bryancall opened a new issue, #13348: URL: https://github.com/apache/trafficserver/issues/13348
Apache Traffic Server builds and runs against OpenSSL 3.x today, but on OpenSSL 3.0 and newer the build sets `OPENSSL_API_COMPAT=10002` (see CMakeLists.txt), which exposes the OpenSSL 1.0.2 API surface and lets deprecated calls keep compiling. That is a stopgap: it hides our remaining use of APIs that OpenSSL has deprecated and intends to remove. Looking ahead to OpenSSL 3.6 and later, we should migrate off these deprecated APIs and drop the compatibility shim so we stay buildable as they are removed. Goal: remove all deprecated OpenSSL API usage and build cleanly without `OPENSSL_API_COMPAT` (ideally with `OPENSSL_NO_DEPRECATED`) on OpenSSL 3.x. Tasks: - [ ] Diffie-Hellman parameter helpers and ENGINE-based private key loading in `src/iocore/net/SSLUtils.cc` - #13347 - [ ] Add a CI build (or a documented local build) without `OPENSSL_API_COMPAT`, or with `OPENSSL_NO_DEPRECATED`, to surface every remaining deprecation warning across core and plugins - [ ] Triage and fix the surfaced deprecations, tracking per-area sub-issues here - [ ] Drop `OPENSSL_API_COMPAT=10002` from CMakeLists.txt once the tree builds clean - [ ] Confirm the test suite passes on the targeted OpenSSL 3.x release Context: this is the forward-looking successor to the older umbrella #7341 (now closed), which tracked initial OpenSSL 3.0 compatibility. ATS already builds and passes CI on OpenSSL 3.0.8 and 3.5.6; the work here is to remove the deprecated-API reliance entirely rather than mask it with the compatibility define. -- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: [email protected] For queries about this service, please contact Infrastructure at: [email protected]
