bryancall opened a new issue, #13348:
URL: https://github.com/apache/trafficserver/issues/13348

   Apache Traffic Server builds and runs against OpenSSL 3.x today, but on 
OpenSSL 3.0 and newer the build sets `OPENSSL_API_COMPAT=10002` (see 
CMakeLists.txt), which exposes the OpenSSL 1.0.2 API surface and lets 
deprecated calls keep compiling. That is a stopgap: it hides our remaining use 
of APIs that OpenSSL has deprecated and intends to remove. Looking ahead to 
OpenSSL 3.6 and later, we should migrate off these deprecated APIs and drop the 
compatibility shim so we stay buildable as they are removed.
   
   Goal: remove all deprecated OpenSSL API usage and build cleanly without 
`OPENSSL_API_COMPAT` (ideally with `OPENSSL_NO_DEPRECATED`) on OpenSSL 3.x.
   
   Tasks:
   - [ ] Diffie-Hellman parameter helpers and ENGINE-based private key loading 
in `src/iocore/net/SSLUtils.cc` - #13347
   - [ ] Add a CI build (or a documented local build) without 
`OPENSSL_API_COMPAT`, or with `OPENSSL_NO_DEPRECATED`, to surface every 
remaining deprecation warning across core and plugins
   - [ ] Triage and fix the surfaced deprecations, tracking per-area sub-issues 
here
   - [ ] Drop `OPENSSL_API_COMPAT=10002` from CMakeLists.txt once the tree 
builds clean
   - [ ] Confirm the test suite passes on the targeted OpenSSL 3.x release
   
   Context: this is the forward-looking successor to the older umbrella #7341 
(now closed), which tracked initial OpenSSL 3.0 compatibility. ATS already 
builds and passes CI on OpenSSL 3.0.8 and 3.5.6; the work here is to remove the 
deprecated-API reliance entirely rather than mask it with the compatibility 
define.
   


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]

For queries about this service, please contact Infrastructure at:
[email protected]

Reply via email to