From: Joe Orton Date: Wed, 25 Jun 2025 15:16:22 +0000 (+0000) Subject: * modules/ssl/ssl_private.h: Fix logic in r1926720 HAVE_OPENSSL_KEYLOG macro, X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=9b06444951566f40dc06dfbe34e53de90358f6b7;p=thirdparty%2Fapache%2Fhttpd.git * modules/ssl/ssl_private.h: Fix logic in r1926720 HAVE_OPENSSL_KEYLOG macro, thanks to rpluem. Reviewed by: rpluem git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1926722 13f79535-47bb-0310-9956-ffa450edef68
---
diff --git a/modules/ssl/ssl_private.h b/modules/ssl/ssl_private.h
index 7ff9ebf2e1..b4ca5e82a0 100644
--- a/modules/ssl/ssl_private.h
+++ b/modules/ssl/ssl_private.h
@@ -296,11 +296,15 @@ void free_bio_methods(void);
 #define X509_get_notAfter X509_getm_notAfter
 #endif
-/* For OpenSSL 3.5.0+, don't handle $SSLKEYLOGFILE since libssl does -
- * unless OpenSSL was built with no-sslkeylog, which drops the env var
- * handling, but leaves the API intact. */
+/* The SSL_CTX_set_keylog_callback() API is present in 1.1.1+.
+ *
+ * OpenSSL 3.5+ also provides optional native handling of
+ * $SSLKEYLOGFILE inside libssl, which duplicates the mod_ssl support.
+ * The mod_ssl support is hence disabled for 3.5+, unless that OpenSSL
+ * feature is itself disabled (and OPENSSL_NO_SSLKEYLOG is defined).
+ */
 #if OPENSSL_VERSION_NUMBER >= 0x10101000L && !defined(LIBRESSL_VERSION_NUMBER) \
- && (OPENSSL_VERSION_NUMBER <= 0x30500000L || !defined(OPENSSL_NO_SSLKEYLOG))
+ && (OPENSSL_VERSION_NUMBER <= 0x30500000L || defined(OPENSSL_NO_SSLKEYLOG))
 #define HAVE_OPENSSL_KEYLOG
 #endif
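Review bot: The bound `OPENSSL_VERSION_NUMBER <= 0x30500000L` on the added condition line still admits OpenSSL 3.5.0 itself, while the new comment directly above says the mod_ssl support is disabled for 3.5+. Assuming the usual 3.x encoding, where 3.5.0 is 0x30500000L, a 3.5.0 build with the native $SSLKEYLOGFILE handling enabled would still define HAVE_OPENSSL_KEYLOG, so libssl and mod_ssl could both write TLS secrets to the same key log file. I would make the bound exclusive, `&& (OPENSSL_VERSION_NUMBER < 0x30500000L || defined(OPENSSL_NO_SSLKEYLOG))`, so the macro matches the comment. Since the file named by $SSLKEYLOGFILE holds material that decrypts captured sessions, the comment could also state which component owns that file in each build configuration.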