building openssl-1.1.1d with "enable-deprecated"

Matt Caswell matt at
Mon Sep 16 14:52:46 UTC 2019

On 16/09/2019 15:44, Peter Sui wrote:
> Hi,
>        From the openssl website, I got the folloeing instruction:
> "
> Access to deprecated functions/macros has been removed by default. To enable
> access you must do two things. 1) Build OpenSSL with deprecation support (pass
> "enable-deprecated" as an argument to config) 2) Applications must define
> "OPENSSL_USE_DEPRECATED" before including OpenSSL header files.
> "
> But, after I followed the instructions, it did not work. I searched all the
> files(.h, .cpp, .c), I did not see the "OPENSSL_USE_DEPRECATED"  anywhere. And
> in the make file generated, I found it's using the
> flag -D"_CRT_SECURE_NO_DEPRECATE", does it mean no deprecated functions
> available in the library built?  I also compared all the binary and header files
> between the build without "enable-deprecated" and the build
> with "enable-deprecated", there is no difference.
> The command I used is:
> perl Configure VC-WIN32 enable-deprecated
> --prefix=T:\openssl-%OPENSSL_VERSION%-32bit-release-DLL-VS2015
> nmake

That CHANGES entry is incorrect and out-of-date. It should probably be removed.
The original CHANGES entry said this:

  *) config has been changed so that by default OPENSSL_NO_DEPRECATED is used.
     Access to deprecated functions can be re-enabled by running config with
     "enable-deprecated". In addition applications wishing to use deprecated
     functions must define OPENSSL_USE_DEPRECATED. Note that this new behaviour
     will, by default, disable some transitive includes that previously existed
     in the header files (e.g. ec.h will no longer, by default, include bn.h)
     [Matt Caswell]

That CHANGES entry was added while 1.1.0 was being developed. However before
1.1.0 was released we changed our mind and added this CHANGES entry:

  *) Revert default OPENSSL_NO_DEPRECATED setting.  Instead OpenSSL
     continues to support deprecated interfaces in default builds.
     However, applications are strongly advised to compile their
     source files with -DOPENSSL_API_COMPAT=0x10100000L, which hides
     the declarations of all interfaces deprecated in 0.9.8, 1.0.0
     or the 1.1.0 releases.

     In environments in which all applications have been ported to
     not use any deprecated interfaces OpenSSL's Configure script
     should be used with the --api=1.1.0 option to entirely remove
     support for the deprecated features from the library and
     unconditionally disable them in the installed headers.
     Essentially the same effect can be achieved with the "no-deprecated"
     argument to Configure, except that this will always restrict
     the build to just the latest API, rather than a fixed API

     As applications are ported to future revisions of the API,
     they should update their compile-time OPENSSL_API_COMPAT define
     accordingly, but in most cases should be able to continue to
     compile with later releases.

     The OPENSSL_API_COMPAT versions for 1.0.0, and 0.9.8 are
     0x10000000L and 0x00908000L, respectively.  However those
     versions did not support the OPENSSL_API_COMPAT feature, and
     so applications are not typically tested for explicit support
     of just the undeprecated features of either release.
     [Viktor Dukhovni]



More information about the openssl-users mailing list