details: http://freenginx.org/hg/nginx/rev/91f88a8688ed
branches:
changeset: 9482:91f88a8688ed
user: Maxim Dounin <[email protected]>
date: Sun Mar 22 16:26:31 2026 +0300
description:
SSL: compatibility with X509_get_subject_name() in OpenSSL 4.0.
In OpenSSL 4.0 alpha 1, X509_get_subject_name() and X509_get_issuer_name()
return "const X509_NAME *" results. To avoid warnings, the "const" qualifier
is added to the corresponding variables.
Note that in some cases it is safe to add qualifier unconditionally, since
all functions being used accept const arguments (in all supported OpenSSL
versions). In particular, in ngx_ssl_ocsp_create_key() the name is only
used in X509_NAME_digest(), which accepts a const argument since at least
OpenSSL 0.9.8, and therefore it is safe to use "const" unconditionally.
In other cases conditional compilation is required, since at least some
functions being used require non-const arguments. In particular,
X509_NAME_oneline() and X509_NAME_print_ex() accept const only starting
with OpenSSL 1.1.0.
diffstat:
src/event/ngx_event_openssl.c | 15 +++++++++++++++
src/event/ngx_event_openssl_stapling.c | 6 +++---
2 files changed, 18 insertions(+), 3 deletions(-)
diffs (69 lines):
diff --git a/src/event/ngx_event_openssl.c b/src/event/ngx_event_openssl.c
--- a/src/event/ngx_event_openssl.c
+++ b/src/event/ngx_event_openssl.c
@@ -1278,6 +1278,9 @@ ngx_ssl_verify_callback(int ok, X509_STO
char *subject, *issuer;
int err, depth;
X509 *cert;
+#if OPENSSL_VERSION_NUMBER >= 0x40000000L
+ const
+#endif
X509_NAME *sname, *iname;
ngx_connection_t *c;
ngx_ssl_conn_t *ssl_conn;
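Review bot: The `#if OPENSSL_VERSION_NUMBER >= 0x40000000L` / `const` / `#endif` splice in the declarations of ngx_ssl_verify_callback() has no comment saying why the qualifier is conditional, and the same uncommented three lines recur in ngx_ssl_get_subject_dn(), ngx_ssl_get_issuer_dn(), ngx_ssl_get_subject_dn_legacy() and ngx_ssl_get_issuer_dn_legacy(). The reasoning exists only in the commit message, so I would add a comment above the block at the first site, e.g. `/* X509_get_subject_name() returns const since OpenSSL 4.0; X509_NAME_oneline() accepts const only since 1.1.0 */`. Because the pattern is repeated five times, it may also be worth hoisting the version check into a single definition beside the file's other OpenSSL compatibility conditionals, so these certificate-handling declarations stay readable and there is one place to adjust. The function bodies lie outside all five hunks, so whether every use of sname, iname and name accepts a const pointer cannot be confirmed from here.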
@@ -6328,6 +6331,9 @@ ngx_ssl_get_subject_dn(ngx_connection_t
{
BIO *bio;
X509 *cert;
+#if OPENSSL_VERSION_NUMBER >= 0x40000000L
+ const
+#endif
X509_NAME *name;
s->len = 0;
@@ -6382,6 +6388,9 @@ ngx_ssl_get_issuer_dn(ngx_connection_t *
{
BIO *bio;
X509 *cert;
+#if OPENSSL_VERSION_NUMBER >= 0x40000000L
+ const
+#endif
X509_NAME *name;
s->len = 0;
@@ -6438,6 +6447,9 @@ ngx_ssl_get_subject_dn_legacy(ngx_connec
char *p;
size_t len;
X509 *cert;
+#if OPENSSL_VERSION_NUMBER >= 0x40000000L
+ const
+#endif
X509_NAME *name;
s->len = 0;
@@ -6486,6 +6498,9 @@ ngx_ssl_get_issuer_dn_legacy(ngx_connect
char *p;
size_t len;
X509 *cert;
+#if OPENSSL_VERSION_NUMBER >= 0x40000000L
+ const
+#endif
X509_NAME *name;
s->len = 0;
diff --git a/src/event/ngx_event_openssl_stapling.c
b/src/event/ngx_event_openssl_stapling.c
--- a/src/event/ngx_event_openssl_stapling.c
+++ b/src/event/ngx_event_openssl_stapling.c
@@ -2629,9 +2629,9 @@ ngx_ssl_ocsp_cache_store(ngx_ssl_ocsp_ct
static ngx_int_t
ngx_ssl_ocsp_create_key(ngx_ssl_ocsp_ctx_t *ctx)
{
- u_char *p;
- X509_NAME *name;
- ASN1_INTEGER *serial;
+ u_char *p;
+ ASN1_INTEGER *serial;
+ const X509_NAME *name;
p = ngx_pnalloc(ctx->pool, 60);
if (p == NULL) {