-bash: vim: command not found

Thank you very much!

@avodonosov
Member

I don't have sudo rights on that machine. Emailed Erik Huelsmann who has.
Regarding the other points:

  1. Maybe good, but not implemented.
  2. I don't have such a thing; to be honest, it's not appealing enough to me to work on it - I'd rather spend efforts reusing the possibility to run with different OpenSSL versions at TravisCI and fixing it to work with more lisps (
    # CMUCL fails to load libssl on TravisCI, despite OpenSSL 1.0.1f is installed,
    ). Debug Travis CI builds are already enabled for that repo, so it's possible to ssh to the build machine and study why CMUCL and Allegro are broken.
  3. Will do later. (I posted a pair of comments though)

@avodonosov
Member

Erik replied that the vim packages are installed.

@avodonosov
Member

@phmarek, test results for the recent version of your dyn-load branch + the recent usocket:

(("sbcl-1.3.21-linux-x86" "openssl-0.9.8zh"
  (:FAILED-TESTS
   ("common-lisp.null" "cl+ssl.test.expired" "cl+ssl.test.wrong.host"
    "cl+ssl.test.verify-google-cert-universal-string"
    "cl+ssl.test.verify-google-cert-bmp-string"
    "cl+ssl.test.verify-google-cert-teletex-string"
    "cl+ssl.test.verify-google-cert-printable-string"
    "cl+ssl.test.verify-google-cert-without-dns"
    "cl+ssl.test.verify-google-cert-dns-wildcard"
    "cl+ssl.test.verify-google-cert")
   :KNOWN-TO-FAIL NIL))
 ("sbcl-1.3.21-linux-x86" "openssl-1.0.0s"
  (:FAILED-TESTS
   ("common-lisp.null" "cl+ssl.test.expired" "cl+ssl.test.wrong.host"
    "cl+ssl.test.verify-google-cert-universal-string"
    "cl+ssl.test.verify-google-cert-bmp-string"
    "cl+ssl.test.verify-google-cert-teletex-string"
    "cl+ssl.test.verify-google-cert-printable-string"
    "cl+ssl.test.verify-google-cert-without-dns"
    "cl+ssl.test.verify-google-cert-dns-wildcard"
    "cl+ssl.test.verify-google-cert")
   :KNOWN-TO-FAIL NIL))
 ("sbcl-1.3.21-linux-x86" "openssl-1.0.2q"
  (:FAILED-TESTS
   ("common-lisp.null" "cl+ssl.test.expired" "cl+ssl.test.wrong.host"
    "cl+ssl.test.verify-google-cert-universal-string"
    "cl+ssl.test.verify-google-cert-bmp-string"
    "cl+ssl.test.verify-google-cert-teletex-string"
    "cl+ssl.test.verify-google-cert-printable-string"
    "cl+ssl.test.verify-google-cert-without-dns"
    "cl+ssl.test.verify-google-cert-dns-wildcard"
    "cl+ssl.test.verify-google-cert")
   :KNOWN-TO-FAIL NIL))
 ("sbcl-1.3.21-linux-x86" "openssl-1.1.0j"
  (:FAILED-TESTS
   ("common-lisp.null" "cl+ssl.test.expired" "cl+ssl.test.wrong.host"
    "cl+ssl.test.verify-google-cert-universal-string"
    "cl+ssl.test.verify-google-cert-bmp-string"
    "cl+ssl.test.verify-google-cert-teletex-string"
    "cl+ssl.test.verify-google-cert-printable-string"
    "cl+ssl.test.verify-google-cert-without-dns"
    "cl+ssl.test.verify-google-cert-dns-wildcard"
    "cl+ssl.test.verify-google-cert")
   :KNOWN-TO-FAIL NIL))
 ("sbcl-1.3.21-linux-x86" "openssl-1.1.1a"
  (:FAILED-TESTS
   ("common-lisp.null" "cl+ssl.test.expired" "cl+ssl.test.wrong.host"
    "cl+ssl.test.verify-google-cert-universal-string"
    "cl+ssl.test.verify-google-cert-bmp-string"
    "cl+ssl.test.verify-google-cert-teletex-string"
    "cl+ssl.test.verify-google-cert-printable-string"
    "cl+ssl.test.verify-google-cert-without-dns"
    "cl+ssl.test.verify-google-cert-dns-wildcard"
    "cl+ssl.test.verify-google-cert")
   :KNOWN-TO-FAIL NIL))
 ("ccl-1.11-5-rv1.11.5-f96-linux-x86" "openssl-0.9.8zh"
  (:FAILED-TESTS
   ("cl+ssl.test.wrong.host" "common-lisp.null" "cl+ssl.test.expired"
    "cl+ssl.test.verify-google-cert-bmp-string"
    "cl+ssl.test.verify-google-cert-dns-wildcard"
    "cl+ssl.test.verify-google-cert-without-dns"
    "cl+ssl.test.verify-google-cert-teletex-string"
    "cl+ssl.test.verify-google-cert"
    "cl+ssl.test.verify-google-cert-printable-string"
    "cl+ssl.test.verify-google-cert-universal-string")
   :KNOWN-TO-FAIL NIL))
 ("ccl-1.11-5-rv1.11.5-f96-linux-x86" "openssl-1.0.0s"
  (:FAILED-TESTS
   ("cl+ssl.test.wrong.host" "common-lisp.null" "cl+ssl.test.expired"
    "cl+ssl.test.verify-google-cert-bmp-string"
    "cl+ssl.test.verify-google-cert-dns-wildcard"
    "cl+ssl.test.verify-google-cert-without-dns"
    "cl+ssl.test.verify-google-cert-teletex-string"
    "cl+ssl.test.verify-google-cert"
    "cl+ssl.test.verify-google-cert-printable-string"
    "cl+ssl.test.verify-google-cert-universal-string")
   :KNOWN-TO-FAIL NIL))
 ("ccl-1.11-5-rv1.11.5-f96-linux-x86" "openssl-1.0.2q"
  (:FAILED-TESTS
   ("cl+ssl.test.wrong.host" "common-lisp.null" "cl+ssl.test.expired"
    "cl+ssl.test.verify-google-cert-bmp-string"
    "cl+ssl.test.verify-google-cert-dns-wildcard"
    "cl+ssl.test.verify-google-cert-without-dns"
    "cl+ssl.test.verify-google-cert-teletex-string"
    "cl+ssl.test.verify-google-cert"
    "cl+ssl.test.verify-google-cert-printable-string"
    "cl+ssl.test.verify-google-cert-universal-string")
   :KNOWN-TO-FAIL NIL))
 ("ccl-1.11-5-rv1.11.5-f96-linux-x86" "openssl-1.1.0j"
  (:FAILED-TESTS
   ("cl+ssl.test.wrong.host" "common-lisp.null" "cl+ssl.test.expired"
    "cl+ssl.test.verify-google-cert-bmp-string"
    "cl+ssl.test.verify-google-cert-dns-wildcard"
    "cl+ssl.test.verify-google-cert-without-dns"
    "cl+ssl.test.verify-google-cert-teletex-string"
    "cl+ssl.test.verify-google-cert"
    "cl+ssl.test.verify-google-cert-printable-string"
    "cl+ssl.test.verify-google-cert-universal-string")
   :KNOWN-TO-FAIL NIL))
 ("ccl-1.11-5-rv1.11.5-f96-linux-x86" "openssl-1.1.1a"
  (:FAILED-TESTS
   ("cl+ssl.test.wrong.host" "common-lisp.null" "cl+ssl.test.expired"
    "cl+ssl.test.verify-google-cert-bmp-string"
    "cl+ssl.test.verify-google-cert-dns-wildcard"
    "cl+ssl.test.verify-google-cert-without-dns"
    "cl+ssl.test.verify-google-cert-teletex-string"
    "cl+ssl.test.verify-google-cert"
    "cl+ssl.test.verify-google-cert-printable-string"
    "cl+ssl.test.verify-google-cert-universal-string")
   :KNOWN-TO-FAIL NIL))
 ("abcl-1.5.0-fasl43-linux-x86" "openssl-0.9.8zh" :CRASH)
 ("abcl-1.5.0-fasl43-linux-x86" "openssl-1.0.0s" :CRASH)
 ("abcl-1.5.0-fasl43-linux-x86" "openssl-1.0.2q" :CRASH)
 ("abcl-1.5.0-fasl43-linux-x86" "openssl-1.1.0j" :CRASH)
 ("abcl-1.5.0-fasl43-linux-x86" "openssl-1.1.1a" :CRASH)
 ("acl-10.0-linux-x86" "openssl-0.9.8zh"
  (:FAILED-TESTS
   ("cl+ssl.test.verify-google-cert-printable-string"
    "cl+ssl.test.verify-google-cert"
    "cl+ssl.test.verify-google-cert-teletex-string"
    "cl+ssl.test.verify-google-cert-dns-wildcard"
    "cl+ssl.test.verify-google-cert-universal-string"
    "cl+ssl.test.verify-google-cert-without-dns"
    "cl+ssl.test.verify-google-cert-bmp-string" "cl+ssl.test.expired"
    "common-lisp.null" "cl+ssl.test.wrong.host")
   :KNOWN-TO-FAIL NIL))
 ("acl-10.0-linux-x86" "openssl-1.0.0s"
  (:FAILED-TESTS
   ("cl+ssl.test.verify-google-cert-printable-string"
    "cl+ssl.test.verify-google-cert"
    "cl+ssl.test.verify-google-cert-teletex-string"
    "cl+ssl.test.verify-google-cert-dns-wildcard"
    "cl+ssl.test.verify-google-cert-universal-string"
    "cl+ssl.test.verify-google-cert-without-dns"
    "cl+ssl.test.verify-google-cert-bmp-string" "cl+ssl.test.expired"
    "common-lisp.null" "cl+ssl.test.wrong.host")
   :KNOWN-TO-FAIL NIL))
 ("acl-10.0-linux-x86" "openssl-1.0.2q"
  (:FAILED-TESTS
   ("cl+ssl.test.verify-google-cert-printable-string"
    "cl+ssl.test.verify-google-cert"
    "cl+ssl.test.verify-google-cert-teletex-string"
    "cl+ssl.test.verify-google-cert-dns-wildcard"
    "cl+ssl.test.verify-google-cert-universal-string"
    "cl+ssl.test.verify-google-cert-without-dns"
    "cl+ssl.test.verify-google-cert-bmp-string" "cl+ssl.test.expired"
    "common-lisp.null" "cl+ssl.test.wrong.host")
   :KNOWN-TO-FAIL NIL))
 ("acl-10.0-linux-x86" "openssl-1.1.0j"
  (:FAILED-TESTS
   ("cl+ssl.test.expired" "common-lisp.null"
    "cl+ssl.test.wrong.host")
   :KNOWN-TO-FAIL NIL))
 ("acl-10.0-linux-x86" "openssl-1.1.1a"
  (:FAILED-TESTS
   ("cl+ssl.test.expired" "common-lisp.null"
    "cl+ssl.test.wrong.host")
   :KNOWN-TO-FAIL NIL))
 ("acl-10.0m-linux-x86" "openssl-0.9.8zh" :FAIL)
 ("acl-10.0m-linux-x86" "openssl-1.0.0s" :FAIL)
 ("acl-10.0m-linux-x86" "openssl-1.0.2q" :FAIL)
 ("acl-10.0m-linux-x86" "openssl-1.1.0j" :FAIL)
 ("acl-10.0m-linux-x86" "openssl-1.1.1a" :FAIL)
 ("acl-10.0s-linux-x86" "openssl-0.9.8zh"
  (:FAILED-TESTS
   ("cl+ssl.test.verify-google-cert-printable-string"
    "cl+ssl.test.verify-google-cert"
    "cl+ssl.test.verify-google-cert-teletex-string"
    "cl+ssl.test.verify-google-cert-dns-wildcard"
    "cl+ssl.test.verify-google-cert-universal-string"
    "cl+ssl.test.verify-google-cert-without-dns"
    "cl+ssl.test.verify-google-cert-bmp-string" "cl+ssl.test.expired"
    "common-lisp.null" "cl+ssl.test.wrong.host")
   :KNOWN-TO-FAIL NIL))
 ("acl-10.0s-linux-x86" "openssl-1.0.0s"
  (:FAILED-TESTS
   ("cl+ssl.test.verify-google-cert-printable-string"
    "cl+ssl.test.verify-google-cert"
    "cl+ssl.test.verify-google-cert-teletex-string"
    "cl+ssl.test.verify-google-cert-dns-wildcard"
    "cl+ssl.test.verify-google-cert-universal-string"
    "cl+ssl.test.verify-google-cert-without-dns"
    "cl+ssl.test.verify-google-cert-bmp-string" "cl+ssl.test.expired"
    "common-lisp.null" "cl+ssl.test.wrong.host")
   :KNOWN-TO-FAIL NIL))
 ("acl-10.0s-linux-x86" "openssl-1.0.2q"
  (:FAILED-TESTS
   ("cl+ssl.test.verify-google-cert-printable-string"
    "cl+ssl.test.verify-google-cert"
    "cl+ssl.test.verify-google-cert-teletex-string"
    "cl+ssl.test.verify-google-cert-dns-wildcard"
    "cl+ssl.test.verify-google-cert-universal-string"
    "cl+ssl.test.verify-google-cert-without-dns"
    "cl+ssl.test.verify-google-cert-bmp-string" "cl+ssl.test.expired"
    "common-lisp.null" "cl+ssl.test.wrong.host")
   :KNOWN-TO-FAIL NIL))
 ("acl-10.0s-linux-x86" "openssl-1.1.0j"
  (:FAILED-TESTS
   ("cl+ssl.test.expired" "common-lisp.null"
    "cl+ssl.test.wrong.host")
   :KNOWN-TO-FAIL NIL))
 ("acl-10.0s-linux-x86" "openssl-1.1.1a"
  (:FAILED-TESTS
   ("cl+ssl.test.expired" "common-lisp.null"
    "cl+ssl.test.wrong.host")
   :KNOWN-TO-FAIL NIL))
 ("acl-10.0ms-linux-x86" "openssl-0.9.8zh" :FAIL)
 ("acl-10.0ms-linux-x86" "openssl-1.0.0s" :FAIL)
 ("acl-10.0ms-linux-x86" "openssl-1.0.2q" :FAIL)
 ("acl-10.0ms-linux-x86" "openssl-1.1.0j" :FAIL)
 ("acl-10.0ms-linux-x86" "openssl-1.1.1a" :FAIL)
 ("clisp-2.49-unix-x86" "openssl-0.9.8zh" :FAIL)
 ("clisp-2.49-unix-x86" "openssl-1.0.0s" :FAIL)
 ("clisp-2.49-unix-x86" "openssl-1.0.2q" :FAIL)
 ("clisp-2.49-unix-x86" "openssl-1.1.0j" :FAIL)
 ("clisp-2.49-unix-x86" "openssl-1.1.1a" :FAIL)
 ("ecl-16.1.2-unknown-linux-x86-bytecode" "openssl-0.9.8zh"
  (:FAILED-TESTS
   ("cl+ssl.test.expired" "cl+ssl.test.wrong.host" "common-lisp.null"
    "cl+ssl.test.verify-google-cert-universal-string"
    "cl+ssl.test.verify-google-cert"
    "cl+ssl.test.verify-google-cert-printable-string"
    "cl+ssl.test.verify-google-cert-without-dns"
    "cl+ssl.test.verify-google-cert-teletex-string"
    "cl+ssl.test.verify-google-cert-dns-wildcard"
    "cl+ssl.test.verify-google-cert-bmp-string")
   :KNOWN-TO-FAIL NIL))
 ("ecl-16.1.2-unknown-linux-x86-bytecode" "openssl-1.0.0s"
  (:FAILED-TESTS
   ("common-lisp.null" "cl+ssl.test.expired" "cl+ssl.test.wrong.host"
    "cl+ssl.test.verify-google-cert-without-dns"
    "cl+ssl.test.verify-google-cert"
    "cl+ssl.test.verify-google-cert-bmp-string"
    "cl+ssl.test.verify-google-cert-universal-string"
    "cl+ssl.test.verify-google-cert-teletex-string"
    "cl+ssl.test.verify-google-cert-dns-wildcard"
    "cl+ssl.test.verify-google-cert-printable-string")
   :KNOWN-TO-FAIL NIL))
 ("ecl-16.1.2-unknown-linux-x86-bytecode" "openssl-1.0.2q"
  (:FAILED-TESTS
   ("cl+ssl.test.wrong.host" "cl+ssl.test.expired" "common-lisp.null"
    "cl+ssl.test.verify-google-cert-without-dns"
    "cl+ssl.test.verify-google-cert-universal-string"
    "cl+ssl.test.verify-google-cert-printable-string"
    "cl+ssl.test.verify-google-cert-teletex-string"
    "cl+ssl.test.verify-google-cert-dns-wildcard"
    "cl+ssl.test.verify-google-cert-bmp-string"
    "cl+ssl.test.verify-google-cert")
   :KNOWN-TO-FAIL NIL))
 ("ecl-16.1.2-unknown-linux-x86-bytecode" "openssl-1.1.0j"
  (:FAILED-TESTS
   ("common-lisp.null" "cl+ssl.test.expired" "cl+ssl.test.wrong.host"
    "cl+ssl.test.verify-google-cert-without-dns"
    "cl+ssl.test.verify-google-cert-bmp-string"
    "cl+ssl.test.verify-google-cert-universal-string"
    "cl+ssl.test.verify-google-cert"
    "cl+ssl.test.verify-google-cert-teletex-string"
    "cl+ssl.test.verify-google-cert-printable-string"
    "cl+ssl.test.verify-google-cert-dns-wildcard")
   :KNOWN-TO-FAIL NIL))
 ("ecl-16.1.2-unknown-linux-x86-bytecode" "openssl-1.1.1a"
  (:FAILED-TESTS
   ("common-lisp.null" "cl+ssl.test.wrong.host" "cl+ssl.test.expired"
    "cl+ssl.test.verify-google-cert-dns-wildcard"
    "cl+ssl.test.verify-google-cert-bmp-string"
    "cl+ssl.test.verify-google-cert-without-dns"
    "cl+ssl.test.verify-google-cert-teletex-string"
    "cl+ssl.test.verify-google-cert"
    "cl+ssl.test.verify-google-cert-universal-string"
    "cl+ssl.test.verify-google-cert-printable-string")
   :KNOWN-TO-FAIL NIL))
 ("ecl-16.1.2-unknown-linux-x86-lisp-to-c" "openssl-0.9.8zh"
  (:FAILED-TESTS
   ("cl+ssl.test.expired" "cl+ssl.test.wrong.host" "common-lisp.null"
    "cl+ssl.test.verify-google-cert"
    "cl+ssl.test.verify-google-cert-dns-wildcard"
    "cl+ssl.test.verify-google-cert-without-dns"
    "cl+ssl.test.verify-google-cert-bmp-string"
    "cl+ssl.test.verify-google-cert-teletex-string"
    "cl+ssl.test.verify-google-cert-universal-string"
    "cl+ssl.test.verify-google-cert-printable-string")
   :KNOWN-TO-FAIL NIL))
 ("ecl-16.1.2-unknown-linux-x86-lisp-to-c" "openssl-1.0.0s"
  (:FAILED-TESTS
   ("cl+ssl.test.expired" "cl+ssl.test.wrong.host" "common-lisp.null"
    "cl+ssl.test.verify-google-cert-dns-wildcard"
    "cl+ssl.test.verify-google-cert-without-dns"
    "cl+ssl.test.verify-google-cert-printable-string"
    "cl+ssl.test.verify-google-cert-bmp-string"
    "cl+ssl.test.verify-google-cert"
    "cl+ssl.test.verify-google-cert-universal-string"
    "cl+ssl.test.verify-google-cert-teletex-string")
   :KNOWN-TO-FAIL NIL))
 ("ecl-16.1.2-unknown-linux-x86-lisp-to-c" "openssl-1.0.2q"
  (:FAILED-TESTS
   ("cl+ssl.test.verify-google-cert-without-dns"
    "cl+ssl.test.verify-google-cert-teletex-string"
    "cl+ssl.test.verify-google-cert-printable-string"
    "cl+ssl.test.verify-google-cert-bmp-string"
    "cl+ssl.test.verify-google-cert"
    "cl+ssl.test.verify-google-cert-universal-string"
    "cl+ssl.test.verify-google-cert-dns-wildcard"
    "cl+ssl.test.expired" "common-lisp.null"
    "cl+ssl.test.wrong.host")
   :KNOWN-TO-FAIL NIL))
 ("ecl-16.1.2-unknown-linux-x86-lisp-to-c" "openssl-1.1.0j"
  (:FAILED-TESTS
   ("cl+ssl.test.verify-google-cert-printable-string"
    "cl+ssl.test.verify-google-cert-bmp-string"
    "cl+ssl.test.verify-google-cert-without-dns"
    "cl+ssl.test.verify-google-cert-dns-wildcard"
    "cl+ssl.test.verify-google-cert-universal-string"
    "cl+ssl.test.verify-google-cert"
    "cl+ssl.test.verify-google-cert-teletex-string"
    "common-lisp.null" "cl+ssl.test.wrong.host"
    "cl+ssl.test.expired")
   :KNOWN-TO-FAIL NIL))
 ("ecl-16.1.2-unknown-linux-x86-lisp-to-c" "openssl-1.1.1a"
  (:FAILED-TESTS
   ("cl+ssl.test.verify-google-cert-printable-string"
    "cl+ssl.test.verify-google-cert-dns-wildcard"
    "cl+ssl.test.verify-google-cert"
    "cl+ssl.test.verify-google-cert-without-dns"
    "cl+ssl.test.verify-google-cert-teletex-string"
    "cl+ssl.test.verify-google-cert-bmp-string"
    "cl+ssl.test.verify-google-cert-universal-string"
    "cl+ssl.test.wrong.host" "cl+ssl.test.expired"
    "common-lisp.null")
   :KNOWN-TO-FAIL NIL))
 ("cmu-21d__21d_unicode_-linux-x86" "openssl-0.9.8zh" :FAIL)
 ("cmu-21d__21d_unicode_-linux-x86" "openssl-1.0.0s" :FAIL)
 ("cmu-21d__21d_unicode_-linux-x86" "openssl-1.0.2q" :FAIL)
 ("cmu-21d__21d_unicode_-linux-x86" "openssl-1.1.0j"
  (:FAILED-TESTS
   ("common-lisp.null" "cl+ssl.test.expired" "cl+ssl.test.wrong.host"
    "cl+ssl.test.verify-google-cert-universal-string"
    "cl+ssl.test.verify-google-cert-bmp-string"
    "cl+ssl.test.verify-google-cert-teletex-string"
    "cl+ssl.test.verify-google-cert-printable-string"
    "cl+ssl.test.verify-google-cert-without-dns"
    "cl+ssl.test.verify-google-cert-dns-wildcard"
    "cl+ssl.test.verify-google-cert")
   :KNOWN-TO-FAIL NIL))
 ("cmu-21d__21d_unicode_-linux-x86" "openssl-1.1.1a"
  (:FAILED-TESTS
   ("common-lisp.null" "cl+ssl.test.expired" "cl+ssl.test.wrong.host"
    "cl+ssl.test.verify-google-cert-universal-string"
    "cl+ssl.test.verify-google-cert-bmp-string"
    "cl+ssl.test.verify-google-cert-teletex-string"
    "cl+ssl.test.verify-google-cert-printable-string"
    "cl+ssl.test.verify-google-cert-without-dns"
    "cl+ssl.test.verify-google-cert-dns-wildcard"
    "cl+ssl.test.verify-google-cert")
   :KNOWN-TO-FAIL NIL)))

You can read the failure details in the log files in /home/testgrid/cl+ssl/cl-plus-ssl/test/run-on-many-lisps-and-openssls/results-dyn-load-0a4e5db-recent-usocket/ at cl-test-grid.cloud.efficito.com

@phmarek
Contributor

phmarek commented Jan 31, 2019

How about working together on some branch? I'd like that much better than receiving comments on github -- just change/fix whatever you want.

I think it's easier to get some common result that way.

@avodonosov
Member

I accepted the invitation to your repo. Although I'm going to pick your changes commit by commit with small modifications, so maybe I won't need to do anything in your branch. I'm just evaluating them for now.

@phmarek
Contributor

phmarek commented Jan 31, 2019

Thanks, that's fine -- let's make some progress, and keep discussion to smaller and smaller subsets until we're done!

@avodonosov
Member

avodonosov commented Feb 4, 2019

@phmarek, I incorporated part of your commits.

While testing I noticed Allegro doesn't work on OpenSSL 1.1.1. Turned out it's due to absence of the stream-fd method for Allegro, which results in Lisp BIO being used instead of file descriptor BIO. And turns out Lisp BIOs are completely broken when we work with OpenSSL 1.1.1 - lisps crash with a segmentation fault.

I guess that's because the BIO and BIO_METHOD structures changed memory layout (some new fields added). Also, OpenSSL now makes these structures opaque for clients - it provides functions to create them and to get / set various fields.

That's another task for compatibility support - choose what BIO structures to use depending on the OpenSSL version.

Created #72 for this.

@phmarek
Contributor

phmarek commented Jun 6, 2019

What's the status of your testing setup?

Do we really need to support implementations like Corman Lisp in their current state, or do we require them to be able to IGNORE-ERRORS for nonexistent foreign functions or so?

@avodonosov
Member

avodonosov commented Jun 24, 2019

@phmarek, in addition to the various-lisps * various-OpenSSL-versions tests developers can run on their machines, I've extended Travis CI integration to work with multiple lisps and openssls.

The next step is to improve Travis CI to build a 32-bit version of OpenSSL when testing with CMUCL and Allegro Express - these two implementations are 32 bit, while Travis CI VMs are 64 bit, so the default build produces 64-bit OpenSSL binaries. We need to explicitly parametrize the OpenSSL build to produce a 32-bit version.

Your OpenSSL 1.1 compatibility changes are mostly integrated, although CMUCL is broken, because even ignore-errors around missing foreign function reference doesn't catch the error. Your eval approach is very simple and elegant, although out of sportive interest I work on an alternative solution where defcfun will lookup the foreign symbol with cffi:foreign-symbol-pointer and store it in a hashtable; also define a lisp wrapper function, which takes the foreign function pointer from the hashtable and invokes it using cffi:foreign-funcall-pointer.

But the first thing is Travis CI fix for 32 bit OpenSSL, so that if we fix CMUCL it remains working.
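
The lazy-binding scheme sketched in the comment above (resolve the C symbol with cffi:foreign-symbol-pointer, cache the pointer in a hash table, and have a Lisp wrapper call it through cffi:foreign-funcall-pointer), written out as an added example. This is not cl+ssl's own code; it assumes CFFI is loaded and that the OpenSSL library has already been loaded with cffi:load-foreign-library. The macro name define-lazy-cfun and the helpers resolve-foreign-fn and loaded-openssl-version are hypothetical names chosen here. The point, for the portability problem discussed in this thread, is that a symbol missing from an older or newer OpenSSL no longer breaks loading or needs ignore-errors: cffi:foreign-symbol-pointer simply returns NIL, and the wrapper signals a normal Lisp error only if the function is actually called.

```lisp
;;; Added example, not part of cl+ssl. Assumes CFFI and a loaded OpenSSL library.

(defvar *foreign-fn-pointers* (make-hash-table :test 'equal)
  "Cache: C symbol name -> resolved function pointer, or NIL if the
loaded library does not export that symbol.")

(defun resolve-foreign-fn (c-name)
  "Look C-NAME up once via cffi:foreign-symbol-pointer and cache the
result (including a negative result). Returns a foreign pointer or NIL."
  (multiple-value-bind (ptr found) (gethash c-name *foreign-fn-pointers*)
    (if found
        ptr
        (setf (gethash c-name *foreign-fn-pointers*)
              (cffi:foreign-symbol-pointer c-name)))))

(defmacro define-lazy-cfun ((lisp-name c-name) return-type &rest args)
  "Like cffi:defcfun, except the foreign symbol is resolved on first call
rather than at load time. ARGS is a list of (arg-name arg-type) pairs.
The generated wrapper signals a Lisp error, not a crash, if the symbol
is absent from the loaded library."
  (let ((arg-names (mapcar #'first args))
        (arg-types (mapcar #'second args)))
    `(defun ,lisp-name ,arg-names
       (let ((fn (resolve-foreign-fn ,c-name)))
         (unless fn
           (error "Foreign function ~A is not available in the loaded library"
                  ,c-name))
         ;; foreign-funcall-pointer takes alternating type/value pairs
         ;; followed by the return type.
         (cffi:foreign-funcall-pointer
          fn ()
          ,@(mapcan #'list arg-types arg-names)
          ,return-type)))))

;;; OpenSSL 1.1.0+ exports OpenSSL_version_num; OpenSSL 1.0.x exported
;;; SSLeay instead. With lazy binding both can be defined unconditionally
;;; and the caller picks whichever the loaded library actually provides.
(define-lazy-cfun (openssl-version-num "OpenSSL_version_num") :unsigned-long)
(define-lazy-cfun (ssleay "SSLeay") :unsigned-long)

(defun loaded-openssl-version ()
  "Return the runtime OpenSSL version number as an integer, trying the
1.1 symbol first and falling back to the 1.0 one."
  (cond ((resolve-foreign-fn "OpenSSL_version_num") (openssl-version-num))
        ((resolve-foreign-fn "SSLeay") (ssleay))
        (t (error "Cannot determine OpenSSL version: neither symbol was found"))))
```

The same version check is what a wrapper needs before touching BIO objects: on 1.1.x (version number at or above #x10100000) the BIO and BIO_METHOD structures are opaque and must be created and filled through OpenSSL's own accessor functions, while on 1.0.x the old struct layout still applies; mixing the two is exactly the class of memory-layout mismatch that produced the segmentation faults described earlier in this thread.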

@avodonosov
Member

@phmarek, I've pushed this CMUCL fix in the last commit (74c67f0)

@phmarek
Contributor

phmarek commented Jul 7, 2019

Thanks. TBH, I'm a bit confused now as for which of my changes might still make sense and which don't ... I'll have to investigate.

Things like 6d81e2a are still of interest, aren't they?

@avodonosov
Member

avodonosov commented Jul 7, 2019

@phmarek, such things are of interest, right. At some point, you told me you're not sure how to handle IPs for hostnames (phmarek@6d81e2a#commitcomment-32318935), so I wasn't looking at this area.

I will need some guidance for what is ready. Unit tests are desirable.

Your working branch is dyn-load, right? I posted some comments.

phmarek added a commit to phmarek/cl-plus-ssl that referenced this issue Jul 31, 2019
See issue 34[1] for the discussion.
Doc change to follow.

Ad 1: cl-plus-ssl#34
@phmarek
Contributor

phmarek commented Jul 31, 2019

I cleaned up a bit; please see my master branch now.

And yes, I didn't (yet) check how ip addresses in certificates are to be verified correctly - but I guess normalization should be a sane way.

phmarek added a commit to phmarek/cl-plus-ssl that referenced this issue Oct 25, 2019
See issue 34[1] for the discussion.
Doc change to follow.

Ad 1: cl-plus-ssl#34
svspire pushed a commit to svspire/cl-plus-ssl that referenced this issue Dec 5, 2019
phmarek added a commit to phmarek/cl-plus-ssl that referenced this issue Dec 22, 2020
See issue 34[1] for the discussion.
Doc change to follow.

Ad 1: cl-plus-ssl#34