On Sun, Oct 31, 2021 at 01:35:09PM +0100, ste...@eissing.org wrote:
> I would like us to come to an understanding what our roadmap in
> regard to OpenSSL 3.0 is. People keep on asking about it.
>
> Yesterday, I spent some hours hacking at mod_ssl and mod_md to
> get it running. I managed to compile it, but it was not working
> reliably. Maybe I took some wrong turns somewhere. My observations
> below.

What are you talking about exactly here? trunk should compile and run fine already with 3.0 except if you build OpenSSL without deprecated functions which AFAIK nobody sane will do, or at least, no sane distributor will do, because the world is not ready.

> With my RM hat on, I see the next release in early December. We
> have some fixes to ship and maybe the new http2 implementation.
>
> Personally, I do not see a need for OpenSSL 3.0 in that one. But
> if anyone has plans to do it, it would be good to know.

I would still like to get a Travis job testing against 3.0, on my TODO, but I don't know of any compatibility problems not covered in trunk / https://github.com/apache/httpd/pull/258 (outside use of deprecated functions anyway).

Regards,
Joe

>
> Kind Regards,
> Stefan
>
> ---------------
> Observations hacking on OpenSSL 3.0 compatibility:
>
> - SRP seems to be gone.
> - the ENGINE API seems to be gone
> - RSA*, DH* and friends are no longer wanted.
>   Instead, the PKEY API offers replacements.
> - This affects reading key parameter from files, afaict.
> - Some minor annoyances with BIO_set_callback and
>   ERR_peek_last..
> - I changed EC key generation in mod_md to the new API,
>   but generation failed at runtime. Maybe a minor glitch
>   on my part.
> - The code overall does not become prettier.