On 6/25/25 3:56 PM, Joe Orton wrote:
> On Wed, Jun 25, 2025 at 03:41:57PM +0200, Ruediger Pluem wrote:
>>> --- httpd/httpd/trunk/modules/ssl/ssl_private.h (original)
>>> +++ httpd/httpd/trunk/modules/ssl/ssl_private.h Wed Jun 25 12:53:18 2025
>>> @@ -296,8 +296,12 @@ void free_bio_methods(void);
>>> #define X509_get_notAfter X509_getm_notAfter
>>> #endif
>>>
>>> -#if OPENSSL_VERSION_NUMBER >= 0x10101000L &&
>>> !defined(LIBRESSL_VERSION_NUMBER)
>>> -#define HAVE_OPENSSL_KEYLOG
>>> +/* For OpenSSL 3.5.0+, don't handle $SSLKEYLOGFILE since libssl does -
>>> + * unless OpenSSL was built with no-sslkeylog, which drops the env var
>>> + * handling, but leaves the API intact. */
>>> +#if OPENSSL_VERSION_NUMBER >= 0x10101000L &&
>>> !defined(LIBRESSL_VERSION_NUMBER) \
>>> + && (OPENSSL_VERSION_NUMBER <= 0x30500000L ||
>>> !defined(OPENSSL_NO_SSLKEYLOG))
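Review bot: the `!defined(OPENSSL_NO_SSLKEYLOG)` test on the last added line looks inverted against the comment directly above it. The comment says httpd should keep handling $SSLKEYLOGFILE on 3.5.0+ only when OpenSSL was built with no-sslkeylog. As written, the second clause is true when that macro is absent, which (assuming the macro is what a no-sslkeylog build defines) is the case where libssl handles the variable itself. That would leave both httpd and libssl handling the key log file on such builds, and neither handling it on a no-sslkeylog build. Suggest `defined(OPENSSL_NO_SSLKEYLOG)` here. Separately, `OPENSSL_VERSION_NUMBER <= 0x30500000L` still matches 3.5.0 itself, while the comment says "3.5.0+" is the range to exclude; `<` would agree with the comment.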
>>
>> When is OPENSSL_NO_SSLKEYLOG defined? When it was built with no-sslkeylog
>> and thus drops the env var handling?
>> And in this case we want to handle it as before?
>
> Yep - exactly right.
But shouldn't it be defined(OPENSSL_NO_SSLKEYLOG) then and not
!defined(OPENSSL_NO_SSLKEYLOG)
as we want to define HAVE_OPENSSL_KEYLOG on OpenSSL 3.5.0+ when
OPENSSL_NO_SSLKEYLOG is defined.
Regards
Rüdiger