Openssl 3.0.0
Julien ÉLIE
julien at trigofacile.com
Sat Oct 2 15:59:01 UTC 2021
Hi all,
Seems like OpenSSL 3.0.0 has greatly improved its API!
> tls.c: In function 'load_dh_buffer':
> tls.c:167:9: warning: 'PEM_read_bio_DHparams' is deprecated: Since OpenSSL 3.0 [-Wdeprecated-declarations]
> 167 | dh = PEM_read_bio_DHparams(bio, NULL, NULL, NULL);
> | ^~
and
> tls.c: In function 'tls_init_serverengine':
> tls.c:571:5: warning: 'SSL_CTX_set_tmp_dh_callback' is deprecated: Since OpenSSL 3.0 [-Wdeprecated-declarations]
> 571 | SSL_CTX_set_tmp_dh_callback(CTX, tmp_dh_cb);
> | ^~~~~~~~~~~~~~~~~~~~~~~~~~~
"Applications may supply their own DH parameters instead of using the
built-in values. This approach is discouraged and applications should
in preference use the built-in parameter support described above."
Seems like all we now need is:
SSL_CTX_set_dh_auto(CTX, 1);
And we can just keep the callback as well as hard-coded DH groups in
tls.c only for previous versions of OpenSSL.
> tls.c: In function 'eckey_from_name':
> tls.c:473:5: warning: 'EC_KEY_new_by_curve_name' is deprecated: Since OpenSSL 3.0 [-Wdeprecated-declarations]
> 473 | eckey = EC_KEY_new_by_curve_name(builtin_curves[i].nid);
> | ^~~~~
The whole eckey_from_name() function in tls.c now seems irrelevant.
If OpenSSL >= 3.0.0, it looks like
eckey = eckey_from_name(tls_ec_curve);
can just be changed to something like
eckey = EVP_PKEY_get1_EC_KEY(EVP_EC_gen(tls_ec_curve));
Not yet tested though.
> tls.c: In function 'tls_start_servertls':
> tls.c:852:9: warning: 'BIO_set_callback' is deprecated: Since OpenSSL 3.0 [-Wdeprecated-declarations]
> 852 | BIO_set_callback(SSL_get_rbio(tls_conn), bio_dump_cb);
> | ^~~~~~~~~~~~~~~~
BIO_set_callback_ex() should now be used.
There are 2 more arguments to deal with in the callback function.
Normally not difficult to take into account, I can have a look.
--
Julien ÉLIE
« Soldiers, from the top of these pyramids, twenty centuries are watching us. »
(Napoléon)