From: Andrew Dinh
Date: Mon, 8 Sep 2025 13:43:01 +0000 (+1000)
Subject: Deprecate SSL3 Configure flags
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=591e59ac5f511122de930bc27f229deae277705e;p=thirdparty%2Fopenssl.git
Deprecate SSL3 Configure flags
Show a deprecated warning if users attempt to run Configure script with no-ssl3, no-ssl, or no-ssl3-method. Also adds a fix to the Configure script preventing users from enabling deprecated flags.
Reviewed-by: Neil Horman
Reviewed-by: Tomas Mraz
(Merged from https://github.com/openssl/openssl/pull/28559)
---
diff --git a/Configure b/Configure
index 5923af9a69b..c0f3fec989f 100755
--- a/Configure
+++ b/Configure
@@ -528,7 +528,6 @@ my @disablables = (
 "srp",
 "srtp",
 "sse2",
- "ssl",
 "ssl-trace",
 "stdio",
 "sslkeylog",
@@ -581,6 +580,9 @@ my %deprecated_disablables = (
 "ripemd" => "rmd160",
 "ui" => "ui-console",
 "heartbeats" => undef,
+ "ssl" => undef,
+ "ssl3" => undef,
+ "ssl3-method" => undef,
 );
 # All of the following are disabled by default:
@@ -611,8 +613,6 @@ our %disabled = ( # "what" => "comment"
 "msan" => "default",
 "rc5" => "default",
 "sctp" => "default",
- "ssl3" => "default",
- "ssl3-method" => "default",
 "sslkeylog" => "default",
 "tfo" => "default",
 "trace" => "default",
@@ -641,14 +641,12 @@ my @disable_cascades = (
 "rc2", "rc4", "rmd160", "scrypt", "seed", "siphash", "siv", "slh-dsa", "sm3", "sm4", "srp",
- "srtp", "ssl3-method", "ssl-trace",
+ "srtp", "ssl-trace",
 "tfo", "ts", "ui-console", "whirlpool", "fips-securitychecks" ], sub { $config{processor} eq "386" } => [ "sse2" ],
- "ssl" => [ "ssl3" ],
- "ssl3-method" => [ "ssl3" ],
 "zlib" => [ "zlib-dynamic" ],
 "brotli" => [ "brotli-dynamic" ],
 "zstd" => [ "zstd-dynamic" ],
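Review bot: With `"ssl3"` and `"ssl3-method"` added to `%deprecated_disablables` as `undef` in the `@@ -581,6 +580,9 @@` hunk and their `"default"` entries dropped from `%disabled` in the `@@ -611,8 +613,6 @@` hunk, Configure no longer records SSLv3 as disabled by default. If any source still tests `OPENSSL_NO_SSL3` or `OPENSSL_NO_SSL3_METHOD`, those macros would presumably stop being defined and the guarded SSLv3 paths would compile in, so it is worth confirming that no such guards remain. The table also does not say why these three entries have no replacement; a comment such as `# SSLv3 options: accepted and ignored with a deprecation warning, no replacement` above them would help, assuming that is what an `undef` value means (its handling is outside this diff).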
@@ -882,6 +880,13 @@ while (@argvcopy)
 $unsupported_options{$_} = 1;
 next;
 }
+
+ # Do not allow users to enable deprecated flags
+ if (/^enable-(.+)$/ && exists $deprecated_disablables{$word})
+ {
+ $unsupported_options{$_} = 1;
+ next;
+ }
 }
 if (/^no-(.+)$/ || /^disable-(.+)$/)
 {
@@ -901,11 +906,6 @@ while (@argvcopy)
 }
 $disabled{"dtls"} = "option(dtls)";
 }
- elsif ($1 eq "ssl")
- {
- # Last one of its kind
- $disabled{"ssl3"} = "option(ssl)";
- }
 elsif ($1 eq "tls")
 {
 # XXX: Tests will fail if all SSL/TLS
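Review bot: The added `enable-` check in the `@@ -882,6 +880,13 @@` hunk applies to every key of `%deprecated_disablables`, not only the three SSL entries, so `enable-ripemd` or `enable-ui` (both keys are visible in the table earlier in this diff) are now recorded in `%unsupported_options` too. If that is intended, the comment should say so, e.g. `# Deprecated options can only be disabled; reject enable-<deprecated> as unsupported`. The capture group is unused because the test reads `$word`, which is set outside the hunk, so `if (/^enable-/ && exists $deprecated_disablables{$word})` would be enough. How `%unsupported_options` is reported is not shown here, so confirm the resulting message makes clear why `enable-ssl3` is refused.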