# HG changeset patch
# User Maxim Dounin <mdou...@mdounin.ru>
# Date 1748666384 -10800
# Sat May 31 07:39:44 2025 +0300
# Node ID b56f2f0dd036938a6734c577c7fd1871d44cbee2
# Parent 41e7de4b8d3918a501dc95c8b0e706703675fc92
SSL: usage of SSL_SESSION_get_time_ex() with OpenSSL 3.3+.
In OpenSSL, SSL_SESSION_get_time() and SSL_SESSION_set_time() functions use "long" to store seconds since the Epoch, which makes these functions problematic after Y2038 on 32-bit platforms, and, more importantly, on 64-bit platforms with 32-bit long (notably Windows). Note that there is no such problem in BoringSSL, which uses uint64_t instead of "long". LibreSSL also uses "long", but it does not support TLSv1.3 session resumption anyway, hence this is not an issue. Fix is to use SSL_SESSION_get_time_ex() and SSL_SESSION_set_time_ex() functions introduced in OpenSSL 3.3 when these are available. Prodded by MSVC with C4244 warnings (conversion from 'type1' to 'type2', possible loss of data) enabled.
diff --git a/src/event/ngx_event_openssl.c b/src/event/ngx_event_openssl.c
--- a/src/event/ngx_event_openssl.c
+++ b/src/event/ngx_event_openssl.c
@@ -1190,7 +1190,7 @@ ngx_ssl_info_callback(const ngx_ssl_conn
 } else {
 SSL_SESSION_set_time(sess, now);
- SSL_SESSION_set_timeout(sess, timeout - (now - time));
+ SSL_SESSION_set_timeout(sess, (long) (timeout - (now - time)));
 }
 }
 }
diff --git a/src/event/ngx_event_openssl.h b/src/event/ngx_event_openssl.h
--- a/src/event/ngx_event_openssl.h
+++ b/src/event/ngx_event_openssl.h
@@ -83,6 +83,12 @@
 #endif
+#if (OPENSSL_VERSION_NUMBER > 0x30300000L)
+#define SSL_SESSION_get_time(s) SSL_SESSION_get_time_ex(s)
+#define SSL_SESSION_set_time(s, t) SSL_SESSION_set_time_ex(s, t)
+#endif
+
+
 typedef struct ngx_ssl_ocsp_s ngx_ssl_ocsp_t;
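Review bot: The `(long)` cast on the `SSL_SESSION_set_timeout()` argument silences the narrowing warning without recording why the value fits in a `long`. The bound presumably comes from the condition guarding this `else` branch, which lies outside the hunk, so the invariant cannot be checked from here. Since this value decides how long a session stays resumable, a short comment such as `/* remaining lifetime; bounded by the check above, fits in long */` would document the assumption, provided that guard really establishes it for both positive and negative `now - time`.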
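Review bot: The guard `#if (OPENSSL_VERSION_NUMBER > 0x30300000L)` is a strict comparison, and as far as I know 0x30300000L is the value OpenSSL 3.3.0 itself reports, so that release would keep the `long`-based functions even though the description names 3.3 as the version introducing the `_ex` variants. If excluding 3.3.0 is not intended, `#if (OPENSSL_VERSION_NUMBER >= 0x30300000L)` matches the description. If it is intended, a one-line comment saying why would keep it from being "corrected" later. The macros also redirect every existing `SSL_SESSION_get_time()` call, so any call site outside this hunk that stores the result in a `long` or `int` still truncates and is worth auditing.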