Hi Damjan,

Am 29.03.24 um 10:33 schrieb Damjan Jovanovic:

I've now pushed commit 4c5b548fb6ece87dd30bbf720aca0d994a749167 into trunk,
upgrading our OpenSSL version from 1.0.2u to 3.0.13.


I am just doing a build on Windows.



Some issues to consider:

It works on FreeBSD 14, both with system OpenSSL linked dynamically and
internal OpenSSL linked statically.

Linux hasn't been tested but is so similar to FreeBSD that it really should

It works on Windows, with the following changes:
- OpenSSL requires Perl to build, but doesn't like Cygwin's Perl.
Previously, OpenSSL 1.0.2u was patched to use Cygwin's Perl, but OpenSSL 3
completely changed the build system, and I couldn't port the old patches.
Now note how traditionally our build tools (eg. make, Apache Ant, awk, sed,
etc.) were all installed prior to building OpenOffice, detected by
./configure, and then used during the build. I've done something different:
during ./bootstrap it will now download the Win32 Strawberry Perl portable
binaries as a dependency, and while building OpenSSL, it will unzip these
and temporarily use them as the Perl for building OpenSSL. This works, and
should reliably continue to work, but is a bit unusual, uses close to 800
MB extra disk space, and cannot use a system-wide Strawberry Perl instead
of the portable binaries, so it is something we may want to change going
forward. On the plus side, this new approach neither requires any
additional options to ./configure, nor babysitting any more build
dependencies, nor dragging around long patches to change OpenSSL to use
Cygwin's Perl. If anybody objects, speak up.
- Some defines were missing from MSVC's header files, for the ancient
version of the MSVC compiler we use, so I had to add them as command line
parameters to the compiler instead, eg.
- OpenSSL normally requires fairly recent versions of Windows, but also
supports the more minimal Windows CE, and so has fallback paths that can be
used for older versions of Windows. I've configured it to target Windows 95
and NT 4.0, and added a small number of patches that fix the build issues,
mostly by using the Windows CE fallback code.
- NASM is handled better: before, when NASM was already in the $PATH
instead of --with-nasm-path being passed to ./configure, building openssl
would break. It now works.
- Python needed a lot of patching to use OpenSSL 3, and the Win64 build of
python is probably broken and will need further work.
- It takes really long to build. We could disable unit tests to speed it up
(by passing "no-tests" to Configure), but I am not sure I like skipping
tests. We should be testing more, not less.

macOS? Who knows. It looks like on macOS, our main/openssl module links
statically, and doesn't apply any patches, so it might already work.

Licensing has changed, as OpenSSL 3 is under the Apache Software License v2
like ourselves, and our LICENSE and NOTICE files have been greatly

Remarkably, no changes to our C/C++ code were required. Some code changes
were required in the past, eg. f884850fece86ece56c7194bb1e746641f77c0a0 to
deal with EVP_CIPHER_CTX_init() -> EVP_CIPHER_CTX_new() between OpenSSL
1.0.x and 1.1.x. However, nothing needed changing between 1.1.x and 3.0.13,
OpenSSL was sufficiently backward compatible.

While those 1.0.x -> 1.1.x code changes are in trunk, they may be absent
from other branches, so cherry picking this commit to other branches may
require more commits to be cherry picked.

OpenSSL 3.0.x is the LTS release series, and will be supported until


Attachment: smime.p7s
Description: Kryptografische S/MIME-Signatur

Reply via email to