6 changes: 3 additions & 3 deletions .github/workflows/linux.yml
@@ -316,12 +316,12 @@ jobs:
APU_CONFIG="--without-crypto"
pkgs: subversion
# -------------------------------------------------------------------------
- name: OpenSSL ECH branch
- name: OpenSSL master
config: --enable-mods-shared=most --enable-maintainer-mode --disable-md --disable-http2 --disable-ldap --disable-crypto
notest-cflags: -Werror -O2
env: |
TEST_OPENSSL3=ech2
TEST_OPENSSL3_BRANCH=feature/ech
TEST_OPENSSL3=ech3
TEST_OPENSSL3_BRANCH=master
OPENSSL_CONFIG=no-engine
APR_VERSION=1.7.6
APU_VERSION=1.6.3
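Review bot: `TEST_OPENSSL3_BRANCH=master` makes this job build whatever the OpenSSL development head is when the workflow runs, so a failing run may be caused by an upstream change rather than by httpd and cannot be reproduced later from the workflow alone. If tracking the moving head is the intent, a comment above the step would record it, e.g. `# tracks OpenSSL master on purpose; failures may originate upstream`. `TEST_OPENSSL3=ech3` also keeps an ECH-flavoured label on a job that no longer builds the ECH branch; it looks like a cache or install key (its use is not visible here) and could be renamed to match. The job entry continues past the end of the hunk.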
4 changes: 2 additions & 2 deletions modules/ssl/ssl_engine_kernel.c
@@ -1263,7 +1263,7 @@ int ssl_hook_UserCheck(request_rec *r)
}

if (!sslconn->client_dn) {
X509_NAME *name = X509_get_subject_name(sslconn->client_cert);
const X509_NAME *name = X509_get_subject_name(sslconn->client_cert);
char *cp = X509_NAME_oneline(name, NULL, 0);
sslconn->client_dn = apr_pstrdup(r->connection->pool, cp);
OPENSSL_free(cp);
@@ -1817,7 +1817,7 @@ int ssl_callback_proxy_cert(SSL *ssl, X509 **x509, EVP_PKEY **pkey)
server_rec *s = mySrvFromConn(c);
SSLSrvConfigRec *sc = mySrvConfig(s);
SSLDirConfigRec *dc = myDirConfigFromConn(c);
X509_NAME *ca_name, *issuer, *ca_issuer;
const X509_NAME *ca_name, *issuer, *ca_issuer;
X509_INFO *info;
X509 *ca_cert;
STACK_OF(X509_NAME) *ca_list;
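Review bot: In the ssl_hook_UserCheck hunk the result of `X509_NAME_oneline(name, NULL, 0)` is used without a NULL check, so on failure `client_dn` is set from a NULL `cp` and stays unset for whatever reads it after this block (that code is outside the hunk). Since the DN appears to serve as the client's identity in this hook, I would stop before storing it, e.g. `if (cp == NULL) { /* log via ssl_log_rxerror and fail the check */ }`. The const qualification itself looks fine; the function body starts and ends outside the hunk.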
14 changes: 7 additions & 7 deletions modules/ssl/ssl_engine_log.c
@@ -126,7 +126,7 @@ void ssl_log_ssl_error(const char *file, int line, int level, server_rec *s)
static void ssl_log_cert_error(const char *file, int line, int level,
apr_status_t rv, const server_rec *s,
const conn_rec *c, const request_rec *r,
apr_pool_t *p, X509 *cert, const char *format,
apr_pool_t *p, const X509 *cert, const char *format,
va_list ap)
{
char buf[HUGE_STRING_LEN];
@@ -167,14 +167,14 @@ static void ssl_log_cert_error(const char *file, int line, int level,
}

BIO_puts(bio, " / serial: ");
if (i2a_ASN1_INTEGER(bio, X509_get_serialNumber(cert)) == -1)
if (i2a_ASN1_INTEGER(bio, X509_get0_serialNumber(cert)) == -1)
BIO_puts(bio, "(ERROR)");

BIO_puts(bio, " / notbefore: ");
ASN1_TIME_print(bio, X509_get_notBefore(cert));
ASN1_TIME_print(bio, X509_get0_notBefore(cert));

BIO_puts(bio, " / notafter: ");
ASN1_TIME_print(bio, X509_get_notAfter(cert));
ASN1_TIME_print(bio, X509_get0_notAfter(cert));

BIO_puts(bio, "]");

@@ -212,7 +212,7 @@ static void ssl_log_cert_error(const char *file, int line, int level,
* in the other cases we use the connection and request pool, respectively).
*/
void ssl_log_xerror(const char *file, int line, int level, apr_status_t rv,
apr_pool_t *ptemp, server_rec *s, X509 *cert,
apr_pool_t *ptemp, server_rec *s, const X509 *cert,
const char *fmt, ...)
{
if (APLOG_IS_LEVEL(s,level)) {
@@ -225,7 +225,7 @@ void ssl_log_xerror(const char *file, int line, int level, apr_status_t rv,
}

void ssl_log_cxerror(const char *file, int line, int level, apr_status_t rv,
conn_rec *c, X509 *cert, const char *fmt, ...)
conn_rec *c, const X509 *cert, const char *fmt, ...)
{
if (APLOG_IS_LEVEL(mySrvFromConn(c),level)) {
va_list ap;
@@ -237,7 +237,7 @@ void ssl_log_cxerror(const char *file, int line, int level, apr_status_t rv,
}

void ssl_log_rxerror(const char *file, int line, int level, apr_status_t rv,
request_rec *r, X509 *cert, const char *fmt, ...)
request_rec *r, const X509 *cert, const char *fmt, ...)
{
if (APLOG_R_IS_LEVEL(r,level)) {
va_list ap;
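Review bot: `X509_get0_serialNumber`, `X509_get0_notBefore` and `X509_get0_notAfter` in ssl_log_cert_error were introduced in OpenSSL 1.1.0, and nothing on this page adds a fallback for older libraries. If mod_ssl is still meant to build against a library that lacks them, ssl_private.h needs compat defines such as `#define X509_get0_notBefore(x) X509_get_notBefore(x)` under whatever pre-1.1 guard the header uses. The `const X509 *cert` parameter is also handed to accessors that took a non-const pointer in those releases, which a `-Werror` build like the one in the workflow would reject. If those versions are no longer supported, a sentence in the commit message saying so would settle it; the function continues outside the hunks shown.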
12 changes: 6 additions & 6 deletions modules/ssl/ssl_engine_vars.c
@@ -41,7 +41,7 @@

static const char *ssl_var_lookup_ssl(apr_pool_t *p, const SSLConnRec *sslconn, request_rec *r, const char *var);
static const char *ssl_var_lookup_ssl_cert(apr_pool_t *p, request_rec *r, X509 *xs, const char *var);
static const char *ssl_var_lookup_ssl_cert_dn(apr_pool_t *p, X509_NAME *xsname, const char *var);
static const char *ssl_var_lookup_ssl_cert_dn(apr_pool_t *p, const X509_NAME *xsname, const char *var);
static const char *ssl_var_lookup_ssl_cert_san(apr_pool_t *p, X509 *xs, const char *var);
static const char *ssl_var_lookup_ssl_cert_valid(apr_pool_t *p, ASN1_TIME *tm);
static const char *ssl_var_lookup_ssl_cert_remain(apr_pool_t *p, ASN1_TIME *tm);
@@ -598,7 +598,7 @@ static const char *ssl_var_lookup_ssl(apr_pool_t *p, const SSLConnRec *sslconn,
}

static const char *ssl_var_lookup_ssl_cert_dn_oneline(apr_pool_t *p, request_rec *r,
X509_NAME *xsname)
const X509_NAME *xsname)
{
char *result = NULL;
SSLDirConfigRec *dc;
@@ -629,7 +629,7 @@ static const char *ssl_var_lookup_ssl_cert(apr_pool_t *p, request_rec *r, X509 *
const char *var)
{
const char *result;
X509_NAME *xsname;
const X509_NAME *xsname;
int nid;

result = NULL;
@@ -727,8 +727,8 @@ static const struct {
{ NULL, 0, 0 }
};

static const char *ssl_var_lookup_ssl_cert_dn(apr_pool_t *p, X509_NAME *xsname,
const char *var)
static const char *ssl_var_lookup_ssl_cert_dn(apr_pool_t *p, const X509_NAME *xsname,
const char *var)
{
const char *ptr;
const char *result;
@@ -929,7 +929,7 @@ static const char *ssl_var_lookup_ssl_cert_rfc4523_cea(apr_pool_t *p, SSL *ssl)

serialNumber = X509_get_serialNumber(xs);
if (serialNumber) {
X509_NAME *issuer = X509_get_issuer_name(xs);
const X509_NAME *issuer = X509_get_issuer_name(xs);
if (issuer) {
BIGNUM *bn = ASN1_INTEGER_to_BN(serialNumber, NULL);
if((decimal = BN_bn2dec(bn)) == NULL) {
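Review bot: In the ssl_var_lookup_ssl_cert_rfc4523_cea hunk, `bn` from `ASN1_INTEGER_to_BN(serialNumber, NULL)` goes straight into `BN_bn2dec(bn)` with no NULL check, and the serial number is read from a certificate on the connection. A conversion failure should take the error path explicitly: `if (bn == NULL || (decimal = BN_bn2dec(bn)) == NULL) {`. This hunk also still calls `X509_get_serialNumber(xs)` while ssl_engine_log.c in the same change moves to `X509_get0_serialNumber`, so the two files now disagree on the accessor. The rest of the function, including how the error branch releases `bn`, lies outside the hunk.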
6 changes: 3 additions & 3 deletions modules/ssl/ssl_private.h
@@ -1212,16 +1212,16 @@ void ssl_log_ssl_error(const char *, int, int, server_rec *);
* counterparts. */
void ssl_log_xerror(const char *file, int line, int level,
apr_status_t rv, apr_pool_t *p, server_rec *s,
X509 *cert, const char *format, ...)
const X509 *cert, const char *format, ...)
__attribute__((format(printf,8,9)));

void ssl_log_cxerror(const char *file, int line, int level,
apr_status_t rv, conn_rec *c, X509 *cert,
apr_status_t rv, conn_rec *c, const X509 *cert,
const char *format, ...)
__attribute__((format(printf,7,8)));

void ssl_log_rxerror(const char *file, int line, int level,
apr_status_t rv, request_rec *r, X509 *cert,
apr_status_t rv, request_rec *r, const X509 *cert,
const char *format, ...)
__attribute__((format(printf,7,8)));

4 changes: 2 additions & 2 deletions modules/ssl/ssl_util_ssl.c
@@ -236,7 +236,7 @@ char *modssl_X509_NAME_ENTRY_to_string(apr_pool_t *p, X509_NAME_ENTRY *xsne,
* convert an X509_NAME to an RFC 2253 formatted string, optionally truncated
* to maxlen characters (specify a maxlen of 0 for no length limit)
*/
char *modssl_X509_NAME_to_string(apr_pool_t *p, X509_NAME *dn, int maxlen)
char *modssl_X509_NAME_to_string(apr_pool_t *p, const X509_NAME *dn, int maxlen)
{
char *result = NULL;
BIO *bio;
@@ -373,7 +373,7 @@ BOOL modssl_X509_getSAN(apr_pool_t *p, X509 *x509, int type, const char *onf,
/* return an array of (RFC 6125 coined) DNS-IDs and CN-IDs in a certificate */
static BOOL getIDs(apr_pool_t *p, X509 *x509, apr_array_header_t **ids)
{
X509_NAME *subj;
const X509_NAME *subj;
int i = -1;

/* First, the DNS-IDs (dNSName entries in the subjectAltName extension) */
2 changes: 1 addition & 1 deletion modules/ssl/ssl_util_ssl.h
@@ -73,7 +73,7 @@ int modssl_smart_shutdown(SSL *ssl);
BOOL modssl_X509_getBC(X509 *, int *, int *);
char *modssl_X509_NAME_ENTRY_to_string(apr_pool_t *p, X509_NAME_ENTRY *xsne,
int raw);
char *modssl_X509_NAME_to_string(apr_pool_t *, X509_NAME *, int);
char *modssl_X509_NAME_to_string(apr_pool_t *, const X509_NAME *, int);
BOOL modssl_X509_getSAN(apr_pool_t *, X509 *, int, const char *, int, apr_array_header_t **);
BOOL modssl_X509_match_name(apr_pool_t *, X509 *, const char *, BOOL, server_rec *);
char *modssl_SSL_SESSION_id2sz(IDCONST unsigned char *, int, char *, int);
2 changes: 1 addition & 1 deletion support/ab.c
@@ -799,7 +799,7 @@ static int ssl_print_connection_info(BIO *bio, SSL *ssl)

static void ssl_print_cert_info(BIO *bio, X509 *cert)
{
X509_NAME *dn;
const X509_NAME *dn;
EVP_PKEY *pk;
char buf[1024];
