git.ipfire.org Git - thirdparty/apache/httpd.git/commit

Merge r1933586, r1916058, r1916068, r1933631, r1929891 from trunk:

Fix OpenSSL 4.0 compatibility and test that in CI.

CI: Update to test OpenSSL 4.0.0 explicitly.
CI: No longer disable deprecated-declaration warnings for OpenSSL 3.4 -Werror build.

* modules/ssl/ssl_engine_kernel.c (ssl_hook_UserCheck): Change name to
  const X509_NAME *.
  (ssl_callback_proxy_cert): Change ca_name, issuer, and ca_issuer to
  const X509_NAME *.

* modules/ssl/ssl_engine_log.c (ssl_log_cert_error): Change cert
  parameter to const X509 *. Use X509_get0_serialNumber,
  X509_get0_notBefore, and X509_get0_notAfter instead of non-const
  variants.
  (ssl_log_xerror, ssl_log_cxerror, ssl_log_rxerror): Change cert
  parameter to const X509 *.

* modules/ssl/ssl_engine_vars.c (ssl_var_lookup_ssl_cert_dn): Change
  xsname parameter to const X509_NAME *.
  (ssl_var_lookup_ssl_cert_dn_oneline): Change xsname parameter to
  const X509_NAME *.
  (ssl_var_lookup_ssl_cert): Change xsname to const X509_NAME *.
  (ssl_var_lookup_ssl_cert_rfc4523_cea): Change issuer to const
  X509_NAME *.

* modules/ssl/ssl_private.h (ssl_log_xerror, ssl_log_cxerror,
  ssl_log_rxerror): Update declarations to use const X509 *.

* modules/ssl/ssl_util_ssl.c (modssl_X509_NAME_to_string): Change dn
  parameter to const X509_NAME *.
  (getIDs): Change subj to const X509_NAME *.

* modules/ssl/ssl_util_ssl.h (modssl_X509_NAME_to_string): Update
  declaration to use const X509_NAME *.

* support/ab.c (ssl_print_cert_info): Change dn to const X509_NAME *.

mod_ssl: use ASN1_STRING accessor API in dump_extn_value:

* modules/ssl/ssl_engine_vars.c (dump_extn_value): Use
  ASN1_STRING_get0_data() and ASN1_STRING_length() rather than
  directly dereferencing the ASN1_OCTET_STRING structure, which is
  opaque in OpenSSL 4.0.
* modules/ssl/ssl_private.h: Add compat macros for
  ASN1_STRING_get0_data and ASN1_STRING_length for pre-1.1 API.

mod_ssl: constify ASN1_TIME pointers, use X509_get0_not{Before,After}:

* modules/ssl/ssl_engine_vars.c (ssl_var_lookup_ssl_cert_valid,
  ssl_var_lookup_ssl_cert_remain): Constify ASN1_TIME * parameter.
  (ssl_var_lookup_ssl_cert): Use X509_get0_notBefore() and
  X509_get0_notAfter() which return const pointers.
  (ssl_var_lookup_ssl_cert_remain): Use ASN1_TIME_check() directly
  rather than INVALID_ASN1_TIME macro which dereferences the
  ASN1_TIME structure.
  (dump_extn_value): Constify ASN1_OCTET_STRING * parameter.
* modules/ssl/ssl_private.h: Add compat macros for
  X509_get0_before and X509_get0_after for pre-1.1 API.

mod_ssl: constify X509_NAME_ENTRY and X509_EXTENSION pointers:

* modules/ssl/ssl_engine_vars.c (ssl_var_lookup_ssl_cert_dn,
  extract_dn): Constify X509_NAME_ENTRY * variables, constify
  X509_NAME * parameter of extract_dn, drop unnecessary casts
  on X509_NAME_ENTRY_get_object() calls.
  (ssl_ext_list): Use MODSSL_X509_EXT_CONST for X509_EXTENSION *
  since X509_EXTENSION accessors are only constified in OpenSSL 4.
* modules/ssl/ssl_util_ssl.c, modules/ssl/ssl_util_ssl.h
  (modssl_X509_NAME_ENTRY_to_string): Constify X509_NAME_ENTRY *
  parameter.
* modules/ssl/ssl_private.h: Add MODSSL_X509_EXT_CONST, defined
  as const for OpenSSL 4+ and empty otherwise.

* modules/ssl/ssl_util_ssl.c (asn1_string_convert): Constify
  ASN1_STRING * argument.
* modules/ssl/ssl_engine_ocsp.c (extract_responder_uri): Use
  modssl_ASN1_STRING_convert instead of directly accessing ASN1_STRING
  data pointer.

* modules/ssl/ssl_util_ssl.c (modssl_ASN1_STRING_convert): Rename from
  asn1_string_convert and export function.
  (asn1_string_to_utf8): Update to use modssl_ASN1_STRING_convert.
  (modssl_X509_NAME_ENTRY_to_string): Update to use
  modssl_ASN1_STRING_convert.

* modules/ssl/ssl_util_ssl.h (modssl_ASN1_STRING_convert): Declare new
  function.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
CI: Add OpenSSL 3.1 builds, including a no-engine build.
(attempt to use 3.2 failed, unsure why)
- add OpenSSL build binaries to $PATH

CI: add OpenSSL 3.2, test OpenSSL 3.x using Apache::Test
trunk to pick up r1916067.

CI: The OpenSSL no-engine config option is redundant as of 4.0, remove.

CI: Try to fix ab failures during OpenSSL ech job, set RPATH via LDFLAGS

CI: For OpenSSL branch builds, always build a fresh version of the
OpenSSL branch and cache the commit hash to allow checking for freshness.
Also clone with --depth=1 to save time+bandwidth.

Reviewed by: jorton, covener (skimmed+CI results), rpluem
Github: closes #642

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1934973 13f79535-47bb-0310-9956-ffa450edef68

author	Joe Orton <jorton@apache.org>
	Thu, 4 Jun 2026 08:50:44 +0000 (08:50 +0000)
committer	Joe Orton <jorton@apache.org>
	Thu, 4 Jun 2026 08:50:44 +0000 (08:50 +0000)
commit	83d565fbb5898a3263056f59e7b53cbf3fd2fb61
tree	59c6ee7cb08f8f7eca44f2feae60667d75cc4bf5	tree \| snapshot
parent	785f2b2c56103cf8d5f9109cdd81d034cd348147	commit \| diff

.github/workflows/linux.yml		diff \| blob \| blame \| history
CHANGES		diff \| blob \| blame \| history
modules/ssl/ssl_engine_kernel.c		diff \| blob \| blame \| history
modules/ssl/ssl_engine_log.c		diff \| blob \| blame \| history
modules/ssl/ssl_engine_ocsp.c		diff \| blob \| blame \| history
modules/ssl/ssl_engine_vars.c		diff \| blob \| blame \| history
modules/ssl/ssl_private.h		diff \| blob \| blame \| history
modules/ssl/ssl_util_ssl.c		diff \| blob \| blame \| history
modules/ssl/ssl_util_ssl.h		diff \| blob \| blame \| history
support/ab.c		diff \| blob \| blame \| history
test/travis_before_linux.sh		diff \| blob \| blame \| history
test/travis_run_linux.sh		diff \| blob \| blame \| history