Hi Damjan,

On 29.03.24 at 10:33, Damjan Jovanovic wrote:
Hi

I've now pushed commit 4c5b548fb6ece87dd30bbf720aca0d994a749167 into trunk,
upgrading our OpenSSL version from 1.0.2u to 3.0.13.

Great!

I am just doing a build on Windows.

Regards,

   Matthias


Some issues to consider:

---------------------
PLATFORMS
---------------------
It works on FreeBSD 14, both with system OpenSSL linked dynamically and
internal OpenSSL linked statically.

Linux hasn't been tested but is so similar to FreeBSD that it really should
work.

It works on Windows, with the following changes:
- OpenSSL requires Perl to build, but doesn't like Cygwin's Perl.
Previously, OpenSSL 1.0.2u was patched to use Cygwin's Perl, but OpenSSL 3
completely changed the build system, and I couldn't port the old patches.
Now note how traditionally our build tools (e.g. make, Apache Ant, awk, sed,
etc.) were all installed prior to building OpenOffice, detected by
./configure, and then used during the build. I've done something different:
during ./bootstrap it will now download the Win32 Strawberry Perl portable
binaries as a dependency, and while building OpenSSL, it will unzip these
and temporarily use them as the Perl for building OpenSSL. This works, and
should reliably continue to work, but is a bit unusual, uses close to 800
MB extra disk space, and cannot use a system-wide Strawberry Perl instead
of the portable binaries, so it is something we may want to change going
forward. On the plus side, this new approach neither requires any
additional options to ./configure, nor babysitting any more build
dependencies, nor dragging around long patches to change OpenSSL to use
Cygwin's Perl. If anybody objects, speak up.
- Some defines were missing from MSVC's header files, for the ancient
version of the MSVC compiler we use, so I had to add them as command line
parameters to the compiler instead, e.g.
"-DINT64_MAX=9223372036854775807i64".
- OpenSSL normally requires fairly recent versions of Windows, but also
supports the more minimal Windows CE, and so has fallback paths that can be
used for older versions of Windows. I've configured it to target Windows 95
and NT 4.0, and added a small number of patches that fix the build issues,
mostly by using the Windows CE fallback code.
- NASM is handled better: before, when NASM was already in the $PATH
instead of --with-nasm-path being passed to ./configure, building openssl
would break. It now works.
- Python needed a lot of patching to use OpenSSL 3, and the Win64 build of
python is probably broken and will need further work.
- It takes really long to build. We could disable unit tests to speed it up
(by passing "no-tests" to Configure), but I am not sure I like skipping
tests. We should be testing more, not less.

macOS? Who knows. It looks like on macOS, our main/openssl module links
statically, and doesn't apply any patches, so it might already work.

---------------------
LICENSING
---------------------
Licensing has changed, as OpenSSL 3 is under the Apache Software License v2
like ourselves, and our LICENSE and NOTICE files have been greatly
simplified.

-------------------------
CODE CHANGES
-------------------------
Remarkably, no changes to our C/C++ code were required. Some code changes
were required in the past, e.g. f884850fece86ece56c7194bb1e746641f77c0a0 to
deal with EVP_CIPHER_CTX_init() -> EVP_CIPHER_CTX_new() between OpenSSL
1.0.x and 1.1.x. However, nothing needed changing between 1.1.x and 3.0.13;
OpenSSL was sufficiently backward compatible.

------------------------------
OTHER BRANCHES
------------------------------
While those 1.0.x -> 1.1.x code changes are in trunk, they may be absent
from other branches, so cherry picking this commit to other branches may
require more commits to be cherry picked.

-------------
FUTURE
-------------
OpenSSL 3.0.x is the LTS release series, and will be supported until
2026-09-07.

Regards
Damjan
