BUILD: ssl: disable deprecated functions for AWS-LC 1.29.0

AWS-LC have a lot of functions that does nothing, which are now deprecated and emits some warning. This patch disables the following useless functions that emits a warning: SSL_CTX_get_security_level(), SSL_CTX_set_tmp_dh_callback(), ERR_load_SSL_strings(), RAND_keep_random_devices_open() The list of deprecated functions is here: https://github.com/aws/aws-lc/blob/main/docs/porting/functionality-differences.md
2025-08-05 22:56:57 +02:00 · 2024-06-14 10:01:46 +02:00 · 2024-06-14 10:01:46 +02:00 · ee5aa4e5e6
commit ee5aa4e5e6
parent 7120c77b14
2 changed files with 9 additions and 3 deletions
--- a/include/haproxy/openssl-compat.h
+++ b/include/haproxy/openssl-compat.h
@ -48,6 +48,10 @@
 #include <haproxy/quic_openssl_compat.h>
 #endif

+#if defined(USE_OPENSSL_AWSLC)
+#define OPENSSL_NO_DH
+#endif
+

 #if defined(LIBRESSL_VERSION_NUMBER)
 /* LibreSSL is a fork of OpenSSL 1.0.1g but pretends to be 2.0.0, thus
@ -70,7 +74,7 @@
 #define HAVE_SSL_EXTRACT_RANDOM
 #endif

-#if ((OPENSSL_VERSION_NUMBER >= 0x10101000L) && !defined(OPENSSL_IS_BORINGSSL) && !defined(LIBRESSL_VERSION_NUMBER))
+#if ((OPENSSL_VERSION_NUMBER >= 0x10101000L) && !defined(OPENSSL_IS_BORINGSSL) && !defined(USE_OPENSSL_AWSLC) && !defined(LIBRESSL_VERSION_NUMBER))
 #define HAVE_SSL_RAND_KEEP_RANDOM_DEVICES_OPEN
 #endif

@ -119,7 +123,7 @@
 #endif


-#if defined(SSL_CTX_set_security_level) || HA_OPENSSL_VERSION_NUMBER >= 0x1010100fL
+#if (defined(SSL_CTX_set_security_level) || HA_OPENSSL_VERSION_NUMBER >= 0x1010100fL) && !defined(USE_OPENSSL_AWSLC)
 #define HAVE_SSL_SET_SECURITY_LEVEL
 #endif

--- a/src/ssl_sock.c
+++ b/src/ssl_sock.c
@ -2560,10 +2560,12 @@ static int ssl_sock_load_dh_params(SSL_CTX *ctx, const struct ckch_data *data,
 				}
 			}
 			else {
+#ifndef OPENSSL_NO_DH
 #if (HA_OPENSSL_VERSION_NUMBER < 0x3000000fL)
 				SSL_CTX_set_tmp_dh_callback(ctx, ssl_get_tmp_dh_cbk);
 #else
 				ssl_sock_set_tmp_dh_from_pkey(ctx, data ? data->key : NULL);
+#endif
 #endif
 			}
 		}
@ -6945,7 +6947,7 @@ static void __ssl_sock_init(void)
 #ifdef HAVE_SSL_PROVIDERS
 	hap_register_post_deinit(ssl_unload_providers);
 #endif
-#if HA_OPENSSL_VERSION_NUMBER < 0x3000000fL
+#if (HA_OPENSSL_VERSION_NUMBER < 0x3000000fL) && !defined(USE_OPENSSL_AWSLC)
 	/* Load SSL string for the verbose & debug mode. */
 	ERR_load_SSL_strings();
 #endif