From 6ccb94123f303cfd2a5ee44d78384a9a0f68dbd4 Mon Sep 17 00:00:00 2001
From: Joe Orton
Date: Wed, 25 Jun 2025 12:53:18 +0000
Subject: [PATCH 1/3] * modules/ssl/ssl_private.h: For OpenSSL >= 3.5.0 drop $SSLKEYLOGFILE handling inside mod_ssl where OpenSSL is built to handle that internally in libssl.

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1926720 13f79535-47bb-0310-9956-ffa450edef68
---
 modules/ssl/ssl_private.h | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)

diff --git a/modules/ssl/ssl_private.h b/modules/ssl/ssl_private.h
index c517a7bdc01..00da5ac8f3f 100644
--- a/modules/ssl/ssl_private.h
+++ b/modules/ssl/ssl_private.h
@@ -290,8 +290,12 @@ void free_bio_methods(void);
 #define X509_get_notAfter X509_getm_notAfter
 #endif
 
-#if OPENSSL_VERSION_NUMBER >= 0x10101000L && !defined(LIBRESSL_VERSION_NUMBER)
-#define HAVE_OPENSSL_KEYLOG
+/* For OpenSSL 3.5.0+, don't handle $SSLKEYLOGFILE since libssl does -
+ * unless OpenSSL was built with no-sslkeylog, which drops the env var
+ * handling, but leaves the API intact. */
+#if OPENSSL_VERSION_NUMBER >= 0x10101000L && !defined(LIBRESSL_VERSION_NUMBER) \
+ && (OPENSSL_VERSION_NUMBER <= 0x30500000L || !defined(OPENSSL_NO_SSLKEYLOG))
+#define HAVE_OPENSSL_KEYLOG
 #endif
 
 #ifdef HAVE_FIPS

From 9d9372f8415fadff972e960e733df34ff4ac2f3c Mon Sep 17 00:00:00 2001
From: Joe Orton
Date: Wed, 25 Jun 2025 15:16:22 +0000
Subject: [PATCH 2/3] * modules/ssl/ssl_private.h: Fix logic in r1926720 HAVE_OPENSSL_KEYLOG macro, thanks to rpluem.

Reviewed by: rpluem

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1926722 13f79535-47bb-0310-9956-ffa450edef68
---
 modules/ssl/ssl_private.h | 12 ++++++++----
 1 file changed, 8 insertions(+), 4 deletions(-)

diff --git a/modules/ssl/ssl_private.h b/modules/ssl/ssl_private.h
index 00da5ac8f3f..fb9edaa5eeb 100644
--- a/modules/ssl/ssl_private.h
+++ b/modules/ssl/ssl_private.h
@@ -290,11 +290,15 @@ void free_bio_methods(void);
 #define X509_get_notAfter X509_getm_notAfter
 #endif
 
-/* For OpenSSL 3.5.0+, don't handle $SSLKEYLOGFILE since libssl does -
- * unless OpenSSL was built with no-sslkeylog, which drops the env var
- * handling, but leaves the API intact. */
+/* The SSL_CTX_set_keylog_callback() API is present in 1.1.1+.
+ *
+ * OpenSSL 3.5+ also provides optional native handling of
+ * $SSLKEYLOGFILE inside libssl, which duplicates the mod_ssl support.
+ * The mod_ssl support is hence disabled for 3.5+, unless that OpenSSL
+ * feature is itself disabled (and OPENSSL_NO_SSLKEYLOG is defined).
+ */
 #if OPENSSL_VERSION_NUMBER >= 0x10101000L && !defined(LIBRESSL_VERSION_NUMBER) \
- && (OPENSSL_VERSION_NUMBER <= 0x30500000L || !defined(OPENSSL_NO_SSLKEYLOG))
+ && (OPENSSL_VERSION_NUMBER <= 0x30500000L || defined(OPENSSL_NO_SSLKEYLOG))
 #define HAVE_OPENSSL_KEYLOG
 #endif
 

From 0a8a3fa0e196fc187593f1d98c09b06e5affce8a Mon Sep 17 00:00:00 2001
From: Joe Orton
Date: Fri, 27 Jun 2025 12:15:52 +0100
Subject: [PATCH 3/3] Describe change.

---
 changes-entries/ssl-less-keylog.txt | 3 +++
 1 file changed, 3 insertions(+)
 create mode 100644 changes-entries/ssl-less-keylog.txt

diff --git a/changes-entries/ssl-less-keylog.txt b/changes-entries/ssl-less-keylog.txt
new file mode 100644
index 00000000000..eefb7c371af
--- /dev/null
+++ b/changes-entries/ssl-less-keylog.txt
@@ -0,0 +1,3 @@
+ *) mod_ssl: Drop $SSLKEYLOGFILE handling internally for OpenSSL 3.5
+ builds which enable it in libssl natively. [Joe Orton]
+
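Review bot: The version boundary on the new `&& (...)` line uses `<= 0x30500000L`, which does not quite express the "3.5+" the comment and commit message describe: if I read the 3.x OPENSSL_VERSION_NUMBER encoding right, release builds carry the 0xf status nibble (3.5.0 final is 0x3050000fL) and 0x30500000L is a 3.5.0 pre-release/dev build, so such builds fall into the "keep mod_ssl's handling" branch while libssl may already be handling the variable natively, and both components would then write key material to the file. `&& (OPENSSL_VERSION_NUMBER < 0x30500000L || defined(OPENSSL_NO_SSLKEYLOG))` makes the intent exact and avoids a reader having to know that the trailing nibble is a status field. It would also help operators auditing key logging to add one sentence to the new comment, e.g. `On 3.5+ builds the env var is read by libssl itself, so the keylog file is written without mod_ssl involvement and cannot be gated by mod_ssl configuration.` The whole `#if`/`#endif` is inside the hunk, so no other lines are affected.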