Support OpenSSL 4.0, add Fedora 45 to GHA #10868
jschmidt-icinga
left a comment
Please improve the PR description to add reasoning to each of the changes involved, especially since it's difficult to test this and verify that it works without setting up an entire test install/container. For example, currently I have no idea why the change in pkiutility.cpp is even necessary.
Adding a quick and easy test setup to the PR-description would also be welcome, considering this isn't part of any of our GHAs at this moment.
Otherwise it fails to compile with OpenSSL 4: https://github.com/Icinga/icinga2/actions/runs/28028968103/job/82964146007
Idk what changes we'll make in the future, hence I prefer already adding it to the GHA via Fedora 45. Yes, Fedora 45 will have OpenSSL 4. We better prepare for this by having an Icinga 2.16.x with OpenSSL 4 support by Oct '26.
What I meant was, please add things like that to the PR description from the start in the future. And no, saying "Commit X is necessary because otherwise it fails to compile" and linking to a failed action isn't polite to your reviewers either. Instead write a quick paragraph like this:
Furthermore, commit messages like
are entirely pointless. They don't even really summarize anything you can't grasp from a quick look at the code. What I'm looking for from a commit message or the PR description is the reasoning behind a change, not a quick technical overview of what a change does.
to fix a build error against OpenSSL 4.0. OpenSSL 4.0 made `X509_NAME*` pointers returned by `X509_get_subject_name()`, `X509_REQ_get_subject_name()` and related getters const. In contrast, under OpenSSL 1.x, setters expect non-const pointers, hence our new typedef `X509NamePtr`.
- Use `X509NamePtr` parameters in `GetX509NameCN()`, `CreateCert()` and `CreateCertIcingaCA()` to match the const expectations per OpenSSL version
- Replace `X509_REQ_get_subject_name()` with `X509_NAME_new()` + `X509_REQ_set_subject_name()` for CSR subject modification, since the returned data can't be directly modified now
to fix a build error against OpenSSL 4.0. OpenSSL 4.0 made `ASN1_INTEGER` an opaque type.
- Replace direct `ASN1_INTEGER` field access (`->length`, `->data`) with `ASN1_STRING_length()` / `ASN1_STRING_get0_data()` accessors
- Switch to `X509_get0_serialNumber()`, which returns a const `ASN1_INTEGER*`
The release of Fedora 45 will take months, but a distro shipping OpenSSL 4 is necessary to ensure persistent OpenSSL 4 compatibility.
| #if OPENSSL_VERSION_NUMBER >= 0x10100000L | ||
| const ASN1_INTEGER *asn1_serial = X509_get0_serialNumber(cert.get()); | ||
| int serial_len = ASN1_STRING_length(asn1_serial); | ||
| const unsigned char *serial_data = ASN1_STRING_get0_data(asn1_serial); |
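Review bot: the `#if OPENSSL_VERSION_NUMBER >= 0x10100000L` guard is the right threshold here, since `X509_get0_serialNumber()` and `ASN1_STRING_get0_data()` both first appeared in OpenSSL 1.1.0; the `#else` branch is outside this snippet, so the PR description should say whether the pre-1.1.0 path keeps the direct `->length` / `->data` access that the commit message replaces, or whether OpenSSL 1.0.x is no longer a supported build target.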
The new code purrs like a cat:
```
➜ icinga2 git:(fix/openssl4-compat) prefix/sbin/icinga2 pki save-cert --host al2klimov.de --port 443 --trustedcert al2klimov.de.crt
information/cli: Retrieving TLS certificate for 'al2klimov.de:443'.
Version: 3
Subject: CN = al2klimov.de
Issuer: C = US, O = Let's Encrypt, CN = YR2
Valid From: Jun 4 05:04:26 2026 GMT
Valid Until: Sep 2 05:04:25 2026 GMT
Serial: 06:95:08:37:24:27:8b:32:f9:4c:f6:ba:d0:9e:c0:33:f1:b2
Signature Algorithm: sha256WithRSAEncryption
Subject Alt Names: al2klimov.de
Fingerprint: 5A E7 30 98 2E 10 C5 FD A2 EB D6 3C 16 2C 7E 46 A4 E3 8F 17 A5 B2 E4 55 FD 1D 2A 2A 6B 28 9F F0
***
*** You have to ensure that this certificate actually matches the parent
*** instance's certificate in order to avoid man-in-the-middle attacks.
***
information/pki: Writing certificate to file 'al2klimov.de.crt'.
➜ icinga2 git:(fix/openssl4-compat) prefix/sbin/icinga2 --version
icinga2 - The Icinga 2 network monitoring daemon (version: v2.16.0-24-g2e539576e; debug)
Copyright (c) 2012-2026 Icinga GmbH (https://icinga.com/)
License GPLv3+: GNU GPL version 3 or later <https://gnu.org/licenses/gpl-3.0.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
System information:
Platform: macOS
Platform version: 26.5.1
Kernel: Darwin
Kernel version: 25.5.0
Architecture: arm64
Build information:
Compiler: AppleClang 21.0.0.21000101
Build host: ws-aklimov.int.netways.de
OpenSSL version: OpenSSL 4.0.0 14 Apr 2026
Application information:
General paths:
Config directory: /Users/aklimov/NET/WS/icinga2/prefix/etc/icinga2
Data directory: /Users/aklimov/NET/WS/icinga2/prefix/var/lib/icinga2
Log directory: /Users/aklimov/NET/WS/icinga2/prefix/var/log/icinga2
Cache directory: /Users/aklimov/NET/WS/icinga2/prefix/var/cache/icinga2
Spool directory: /Users/aklimov/NET/WS/icinga2/prefix/var/spool/icinga2
Run directory: /Users/aklimov/NET/WS/icinga2/prefix/var/run/icinga2
Old paths (deprecated):
Installation root: /Users/aklimov/NET/WS/icinga2/prefix
Sysconf directory: /Users/aklimov/NET/WS/icinga2/prefix/etc
Run directory (base): /Users/aklimov/NET/WS/icinga2/prefix/var/run
Local state directory: /Users/aklimov/NET/WS/icinga2/prefix/var
Internal paths:
Package data directory: /Users/aklimov/NET/WS/icinga2/prefix/share/icinga2
State path: /Users/aklimov/NET/WS/icinga2/prefix/var/lib/icinga2/icinga2.state
Modified attributes path: /Users/aklimov/NET/WS/icinga2/prefix/var/lib/icinga2/modified-attributes.conf
Objects path: /Users/aklimov/NET/WS/icinga2/prefix/var/cache/icinga2/icinga2.debug
Vars path: /Users/aklimov/NET/WS/icinga2/prefix/var/cache/icinga2/icinga2.vars
PID path: /Users/aklimov/NET/WS/icinga2/prefix/var/run/icinga2/icinga2.pid
➜ icinga2 git:(fix/openssl4-compat)
```
jschmidt-icinga
left a comment
Looks good to me. But let's wait with the merge until after the security releases. Also @julianbrost might want to take a look, since he's more knowledgeable on the SSL stuff. This doesn't touch any of the crypto stuff, but still it can't harm having a third opinion.
OpenSSL 4.0 made X509_NAME* pointers returned by X509_get_subject_name(), X509_REQ_get_subject_name() and related functions const, and made ASN1_INTEGER an opaque type.
fixes #10865
fixes #10873
There are two distinct pairs of shoes in OpenSSL, getters and setters. If it were only the getters which changed, we could just use const pointers everywhere. But setters also changed to const, hence we need a typedef to support everything from OpenSSL 1 to 4.