(trafficserver) branch master updated: cmake: limit GENERAL_NAME bssl probe (#13008)

Fri, 20 Mar 2026 16:16:01 -0700 

This is an automated email from the ASF dual-hosted git repository.

bneradt pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/trafficserver.git


The following commit(s) were added to refs/heads/master by this push:
     new 33cb77a81e cmake: limit GENERAL_NAME bssl probe (#13008)
33cb77a81e is described below

commit 33cb77a81e3275e665eabcadcb9f6cb2089e9452
Author: Brian Neradt <[email protected]>
AuthorDate: Fri Mar 20 18:15:46 2026 -0500

    cmake: limit GENERAL_NAME bssl probe (#13008)
    
    CMake can report HAVE_GENERAL_NAME_IN_BSSL_NAMESPACE on plain
    OpenSSL builds. In a build, the probe succeeded with
    OpenSSL 3.x even though SSLLIB_IS_BORINGSSL and SSLLIB_IS_AWSLC were
    both false. That made OCSP stapling in src/iocore/net/OCSPStapling.cc
    take the bssl::GENERAL_NAME path, and the final traffic_server link
    failed with an undefined reference to bssl::GENERAL_NAME_it().
    
    The probe is not safe to run for non-BoringSSL libraries. OpenSSL 3.x
    headers allow bssl::GENERAL_NAME_it() to be declared syntactically, but
    libcrypto only exports the global GENERAL_NAME_it symbol, so a
    compile-only try_compile can false-positive.
    
    Only run the probe for BoringSSL-family builds and force the cache
    entry off for plain OpenSSL builds.
---
 CMakeLists.txt | 35 ++++++++++++++++++++++-------------
 1 file changed, 22 insertions(+), 13 deletions(-)

diff --git a/CMakeLists.txt b/CMakeLists.txt
index 0019aabda8..d899e29052 100644
--- a/CMakeLists.txt
+++ b/CMakeLists.txt
@@ -593,19 +593,28 @@ check_cxx_source_compiles(
   }"
   HAVE_CRYPTO_EX_DUP_TYPE1
 )
-check_cxx_source_compiles(
-  "#include <openssl/asn1.h>
-  namespace bssl {
-    DECLARE_ASN1_ITEM(GENERAL_NAME)
-  };
-  int main() {
-    if (&bssl::GENERAL_NAME_it == reinterpret_cast<void *>(0x01)) {
-      return 1;
-    }
-    return 0;
-  }"
-  HAVE_GENERAL_NAME_IN_BSSL_NAMESPACE
-)
+if(SSLLIB_IS_BORINGSSL OR SSLLIB_IS_AWSLC)
+  check_cxx_source_compiles(
+    "#include <openssl/asn1.h>
+    namespace bssl {
+      DECLARE_ASN1_ITEM(GENERAL_NAME)
+    };
+    int main() {
+      if (&bssl::GENERAL_NAME_it == reinterpret_cast<void *>(0x01)) {
+        return 1;
+      }
+      return 0;
+    }"
+    HAVE_GENERAL_NAME_IN_BSSL_NAMESPACE
+  )
+else()
+  # This probe is only meaningful for BoringSSL-family libraries. Force it off
+  # for OpenSSL so a stale cache or macro shape change can't enable bssl:: 
code.
+  set(HAVE_GENERAL_NAME_IN_BSSL_NAMESPACE
+      FALSE
+      CACHE INTERNAL "GENERAL_NAME lives in the bssl namespace" FORCE
+  )
+endif()
 
 set(CMAKE_EXTRA_INCLUDE_FILES netinet/in.h netinet/tcp.h)
 check_type_size("struct tcp_info" STRUCT_TCP_INFO)

Reply via email to