From e0be9fb7fc8b2b83c8d9d76ebd414ebb0e135581 Mon Sep 17 00:00:00 2001
From: Joe Orton
Date: Mon, 7 Jul 2025 09:15:21 +0000
Subject: [PATCH] Merge r1926720, r1926722 from trunk:
* modules/ssl/ssl_private.h: For OpenSSL >= 3.5.0 drop $SSLKEYLOGFILE handling inside mod_ssl where OpenSSL is built to handle that internally in libssl.
* modules/ssl/ssl_private.h: Fix logic in r1926720 HAVE_OPENSSL_KEYLOG macro, thanks to rpluem.
Reviewed by: rpluem
Submitted by: jorton
Reviewed by: jorton, rpluem, ylavic
Github: closes #538
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1927023 13f79535-47bb-0310-9956-ffa450edef68
---
 changes-entries/ssl-less-keylog.txt | 3 +++
 modules/ssl/ssl_private.h | 12 ++++++++++--
 2 files changed, 13 insertions(+), 2 deletions(-)
 create mode 100644 changes-entries/ssl-less-keylog.txt
diff --git a/changes-entries/ssl-less-keylog.txt b/changes-entries/ssl-less-keylog.txt
new file mode 100644
index 0000000000..eefb7c371a
--- /dev/null
+++ b/changes-entries/ssl-less-keylog.txt
@@ -0,0 +1,3 @@
+ *) mod_ssl: Drop $SSLKEYLOGFILE handling internally for OpenSSL 3.5
+ builds which enable it in libssl natively. [Joe Orton]
+
diff --git a/modules/ssl/ssl_private.h b/modules/ssl/ssl_private.h
index c517a7bdc0..fb9edaa5ee 100644
--- a/modules/ssl/ssl_private.h
+++ b/modules/ssl/ssl_private.h
@@ -290,8 +290,16 @@ void free_bio_methods(void);
 #define X509_get_notAfter X509_getm_notAfter
 #endif
-#if OPENSSL_VERSION_NUMBER >= 0x10101000L && !defined(LIBRESSL_VERSION_NUMBER)
-#define HAVE_OPENSSL_KEYLOG
+/* The SSL_CTX_set_keylog_callback() API is present in 1.1.1+.
+ *
+ * OpenSSL 3.5+ also provides optional native handling of
+ * $SSLKEYLOGFILE inside libssl, which duplicates the mod_ssl support.
+ * The mod_ssl support is hence disabled for 3.5+, unless that OpenSSL
+ * feature is itself disabled (and OPENSSL_NO_SSLKEYLOG is defined).
+ */
+#if OPENSSL_VERSION_NUMBER >= 0x10101000L && !defined(LIBRESSL_VERSION_NUMBER) \
+ && (OPENSSL_VERSION_NUMBER <= 0x30500000L || defined(OPENSSL_NO_SSLKEYLOG))
+#define HAVE_OPENSSL_KEYLOG
 #endif
 #ifdef HAVE_FIPS
--
2.47.3
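Review bot: The upper bound `OPENSSL_VERSION_NUMBER <= 0x30500000L` in the new `#if` still defines HAVE_OPENSSL_KEYLOG on OpenSSL 3.5.0 itself, since under the 3.x version encoding that release should report exactly 0x30500000L, while the comment above it and the commit message both say the mod_ssl handling is dropped for 3.5+. If 3.5.0 is meant to be excluded, `&& (OPENSSL_VERSION_NUMBER < 0x30500000L || defined(OPENSSL_NO_SSLKEYLOG))` matches the stated behaviour and avoids the case where mod_ssl and libssl would presumably both write TLS secrets for the same $SSLKEYLOGFILE on a 3.5.0 build. The test also depends on OPENSSL_NO_SSLKEYLOG being visible at this point, so it is worth confirming that the OpenSSL configuration header is included earlier in ssl_private.h, which the hunk does not show. The comment could additionally state that on 3.5+ key logging is then controlled entirely by libssl and the process environment, so any mod_ssl-side startup logging or checks tied to HAVE_OPENSSL_KEYLOG no longer run and operators should not rely on them to notice that secrets are being written.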