Hello, On Mon, 15 Jul 2019 at 09:13, Илья Шипицин <chipits...@gmail.com> wrote: > > Hello, > > I tried to build openssl-1.1.1 with "no-deprecated" > > src/ssl_sock.o: In function `ssl_sock_do_create_cert': > /home/travis/build/chipitsine/haproxy/src/ssl_sock.c:1867: undefined > reference to `X509_get_notBefore' > /home/travis/build/chipitsine/haproxy/src/ssl_sock.c:1868: undefined > reference to `X509_get_notAfter' > src/ssl_sock.o: In function `smp_fetch_ssl_x_notafter': > /home/travis/build/chipitsine/haproxy/src/ssl_sock.c:6779: undefined > reference to `X509_get_notAfter' > src/ssl_sock.o: In function `smp_fetch_ssl_x_notbefore': > /home/travis/build/chipitsine/haproxy/src/ssl_sock.c:6883: undefined > reference to `X509_get_notBefore' > > > > in include/common/openssl-compat.h I see > > #if (OPENSSL_VERSION_NUMBER < 0x10100000L) || (LIBRESSL_VERSION_NUMBER < > 0x20700000L) > #define X509_getm_notBefore X509_get_notBefore > #define X509_getm_notAfter X509_get_notAfter > #endif > > but it seems does not work.
This is a compatibility layer for older OpenSSL releases - older than 1.1.0, when X509_getm_notAfter is missing, not for newer releases when X509_get_notAfter is missing. To re-implement OpenSSL's own compatibility layer we probably need something like this: # if (OPENSSL_VERSION_NUMBER >= 0x10100000L) && OPENSSL_API_LEVEL >= 2 # define X509_get_notBefore X509_getm_notBefore # define X509_get_notAfter X509_getm_notAfter # define X509_set_notBefore X509_set1_notBefore # define X509_set_notAfter X509_set1_notAfter # endif As per: https://github.com/openssl/openssl/blob/bc42bd6298702a1abf70aa6383d36886dd5af4b3/include/openssl/x509.h#L654 Lukas