Add OpenSSL 3.x support to openssl-dynamic #867

Merged
merged 2 commits into from
Apr 23, 2024

Commits on Apr 12, 2024

  1. Add OpenSSL 3.x support to openssl-dynamic

    Motivation:
    
    The `openssl-dynamic` module only compiles against OpenSSL 1.x.
    
    Modifications:
    
    The most significant change is that one no longer needs to provide DH parameters manually. By calling `SSL_CTX_set_dh_auto()`, OpenSSL will use the built-in parameters that match the key pair size. E.g. RSA 2048 will use DH 2048 and so on.
    
    The property `jdk.tls.ephemeralDHKeySize`, which was used to affect the size of the DH parameters before, will be ignored when using the dynamically linked OpenSSL. Instead, the system OpenSSL library's config will be used.
    
    Another change is how FIPS is managed, because OpenSSL 3 introduces a "Provider" concept. `FIPS_mode_set` is removed and is now replaced with `EVP_default_properties_enable_fips`, which instructs OpenSSL to load the FIPS-compliant provider if no provider is explicitly requested.
    
    Result:
    
    The `openssl-dynamic` module can now successfully compile and run with OpenSSL 3.x.
    klaren committed Apr 12, 2024
    4c6c6d6

Commits on Apr 23, 2024

  1. 6ccbe01