From: Nick Mathewson
Date: Sat, 26 Apr 2025 13:37:33 +0000 (-0400)
Subject: Require OpenSSL >= 1.1.1 or LibreSSL >= 3.7
X-Git-Tag: tor-0.4.9.3-alpha~60^2~7
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=e47287f00ebe4179ee412ceb2e3a967bab7a4423;p=thirdparty%2Ftor.git
Require OpenSSL >= 1.1.1 or LibreSSL >= 3.7
3.0 is the oldest supported version of OpenSSL; it was first released in September 2021. OpenSSL 1.1.1 (the previous series) reached EOL in September 2023, but it is still used in Debian oldstable, which will be around till September 2026. LibreSSL 3.7 is not quite supported, but I don't have as firm a conviction about which LibreSSL versions we should handle. It was released in 2022.
---
diff --git a/configure.ac b/configure.ac
index f230b14177..b34f32a2f3 100644
--- a/configure.ac
+++ b/configure.ac
@@ -1000,7 +1000,7 @@ AC_ARG_WITH(ssl-dir,
 fi ])
-AC_MSG_NOTICE([Now, we'll look for OpenSSL >= 1.0.1])
+AC_MSG_NOTICE([Now, we'll look for OpenSSL.])
 TOR_SEARCH_LIBRARY(openssl, $tryssldir, [-lssl -lcrypto $TOR_LIB_GDI $TOR_LIB_WS32 $TOR_LIB_CRYPT32], [#include char *getenv(const char *);],
@@ -1040,38 +1040,48 @@ dnl and later. We want to migrate away from them, but that will be a lot of
 dnl work. (See ticket tor#40166.) For now, we disable the deprecation
 dnl warnings.
-AC_MSG_CHECKING([for OpenSSL >= 3.0.0])
+AC_MSG_CHECKING([for OpenSSL implementation])
 AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[ #include
-#if !defined(LIBRESSL_VERSION_NUMBER) && OPENSSL_VERSION_NUMBER >= 0x30000000L
-#error "you_have_version_3"
+#if defined(LIBRESSL_VERSION_NUMBER)
+#error "this is libressl, no worries"
 #endif ]], [[]])],
- [ AC_MSG_RESULT([no]) ],
- [ AC_MSG_RESULT([yes]);
- AC_DEFINE(OPENSSL_SUPPRESS_DEPRECATED, 1, [disable openssl deprecated-function warnings]) ])
-
-AC_MSG_CHECKING([for OpenSSL < 1.0.1])
+ [ openssl_impl=openssl
+ AC_MSG_RESULT([OpenSSL])
+ AC_DEFINE(OPENSSL_SUPPRESS_DEPRECATED, 1, [disable openssl deprecated-function warnings])
+ ],
+ [ openssl_impl=libressl
+ AC_MSG_RESULT([LibreSSL])
+ ])
+
+if test "x$openssl_impl" = "xopenssl"; then
+AC_MSG_CHECKING([for OpenSSL < 1.1.1])
 AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[ #include
-#if OPENSSL_VERSION_NUMBER < 0x1000100fL
-#error "too old"
+#if !defined(LIBRESSL_VERSION_NUMBER) && OPENSSL_VERSION_NUMBER < 0x10101000L
+#error "openssl too old"
 #endif ]], [[]])], [ AC_MSG_RESULT([no]) ],
- [ AC_MSG_ERROR([OpenSSL is too old. We require 1.0.1 or later. You can specify a path to a newer one with --with-openssl-dir.]) ])
+ [ AC_MSG_RESULT([yes])
+ AC_MSG_ERROR([Your version of OpenSSL is too old.
 We require 1.1.1 or later, and you should use 3.5 if possible.])
+ ])
+fi
-AC_MSG_CHECKING([whether LibreSSL TLS 1.3 APIs are busted])
+if test "x$openssl_impl" = "xlibressl"; then
+AC_MSG_CHECKING([for LibreSSL < 3.7.0])
 AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[ #include
-#if defined(LIBRESSL_VERSION_NUMBER) && \
- LIBRESSL_VERSION_NUMBER >= 0x3020100fL && \
- LIBRESSL_VERSION_NUMBER < 0x3040100fL
-#error "oh no"
+#if defined(LIBRESSL_VERSION_NUMBER) && LIBRESSL_VERSION_NUMBER < 0x3070000fL
+#error "libressl too old"
 #endif ]], [[]])], [ AC_MSG_RESULT([no]) ],
- [ AC_MSG_ERROR([This version of LibreSSL won't work with Tor. Please upgrade to LibreSSL 3.4.1 or later. (Or downgrade to 3.2.0 if you really must.)]) ])
+ [ AC_MSG_RESULT([yes])
+ AC_MSG_ERROR([Your version of LibreSSL is too old. We require 3.7.0 or later.])
+ ])
+fi
 AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[ #include
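Review bot: The OpenSSL floor in the second check, `OPENSSL_VERSION_NUMBER < 0x10101000L`, ends in status nibble `0`, which in the pre-3.0 version encoding marks a development build, so headers from 1.1.1 pre-releases pass; the removed 1.0.1 check and the new LibreSSL bound both end in `f`. If the intent is the 1.1.1 release, the line would read `#if !defined(LIBRESSL_VERSION_NUMBER) && OPENSSL_VERSION_NUMBER < 0x1010100fL`. Since the commit message says 1.1.1 is already past upstream EOL, a comment above that check such as `dnl OpenSSL 1.1.1 is EOL upstream and kept only for Debian oldstable; revisit this floor after September 2026.` would record when to raise it. Both version tests look only at the headers configure found; whether the library actually linked or loaded at run time is checked against the same floor is not visible in this hunk.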