maskit pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/trafficserver.git
The following commit(s) were added to refs/heads/master by this push:
new 1947a3f3df Remove code for old openssl (#10792)
1947a3f3df is described below
commit 1947a3f3dff88d03c2c197e19e968bd52f32d559
Author: Masakazu Kitajo <[email protected]>
AuthorDate: Tue Nov 28 03:41:31 2023 +0900
Remove code for old openssl (#10792)
* Remove homemade SSL_ functions
- SSL_CTX_up_ref
- SSL_set0_rbio
* Remove code for old OpenSSL
---
CMakeLists.txt | 4 -
.../testing/blackbox-testing.en.rst | 1 -
.../client_context_dump/client_context_dump.cc | 6 +-
include/iocore/net/SSLInternal.h | 36 -------
include/tscore/ink_config.h.cmake.in | 1 -
.../experimental/access_control/access_control.cc | 1 -
.../experimental/access_control/access_control.h | 1 -
.../access_control/unit_tests/test_utils.cc | 4 -
plugins/experimental/access_control/utils.cc | 18 ----
plugins/experimental/access_control/utils.h | 3 -
.../cert_reporting_tool/cert_reporting_tool.cc | 6 +-
plugins/experimental/sslheaders/expand.cc | 6 --
plugins/ja3_fingerprint/ja3_fingerprint.cc | 106 ---------------------
src/api/InkAPI.cc | 1 -
src/iocore/net/CMakeLists.txt | 1 -
src/iocore/net/OCSPStapling.cc | 5 -
src/iocore/net/SSLInternal.cc | 64 -------------
src/iocore/net/SSLUtils.cc | 28 +-----
src/traffic_layout/info.cc | 1 -
tests/README.md | 1 -
tests/gold_tests/chunked_encoding/smuggle-client.c | 4 -
tests/gold_tests/timeout/ssl-delay-server.cc | 2 -
tests/gold_tests/tls/ssl-post.c | 4 -
tests/tools/plugins/ssl_client_verify_test.cc | 12 +--
24 files changed, 6 insertions(+), 310 deletions(-)
diff --git a/CMakeLists.txt b/CMakeLists.txt
index 5bfdf0a948..c07b273a56 100644
--- a/CMakeLists.txt
+++ b/CMakeLists.txt
@@ -192,10 +192,6 @@ set(MAX_THREADS_PER_TYPE
3072
CACHE STRING "Max number of threads per event type (default 3072)"
)
-set(TS_USE_SET_RBIO
- 1
- CACHE STRING "Use openssl set_rbio (default 1)"
-)
set(TS_USE_DIAGS
1
CACHE STRING "Use diags (default 1)"
diff --git a/doc/developer-guide/testing/blackbox-testing.en.rst
b/doc/developer-guide/testing/blackbox-testing.en.rst
index 0819618db5..e7827d7692 100644
--- a/doc/developer-guide/testing/blackbox-testing.en.rst
+++ b/doc/developer-guide/testing/blackbox-testing.en.rst
@@ -250,7 +250,6 @@ Condition Testing
- TS_HAS_SO_MARK
- TS_HAS_IP_TOS
- TS_USE_HWLOC
- - TS_USE_SET_RBIO
- TS_USE_TLS13
- TS_USE_QUIC
- TS_HAS_QUICHE
diff --git a/example/plugins/c-api/client_context_dump/client_context_dump.cc
b/example/plugins/c-api/client_context_dump/client_context_dump.cc
index 329eb55b4d..f664bf407a 100644
--- a/example/plugins/c-api/client_context_dump/client_context_dump.cc
+++ b/example/plugins/c-api/client_context_dump/client_context_dump.cc
@@ -44,11 +44,7 @@ DbgCtl dbg_ctl{PLUGIN_NAME};
char *
asn1_string_extract(ASN1_STRING *s)
{
-#if OPENSSL_VERSION_NUMBER >= 0x010100000
return reinterpret_cast<char *>(const_cast<unsigned char
*>(ASN1_STRING_get0_data(s)));
-#else
- return reinterpret_cast<char *>(ASN1_STRING_data(s));
-#endif
}
// For 1.0.2, needs access to internal structure
@@ -121,7 +117,7 @@ dump_context(const char *ca_path, const char *ck_path)
// Serial number
int64_t sn = 0;
-#if !defined(OPENSSL_IS_BORINGSSL) && (OPENSSL_VERSION_NUMBER >= 0x010100000)
+#if !defined(OPENSSL_IS_BORINGSSL)
ASN1_INTEGER_get_int64(&sn, serial);
#else
sn = ASN1_INTEGER_get(serial);
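Review bot: The return value of `ASN1_INTEGER_get_int64(&sn, serial)` is ignored in dump_context, so a serial number that does not fit in 64 bits leaves `sn` at its initial 0 with no sign that the conversion failed. RFC 5280 allows serial numbers of up to 20 octets, so the dumped value can be wrong for ordinary certificates. Consider checking the result, e.g. `if (ASN1_INTEGER_get_int64(&sn, serial) != 1) { /* fall back to a hex rendering of the serial */ }`, and likewise treating the `-1` error return of `ASN1_INTEGER_get` in the BoringSSL branch as a failure. The matching hunk in cert_reporting_tool.cc has the same pattern. How `sn` is used afterwards lies outside the hunk.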
diff --git a/include/iocore/net/SSLInternal.h b/include/iocore/net/SSLInternal.h
deleted file mode 100644
index 0ea83f3104..0000000000
--- a/include/iocore/net/SSLInternal.h
+++ /dev/null
@@ -1,36 +0,0 @@
-/** @file
-
- Function prototypes that break the no internal pact with openssl.
-
- @section license License
-
- Licensed to the Apache Software Foundation (ASF) under one
- or more contributor license agreements. See the NOTICE file
- distributed with this work for additional information
- regarding copyright ownership. The ASF licenses this file
- to you under the Apache License, Version 2.0 (the
- "License"); you may not use this file except in compliance
- with the License. You may obtain a copy of the License at
-
- http://www.apache.org/licenses/LICENSE-2.0
-
- Unless required by applicable law or agreed to in writing, software
- distributed under the License is distributed on an "AS IS" BASIS,
- WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- See the License for the specific language governing permissions and
- limitations under the License.
- */
-
-#pragma once
-#include "tscore/ink_config.h"
-#include <openssl/opensslv.h>
-
-#if !TS_USE_SET_RBIO
-// Defined in SSLInternal.c, should probably make a separate include
-// file for this at some point
-void SSL_set0_rbio(SSL *ssl, BIO *rbio);
-#endif
-
-#if OPENSSL_VERSION_NUMBER < 0x10100000L
-int SSL_CTX_up_ref(SSL_CTX *ctx);
-#endif
diff --git a/include/tscore/ink_config.h.cmake.in
b/include/tscore/ink_config.h.cmake.in
index 147b292e5b..3d4f193261 100644
--- a/include/tscore/ink_config.h.cmake.in
+++ b/include/tscore/ink_config.h.cmake.in
@@ -191,7 +191,6 @@ const int DEFAULT_STACKSIZE = @DEFAULT_STACK_SIZE@;
#cmakedefine01 TS_USE_POSIX_CAP
#cmakedefine01 TS_USE_QUIC
#cmakedefine01 TS_USE_REMOTE_UNWINDING
-#cmakedefine01 TS_USE_SET_RBIO
#cmakedefine01 TS_USE_TLS13
#cmakedefine01 TS_USE_TLS_ASYNC
#cmakedefine01 TS_USE_TPROXY
diff --git a/plugins/experimental/access_control/access_control.cc
b/plugins/experimental/access_control/access_control.cc
index cdb0924b59..a6f03c4f79 100644
--- a/plugins/experimental/access_control/access_control.cc
+++ b/plugins/experimental/access_control/access_control.cc
@@ -249,7 +249,6 @@ KvpAccessToken::parse(const StringView token)
KvpAccessTokenBuilder::KvpAccessTokenBuilder(const KvpAccessTokenConfig
&config, const StringMap &secretsMap)
: _config(config), _secretsMap(secretsMap)
{
- cryptoMagicInit();
}
void
diff --git a/plugins/experimental/access_control/access_control.h
b/plugins/experimental/access_control/access_control.h
index 079a201da6..c9fcc620bb 100644
--- a/plugins/experimental/access_control/access_control.h
+++ b/plugins/experimental/access_control/access_control.h
@@ -260,7 +260,6 @@ public:
AccessTokenFactory(const KvpAccessTokenConfig &tokenConfig, const StringMap
&secretsMap, bool enableDebug)
: _kvpAccessTokenConfig(tokenConfig), _secretMap(secretsMap),
_enableDebug(enableDebug)
{
- cryptoMagicInit();
_desiredType = KeyValuePair;
}
diff --git a/plugins/experimental/access_control/unit_tests/test_utils.cc
b/plugins/experimental/access_control/unit_tests/test_utils.cc
index 228f526dcf..7d518ec20b 100644
--- a/plugins/experimental/access_control/unit_tests/test_utils.cc
+++ b/plugins/experimental/access_control/unit_tests/test_utils.cc
@@ -231,8 +231,6 @@ TEST_CASE("Base64: modified encode / decode with '+', '/'
and various paddings",
TEST_CASE("HMAC Digest: test various supported/unsupported types",
"[MAC][access_control][utility]")
{
- cryptoMagicInit();
-
const String key = "1234567890";
const String data = "calculate a message digest on this";
@@ -274,6 +272,4 @@ TEST_CASE("HMAC Digest: test various supported/unsupported
types", "[MAC][access
digestIter++;
}
-
- cryptoMagicCleanup();
}
diff --git a/plugins/experimental/access_control/utils.cc
b/plugins/experimental/access_control/utils.cc
index dce98e3815..103e26cb94 100644
--- a/plugins/experimental/access_control/utils.cc
+++ b/plugins/experimental/access_control/utils.cc
@@ -163,24 +163,6 @@ urlDecode(const char *in, size_t inLen, char *out, size_t
outLen)
return dst - out;
}
-/* ******* Functions using OpenSSL library ******* */
-
-void
-cryptoMagicInit()
-{
-#if OPENSSL_VERSION_NUMBER < 0x10100000L
- OpenSSL_add_all_digests(); /* needed for EVP_get_digestbyname() */
-#endif
-}
-
-void
-cryptoMagicCleanup()
-{
-#if OPENSSL_VERSION_NUMBER < 0x10100000L
- EVP_cleanup();
-#endif
-}
-
/**
* @brief a helper function to get a human-readable error message in a buffer.
*
diff --git a/plugins/experimental/access_control/utils.h
b/plugins/experimental/access_control/utils.h
index ebdb5f2f23..8b09a45053 100644
--- a/plugins/experimental/access_control/utils.h
+++ b/plugins/experimental/access_control/utils.h
@@ -40,9 +40,6 @@ size_t urlDecode(const char *in, size_t inLen, char *out,
size_t outLen);
/* ******* Functions using OpenSSL library ******* */
-void cryptoMagicInit();
-void cryptoMagicCleanup();
-
size_t cryptoMessageDigestGet(const char *digestType, const char *data, size_t
dataLen, const char *key, size_t keyLen, char *out,
size_t outLen);
bool cryptoMessageDigestEqual(const char *md1, size_t md1Len, const char *md2,
size_t md2Len);
diff --git a/plugins/experimental/cert_reporting_tool/cert_reporting_tool.cc
b/plugins/experimental/cert_reporting_tool/cert_reporting_tool.cc
index 4027417cee..5ab3c15193 100644
--- a/plugins/experimental/cert_reporting_tool/cert_reporting_tool.cc
+++ b/plugins/experimental/cert_reporting_tool/cert_reporting_tool.cc
@@ -44,11 +44,7 @@ DbgCtl dbg_ctl{PLUGIN_NAME};
char *
asn1_string_extract(ASN1_STRING *s)
{
-#if OPENSSL_VERSION_NUMBER >= 0x010100000
return reinterpret_cast<char *>(const_cast<unsigned char
*>(ASN1_STRING_get0_data(s)));
-#else
- return reinterpret_cast<char *>(ASN1_STRING_data(s));
-#endif
}
// For 1.0.2, needs access to internal structure
@@ -120,7 +116,7 @@ dump_context(const char *ca_path, const char *ck_path)
// Serial number
int64_t sn = 0;
-#if !defined(OPENSSL_IS_BORINGSSL) && (OPENSSL_VERSION_NUMBER >= 0x010100000)
+#if !defined(OPENSSL_IS_BORINGSSL)
ASN1_INTEGER_get_int64(&sn, serial);
#else
sn = ASN1_INTEGER_get(serial);
diff --git a/plugins/experimental/sslheaders/expand.cc
b/plugins/experimental/sslheaders/expand.cc
index def0087d85..ab295f5236 100644
--- a/plugins/experimental/sslheaders/expand.cc
+++ b/plugins/experimental/sslheaders/expand.cc
@@ -71,13 +71,7 @@ static void
x509_expand_signature(X509 *x509, BIO *bio)
{
const ASN1_BIT_STRING *sig;
-#if OPENSSL_VERSION_NUMBER >= 0x010100000
X509_get0_signature(&sig, nullptr, x509);
-#elif OPENSSL_VERSION_NUMBER >= 0x010002000
- X509_get0_signature(const_cast<ASN1_BIT_STRING **>(&sig), nullptr, x509);
-#else
- sig = x509->signature;
-#endif
const char *ptr = reinterpret_cast<const char *>(sig->data);
const char *end = ptr + sig->length;
diff --git a/plugins/ja3_fingerprint/ja3_fingerprint.cc
b/plugins/ja3_fingerprint/ja3_fingerprint.cc
index 13056b4880..82f081b64b 100644
--- a/plugins/ja3_fingerprint/ja3_fingerprint.cc
+++ b/plugins/ja3_fingerprint/ja3_fingerprint.cc
@@ -130,90 +130,6 @@ getIP(sockaddr const *s_sockaddr, char
res[INET6_ADDRSTRLEN])
return res[0] ? res : nullptr;
}
-#if OPENSSL_VERSION_NUMBER < 0x10100000L
-// Parsing clientHello to get ja3 string
-// No error checking or handling because this should be called after openSSL
has done all checks and
-// returned successfully
-static std::string
-custom_get_ja3(SSL *s)
-{
- Dbg(dbg_ctl, "Entering custom_get_ja3()...");
- std::string ja3;
- const unsigned char *p, *d;
- int i, j, len;
-
- // ClientHello buf and len
- d = p = (unsigned char *)s->init_msg;
- long n = s->init_num;
-
- // Get version
- int version = (((int)p[0]) << 8) | (int)p[1];
- ja3 += std::to_string(version) + ',';
- p += 2;
-
- // Skip client random
- p += SSL3_RANDOM_SIZE;
-
- // Skip session id
- j = *(p++);
- p += j;
-
- // No DTLS handling
-
- // Get cipher suites
- n2s(p, len);
- custom_get_ja3_prefixed(2, p, len, ja3);
- ja3 += ',';
-
- // Skip compression
- i = *(p++);
- p += i;
-
- // Get extensions
- uint16_t type;
- int size;
- std::string eclist, ecpflist;
-
- // Skip length blob
- p += 2;
- bool first = true;
- while (p < d + n) {
- // Each extension blob is comprised of [2bytes] type + [2bytes] size +
[size bytes] data
- n2s(p, type);
- n2s(p, size);
-
- // Elliptic curve points
- if (type == 0x0a) {
- const unsigned char *sdata = p;
- n2s(sdata, len);
- custom_get_ja3_prefixed(2, sdata, len, eclist);
- }
- // Elliptic curve point formats
- else if (type == 0x0b) {
- const unsigned char *sdata = p;
- len = *(sdata++);
- custom_get_ja3_prefixed(1, sdata, len, ecpflist);
- }
-
- // Update pointer
- p += size;
-
- // Update ja3 string with valid extension type
- if (GREASE_table.find(type) == GREASE_table.end()) {
- if (!first) {
- ja3 += '-';
- }
- first = false;
- ja3 += std::to_string(type);
- }
- }
-
- // Append eclist and ecpflist
- ja3 += "," + eclist + "," + ecpflist;
- Dbg(dbg_ctl, "ja3 string: %s", ja3.c_str());
- return ja3;
-}
-#elif OPENSSL_VERSION_NUMBER >= 0x10101000L
static std::string
custom_get_ja3(SSL *s)
{
@@ -262,9 +178,6 @@ custom_get_ja3(SSL *s)
ja3 += "," + eclist + "," + ecpflist;
return ja3;
}
-#else
-#error OpenSSL cannot be 1.1.0
-#endif
// This function will append value to the last occurrence of field. If none
exists, it will
// create a field and append to the headers
@@ -295,14 +208,7 @@ client_hello_ja3_handler(TSCont contp, TSEvent event, void
*edata)
{
TSVConn ssl_vc = reinterpret_cast<TSVConn>(edata);
switch (event) {
-#if OPENSSL_VERSION_NUMBER < 0x10100000L
- case TS_EVENT_SSL_SERVERNAME: {
-#elif OPENSSL_VERSION_NUMBER >= 0x10101000L
case TS_EVENT_SSL_CLIENT_HELLO: {
-#else
-#error OpenSSL cannot be 1.1.0
-#endif
-
TSSslConnection sslobj = TSVConnSslConnectionGet(ssl_vc);
// OpenSSL handle
@@ -452,13 +358,7 @@ TSPluginInit(int argc, const char *argv[])
// SNI handler
TSCont ja3_cont = TSContCreate(client_hello_ja3_handler, nullptr);
TSUserArgIndexReserve(TS_USER_ARGS_VCONN, PLUGIN_NAME, "used to pass ja3",
&ja3_idx);
-#if OPENSSL_VERSION_NUMBER < 0x10100000L
- TSHttpHookAdd(TS_SSL_SERVERNAME_HOOK, ja3_cont);
-#elif OPENSSL_VERSION_NUMBER >= 0x10101000L
TSHttpHookAdd(TS_SSL_CLIENT_HELLO_HOOK, ja3_cont);
-#else
-#error OpenSSL cannot be 1.1.0
-#endif
TSHttpHookAdd(TS_VCONN_CLOSE_HOOK, ja3_cont);
TSHttpHookAdd(TS_HTTP_SEND_REQUEST_HDR_HOOK,
TSContCreate(req_hdr_ja3_handler, nullptr));
}
@@ -481,13 +381,7 @@ TSRemapInit(TSRemapInterface *api_info, char *errbuf, int
errbuf_size)
// Set up SNI handler for all TLS connections
TSCont ja3_cont = TSContCreate(client_hello_ja3_handler, nullptr);
TSUserArgIndexReserve(TS_USER_ARGS_VCONN, PLUGIN_NAME, "Used to pass ja3",
&ja3_idx);
-#if OPENSSL_VERSION_NUMBER < 0x10100000L
- TSHttpHookAdd(TS_SSL_SERVERNAME_HOOK, ja3_cont);
-#elif OPENSSL_VERSION_NUMBER >= 0x10101000L
TSHttpHookAdd(TS_SSL_CLIENT_HELLO_HOOK, ja3_cont);
-#else
-#error OpenSSL cannot be 1.1.0
-#endif
TSHttpHookAdd(TS_VCONN_CLOSE_HOOK, ja3_cont);
return TS_SUCCESS;
diff --git a/src/api/InkAPI.cc b/src/api/InkAPI.cc
index bc1a212b56..a23c5b11ea 100644
--- a/src/api/InkAPI.cc
+++ b/src/api/InkAPI.cc
@@ -59,7 +59,6 @@
#include "iocore/net/ConnectionTracker.h"
#include "iocore/net/SSLAPIHooks.h"
#include "iocore/net/SSLDiags.h"
-#include "iocore/net/SSLInternal.h"
#include "iocore/net/TLSBasicSupport.h"
#include "iocore/eventsystem/ConfigProcessor.h"
#include "proxy/Plugin.h"
diff --git a/src/iocore/net/CMakeLists.txt b/src/iocore/net/CMakeLists.txt
index ba3b47a00a..2047ec4723 100644
--- a/src/iocore/net/CMakeLists.txt
+++ b/src/iocore/net/CMakeLists.txt
@@ -42,7 +42,6 @@ add_library(
SSLConfig.cc
SSLSecret.cc
SSLDiags.cc
- SSLInternal.cc
SSLNetAccept.cc
SSLNetProcessor.cc
SSLNetVConnection.cc
diff --git a/src/iocore/net/OCSPStapling.cc b/src/iocore/net/OCSPStapling.cc
index 3dec860113..37306fbd69 100644
--- a/src/iocore/net/OCSPStapling.cc
+++ b/src/iocore/net/OCSPStapling.cc
@@ -751,13 +751,8 @@ stapling_get_issuer(SSL_CTX *ssl_ctx, X509 *x)
for (int i = 0; i < static_cast<int>(sk_X509_num(extra_certs)); i++) {
issuer = sk_X509_value(extra_certs, i);
if (X509_check_issued(issuer, x) == X509_V_OK) {
-#if OPENSSL_VERSION_NUMBER < 0x10100000
- CRYPTO_add(&issuer->references, 1, CRYPTO_LOCK_X509);
- return issuer;
-#else
X509_up_ref(issuer);
goto end;
-#endif
}
}
diff --git a/src/iocore/net/SSLInternal.cc b/src/iocore/net/SSLInternal.cc
deleted file mode 100644
index 7d9207391a..0000000000
--- a/src/iocore/net/SSLInternal.cc
+++ /dev/null
@@ -1,64 +0,0 @@
-/** @file
-
- Functions that break the no internal pact with openssl. We
- explicitly undefine OPENSSL_NO_SSL_INTERN in this file.
-
- @section license License
-
- Licensed to the Apache Software Foundation (ASF) under one
- or more contributor license agreements. See the NOTICE file
- distributed with this work for additional information
- regarding copyright ownership. The ASF licenses this file
- to you under the Apache License, Version 2.0 (the
- "License"); you may not use this file except in compliance
- with the License. You may obtain a copy of the License at
-
- http://www.apache.org/licenses/LICENSE-2.0
-
- Unless required by applicable law or agreed to in writing, software
- distributed under the License is distributed on an "AS IS" BASIS,
- WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- See the License for the specific language governing permissions and
- limitations under the License.
- */
-#include "tscore/ink_config.h"
-#include <openssl/opensslv.h>
-
-#if TS_USE_SET_RBIO && OPENSSL_VERSION_NUMBER >= 0x10100000L
-// No need to do anything, this version of openssl provides the SSL_set0_rbio
and SSL_CTX_up_ref.
-#else
-
-#ifdef OPENSSL_NO_SSL_INTERN
-#undef OPENSSL_NO_SSL_INTERN
-#endif
-
-#include <openssl/ssl.h>
-
-#if OPENSSL_VERSION_NUMBER < 0x10100000L
-#include <atomic>
-
-static_assert(sizeof(std::atomic_int) == sizeof(int));
-static_assert(alignof(std::atomic_int) == alignof(int));
-
-int
-SSL_CTX_up_ref(SSL_CTX *ctx)
-{
- int i;
- i = atomic_fetch_add_explicit(reinterpret_cast<std::atomic_int
*>(&ctx->references), 1, std::memory_order::memory_order_relaxed) +
- 1;
- return ((i > 1) ? 1 : 0);
-}
-#endif
-
-#if !TS_USE_SET_RBIO
-void
-SSL_set0_rbio(SSL *ssl, BIO *rbio)
-{
- if (ssl->rbio != nullptr) {
- BIO_free(ssl->rbio);
- }
- ssl->rbio = rbio;
-}
-#endif
-
-#endif
diff --git a/src/iocore/net/SSLUtils.cc b/src/iocore/net/SSLUtils.cc
index 8c7edd3329..3a9ac3aa92 100644
--- a/src/iocore/net/SSLUtils.cc
+++ b/src/iocore/net/SSLUtils.cc
@@ -188,7 +188,7 @@ SSL_CTX_add_extra_chain_cert_file(SSL_CTX *ctx, const char
*chainfile)
}
static SSL_SESSION *
-#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)
+#if defined(LIBRESSL_VERSION_NUMBER)
ssl_get_cached_session(SSL *ssl, unsigned char *id, int len, int *copy)
#else
ssl_get_cached_session(SSL *ssl, const unsigned char *id, int len, int *copy)
@@ -619,28 +619,6 @@ ssl_context_enable_dhe(const char *dhparams_file, SSL_CTX
*ctx)
return ctx;
}
-// SSL_CTX_set_ecdh_auto() is removed by OpenSSL v1.1.0 and ECDH is enabled in
default.
-// TODO: remove this function when we drop support of OpenSSL v1.0.2* and
lower.
-static SSL_CTX *
-ssl_context_enable_ecdh(SSL_CTX *ctx)
-{
-#if OPENSSL_VERSION_NUMBER < 0x10100000
-
-#if defined(SSL_CTX_set_ecdh_auto)
- SSL_CTX_set_ecdh_auto(ctx, 1);
-#elif defined(NID_X9_62_prime256v1)
- EC_KEY *ecdh = EC_KEY_new_by_curve_name(NID_X9_62_prime256v1);
-
- if (ecdh) {
- SSL_CTX_set_tmp_ecdh(ctx, ecdh);
- EC_KEY_free(ecdh);
- }
-#endif /* SSL_CTRL_SET_ECDH_AUTO */
-#endif /* OPENSSL_VERSION_NUMBER */
-
- return ctx;
-}
-
static ssl_ticket_key_block *
ssl_context_enable_tickets(SSL_CTX *ctx, const char *ticket_key_path)
{
@@ -845,7 +823,7 @@ ssl_private_key_validate_exec(const char *cmdLine)
return bReturn;
}
-#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)
+#if defined(LIBRESSL_VERSION_NUMBER)
#define ssl_malloc(size, file, line) ssl_malloc(size)
#define ssl_realloc(ptr, size, file, line) ssl_realloc(ptr, size)
#define ssl_free(ptr, file, line) ssl_free(ptr)
@@ -1366,8 +1344,6 @@
SSLMultiCertConfigLoader::init_server_ssl_ctx(CertLoadData const &data, const SS
goto fail;
}
- ssl_context_enable_ecdh(ctx);
-
if (sslMultCertSettings && sslMultCertSettings->dialog) {
SSLMultiCertConfigLoader::clear_pw_references(ctx);
}
diff --git a/src/traffic_layout/info.cc b/src/traffic_layout/info.cc
index 98be9fd8c5..d8340507bb 100644
--- a/src/traffic_layout/info.cc
+++ b/src/traffic_layout/info.cc
@@ -113,7 +113,6 @@ produce_features(bool json)
print_feature("TS_HAS_SO_MARK", TS_HAS_SO_MARK, json);
print_feature("TS_HAS_IP_TOS", TS_HAS_IP_TOS, json);
print_feature("TS_USE_HWLOC", TS_USE_HWLOC, json);
- print_feature("TS_USE_SET_RBIO", TS_USE_SET_RBIO, json);
print_feature("TS_USE_TLS13", TS_USE_TLS13, json);
print_feature("TS_USE_QUIC", TS_USE_QUIC, json);
print_feature("TS_HAS_QUICHE", TS_HAS_QUICHE, json);
diff --git a/tests/README.md b/tests/README.md
index 1916c0b4d6..55450444af 100644
--- a/tests/README.md
+++ b/tests/README.md
@@ -309,7 +309,6 @@ ts.Disk.remap_config.AddLine(
* TS_HAS_SO_MARK
* TS_HAS_IP_TOS
* TS_USE_HWLOC
- * TS_USE_SET_RBIO
* TS_USE_TLS13
* TS_USE_QUIC
* TS_HAS_QUICHE
diff --git a/tests/gold_tests/chunked_encoding/smuggle-client.c
b/tests/gold_tests/chunked_encoding/smuggle-client.c
index 7b9584ac1f..0afc5c1402 100644
--- a/tests/gold_tests/chunked_encoding/smuggle-client.c
+++ b/tests/gold_tests/chunked_encoding/smuggle-client.c
@@ -59,11 +59,7 @@ main(int argc, char *argv[])
const char *target_port = argv[2];
printf("using address: %s and port: %s\n", target, target_port);
-#if OPENSSL_VERSION_NUMBER < 0x10100000L
- SSL_library_init();
-#else
OPENSSL_init_ssl(0, NULL);
-#endif
/* Obtain address(es) matching host/port */
memset(&hints, 0, sizeof(struct addrinfo));
diff --git a/tests/gold_tests/timeout/ssl-delay-server.cc
b/tests/gold_tests/timeout/ssl-delay-server.cc
index 8f12113566..8718289df9 100644
--- a/tests/gold_tests/timeout/ssl-delay-server.cc
+++ b/tests/gold_tests/timeout/ssl-delay-server.cc
@@ -85,9 +85,7 @@ run_session(void *arg)
return nullptr;
}
-#if OPENSSL_VERSION_NUMBER >= 0x10100000
SSL_set_max_proto_version(ssl, TLS1_2_VERSION);
-#endif
SSL_set_fd(ssl, sfd);
diff --git a/tests/gold_tests/tls/ssl-post.c b/tests/gold_tests/tls/ssl-post.c
index 9e37597d4a..de96e531bd 100644
--- a/tests/gold_tests/tls/ssl-post.c
+++ b/tests/gold_tests/tls/ssl-post.c
@@ -97,9 +97,7 @@ spawn_same_session_send(void *arg)
SSL_CTX *client_ctx = SSL_CTX_new(SSLv23_client_method());
SSL *ssl = SSL_new(client_ctx);
-#if OPENSSL_VERSION_NUMBER >= 0x10100000
SSL_set_max_proto_version(ssl, TLS1_2_VERSION);
-#endif
SSL_set_session(ssl, tinfo->session);
@@ -295,9 +293,7 @@ main(int argc, char *argv[])
SSL_CTX *client_ctx = SSL_CTX_new(SSLv23_client_method());
SSL *ssl = SSL_new(client_ctx);
-#if OPENSSL_VERSION_NUMBER >= 0x10100000
SSL_set_max_proto_version(ssl, TLS1_2_VERSION);
-#endif
SSL_set_fd(ssl, sfd);
int ret = SSL_connect(ssl);
diff --git a/tests/tools/plugins/ssl_client_verify_test.cc
b/tests/tools/plugins/ssl_client_verify_test.cc
index d3fcbea34b..a5f3b99c22 100644
--- a/tests/tools/plugins/ssl_client_verify_test.cc
+++ b/tests/tools/plugins/ssl_client_verify_test.cc
@@ -69,12 +69,8 @@ check_names(X509 *cert)
X509_NAME_ENTRY *e = X509_NAME_get_entry(subject, pos);
ASN1_STRING *cn = X509_NAME_ENTRY_get_data(e);
-#if OPENSSL_VERSION_NUMBER >= 0x010100000
- char *subj_name = strndup(reinterpret_cast<const char
*>(ASN1_STRING_get0_data(cn)), ASN1_STRING_length(cn));
-#else
- char *subj_name = strndup(reinterpret_cast<const char
*>(ASN1_STRING_data(cn)), ASN1_STRING_length(cn));
-#endif
- retval = check_name(subj_name);
+ char *subj_name = strndup(reinterpret_cast<const char
*>(ASN1_STRING_get0_data(cn)), ASN1_STRING_length(cn));
+ retval = check_name(subj_name);
free(subj_name);
}
}
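Review bot: `strndup` stops at the first NUL byte, so in check_names a subject CN with an embedded NUL is silently truncated before `check_name(subj_name)` sees it, and a NULL return on allocation failure is passed on unchecked. ASN1_STRING data is length-delimited rather than NUL-terminated, so the copy should be compared with the ASN.1 length and the name rejected on mismatch: `if (subj_name == nullptr || strlen(subj_name) != static_cast<size_t>(ASN1_STRING_length(cn))) { /* reject this name */ }`. The dNSName copy in the next hunk has the same shape and needs the same guard. What `check_name` does with the string is not visible here, so the impact is inferred; check_names also begins and ends outside these hunks.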
@@ -89,11 +85,7 @@ check_names(X509 *cert)
name = sk_GENERAL_NAME_value(names, i);
if (name->type == GEN_DNS) {
char *dns =
-#if OPENSSL_VERSION_NUMBER >= 0x010100000
strndup(reinterpret_cast<const char
*>(ASN1_STRING_get0_data(name->d.dNSName)),
ASN1_STRING_length(name->d.dNSName));
-#else
- strndup(reinterpret_cast<const char
*>(ASN1_STRING_data(name->d.dNSName)), ASN1_STRING_length(name->d.dNSName));
-#endif
retval = check_name(dns);
free(dns);
}