From: Remi Gacogne Date: Wed, 17 Aug 2022 13:58:08 +0000 (+0200) Subject: libssl: Properly load ciphers and digests with OpenSSL 3.0 X-Git-Tag: rec-4.8.0-alpha1~35^2 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=df46480c0ed11a7a76f62495fb9a2edeb3f90a64;p=thirdparty%2Fpdns.git libssl: Properly load ciphers and digests with OpenSSL 3.0 Since https://github.com/openssl/openssl/commit/661595ca0933fe631faeadd14a189acd5d4185e0 we can no longer rely on the ciphers and digests required for TLS to be loaded by `OPENSSL_init_ssl()`, so let's give up and load everything. I hope you have a lot of RAM. --- diff --git a/pdns/libssl.cc b/pdns/libssl.cc index b8ae194233..0cd6c2eb52 100644 --- a/pdns/libssl.cc +++ b/pdns/libssl.cc @@ -83,11 +83,19 @@ void registerOpenSSLUser() #ifdef HAVE_OPENSSL_INIT_CRYPTO /* load the default configuration file (or one specified via OPENSSL_CONF), which can then be used to load engines. - Do not load all ciphers and digests, we only need a few of them and these + */ +#if defined(OPENSSL_VERSION_MAJOR) && OPENSSL_VERSION_MAJOR >= 3 + /* Since 661595ca0933fe631faeadd14a189acd5d4185e0 we can no longer rely on the ciphers and digests + required for TLS to be loaded by OPENSSL_init_ssl(), so let's give up and load everything */ + OPENSSL_init_crypto(OPENSSL_INIT_LOAD_CONFIG, nullptr); +#else /* OPENSSL_VERSION_MAJOR >= 3 */ + /* Do not load all ciphers and digests, we only need a few of them and these will be loaded by OPENSSL_init_ssl(). */ OPENSSL_init_crypto(OPENSSL_INIT_LOAD_CONFIG|OPENSSL_INIT_NO_ADD_ALL_CIPHERS|OPENSSL_INIT_NO_ADD_ALL_DIGESTS, nullptr); +#endif /* OPENSSL_VERSION_MAJOR >= 3 */ + OPENSSL_init_ssl(0, nullptr); -#endif +#endif /* HAVE_OPENSSL_INIT_CRYPTO */ #if (OPENSSL_VERSION_NUMBER < 0x1010000fL || (defined LIBRESSL_VERSION_NUMBER && LIBRESSL_VERSION_NUMBER < 0x2090100fL)) /* load error strings for both libcrypto and libssl */
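Review bot: The `OPENSSL_init_crypto(OPENSSL_INIT_LOAD_CONFIG, nullptr);` call added in the `OPENSSL_VERSION_MAJOR >= 3` branch discards its return value, and so do the pre-3.0 call and `OPENSSL_init_ssl(0, nullptr);` next to it. Both functions are documented to return 1 on success and 0 on error, and this is the call that reads the configuration file (the default one or `OPENSSL_CONF`) which the comment says is used to load engines, so a failed initialisation would go unnoticed and the process would carry on with a library state the operator did not configure. I would test the result, e.g. `if (OPENSSL_init_crypto(OPENSSL_INIT_LOAD_CONFIG, nullptr) != 1)`, and fail start-up or at least log it the way the rest of this file reports fatal errors. `registerOpenSSLUser()` starts and ends outside the hunk, so whether a later check already exists cannot be seen from here. Separately, the new comment cites a bare hash; writing `Since OpenSSL commit 661595ca0933fe631faeadd14a189acd5d4185e0` would tell the reader which repository it belongs to.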