Re: OpenSSL 4.x compatibility

Fri, 05 Jun 2026 00:46:40 -0700 

On 1. 6. 2026 02:45, James McCoy wrote:

OpenSSL 4.0.0 was released[1] a few months ago and one of the changes
that affects Serf is making ASN1_STRING an opaque type.

[1]: https://github.com/openssl/openssl/releases/tag/openssl-4.0.0

This results the below build failure:
| cc -o buckets/ssl_buckets.o -c -g -O2 -Werror=implicit-function-declaration -ffile-prefix-map=/build/reproducible-path/serf-1.3.10=. -fstack-protector-strong -fstack-clash-protection -Wformat -Werror=format-security -fcf-protection -std=c89 -Wdeclaration-after-statement -Wmissing-prototypes -Wall -O2 -isystem /usr/include/mit-krb5 -Wdate-time -D_FORTIFY_SOURCE=2 -DNDEBUG -DOPENSSL_NO_STDIO -DLINUX -D_REENTRANT -D_GNU_SOURCE -DSERF_HAVE_GSSAPI -I. -I/usr/include/apr-1.0 -I/usr/include -I/usr/include buckets/ssl_buckets.c 
| buckets/ssl_buckets.c: In function 'get_subject_alt_names':
| buckets/ssl_buckets.c:570:41: error: invalid use of incomplete typedef 'ASN1_IA5STRING' {aka 'struct asn1_string_st'} |   570 |                         strlen(nm->d.ia5->data) != nm->d.ia5->length) 
|       |                                         ^~
| buckets/ssl_buckets.c:570:61: error: invalid use of incomplete typedef 'ASN1_IA5STRING' {aka 'struct asn1_string_st'} |   570 |                         strlen(nm->d.ia5->data) != nm->d.ia5->length) 
| |                                                             ^~
| buckets/ssl_buckets.c:573:77: error: invalid use of incomplete typedef 'ASN1_IA5STRING' {aka 'struct asn1_string_st'} |   573 |                         p = pstrdup_escape_nul_bytes((const char *)nm->d.ia5->data, 
| | ^~
| buckets/ssl_buckets.c:574:63: error: invalid use of incomplete typedef 'ASN1_IA5STRING' {aka 'struct asn1_string_st'} 
|   574 | nm->d.ia5->length,
| |                                                               ^~

The attached patch fixes the build failure for 1.3.10, but should
probably be properly guarded with the relevant ASN1_STRING checks like
what already exists in trunk.

Although trunk uses ASN1_STRING_get0_data/length in some places, this
particular code path is still accessing the internals directly.

Even after fixing the build, I see a test failure in 1.3.10 that doesn't
happen with OpenSSL 3.6.2.
| 0088F7FDB37F0000:error:0A000126:SSL routines::unexpected eof while reading:../ssl/record/rec_layer_s3.c:703: 
| ..........................F...........................................
| | There was 1 failure:
| 1) test_ssltunnel_basic_auth_server_has_keepalive_off: test/test_context.c:2210: expected <0> but was <120199> 

Cheers,


Thanks for the patch! I'll have a look.

-- Brane

Reply via email to