From: Viktor Szakats
Date: Fri, 22 Aug 2025 14:42:06 +0000 (+0200)
Subject: openssl: drop more legacy cruft
X-Git-Tag: curl-8_16_0~116
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=db08e86cfb8b74b5b7c0a98541d0af5b712c4348;p=thirdparty%2Fcurl.git

openssl: drop more legacy cruft

- drop `ALLOW_RENEG` undocumented (insecure) build-time option.

- drop unnecessary check for `OPENSSL_VERSION_NUMBER`. It's present in all supported OpenSSL versions and forks.

Follow-up to 80c10c5d5dda78c471924b251e9db59d653aba1e #18351
Follow-up to 59311bd3df5da6342312b5dc9b6c91fc2be77d4f #3293 #3283

Closes #18359
---

diff --git a/lib/vtls/openssl.c b/lib/vtls/openssl.c
index 88c9608da2..442543610b 100644
--- a/lib/vtls/openssl.c
+++ b/lib/vtls/openssl.c
@@ -135,17 +135,6 @@ static void ossl_provider_cleanup(struct Curl_easy *data);
 #include "../curl_memory.h"
 #include "../memdebug.h"
 
-/* Uncomment the ALLOW_RENEG line to a real #define if you want to allow TLS
- renegotiations when built with BoringSSL. Renegotiating is non-compliant
- with HTTP/2 and "an extremely dangerous protocol feature". Beware.
-
-#define ALLOW_RENEG 1
- */
-
-#ifndef OPENSSL_VERSION_NUMBER
-#error "OPENSSL_VERSION_NUMBER not defined"
-#endif
-
 #if defined(USE_OPENSSL_ENGINE) || defined(OPENSSL_HAS_PROVIDERS)
 #include 
 #endif
@@ -3933,11 +3922,6 @@ static CURLcode ossl_init_ssl(struct ossl_ctx *octx,
 SSL_set_tlsext_status_type(octx->ssl, TLSEXT_STATUSTYPE_ocsp);
 #endif
 
-#if (defined(OPENSSL_IS_BORINGSSL) || defined(OPENSSL_IS_AWSLC)) && \
- defined(ALLOW_RENEG)
- SSL_set_renegotiate_mode(octx->ssl, ssl_renegotiate_freely);
-#endif
-
 SSL_set_connect_state(octx->ssl);
 octx->server_cert = NULL;