stream-ssl: Drop support for OpenSSL 1.1.0 and older.
OpenSSL 1.1.0 reached EoL 5 years ago, on 11 Sep 2019.  The vast majority
of distributions moved to newer versions a long time ago.

OpenSSL 1.1.1 introduced a lot of new APIs and deprecated a lot of
old ones.  It also introduced support for TLSv1.3 with a pack of
APIs specific to that version.

Requiring OpenSSL 1.1.1 or newer will allow us to get rid of use of
many deprecated APIs as well as introduce explicit support for TLSv1.3
without polluting the code with conditional compiling.

The Python community did an exceptional investigation into the benefits of
dropping support for OpenSSL 1.1.0 when they did the same in 2021:
  https://peps.python.org/pep-0644/

We do not officially support building with LibreSSL, but none of the
ifdefs for it are necessary today, as LibreSSL has implemented all
the missing APIs.  Also, most major distributions either moved away
from LibreSSL or provide OpenSSL as an alternative.

This commit only removes explicit workarounds.  We'll start replacing
deprecated APIs in the next ones.

OpenSSL 1.1.1 also reached end of life in 2023, but it's not a big
burden to support, and many distributions are still using it and
will continue using it for quite some time.

Signed-off-by: Ilya Maximets <[email protected]>
igsilya committed Dec 8, 2024
1 parent 4d43542 commit 508acfc
Showing 4 changed files with 2 additions and 29 deletions.
1 change: 1 addition & 0 deletions NEWS
@@ -14,6 +14,7 @@ Post-v3.4.0
* TLSv1 and TLSv1.1 protocols are deprecated and disabled by default
on OpenFlow and database connections. Use --ssl-protocols to turn
them back on. Support will be fully removed in the next release.
* OpenSSL 1.1.1 or newer is now required for SSL/TLS support.
- Userspace datapath:
* The default zone limit, if set, is now inherited by any zone
that does not have a specific value defined, rather than being
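Review bot: the new minimum is announced in this NEWS line but not enforced anywhere in the 4 changed files, none of which touches the configure-time OpenSSL detection. A build against OpenSSL 1.0.2 will now die on the unconditional DH_set0_pqg() and ASN1_STRING_get0_data() calls with an "undeclared" compiler error rather than a clear message, while a build against 1.1.0 keeps compiling after this commit and only breaks once the follow-up commits start using 1.1.1-only APIs. Consider adding a configure check for OPENSSL_VERSION_NUMBER >= 0x10101000L (the 1.1.1 base value) that reports the requirement stated here, ideally in the same commit that introduces the first 1.1.1-only call.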
6 changes: 0 additions & 6 deletions build-aux/generate-dhparams-c
@@ -83,13 +83,7 @@ static int
my_DH_set0_pqg(DH *dh, BIGNUM *p, const BIGNUM **q OVS_UNUSED, BIGNUM *g)
{
ovs_assert(q == NULL);
#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined (LIBRESSL_VERSION_NUMBER)
dh->p = p;
dh->g = g;
return 1;
#else
return DH_set0_pqg(dh, p, NULL, g);
#endif
}
EOF
dhparam_to_c lib/dh2048.pem
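Review bot: with the fallback gone, my_DH_set0_pqg() is a pass-through that only wraps DH_set0_pqg(dh, p, NULL, g) in an ovs_assert(q == NULL) and an OVS_UNUSED parameter, so the generated code could call DH_set0_pqg() directly and the wrapper could go. If it is deliberately kept as the single seam through which the DH_* path (itself deprecated since OpenSSL 3.0) will be swapped for the EVP-based API in the follow-up commits the message promises, a one-line comment saying so would save the next reader the question. Since this script generates lib/dhparams.c, the two hunks must stay identical; they do here.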
6 changes: 0 additions & 6 deletions lib/dhparams.c
@@ -11,13 +11,7 @@ static int
my_DH_set0_pqg(DH *dh, BIGNUM *p, const BIGNUM **q OVS_UNUSED, BIGNUM *g)
{
ovs_assert(q == NULL);
#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined (LIBRESSL_VERSION_NUMBER)
dh->p = p;
dh->g = g;
return 1;
#else
return DH_set0_pqg(dh, p, NULL, g);
#endif
}
DH *get_dh2048(void)
{
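Review bot: this is the generated counterpart of the build-aux/generate-dhparams-c change and matches it line for line, which is the only thing to check in this file; the point about the now-trivial wrapper applies to the template, not here. Worth confirming the file was regenerated rather than hand-edited so nothing else in it drifts from the generator's output.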
18 changes: 1 addition & 17 deletions lib/stream-ssl.c
@@ -499,14 +499,7 @@ get_peer_common_name(const struct ssl_stream *sslv)
goto error;
}

const char *cn;
#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined (LIBRESSL_VERSION_NUMBER)
/* ASN1_STRING_data() is deprecated as of OpenSSL version 1.1 */
cn = (const char *)ASN1_STRING_data(cn_data);
#else
cn = (const char *)ASN1_STRING_get0_data(cn_data);
#endif
peer_name = xstrdup(cn);
peer_name = xstrdup((const char *) ASN1_STRING_get0_data(cn_data));

error:
X509_free(peer_cert);
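Review bot: the rewritten xstrdup() line treats the return of ASN1_STRING_get0_data() as a NUL-terminated C string, but an ASN1_STRING carries an explicit length and may contain embedded NUL bytes, so a CN encoded as "trusted\0anything" is copied as "trusted". The removed code had the same issue (xstrdup(cn)), so this is not a regression, but since the line is being rewritten anyway, pair ASN1_STRING_get0_data() with ASN1_STRING_length(), e.g. copy with xmemdup0(data, len) and reject the name when strlen() of the copy differs from the ASN.1 length, or use ASN1_STRING_to_UTF8(), which also normalizes the string type instead of assuming the bytes are already in a usable encoding. How much this matters depends on whether the chain has been verified against the configured CA before the name is consulted; if it has, the exposure is limited to what a holder of a CA-issued certificate can put in its CN, which is still the value an RBAC decision would be keyed on.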
@@ -1016,15 +1009,6 @@ do_ssl_init(void)
{
SSL_METHOD *method;

#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined (LIBRESSL_VERSION_NUMBER)
#ifdef _WIN32
/* The following call is needed if we "#include <openssl/applink.c>". */
CRYPTO_malloc_init();
#endif
SSL_library_init();
SSL_load_error_strings();
#endif

if (!RAND_status()) {
/* We occasionally see OpenSSL fail to seed its random number generator
* in heavily loaded hypervisors. I suspect the following scenario:
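Review bot: dropping SSL_library_init() and SSL_load_error_strings() is correct for 1.1.1, where the library initializes itself through OPENSSL_init_ssl(3) on first use and SSL_CTX_new() loads the error strings; the one thing to double-check is ordering in this function, since RAND_status() now runs before anything has triggered the SSL-level auto-init, whereas previously the explicit calls guaranteed full initialization ahead of it. If the explicit initialization was also serving to make startup deterministic (for instance for the Windows applink.c arrangement the removed comment refers to), OPENSSL_init_ssl(OPENSSL_INIT_LOAD_SSL_STRINGS | OPENSSL_INIT_LOAD_CRYPTO_STRINGS, NULL) is the non-deprecated equivalent and would document the intent. Separately, SSL_METHOD *method in the unchanged context above is declared non-const while the 1.1 method constructors return const SSL_METHOD *, so presumably there is a cast further down that can go in the deprecated-API pass.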