add OpenSSL 3.0+ support #1160

Closed
alaviss opened this issue Feb 2, 2024 · 1 comment · Fixed by #1349 · May be fixed by #1336
Labels
enhancement New feature or request help wanted Extra attention is needed stdlib Standard library

Comments

alaviss commented Feb 2, 2024

Now that OpenSSL 1.1.1 is scarce in the wild, we should start updating the wrappers and stdlib to OpenSSL 3.0 at minimum to make sure tooling using std/net runs without additional packages on most *nix.

It should be safe to drop OpenSSL <1.1.1 support, as those are no longer widely used and do not support the latest TLSv1.3 standard.

We should drop LibreSSL support for now as well, as we don't have the resources to test against that library, and platforms that use LibreSSL also support OpenSSL.

This is more or less a short-term goal to get existing tools running well.

Useful References

  • PEP 644: Python decision to only support 1.1.1 and above.
@alaviss alaviss added enhancement New feature or request help wanted Extra attention is needed stdlib Standard library labels Feb 2, 2024
github-merge-queue bot pushed a commit that referenced this issue Jun 18, 2024
## Summary
The only ABI change between version 1.1.1 and 3.0 for our usage is
`SSL_get_peer_certificate` being split into
`SSL_get1_peer_certificate` (which is compatible with the prior symbol)
and `SSL_get0_peer_certificate`.

This PR modifies `SSL_get_peer_certificate` in the wrapper to use the
new symbol if available. No changes in other programs are required.

## Details
* `SSL_get_peer_certificate` will now select either
`SSL_get1_peer_certificate` or `SSL_get_peer_certificate` depending
on which symbols are available.
* DLL names for OpenSSL 3.x have been added for macOS, Windows and
Linux.
* The symbols used for certificate verification are no longer
unconditionally hidden on Windows. They were hidden previously as Nim
ships old OpenSSL 1.0 which did not have these symbols.

Fixes #1160
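
The symbol selection described in the commit message above, sketched with Python's `ctypes` as an added example; it is not the project's Nim wrapper code. The sonames in `LIBSSL_NAMES` and the helper names `pick_symbol`, `load_libssl` and `bind_peer_certificate` are assumptions made for illustration.

```python
import ctypes
import ctypes.util

# Symbol names taken from the commit message: the OpenSSL 3.x name first,
# then the OpenSSL 1.1.1 name it replaces.
PEER_CERT_SYMBOLS = ("SSL_get1_peer_certificate", "SSL_get_peer_certificate")

# Assumed Linux sonames for illustration; the page does not list the
# library names the wrapper actually probes.
LIBSSL_NAMES = ("libssl.so.3", "libssl.so.1.1")


def pick_symbol(lookup, candidates=PEER_CERT_SYMBOLS):
    """Return (name, symbol) for the first candidate that lookup() resolves.

    lookup(name) returns the symbol, or None when the library lacks it.
    """
    for name in candidates:
        sym = lookup(name)
        if sym is not None:
            return name, sym
    raise LookupError("none of %s exported" % ", ".join(candidates))


def load_libssl(names=LIBSSL_NAMES):
    """Open the first libssl that loads, newest first; None if none does."""
    found = ctypes.util.find_library("ssl")
    for name in tuple(names) + ((found,) if found else ()):
        try:
            return ctypes.CDLL(name)
        except OSError:
            continue
    return None


def bind_peer_certificate(lib):
    """Bind the peer-certificate getter under whichever name lib exports."""
    name, fn = pick_symbol(lambda n: getattr(lib, n, None))
    # Both symbols take an SSL* and return an X509* that the caller owns and
    # must release with X509_free. Declare pointer types so ctypes does not
    # truncate the result to a C int on 64-bit platforms.
    fn.argtypes = [ctypes.c_void_p]
    fn.restype = ctypes.c_void_p
    return name, fn


if __name__ == "__main__":
    lib = load_libssl()
    print("peer certificate getter:",
          bind_peer_certificate(lib)[0] if lib else "no libssl found")
```
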

alaviss commented Jun 18, 2024

Fixed by #1349

@alaviss alaviss closed this as completed Jun 18, 2024