Apache Traffic Server already builds, runs, and is CI-tested against OpenSSL 3.x (CI covers OpenSSL 3.0.8 and 3.5.6, plus quictls). On OpenSSL 3.0 and newer the build defines OPENSSL_API_COMPAT=10002 (see CMakeLists.txt), which keeps a few deprecated calls compiling through the 1.0.2 compatibility layer.
This issue tracks removing that residual deprecated usage so we can eventually drop the compatibility shim and stay clean as these APIs are removed in future OpenSSL releases. It is the remaining work split out from the umbrella #7341, which I am closing because the compatibility goal (build, run, and pass the test suite on OpenSSL 3.x) is met.
All of the remaining deprecated-in-3.0 calls are in src/iocore/net/SSLUtils.cc:
Diffie-Hellman parameter helpers (deprecated in favor of the EVP_PKEY interface):
- DH_get_2048_256() (line 389, line 499)
- DH_new() (line 423)
- PEM_read_bio_DHparams() (line 497)
ENGINE API (deprecated in 3.0 in favor of providers):
- ENGINE_load_dynamic() (line 832)
- ENGINE_get_default_RSA() (line 919)
- ENGINE_load_private_key() (line 921)
Suggested direction:
- Replace the DH parameter handling with the EVP_PKEY / EVP_PKEY_CTX equivalents (or rely on the library's built-in parameter selection).
- Migrate the ENGINE-based private key loading to the OpenSSL 3.0 provider interface (OSSL_PROVIDER / OSSL_STORE), keeping a compatibility path for builds against OpenSSL 1.1.1 where providers are not available.
Once these are gone we can drop OPENSSL_API_COMPAT=10002 for OpenSSL 3 builds.
Note: the plugin-side items from the old umbrella (low-level SHA1/MD5/SHA256/HMAC digests in cache_promote, prefetch, certifier, ja3_fingerprint, s3_auth, metalink, access_control) and the other core items (SSL_get_peer_certificate, ERR_get_error_line_data, HMAC) have already been migrated; only the DH and ENGINE usage above remains.
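
A regression check for the six calls named in this issue, as an added example that is not part of the original issue or of the Traffic Server code base: it reports real call sites in C++ source and ignores mentions inside comments and string literals. The function names and the embedded sample source are constructed for illustration.

```python
import re
# Deprecated-in-3.0 calls listed in the issue -> suggested replacement family.
DEPRECATED = {
    "DH_get_2048_256": "EVP_PKEY", "DH_new": "EVP_PKEY",
    "PEM_read_bio_DHparams": "EVP_PKEY", "ENGINE_load_dynamic": "provider",
    "ENGINE_get_default_RSA": "provider", "ENGINE_load_private_key": "provider",
}
CALL = re.compile(r"\b(" + "|".join(DEPRECATED) + r")\s*\(")

def blank_comments_and_strings(src):
    """Blank comment/literal bodies, keeping newlines (not a full C++ lexer)."""
    out, i, state = [], 0, "code"
    while i < len(src):
        c, two = src[i], src[i:i + 2]
        if state == "code" and two in ("//", "/*"):
            state, c, i = ("line" if two == "//" else "block"), "  ", i + 1
        elif state == "code" and c in "\"'":
            state = c  # remember which quote closes the literal
        elif state == "line" and c == "\n":
            state = "code"
        elif state == "block" and two == "*/":
            state, c, i = "code", "  ", i + 1
        elif state in "\"'" and c == "\\":
            c, i = (" \n" if two[1:] == "\n" else "  "), i + 1  # skip escaped char
        elif state in "\"'" and c == state:
            state = "code"
        elif state != "code" and c != "\n":
            c = " "
        out.append(c)
        i += 1
    return "".join(out)

def find_deprecated_calls(src):
    """Return (line, symbol, replacement) for each real call site in src."""
    lines = blank_comments_and_strings(src).splitlines()
    return [(n, m.group(1), DEPRECATED[m.group(1)])
            for n, line in enumerate(lines, 1) for m in CALL.finditer(line)]

# Constructed sample input, not taken from SSLUtils.cc.
SAMPLE = '''// DH_new() used to be called here
DH *dh = PEM_read_bio_DHparams(bio, nullptr, nullptr, nullptr);
if (!dh) dh = DH_get_2048_256();
/* ENGINE_load_dynamic();
   removed */
Error("ENGINE_load_private_key() failed");
EVP_PKEY *k = ENGINE_load_private_key(e, id, nullptr, nullptr);
'''
if __name__ == "__main__":
    print(find_deprecated_calls(SAMPLE))
```

Run over src/iocore/net/SSLUtils.cc in CI, an empty result is the precondition for removing OPENSSL_API_COMPAT=10002; code kept for the OpenSSL 1.1.1 compatibility path would need an allowlist.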