Conversation
X509_get_issuer_name() and X509_get_subject_name() were changed to return a const value. Since it is passed to functions with a non-const argument in older versions, the support is conditionally compiled as needed. ASN1_INTEGER was made opaque; a compat shim is provided for OpenSSL < 1.1.0, where ASN1_STRING_get0_data() doesn't exist.
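Added example, not nginx's code and not part of this PR: a version-conditional shim for ASN1_STRING_get0_data() of the kind the description above talks about, next to a bounded copy of a serial into a fixed 20-byte slot (the 20 follows RFC 5280's serialNumber limit). Assumptions: OPENSSL_VERSION_NUMBER is pinned to 1.0.2 and a stand-in ASN1_STRING is defined so the file builds without OpenSSL headers; the names pack_serial, demo_pack, SERIAL_SLOT_LEN and the sample bytes are mine.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/*
 * Offline stand-in for <openssl/asn1.h>.  ASSUMPTION: the build is pretended
 * to be against OpenSSL 1.0.2 so the shim below is compiled in.  The struct
 * mirrors the public pre-1.1.0 layout of struct asn1_string_st.  With real
 * headers, delete this block and #include <openssl/asn1.h> instead.
 */
#ifndef OPENSSL_VERSION_NUMBER
#define OPENSSL_VERSION_NUMBER 0x1000200fL
typedef struct {
    int            length;
    int            type;
    unsigned char *data;
    long           flags;
} ASN1_STRING;
typedef ASN1_STRING ASN1_INTEGER;
#define V_ASN1_INTEGER 2

static int
ASN1_STRING_length(const ASN1_STRING *x)
{
    return x->length;
}
#endif

/* Compat shim: ASN1_STRING_get0_data() only exists from OpenSSL 1.1.0 on. */
#if OPENSSL_VERSION_NUMBER < 0x10100000L
static const unsigned char *
ASN1_STRING_get0_data(const ASN1_STRING *x)
{
    return x->data;
}
#endif

#define SERIAL_SLOT_LEN 20   /* RFC 5280 4.1.2.2: serialNumber is <= 20 octets */

/*
 * Copy the serial's big-endian octets into a fixed slot and zero the tail.
 * Peers are not obliged to be conformant, so the length is clamped rather
 * than trusted.  Returns the number of serial bytes actually copied.
 */
static size_t
pack_serial(unsigned char slot[SERIAL_SLOT_LEN], const ASN1_INTEGER *serial)
{
    int     n = ASN1_STRING_length(serial);
    size_t  length = (n < 0) ? 0 : (size_t) n;

    if (length > SERIAL_SLOT_LEN) {
        length = SERIAL_SLOT_LEN;
    }

    memcpy(slot, ASN1_STRING_get0_data(serial), length);
    memset(slot + length, 0, SERIAL_SLOT_LEN - length);

    return length;
}

/*
 * Constructed sample (no real certificate involved).  Building the
 * ASN1_INTEGER by hand is only possible with the stand-in above; against
 * real OpenSSL the value comes from X509_get_serialNumber().
 */
static unsigned char demo_slot[SERIAL_SLOT_LEN];

static size_t
demo_pack(const unsigned char *bytes, int n)
{
    ASN1_INTEGER  serial;

    serial.length = n;
    serial.type = V_ASN1_INTEGER;
    serial.data = (unsigned char *) bytes;
    serial.flags = 0;

    return pack_serial(demo_slot, &serial);
}

int
main(void)
{
    static const unsigned char  ok[] = { 0x01, 0xf2, 0x3a };
    const unsigned char        *big = (const unsigned char *) "0123456789abcdefghijklmno";
    size_t                      i, n;

    n = demo_pack(ok, 3);
    printf("copied %zu:", n);
    for (i = 0; i < SERIAL_SLOT_LEN; i++) {
        printf(" %02x", demo_slot[i]);
    }
    printf("\n");

    n = demo_pack(big, 25);
    printf("copied %zu (clamped from 25)\n", n);

    return 0;
}
```

The shim is the same shape as the one the description refers to: it disappears on 1.1.0 and later, where the real function (and the opaque ASN1_INTEGER) take over, and the rest of the code compiles unchanged on both sides.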
bavshin-f5
left a comment
Looks good, thanks!
Verified that we are compatible with master, 0.9.8, and a few versions in between.
Note that several tests fail with 4.0. It should be fine to investigate and address these separately.
tests/ssl_certificate.t (Wstat: 256 (exited 1) Tests: 13 Failed: 1)
Failed test: 9
Non-zero exit status: 1
tests/stream_ssl_certificate.t (Wstat: 256 (exited 1) Tests: 9 Failed: 1)
Failed test: 5
Non-zero exit status: 1
tests/ssl_session_ticket_key.t (Wstat: 256 (exited 1) Tests: 4 Failed: 1)
Failed test: 2
Non-zero exit status: 1
The OpenSSL team continues constifying and un-constifying things even after 4.0.0-alpha1. It could be worth keeping this open for a while, retesting and merging right before our next release.
p = ngx_cpymem(p, serial->data, serial->length);
ngx_memzero(p, 20 - serial->length);
p = ngx_cpymem(p, ASN1_STRING_get0_data(serial), length);
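Review bot: the copy on the last line takes `length` bytes from ASN1_STRING_get0_data(serial), but nothing in the lines shown bounds that length to the 20-byte slot that `ngx_memzero(p, 20 - serial->length)` implies, and the earlier `serial->length` form had the same gap: a serial longer than 20 octets from a non-conforming peer would both overrun the slot and underflow the memzero size. If the clamp happens before this point, a one-line comment at the copy would make that visible; otherwise clamp `length` to 20 right before the ngx_cpymem.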
Not an issue, just an observation:
Using ASN1_STRING_data on ASN1_INTEGER seems like exactly the thing the OpenSSL documentation asks us not to do. It is what we essentially did before the change, though, and the alternative is a roundtrip conversion through BIGNUM, which is significantly worse.
@bavshin-f5
Make sure you are not testing against OpenSSL configured with
OpenSSL 4.0 has entered a release cycle and is expected to appear in April 2026.
See https://openssl-library.org/roadmap/index.html