From: Joe Orton <jorton@apache.org>
Date: Wed, 25 Jun 2025 12:53:18 +0000 (+0000)
Subject: * modules/ssl/ssl_private.h: For OpenSSL >= 3.5.0 drop $SSLKEYLOGFILE
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=c2ffd2a551154e73b2d01cb8fef805d0f74265f8;p=thirdparty%2Fapache%2Fhttpd.git

* modules/ssl/ssl_private.h: For OpenSSL >= 3.5.0 drop $SSLKEYLOGFILE
  handling inside mod_ssl where OpenSSL is built to handle that
  internally in libssl.


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1926720 13f79535-47bb-0310-9956-ffa450edef68
---

diff --git a/modules/ssl/ssl_private.h b/modules/ssl/ssl_private.h
index 7ebd3b48b3..7ff9ebf2e1 100644
--- a/modules/ssl/ssl_private.h
+++ b/modules/ssl/ssl_private.h
@@ -296,8 +296,12 @@ void free_bio_methods(void);
 #define X509_get_notAfter   X509_getm_notAfter
 #endif
 
-#if OPENSSL_VERSION_NUMBER >= 0x10101000L && !defined(LIBRESSL_VERSION_NUMBER)
-#define HAVE_OPENSSL_KEYLOG
+/* For OpenSSL 3.5.0+, don't handle $SSLKEYLOGFILE since libssl does -
+ * unless OpenSSL was built with no-sslkeylog, which drops the env var
+ * handling, but leaves the API intact. */
+#if OPENSSL_VERSION_NUMBER >= 0x10101000L && !defined(LIBRESSL_VERSION_NUMBER) \
+    && (OPENSSL_VERSION_NUMBER <= 0x30500000L || !defined(OPENSSL_NO_SSLKEYLOG))
+#define HAVE_OPENSSL_KEYLOG 
 #endif
 
 #ifdef HAVE_FIPS