Skip to content

Support OpenSSL 4.0, add Fedora 45 to GHA#10868

Merged
Al2Klimov merged 3 commits into
masterfrom
fix/openssl4-compat
Jul 8, 2026
Merged

Support OpenSSL 4.0, add Fedora 45 to GHA#10868
Al2Klimov merged 3 commits into
masterfrom
fix/openssl4-compat

Conversation

@Al2Klimov

@Al2Klimov Al2Klimov commented Jun 2, 2026

Copy link
Copy Markdown
Member

OpenSSL 4.0 made X509_NAME* pointers returned by X509_get_subject_name(), X509_REQ_get_subject_name() and related functions const, and made ASN1_INTEGER an opaque type.

  • Add const to X509_NAME* parameters in GetX509NameCN(), CreateCert(), and CreateCertIcingaCA() to match the new const-correct return types
  • Replace X509_REQ_get_subject_name() with X509_NAME_new() + X509_REQ_set_subject_name() for CSR subject modification, since the returned pointer is now const
  • Replace direct ASN1_INTEGER field access (->length, ->data) with ASN1_STRING_length() / ASN1_STRING_get0_data() accessors, and switch to X509_get0_serialNumber() which returns const ASN1_INTEGER*
  • Add Fedora 45 to GitHub actions to ensure persistent OpenSSL 4 compatibility

fixes #10865
fixes #10873

Edit

There are two distinct pairs of shoes in OpenSSL, getters and setters. If it were only the getters which changed, we could just use const pointers everywhere. But setters also changed to const, hence we need a typedef to support everything from OpenSSL 1 to 4.

@Al2Klimov Al2Klimov added this to the 2.17.0 milestone Jun 2, 2026
@Al2Klimov Al2Klimov self-assigned this Jun 2, 2026
@Al2Klimov Al2Klimov added the bug Something isn't working label Jun 2, 2026
@cla-bot cla-bot Bot added the cla/signed label Jun 2, 2026
@Al2Klimov Al2Klimov force-pushed the fix/openssl4-compat branch 2 times, most recently from 42cb850 to dd09864 Compare June 2, 2026 13:22
@Al2Klimov Al2Klimov marked this pull request as ready for review June 2, 2026 13:40
@Al2Klimov Al2Klimov removed their assignment Jun 2, 2026
@Al2Klimov Al2Klimov added the backport-to-support/2.16 PRs with this label will automatically be backported to the v2.16 support branch. label Jun 17, 2026

@jschmidt-icinga jschmidt-icinga left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Please improve the PR description to add reasoning to each of the changes involved, especially since it's difficult to test this and verify that it works without setting up an entire test install/container. For example, currently I have no idea why the change in pkiutility.cpp is even necessary.

Adding a quick and easy test setup to the PR-description would also be welcome, considering this isn't part of any of our GHAs at this moment.

Comment thread lib/base/tlsutility.hpp Outdated
Comment thread lib/base/tlsutility.cpp Outdated
Comment thread lib/remote/pkiutility.cpp Outdated
@Al2Klimov Al2Klimov changed the title Fix build errors against OpenSSL 4.0 Support OpenSSL 4.0, add Fedora 45 to GHA Jun 23, 2026
@Al2Klimov

Copy link
Copy Markdown
Member Author

I have no idea why the change in pkiutility.cpp is even necessary

Otherwise it fails to compile with OpenSSL 4: https://github.com/Icinga/icinga2/actions/runs/28028968103/job/82964146007

a quick and easy test setup to the PR-description would also be welcome, considering this isn't part of any of our GHAs at this moment

Idk what changes we'll make in the future, hence I prefer already adding it to the GHA via Fedora 45.

Yes, Fedora 45 will have OpenSSL 4.

We better prepare for this by having an Icinga 2.16.x with OpenSSL 4 support by Oct '26.

@Al2Klimov Al2Klimov force-pushed the fix/openssl4-compat branch from dd09864 to f780bf3 Compare June 23, 2026 13:48
@jschmidt-icinga

Copy link
Copy Markdown
Contributor

Otherwise it fails to compile with OpenSSL 4: https://github.com/Icinga/icinga2/actions/runs/28028968103/job/82964146007

What I meant was, please add things like that to the PR description from the start in the future. And no, saying "Commit X is necessary because otherwise it fails to compile" and linking to a failed action isn't polite to your reviewers either. Instead write a quick paragraph like this:

OpenSSL 4.0 added implementation hiding for types like ASN1_INTEGER, which we previously accessed directly. Now we have to use their wrapper functions like ASN1_STRING_length(), which weren't available on OpenSSL <1.0, so it is necessary to put the relevant code in preprocessor #ifs for the time being.

Furthermore, commit-messages like

Replace direct ASN1_INTEGER field access (->length, ->data) with
ASN1_STRING_length() / ASN1_STRING_get0_data() accessors, and switch
to X509_get0_serialNumber() which returns const ASN1_INTEGER*.

are entirely pointless. They don't even really summarize anything you can't grasp from a quick look at the code. What I'm looking for from a commit message or the PR description is the reasoning behind a change, not a quick technical overview of what a change does.

@Al2Klimov Al2Klimov force-pushed the fix/openssl4-compat branch from f780bf3 to 2e53957 Compare June 24, 2026 09:47
Comment thread lib/remote/pkiutility.cpp Outdated
#if OPENSSL_VERSION_NUMBER >= 0x10100000L
const ASN1_INTEGER *asn1_serial = X509_get0_serialNumber(cert.get());
int serial_len = ASN1_STRING_length(asn1_serial);
const unsigned char *serial_data = ASN1_STRING_get0_data(asn1_serial);

Copy link
Copy Markdown
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The new code purrs like a cat:

➜  icinga2 git:(fix/openssl4-compat) prefix/sbin/icinga2 pki save-cert --host al2klimov.de --port 443 --trustedcert al2klimov.de.crt
information/cli: Retrieving TLS certificate for 'al2klimov.de:443'.

 Version:             3
 Subject:             CN = al2klimov.de
 Issuer:              C = US, O = Let's Encrypt, CN = YR2
 Valid From:          Jun  4 05:04:26 2026 GMT
 Valid Until:         Sep  2 05:04:25 2026 GMT
 Serial:              06:95:08:37:24:27:8b:32:f9:4c:f6:ba:d0:9e:c0:33:f1:b2

 Signature Algorithm: sha256WithRSAEncryption
 Subject Alt Names:   al2klimov.de
 Fingerprint:         5A E7 30 98 2E 10 C5 FD A2 EB D6 3C 16 2C 7E 46 A4 E3 8F 17 A5 B2 E4 55 FD 1D 2A 2A 6B 28 9F F0

***
*** You have to ensure that this certificate actually matches the parent
*** instance's certificate in order to avoid man-in-the-middle attacks.
***

information/pki: Writing certificate to file 'al2klimov.de.crt'.
➜  icinga2 git:(fix/openssl4-compat) prefix/sbin/icinga2 --version
icinga2 - The Icinga 2 network monitoring daemon (version: v2.16.0-24-g2e539576e; debug)

Copyright (c) 2012-2026 Icinga GmbH (https://icinga.com/)
License GPLv3+: GNU GPL version 3 or later <https://gnu.org/licenses/gpl-3.0.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

System information:
  Platform: macOS
  Platform version: 26.5.1
  Kernel: Darwin
  Kernel version: 25.5.0
  Architecture: arm64

Build information:
  Compiler: AppleClang 21.0.0.21000101
  Build host: ws-aklimov.int.netways.de
  OpenSSL version: OpenSSL 4.0.0 14 Apr 2026

Application information:

General paths:
  Config directory: /Users/aklimov/NET/WS/icinga2/prefix/etc/icinga2
  Data directory: /Users/aklimov/NET/WS/icinga2/prefix/var/lib/icinga2
  Log directory: /Users/aklimov/NET/WS/icinga2/prefix/var/log/icinga2
  Cache directory: /Users/aklimov/NET/WS/icinga2/prefix/var/cache/icinga2
  Spool directory: /Users/aklimov/NET/WS/icinga2/prefix/var/spool/icinga2
  Run directory: /Users/aklimov/NET/WS/icinga2/prefix/var/run/icinga2

Old paths (deprecated):
  Installation root: /Users/aklimov/NET/WS/icinga2/prefix
  Sysconf directory: /Users/aklimov/NET/WS/icinga2/prefix/etc
  Run directory (base): /Users/aklimov/NET/WS/icinga2/prefix/var/run
  Local state directory: /Users/aklimov/NET/WS/icinga2/prefix/var

Internal paths:
  Package data directory: /Users/aklimov/NET/WS/icinga2/prefix/share/icinga2
  State path: /Users/aklimov/NET/WS/icinga2/prefix/var/lib/icinga2/icinga2.state
  Modified attributes path: /Users/aklimov/NET/WS/icinga2/prefix/var/lib/icinga2/modified-attributes.conf
  Objects path: /Users/aklimov/NET/WS/icinga2/prefix/var/cache/icinga2/icinga2.debug
  Vars path: /Users/aklimov/NET/WS/icinga2/prefix/var/cache/icinga2/icinga2.vars
  PID path: /Users/aklimov/NET/WS/icinga2/prefix/var/run/icinga2/icinga2.pid
➜  icinga2 git:(fix/openssl4-compat)

@jschmidt-icinga jschmidt-icinga left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looks good to me. But lets wait with the merge until after the security releases. Also @julianbrost might want to take a look, since he's more knowledgeable on the SSL stuff. This doesn't touch any of the crypto-stuff, but still it can't harm having a third opinion.

Comment thread lib/base/tlsutility.hpp Outdated
Comment thread lib/remote/pkiutility.cpp Outdated
Al2Klimov added 3 commits July 7, 2026 15:36
to fix a build error against OpenSSL 4.0.
OpenSSL 4.0 made `X509_NAME*` pointers returned by `X509_get_subject_name()`,
`X509_REQ_get_subject_name()` and related getters const.
In contrast, under OpenSSL 1.x, setters expect non-const pointers,
hence our new typedef `X509NameConstPtr`.

- Use `X509NameConstPtr` parameters in `GetX509NameCN()`, `CreateCert()` and,
  `CreateCertIcingaCA()` to match the const expectations per OpenSSL version
- Replace `X509_REQ_get_subject_name()` with `X509_NAME_new()` +
  `X509_REQ_set_subject_name()` for CSR subject modification,
  since the returned data can't be directly modified now
to fix a build error against OpenSSL 4.0.
OpenSSL 4.0 made `ASN1_INTEGER` an opaque type.

Also, `X509_get0_serialNumber()` must be used now,
which returns `const ASN1_INTEGER*`.
The release of Fedora 45 will take months, but a distro shipping OpenSSL 4
is necessary to ensure persistent OpenSSL 4 compatibility.
@Al2Klimov Al2Klimov force-pushed the fix/openssl4-compat branch from 3e74072 to c2da81d Compare July 7, 2026 13:37
Comment thread lib/remote/pkiutility.cpp
Comment on lines -348 to +349
ASN1_INTEGER *asn1_serial = X509_get_serialNumber(cert.get());
for (int i = 0; i < asn1_serial->length; i++) {
BIO_printf(out, "%02x%c", asn1_serial->data[i], ((i + 1 == asn1_serial->length) ? '\n' : ':'));
}
i2a_ASN1_INTEGER(out, X509_get0_serialNumber(cert.get()));
BIO_write(out, "\n", 1);

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This changes the output format slightly, from

 Serial:              39:7b:66:7a:3b:d2:73:49:1b:3f:a1:8c:83:a7:15:e5:07:38:91:1e

to

 Serial:              397B667A3BD273491B3FA18C83A715E50738911E

I'm willing to accept that if that makes our lives here easier. This is just the serial, not something you need to compare (things would look different if this was the fingerprint that you would want to compare for security reasons).

I've also looked if I could find another easy way to print an ASN1_INTEGER, but without success. However, I think I have an idea of what might have served as an inspiration for the old implementation.

@Al2Klimov Al2Klimov merged commit 8ff3d58 into master Jul 8, 2026
30 checks passed
@Al2Klimov Al2Klimov deleted the fix/openssl4-compat branch July 8, 2026 10:19
@backbot-ci

backbot-ci Bot commented Jul 8, 2026

Copy link
Copy Markdown

Successfully created backport PR for support/2.16:

@julianbrost

Copy link
Copy Markdown
Member

Hold on a second, the #ifdef in #10868 (comment) (lib/remote/pkiutility.cpp) disappeared not because you found a way that works across all versions, but rather because you've dropped support for OpenSSL 1.0.2? It's not that I fundamentally disapprove this change, but this should have been done more transparently, allowing reviewers to properly consider this.

@Al2Klimov

Copy link
Copy Markdown
Member Author

Same for #9889, and I've even prepared a force push for #10649. Except that not #10868 dropped support for OpenSSL 1.0.2, #10931 did. Less code, less problems.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

backport-to-support/2.16 PRs with this label will automatically be backported to the v2.16 support branch. bug Something isn't working cla/signed

Projects

None yet

Development

Successfully merging this pull request may close these issues.

Build failure with OpenSSL 4.0 Fails to build with OpenSSL 4.0

3 participants