Hi Christopher,

Marcus (in CC) reported that 1.6 doesn't build anymore on SuSE 11
(which uses openssl 0.9.8). After some digging, we found that it
is caused by the absence of EVP_PKEY_get_default_digest_nid()
which was introduced in 1.0.0 and which was introduced by this
patch:

  commit 7969a33a01c3a70e48cddf36ea5a66710bd7a995
  Author: Christopher Faulet <[email protected]>
  Date:   Fri Oct 9 11:15:03 2015 +0200

    MINOR: ssl: Add support for EC for the CA used to sign generated certificate
    
    This is done by adding EVP_PKEY_EC type in supported types for the CA privat
    key when we get the message digest used to sign a generated X509 certificate
    So now, we support DSA, RSA and EC private keys.
    
    And to be sure, when the type of the private key is not directly supported, 
    get its default message digest using the function
    'EVP_PKEY_get_default_digest_nid'.
    
    We also use the key of the default certificate instead of generated it. So w
    are sure to use the same key type instead of always using a RSA key.

Interestingly, not all 0.9.8 will see the same problem since SNI is not
enabled by default, it requires a build option. This explains why on my
old PC I didn't get this problem with the same version.

I initially thought it would just be a matter of adding a #if on the
openssl version but it doesn't appear that easy given that the previous
code was different, so I have no idea how to fix this. Do you have any
idea? Probably we can have a block of code instead of EVP_PKEY_... on
older versions and that will be fine. I even wonder if EC was supported
on 0.9.8.

It's unfortunate that we managed to break things just a few days before
the release with code that looked obviously right :-(

Thanks for any insight.

Willy
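The build break above comes down to one question: does the OpenSSL that HAProxy is being compiled against predate 1.0.0, where EVP_PKEY_get_default_digest_nid() first appeared? The script below is an added example (not HAProxy's own build code) that answers it two ways: by parsing OPENSSL_VERSION_NUMBER out of opensslv.h, and by an optional compile-and-link probe. It assumes the standard 0xMNNFFPPS encoding of OPENSSL_VERSION_NUMBER, that the function exists from 0x10000000L onward as the mail states, and it uses two constructed header snippets in place of a real /usr/include/openssl/opensslv.h.

```shell
#!/bin/sh
# Added example: detect whether EVP_PKEY_get_default_digest_nid() should be
# present in the OpenSSL a build is compiled against. Not HAProxy's code.
# OPENSSL_VERSION_NUMBER is 0xMNNFFPPS (major, minor, fix, patch, status);
# the function was introduced in 1.0.0, i.e. 0x10000000L (assumption from
# the report above).

MIN_VERSION_HEX=10000000   # 1.0.0

# Print the hex digits of OPENSSL_VERSION_NUMBER from the header given as $1,
# without the 0x prefix and trailing L (e.g. 0090819f). Empty if not found.
openssl_version_hex() {
    sed -n 's/^[[:space:]]*#[[:space:]]*define[[:space:]]\{1,\}OPENSSL_VERSION_NUMBER[[:space:]]\{1,\}0x\([0-9A-Fa-f]\{1,\}\)L\{0,1\}.*/\1/p' "$1" |
        head -n 1
}

# Return 0 if the header's version is >= 1.0.0 (function expected to exist),
# 1 if it is older (0.9.8 and earlier), 2 if the macro could not be parsed.
has_default_digest_nid() {
    v=$(openssl_version_hex "$1")
    [ -n "$v" ] || return 2
    [ "$((0x$v))" -ge "$((0x$MIN_VERSION_HEX))" ]
}

# Optional autoconf-style probe against the real toolchain: succeeds only if
# the symbol both compiles and links with the installed libcrypto. The NULL
# key is never dereferenced because the program is never executed.
probe_default_digest_nid() {
    printf '%s\n' '#include <openssl/evp.h>' \
        'int main(void) { int nid; EVP_PKEY_get_default_digest_nid((EVP_PKEY *)0, &nid); return 0; }' |
        ${CC:-cc} -x c - -o /dev/null -lcrypto >/dev/null 2>&1
}

# Constructed sample headers standing in for a 0.9.8 and a 1.0.0 opensslv.h.
OLD_HDR=$(mktemp)
NEW_HDR=$(mktemp)
trap 'rm -f "$OLD_HDR" "$NEW_HDR"' EXIT
printf '# define OPENSSL_VERSION_NUMBER 0x0090819fL\n' > "$OLD_HDR"
printf '# define OPENSSL_VERSION_NUMBER 0x1000000fL\n' > "$NEW_HDR"

for hdr in "$OLD_HDR" "$NEW_HDR"; do
    if has_default_digest_nid "$hdr"; then
        echo "0x$(openssl_version_hex "$hdr"): EVP_PKEY_get_default_digest_nid() expected"
    else
        echo "0x$(openssl_version_hex "$hdr"): too old, needs a fallback block"
    fi
done
```

Pointing has_default_digest_nid at the real opensslv.h (or running probe_default_digest_nid with the build's CC) before compiling tells you up front whether the SNI certificate-generation code will hit this missing symbol, which is the same check a `#if OPENSSL_VERSION_NUMBER >= 0x10000000L` guard would perform at compile time.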
