#7110 Missing requirement in freeipa 4.5.90.dev201708161122+git799551892-0
Closed: fixed 6 years ago Opened 6 years ago by twoerner.

Using ipa-client-install with version 4.5.90.dev201708161122+git799551892-0 results in this error:

Configured /etc/krb5.conf for IPA realm MINE.DOM
sk_num: "function 'sk_num' not found in library 'libcrypto.so.1.1': /lib64/libcrypto.so.1.1: undefined symbol: sk_num"
The ipa-client-install command failed. See /var/log/ipaclient-install.log for more information

After installing compat-openssl10 (and calling ldconfig) it is working. The manual ldconfig call is needed because of a missing ldconfig call in the post-install of compat-openssl10 (https://bugzilla.redhat.com/show_bug.cgi?id=1483011).


The code in FreeIPA's CSR generator loads sk_num via FFI, but OpenSSL changed sk_num to OPENSSL_sk_num in the 1.1.0 series.

$ rpm -qf /usr/include/openssl/stack.h
openssl-devel-1.1.0f-7.fc26.x86_64
$ fgrep -r sk_num /usr/include/openssl/stack.h 
int OPENSSL_sk_num(const OPENSSL_STACK *);
#  define sk_num OPENSSL_sk_num

So the change would be to prepend our symbol usage with OPENSSL_.

Not so simple, actually!

I was playing with this for a while today and had some fun WTF moments because of ldconfig caching (ctypes.util.find_library() uses ldconfig internally to resolve the library you require).

If we just add the OPENSSL_ prefix to certain spots, it will break machines that have compat-openssl installed. If we don't add it, however, we break the machines that don't have it installed (typically the "Cloud" Fedora machines).

I've fixed this by catching an exception and re-trying without the OPENSSL_ prefix. Should work because accessing symbols from dynamically loaded libraries in FFI is like accessing attributes. If a symbol doesn't exist, AttributeError is generated.

See https://github.com/abbra/freeipa/pull/2/commits/40d09fafe9ef42efa70ec933782007a9d4650296 for details.
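
The fallback described in the comment above, as an added example that is not the code from the linked commit: it uses ctypes from the standard library rather than the project's FFI binding, and resolve_symbol, bind_sk_num, load_libcrypto and the FAKE_* objects are hypothetical names constructed for illustration.

```python
import ctypes
import ctypes.util
from types import SimpleNamespace


def resolve_symbol(lib, name, prefix="OPENSSL_"):
    """Return (callable, exported_name), trying prefix+name, then name."""
    for candidate in (prefix + name, name):
        try:
            # A missing export on a ctypes handle raises AttributeError,
            # just like a missing attribute on any other Python object.
            return getattr(lib, candidate), candidate
        except AttributeError:
            continue
    raise RuntimeError(
        "neither %s%s nor %s is exported by %r" % (prefix, name, name, lib))


def bind_sk_num(lib):
    """Resolve the stack-size function and declare its C signature."""
    func, exported = resolve_symbol(lib, "sk_num")
    if isinstance(lib, ctypes.CDLL):
        # Header declaration: int OPENSSL_sk_num(const OPENSSL_STACK *);
        func.argtypes = [ctypes.c_void_p]
        func.restype = ctypes.c_int
    return func, exported


def load_libcrypto():
    """Locate libcrypto the way the comment describes, via find_library()."""
    path = ctypes.util.find_library("crypto")
    if path is None:
        raise RuntimeError("libcrypto not found")
    return ctypes.CDLL(path)


# Constructed stand-ins for the two export layouts, so both branches of the
# fallback can be exercised on a machine with only one OpenSSL installed.
FAKE_OPENSSL_11 = SimpleNamespace(OPENSSL_sk_num=lambda st: len(st))
FAKE_OPENSSL_10 = SimpleNamespace(sk_num=lambda st: len(st))
FAKE_UNRELATED = SimpleNamespace()

if __name__ == "__main__":
    # Prints which export name the locally installed libcrypto provides.
    print(bind_sk_num(load_libcrypto())[1])
```

Failing with an explicit error when neither name resolves keeps a library mismatch visible at bind time instead of surfacing later as an opaque "undefined symbol" message.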

A good fix, let's get it upstream.

Metadata Update from @pvoborni:
- Issue priority set to: blocker
- Issue set to the milestone: FreeIPA 4.6

6 years ago

master:

  • 79378c9 csrgen: support openssl 1.0 and 1.1

Metadata Update from @tkrizek:
- Issue close_status updated to: fixed
- Issue status updated to: Closed (was: Open)

6 years ago

This also has to be fixed in 4.5.

Metadata Update from @tkrizek:
- Issue set to the milestone: FreeIPA 4.5.4 (was: FreeIPA 4.6)
- Issue status updated to: Open (was: Closed)

6 years ago

Actually, csrgen_ffi.py is not in 4.5. It was introduced in e7588ab which is only in master (4.6).

Metadata Update from @tkrizek:
- Issue close_status updated to: fixed
- Issue set to the milestone: FreeIPA 4.6 (was: FreeIPA 4.5.4)
- Issue status updated to: Closed (was: Open)

6 years ago
