Merge r1926720, r1926722 from trunk:
authorJoe Orton <jorton@apache.org>
Mon, 7 Jul 2025 09:15:21 +0000 (09:15 +0000)
committerJoe Orton <jorton@apache.org>
Mon, 7 Jul 2025 09:15:21 +0000 (09:15 +0000)
* modules/ssl/ssl_private.h: For OpenSSL >= 3.5.0 drop $SSLKEYLOGFILE
  handling inside mod_ssl where OpenSSL is built to handle that
  internally in libssl.

* modules/ssl/ssl_private.h: Fix logic in r1926720 HAVE_OPENSSL_KEYLOG macro,
  thanks to rpluem.

Reviewed by: rpluem
Submitted by: jorton
Reviewed by: jorton, rpluem, ylavic
Github: closes #538

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1927023 13f79535-47bb-0310-9956-ffa450edef68

changes-entries/ssl-less-keylog.txt [new file with mode: 0644]
modules/ssl/ssl_private.h

diff --git a/changes-entries/ssl-less-keylog.txt b/changes-entries/ssl-less-keylog.txt
new file mode 100644 (file)
index 0000000..eefb7c3
--- /dev/null
@@ -0,0 +1,3 @@
+  *) mod_ssl: Drop $SSLKEYLOGFILE handling internally for OpenSSL 3.5
+     builds which enable it in libssl natively.  [Joe Orton]
+
index c517a7bdc01a4a98535f4084d880040c55ca9b02..fb9edaa5eeb67d5ec4dc3882e6de8af4d4451151 100644 (file)
@@ -290,8 +290,16 @@ void free_bio_methods(void);
 #define X509_get_notAfter   X509_getm_notAfter
 #endif
 
-#if OPENSSL_VERSION_NUMBER >= 0x10101000L && !defined(LIBRESSL_VERSION_NUMBER)
-#define HAVE_OPENSSL_KEYLOG
+/* The SSL_CTX_set_keylog_callback() API is present in 1.1.1+.
+ * 
+ * OpenSSL 3.5+ also provides optional native handling of
+ * $SSLKEYLOGFILE inside libssl, which duplicates the mod_ssl support.
+ * The mod_ssl support is hence disabled for 3.5+, unless that OpenSSL
+ * feature is itself disabled (and OPENSSL_NO_SSLKEYLOG is defined).
+ */
+#if OPENSSL_VERSION_NUMBER >= 0x10101000L && !defined(LIBRESSL_VERSION_NUMBER) \
+    && (OPENSSL_VERSION_NUMBER <= 0x30500000L || defined(OPENSSL_NO_SSLKEYLOG))
+#define HAVE_OPENSSL_KEYLOG 
 #endif
 
 #ifdef HAVE_FIPS
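Review bot: The version boundary in the new condition does not match the comment above it: `OPENSSL_VERSION_NUMBER <= 0x30500000L` still defines HAVE_OPENSSL_KEYLOG for a build whose number is exactly 0x30500000L (a 3.5.0 pre-release status byte of 0), while the comment says mod_ssl's handling is disabled "for 3.5+". The idiomatic form is a strict comparison, `&& (OPENSSL_VERSION_NUMBER < 0x30500000L || defined(OPENSSL_NO_SSLKEYLOG))`, which also reads the same way the surrounding 1.1.1 check does. The fallback on `OPENSSL_NO_SSLKEYLOG` only works if OpenSSL's configuration header has already been included before this point in ssl_private.h, which appears to be the case from the other OpenSSL macros referenced in the context lines but cannot be confirmed from this hunk; a one-line comment such as `/* OPENSSL_NO_SSLKEYLOG comes from opensslconf.h, included above */` would make that dependency explicit for anyone later reordering the includes. The added comment line ` * ` and the `#define HAVE_OPENSSL_KEYLOG ` line both carry trailing whitespace, which the surrounding file does not; the trailing space after the macro name is harmless to the preprocessor but should be dropped for consistency.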