Support OpenSSL 4.0, add Fedora 45 to GHA #10868

Open
Al2Klimov wants to merge 3 commits into master from fix/openssl4-compat

Conversation

Al2Klimov (Member) commented Jun 2, 2026

OpenSSL 4.0 made X509_NAME* pointers returned by X509_get_subject_name(), X509_REQ_get_subject_name() and related functions const, and made ASN1_INTEGER an opaque type.

  • Add const to X509_NAME* parameters in GetX509NameCN(), CreateCert(), and CreateCertIcingaCA() to match the new const-correct return types
  • Replace X509_REQ_get_subject_name() with X509_NAME_new() + X509_REQ_set_subject_name() for CSR subject modification, since the returned pointer is now const
  • Replace direct ASN1_INTEGER field access (->length, ->data) with ASN1_STRING_length() / ASN1_STRING_get0_data() accessors, and switch to X509_get0_serialNumber() which returns const ASN1_INTEGER*
  • Add Fedora 45 to GitHub actions to ensure persistent OpenSSL 4 compatibility

fixes #10865
fixes #10873

There are two distinct pairs of shoes in OpenSSL, getters and setters. If it were only the getters which changed, we could just use const pointers everywhere. But setters also changed to const, hence we need a typedef to support everything from OpenSSL 1 to 4.

@Al2Klimov Al2Klimov added this to the 2.17.0 milestone Jun 2, 2026
@Al2Klimov Al2Klimov self-assigned this Jun 2, 2026
@Al2Klimov Al2Klimov added the bug Something isn't working label Jun 2, 2026
@cla-bot cla-bot Bot added the cla/signed label Jun 2, 2026
@Al2Klimov Al2Klimov force-pushed the fix/openssl4-compat branch 2 times, most recently from 42cb850 to dd09864 Compare June 2, 2026 13:22
@Al2Klimov Al2Klimov marked this pull request as ready for review June 2, 2026 13:40
@Al2Klimov Al2Klimov removed their assignment Jun 2, 2026
@Al2Klimov Al2Klimov added the backport-to-support/2.16 PRs with this label will automatically be backported to the v2.16 support branch. label Jun 17, 2026

jschmidt-icinga (Contributor) left a comment

Please improve the PR description to add reasoning to each of the changes involved, especially since it's difficult to test this and verify that it works without setting up an entire test install/container. For example, currently I have no idea why the change in pkiutility.cpp is even necessary.

Adding a quick and easy test setup to the PR-description would also be welcome, considering this isn't part of any of our GHAs at this moment.

Comment thread lib/base/tlsutility.hpp
Comment thread lib/base/tlsutility.cpp Outdated
Comment thread lib/remote/pkiutility.cpp
@Al2Klimov Al2Klimov changed the title Fix build errors against OpenSSL 4.0 Support OpenSSL 4.0, add Fedora 45 to GHA Jun 23, 2026
Al2Klimov (Member, Author) commented

I have no idea why the change in pkiutility.cpp is even necessary

Otherwise it fails to compile with OpenSSL 4: https://github.com/Icinga/icinga2/actions/runs/28028968103/job/82964146007

a quick and easy test setup to the PR-description would also be welcome, considering this isn't part of any of our GHAs at this moment

Idk what changes we'll make in the future, hence I prefer already adding it to the GHA via Fedora 45.

Yes, Fedora 45 will have OpenSSL 4.

We better prepare for this by having an Icinga 2.16.x with OpenSSL 4 support by Oct '26.

@Al2Klimov Al2Klimov force-pushed the fix/openssl4-compat branch from dd09864 to f780bf3 Compare June 23, 2026 13:48
jschmidt-icinga (Contributor) commented

Otherwise it fails to compile with OpenSSL 4: https://github.com/Icinga/icinga2/actions/runs/28028968103/job/82964146007

What I meant was, please add things like that to the PR description from the start in the future. And no, saying "Commit X is necessary because otherwise it fails to compile" and linking to a failed action isn't polite to your reviewers either. Instead write a quick paragraph like this:

OpenSSL 4.0 added implementation hiding for types like ASN1_INTEGER, which we previously accessed directly. Now we have to use their wrapper functions like ASN1_STRING_length(), which weren't available on OpenSSL <1.0, so it is necessary to put the relevant code in preprocessor #ifs for the time being.

Furthermore, commit-messages like

Replace direct ASN1_INTEGER field access (->length, ->data) with
ASN1_STRING_length() / ASN1_STRING_get0_data() accessors, and switch
to X509_get0_serialNumber() which returns const ASN1_INTEGER*.

are entirely pointless. They don't even really summarize anything you can't grasp from a quick look at the code. What I'm looking for from a commit message or the PR description is the reasoning behind a change, not a quick technical overview of what a change does.

to fix a build error against OpenSSL 4.0.
OpenSSL 4.0 made `X509_NAME*` pointers returned by `X509_get_subject_name()`,
`X509_REQ_get_subject_name()` and related getters const.
In contrast, under OpenSSL 1.x, setters expect non-const pointers,
hence our new typedef `X509NamePtr`.

- Use `X509NamePtr` parameters in `GetX509NameCN()`, `CreateCert()` and
  `CreateCertIcingaCA()` to match the const expectations per OpenSSL version
- Replace `X509_REQ_get_subject_name()` with `X509_NAME_new()` +
  `X509_REQ_set_subject_name()` for CSR subject modification,
  since the returned data can't be directly modified now

to fix a build error against OpenSSL 4.0.
OpenSSL 4.0 made `ASN1_INTEGER` an opaque type.

- Replace direct `ASN1_INTEGER` field access (`->length`, `->data`) with
  `ASN1_STRING_length()` / `ASN1_STRING_get0_data()` accessors
- Switch to `X509_get0_serialNumber()` which returns const `ASN1_INTEGER*`

The release of Fedora 45 will take months, but a distro shipping OpenSSL 4
is necessary to ensure persistent OpenSSL 4 compatibility.
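Added example, not Icinga 2 code and not the PR's own `X509NamePtr` implementation: the two compile-time facts the PR description and the commit messages above rely on, the 1.1.0 threshold for the `ASN1_STRING_*` accessors and the 4.0 threshold for const `X509_NAME*` getters, written as plain C functions over `OPENSSL_VERSION_NUMBER` values, plus the colon-separated rendering of the serial bytes those accessors return. It assumes only the documented `OPENSSL_VERSION_NUMBER` layouts and needs no OpenSSL headers; the sample inputs are constructed.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>
/* Added example, not Icinga 2 code. OPENSSL_VERSION_NUMBER is 0xMNNFFPPS
 * before 3.0 (major, minor, fix, patch letter, status) and 0xMNN00PP0 from
 * 3.0 on (major, minor, patch); the top 12 bits agree, so a guard such as
 * "#if OPENSSL_VERSION_NUMBER >= 0x10100000L" holds on 1.1.x, 3.x and 4.x. */
struct ossl_version { unsigned major, minor, patch; };

struct ossl_version ossl_decode(unsigned long n)
{
    struct ossl_version v;
    v.major = (n >> 28) & 0xF;
    v.minor = (n >> 20) & 0xFF;
    /* third component: bits 12..19 before 3.0, bits 4..11 from 3.0 on */
    v.patch = v.major >= 3 ? (n >> 4) & 0xFF : (n >> 12) & 0xFF;
    return v;
}
/* ASN1_STRING_get0_data()/X509_get0_serialNumber() exist since 1.1.0: the
 * threshold behind the #if in pkiutility.cpp; below it only ->length/->data
 * field access is available. */
bool ossl_has_asn1_accessors(unsigned long n) { return n >= 0x10100000L; }
/* X509_get_subject_name() and related getters return const X509_NAME* from
 * 4.0 on, while 1.x setters still take non-const: hence a version-selected
 * typedef like the PR's X509NamePtr. */
bool ossl_const_name_getters(unsigned long n) { return n >= 0x40000000L; }
/* Colon-separated hex of ASN1_INTEGER content bytes (what
 * ASN1_STRING_get0_data() hands out), as on the "Serial:" line above.
 * Returns chars written (NUL excluded); stops early if cap is too small. */
int format_serial(const unsigned char *data, int len, char *out, size_t cap)
{
    size_t pos = 0;
    for (int i = 0; i < len && pos + 4 <= cap; i++)
        pos += (size_t)snprintf(out + pos, cap - pos,
                                i + 1 < len ? "%02x:" : "%02x", data[i]);
    if (cap) out[pos] = '\0';
    return (int)pos;
}

int main(void)
{
    /* constructed inputs: the 4.0.0 build from above and a few serial bytes */
    struct ossl_version v = ossl_decode(0x40000000L);
    const unsigned char serial[] = {0x06, 0x95, 0x08, 0x37};
    char buf[32];
    format_serial(serial, 4, buf, sizeof buf);
    printf("OpenSSL %u.%u.%u accessors=%d const_getters=%d serial=%s\n", v.major,
           v.minor, v.patch, ossl_has_asn1_accessors(0x40000000L),
           ossl_const_name_getters(0x40000000L), buf);
    return 0;
}
```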
@Al2Klimov Al2Klimov force-pushed the fix/openssl4-compat branch from f780bf3 to 2e53957 Compare June 24, 2026 09:47
Comment thread lib/remote/pkiutility.cpp
#if OPENSSL_VERSION_NUMBER >= 0x10100000L
const ASN1_INTEGER *asn1_serial = X509_get0_serialNumber(cert.get());
int serial_len = ASN1_STRING_length(asn1_serial);
const unsigned char *serial_data = ASN1_STRING_get0_data(asn1_serial);
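Review bot: the `OPENSSL_VERSION_NUMBER >= 0x10100000L` threshold is the right one for this block, since `ASN1_STRING_get0_data()` and `X509_get0_serialNumber()` both arrived in OpenSSL 1.1.0; what is not visible here is the `#else` branch that keeps the direct `->length`/`->data` access for older builds, and it should produce the Serial line byte for byte the same as this path, so the printed fingerprint of a certificate does not depend on which OpenSSL the binary was built against. A one-line comment on the `#if` naming the 1.1.0 origin of the accessors would also record the reasoning the reviewer asked for.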

Al2Klimov (Member, Author) commented

The new code purrs like a cat:

➜  icinga2 git:(fix/openssl4-compat) prefix/sbin/icinga2 pki save-cert --host al2klimov.de --port 443 --trustedcert al2klimov.de.crt
information/cli: Retrieving TLS certificate for 'al2klimov.de:443'.

 Version:             3
 Subject:             CN = al2klimov.de
 Issuer:              C = US, O = Let's Encrypt, CN = YR2
 Valid From:          Jun  4 05:04:26 2026 GMT
 Valid Until:         Sep  2 05:04:25 2026 GMT
 Serial:              06:95:08:37:24:27:8b:32:f9:4c:f6:ba:d0:9e:c0:33:f1:b2

 Signature Algorithm: sha256WithRSAEncryption
 Subject Alt Names:   al2klimov.de
 Fingerprint:         5A E7 30 98 2E 10 C5 FD A2 EB D6 3C 16 2C 7E 46 A4 E3 8F 17 A5 B2 E4 55 FD 1D 2A 2A 6B 28 9F F0

***
*** You have to ensure that this certificate actually matches the parent
*** instance's certificate in order to avoid man-in-the-middle attacks.
***

information/pki: Writing certificate to file 'al2klimov.de.crt'.
➜  icinga2 git:(fix/openssl4-compat) prefix/sbin/icinga2 --version
icinga2 - The Icinga 2 network monitoring daemon (version: v2.16.0-24-g2e539576e; debug)

Copyright (c) 2012-2026 Icinga GmbH (https://icinga.com/)
License GPLv3+: GNU GPL version 3 or later <https://gnu.org/licenses/gpl-3.0.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

System information:
  Platform: macOS
  Platform version: 26.5.1
  Kernel: Darwin
  Kernel version: 25.5.0
  Architecture: arm64

Build information:
  Compiler: AppleClang 21.0.0.21000101
  Build host: ws-aklimov.int.netways.de
  OpenSSL version: OpenSSL 4.0.0 14 Apr 2026

Application information:

General paths:
  Config directory: /Users/aklimov/NET/WS/icinga2/prefix/etc/icinga2
  Data directory: /Users/aklimov/NET/WS/icinga2/prefix/var/lib/icinga2
  Log directory: /Users/aklimov/NET/WS/icinga2/prefix/var/log/icinga2
  Cache directory: /Users/aklimov/NET/WS/icinga2/prefix/var/cache/icinga2
  Spool directory: /Users/aklimov/NET/WS/icinga2/prefix/var/spool/icinga2
  Run directory: /Users/aklimov/NET/WS/icinga2/prefix/var/run/icinga2

Old paths (deprecated):
  Installation root: /Users/aklimov/NET/WS/icinga2/prefix
  Sysconf directory: /Users/aklimov/NET/WS/icinga2/prefix/etc
  Run directory (base): /Users/aklimov/NET/WS/icinga2/prefix/var/run
  Local state directory: /Users/aklimov/NET/WS/icinga2/prefix/var

Internal paths:
  Package data directory: /Users/aklimov/NET/WS/icinga2/prefix/share/icinga2
  State path: /Users/aklimov/NET/WS/icinga2/prefix/var/lib/icinga2/icinga2.state
  Modified attributes path: /Users/aklimov/NET/WS/icinga2/prefix/var/lib/icinga2/modified-attributes.conf
  Objects path: /Users/aklimov/NET/WS/icinga2/prefix/var/cache/icinga2/icinga2.debug
  Vars path: /Users/aklimov/NET/WS/icinga2/prefix/var/cache/icinga2/icinga2.vars
  PID path: /Users/aklimov/NET/WS/icinga2/prefix/var/run/icinga2/icinga2.pid
➜  icinga2 git:(fix/openssl4-compat)

jschmidt-icinga (Contributor) left a comment

Looks good to me. But let's wait with the merge until after the security releases. Also @julianbrost might want to take a look, since he's more knowledgeable on the SSL stuff. This doesn't touch any of the crypto stuff, but still it can't harm having a third opinion.


Development

Successfully merging this pull request may close these issues: "Fails to build with OpenSSL 4.0" and "Build failure with OpenSSL 4.0".
