Fix deprecation warnings with openssl-3 #381
Closed
* mod_ssl_openssl.h: Make it the first openssl header to be included, selecting the OpenSSL api based on OPENSSL_API_COMPAT eventually.

* ssl_private.h: Define OPENSSL_API_COMPAT to version 1.1.1 (last one supporting ENGINE_ API) before including mod_ssl_openssl.h to enable the ENGINE_ api (TODO: switch to new "providers" api before the ENGINE_ api is abandoned..).
  mod_ssl.h is now implicitly included from there.
  Fix preprocessor "#define FOO (COND)" to "#if COND #define FOO 1 #else #define FOO 0".
  Define MODSSL_HAVE_ENGINE_API iff OPENSSL_API_COMPAT < 3.0 (otherwise all the engine features are disabled, only "builtin" is accepted).
  Define HAVE_SRP iff OPENSSL_API_COMPAT < 3.0 (no replacement for this api above, so it might not be implemented in httpd anymore at some point..).
  Define X509_get_not{Before,After} if missing to the non deprecated version.
  New modssl_set_io_callbacks() to factorize compat code for io callbacks.
  ssl_dh_GetParamFromFile() becomes modssl_dh_from_file() for openssl < 3.0 and modssl_dh_pkey_from_file() for openssl >= 3.0.

* mod_ssl.c, mod_ssl_ct.c, ssl_util_stapling: Including "ssl_private.h" only is suited/enough now.

* mod_ssl_ct.c, ssl_ct_log_config: Use EVP api with openssl >= 3 instead of the deprecated SHA256 one.

* ssl_engine_config.c(ssl_cmd_SSLCryptoDevice): Disabled engines (besides NULL/"builtin"/NULL) unless MODSSL_HAVE_ENGINE_API.

* ssl_engine_init: New compat modssl_runtime_lib_version() to address deprecated SSLeay().
  ssl_init_Engine() does nothing unless MODSSL_HAVE_ENGINE_API.
  Simplify ssl_init_server_certs() (less #ifdef-ery) with scoped local vars.
  Compat loading DH parameters and EC curve from cert.

* ssl_engine_io.c, ssl_engine_kernel.c: Implement common modssl_set_io_callbacks() and use it.

* ssl_engine_pphrase(modssl_load_engine_keypair): Depend on MODSSL_HAVE_ENGINE_API, or return ENOTIMPL.

* ssl_util.c(modssl_is_engine_id): No engine supported unless MODSSL_HAVE_ENGINE_API.

* ssl_util_ssl.c(modssl_dh_pkey_from_file, modssl_ec_group_from_file): Compat with openssl >= 3.0.

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1908537 13f79535-47bb-0310-9956-ffa450edef68
* md/md_crypt.c(md_pkey_get_rsa_e64, md_pkey_get_rsa_n64): Replace deprecated RSA api with EVP_PKEY_get_bn_param on openssl >= 3.0. git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1908539 13f79535-47bb-0310-9956-ffa450edef68
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1908440 13f79535-47bb-0310-9956-ffa450edef68
EVP_PKEY_get1_RSA()'s returned value should be EVP_PKEY_free()d, but we can use EVP_PKEY_get0_RSA() here. git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1913616 13f79535-47bb-0310-9956-ffa450edef68
…. PR 68080

Also, always allow for "SSLCryptoDevice builtin" even if the ENGINE API is not available, OPENSSL_NO_ENGINE or more generally with the new API (providers) available since OpenSSL >= 3.

* ssl_private.h: Set MODSSL_HAVE_ENGINE_API to 0 if OPENSSL_NO_ENGINE.

* mod_ssl.c, ssl_engine_config.c: Don't depend on HAVE_OPENSSL_ENGINE_H and HAVE_ENGINE_INIT to provide [ssl_cmd_]SSLCryptoDevice.

Submitted by: ylavic, jorton

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1913815 13f79535-47bb-0310-9956-ffa450edef68
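The ENGINE gating described in the commit messages above, sketched as an added example that is not code from this pull request or from httpd. All `demo_`/`DEMO_` names are hypothetical, and the `OPENSSL_API_COMPAT` default is a constructed stand-in for a build setting so the file compiles without OpenSSL headers.

```c
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for a build setting; 0x10101000L is API level 1.1.1. */
#ifndef OPENSSL_API_COMPAT
#define OPENSSL_API_COMPAT 0x10101000L
#endif

/* The gate is always defined, as 0 or 1, so both "#if DEMO_HAVE_ENGINE_API"
 * and "if (DEMO_HAVE_ENGINE_API)" work. Writing it as
 * "#define DEMO_HAVE_ENGINE_API (COND)" with defined() inside COND would make
 * the macro unusable in C expressions and undefined behaviour inside #if. */
#if OPENSSL_API_COMPAT < 0x30000000L && !defined(OPENSSL_NO_ENGINE)
#define DEMO_HAVE_ENGINE_API 1
#else
#define DEMO_HAVE_ENGINE_API 0
#endif

enum demo_rc { DEMO_OK, DEMO_EINVAL, DEMO_ENOTIMPL, DEMO_LOOKUP_ENGINE };

/* Hypothetical check for a crypto-device setting. "builtin" is valid on
 * every build; any other name fails closed with DEMO_ENOTIMPL when the
 * ENGINE API is compiled out, instead of being silently ignored. */
enum demo_rc demo_check_crypto_device(const char *name)
{
    if (name == NULL || *name == '\0')
        return DEMO_EINVAL;
    if (strcmp(name, "builtin") == 0)
        return DEMO_OK;
#if DEMO_HAVE_ENGINE_API
    return DEMO_LOOKUP_ENGINE;   /* caller must now resolve the engine id */
#else
    return DEMO_ENOTIMPL;
#endif
}

int main(void)
{
    /* "pkcs11" is a constructed sample device name. */
    printf("engine api: %d\n", DEMO_HAVE_ENGINE_API);
    printf("builtin -> %d\n", demo_check_crypto_device("builtin"));
    printf("pkcs11  -> %d\n", demo_check_crypto_device("pkcs11"));
    return 0;
}
```

Compiling with `-DOPENSSL_NO_ENGINE` or `-DOPENSSL_API_COMPAT=0x30000000L` flips the gate to 0, and the sample device name then returns `DEMO_ENOTIMPL` while `builtin` is still accepted.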
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1913816 13f79535-47bb-0310-9956-ffa450edef68
…enssl >= 3 git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1908542 13f79535-47bb-0310-9956-ffa450edef68
Great stuff @ylavic thank you!
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1913832 13f79535-47bb-0310-9956-ffa450edef68
asfgit pushed a commit that referenced this pull request Nov 18, 2023
*) mod_ssl: Improve compatibility with OpenSSL 3, fix build warnings about deprecated ENGINE_ API, honor OPENSSL_API_COMPAT setting while defaulting to compatibility with version 1.1.1 (including ENGINEs / SSLCryptoDevice).

mod_ssl: Disable the OpenSSL ENGINE API when OPENSSL_NO_ENGINE is set. Allow for "SSLCryptoDevice builtin" if the ENGINE API is not available, notably with OpenSSL >= 3. PR 68080.

trunk patch:
http://svn.apache.org/r1908537
http://svn.apache.org/r1908539
http://svn.apache.org/r1908542
http://svn.apache.org/r1913616
http://svn.apache.org/r1913815
http://svn.apache.org/r1913816
http://svn.apache.org/r1908542
http://svn.apache.org/r1913832

2.4.x patch: https://patch-diff.githubusercontent.com/raw/apache/httpd/pull/381.diff (#381)

+1: ylavic, jorton, minfrin

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1913912 13f79535-47bb-0310-9956-ffa450edef68
Backported to 2.4.x in 28f6fc0
Backports: r1908537, r1908539, r1908542, r1913616, r1913815, r1913816, r1908542, r1913832