OpenSSL version 3.0.0-alpha1 published
Yann Ylavic
ylavic.dev at gmail.com
Fri Apr 24 11:26:05 UTC 2020
Hi team,
I gave 3.0.0-alpha1 a try with Apache httpd.
tl;dr it works with minimal changes, congrats!
The changes needed on httpd side:
- SSL_CTX_load_verify_locations() and X509_STORE_load_locations()
Replaced by {SSL_CTX,X590_STORE}_load_verify_file() +
{SSL_CTX,X590_STORE}_load_verify_{dir,path}().
I.e. open coding.
- DH_bits(dh) (used for logging only in httpd)
Replaced by BN_num_bits(DH_get0_p(dh)).
Not sure this one should be deprecated, it seems to be used in several
places in openssl codebase still, no replacement?
- SSL_CTX_set_tlsext_ticket_key_cb()
Replaced by SSL_CTX_set_tlsext_ticket_key_evp_cb() because of HMAC_Init_ex().
With a bit of #ifdef-ery (for compatibility), the openssl-3 version
uses EVP_MAC_CTX_set_params() for HMAC, per man page.
- ERR_peek_error_line_data() => ERR_peek_error_data()
Easy one.
- Custom input BIO_METHOD (using httpd filters' stack) asserted its
_ctrl() was never called, so far..
The new BIO_eof() calls in codebase, notably from ssl3_read_n(),
breaks this assertion.
Handling the case for BIO_CTRL_EOF made it, dunno if others may be
bitten by that.
And that's all, no intensive testing done yet, but at least the
(automatic) tests framework passes locally, nice work!
Thanks,
Yann.
More information about the openssl-users
mailing list