This is an automated email from the ASF dual-hosted git repository. cmcfarlen pushed a commit to branch 10.2.x in repository https://gitbox.apache.org/repos/asf/trafficserver.git
commit 3694109998d318984fa16233a2de702fe483ee87 Author: Brian Neradt <[email protected]> AuthorDate: Fri Mar 20 18:15:46 2026 -0500 cmake: limit GENERAL_NAME bssl probe (#13008) CMake can report HAVE_GENERAL_NAME_IN_BSSL_NAMESPACE on plain OpenSSL builds. In a build, the probe succeeded with OpenSSL 3.x even though SSLLIB_IS_BORINGSSL and SSLLIB_IS_AWSLC were both false. That made OCSP stapling in src/iocore/net/OCSPStapling.cc take the bssl::GENERAL_NAME path, and the final traffic_server link failed with an undefined reference to bssl::GENERAL_NAME_it(). The probe is not safe to run for non-BoringSSL libraries. OpenSSL 3.x headers allow bssl::GENERAL_NAME_it() to be declared syntactically, but libcrypto only exports the global GENERAL_NAME_it symbol, so a compile-only try_compile can false-positive. Only run the probe for BoringSSL-family builds and force the cache entry off for plain OpenSSL builds. (cherry picked from commit 33cb77a81e3275e665eabcadcb9f6cb2089e9452) --- CMakeLists.txt | 35 ++++++++++++++++++++++------------- 1 file changed, 22 insertions(+), 13 deletions(-) diff --git a/CMakeLists.txt b/CMakeLists.txt index f5c51ca3af..80aa25460c 100644 --- a/CMakeLists.txt +++ b/CMakeLists.txt @@ -593,19 +593,28 @@ check_cxx_source_compiles( }" HAVE_CRYPTO_EX_DUP_TYPE1 ) -check_cxx_source_compiles( - "#include <openssl/asn1.h> - namespace bssl { - DECLARE_ASN1_ITEM(GENERAL_NAME) - }; - int main() { - if (&bssl::GENERAL_NAME_it == reinterpret_cast<void *>(0x01)) { - return 1; - } - return 0; - }" - HAVE_GENERAL_NAME_IN_BSSL_NAMESPACE -) +if(SSLLIB_IS_BORINGSSL OR SSLLIB_IS_AWSLC) + check_cxx_source_compiles( + "#include <openssl/asn1.h> + namespace bssl { + DECLARE_ASN1_ITEM(GENERAL_NAME) + }; + int main() { + if (&bssl::GENERAL_NAME_it == reinterpret_cast<void *>(0x01)) { + return 1; + } + return 0; + }" + HAVE_GENERAL_NAME_IN_BSSL_NAMESPACE + ) +else() + # This probe is only meaningful for BoringSSL-family libraries. Force it off + # for OpenSSL so a stale cache or macro shape change can't enable bssl:: code. + set(HAVE_GENERAL_NAME_IN_BSSL_NAMESPACE + FALSE + CACHE INTERNAL "GENERAL_NAME lives in the bssl namespace" FORCE + ) +endif() set(CMAKE_EXTRA_INCLUDE_FILES netinet/in.h netinet/tcp.h) check_type_size("struct tcp_info" STRUCT_TCP_INFO)
