From: Philip Prindeville <philipp@redfish-solutions.com>
Date: Thu, 5 Feb 2026 21:47:50 +0000 (-0700)
Subject: [#4338] Build with current Openssl API
X-Git-Tag: Kea-3.1.7~19
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=bb69a4dade2c5099d32c10bacd61910461cf3bdf;p=thirdparty%2Fkea.git

[#4338] Build with current Openssl API
---

diff --git a/AUTHORS b/AUTHORS
index e46c44e4c3..3b6a6a7f2b 100644
--- a/AUTHORS
+++ b/AUTHORS
@@ -312,6 +312,7 @@ We have received the following contributions:
 
  - Philip Prindeville
    2024-09: Brought down the number of utilities keactrl depends on.
+   2026-03: Support compiling without deprecated OpenSSL API.
 
  - q66
    2025-01: Added support for building with Boost 1.87.
diff --git a/config.h.in b/config.h.in
index 9d086c128f..fba9ce7434 100644
--- a/config.h.in
+++ b/config.h.in
@@ -111,3 +111,9 @@
 
 /* Compile with OpenSSL crypto */
 #mesondefine WITH_OPENSSL
+
+/* OpenSSL has the new X.509 certificate API */
+#mesondefine HAVE_NEW_SSL_API
+
+/* Use OpenSSL_version() instead of SSLeay_version() */
+#mesondefine HAVE_OPENSSL_VERSION
diff --git a/meson.build b/meson.build
index 3dee99fd04..4c93d3a4e4 100644
--- a/meson.build
+++ b/meson.build
@@ -340,6 +340,20 @@ elif CRYPTO_DEP.name() == openssl.name()
         required: true,
     )
     message('Using OpenSSL.')
+    if cpp.has_function(
+        'SSL_get1_peer_certificate',
+        prefix: '#include <openssl/ssl.h>',
+        dependencies: openssl,
+    )
+        conf_data.set('HAVE_NEW_SSL_API', true)
+    endif
+    if cpp.has_function(
+        'OpenSSL_version',
+        prefix: '#include <openssl/crypto.h>',
+        dependencies: openssl,
+    )
+        conf_data.set('HAVE_OPENSSL_VERSION', true)
+    endif
 else
     error('Dependency not found: neither Botan nor OpenSSL.')
 endif
diff --git a/src/lib/asiolink/openssl_tls.h b/src/lib/asiolink/openssl_tls.h
index 57c33236b8..2d132ea4a2 100644
--- a/src/lib/asiolink/openssl_tls.h
+++ b/src/lib/asiolink/openssl_tls.h
@@ -171,7 +171,11 @@ public:
     ///
     /// @return The commonName part of the subjectName or the empty string.
     virtual std::string getSubject() {
+#ifdef HAVE_NEW_SSL_API
+        ::X509* cert = ::SSL_get1_peer_certificate(this->native_handle());
+#else
         ::X509* cert = ::SSL_get_peer_certificate(this->native_handle());
+#endif
         if (!cert) {
             return ("");
         }
@@ -205,7 +209,11 @@ public:
     ///
     /// @return The commonName part of the issuerName or the empty string.
     virtual std::string getIssuer() {
+#ifdef HAVE_NEW_SSL_API
+        ::X509* cert = ::SSL_get1_peer_certificate(this->native_handle());
+#else
         ::X509* cert = ::SSL_get_peer_certificate(this->native_handle());
+#endif
         if (!cert) {
             return ("");
         }
diff --git a/src/lib/cryptolink/openssl_link.cc b/src/lib/cryptolink/openssl_link.cc
index 4bceb8fb27..363d8273c4 100644
--- a/src/lib/cryptolink/openssl_link.cc
+++ b/src/lib/cryptolink/openssl_link.cc
@@ -77,7 +77,11 @@ CryptoLink::initialize(CryptoLink& c) {
 
 std::string
 CryptoLink::getVersion() {
+#ifdef HAVE_OPENSSL_VERSION
+    return (OpenSSL_version(OPENSSL_VERSION));
+#else
     return (SSLeay_version(SSLEAY_VERSION));
+#endif
 }
 
 } // namespace cryptolink