Skip to content

[Backport support/2.16] Support OpenSSL 4.0, add Fedora 45 to GHA#10934

Merged
julianbrost merged 3 commits into
support/2.16from
backport-10868-to-support/2.16
Jul 9, 2026
Merged

[Backport support/2.16] Support OpenSSL 4.0, add Fedora 45 to GHA#10934
julianbrost merged 3 commits into
support/2.16from
backport-10868-to-support/2.16

Conversation

@backbot-ci

@backbot-ci backbot-ci Bot commented Jul 8, 2026

Copy link
Copy Markdown

Backport of #10868 to support/2.16, triggered by a label.


This is an automated backport PR. Please review it carefully before merging.

Al2Klimov added 3 commits July 8, 2026 10:19
to fix a build error against OpenSSL 4.0.
OpenSSL 4.0 made `X509_NAME*` pointers returned by `X509_get_subject_name()`,
`X509_REQ_get_subject_name()` and related getters const.
In contrast, under OpenSSL 1.x, setters expect non-const pointers,
hence our new typedef `X509NameConstPtr`.

- Use `X509NameConstPtr` parameters in `GetX509NameCN()`, `CreateCert()` and,
  `CreateCertIcingaCA()` to match the const expectations per OpenSSL version
- Replace `X509_REQ_get_subject_name()` with `X509_NAME_new()` +
  `X509_REQ_set_subject_name()` for CSR subject modification,
  since the returned data can't be directly modified now

(cherry picked from commit c02434e)
to fix a build error against OpenSSL 4.0.
OpenSSL 4.0 made `ASN1_INTEGER` an opaque type.

Also, `X509_get0_serialNumber()` must be used now,
which returns `const ASN1_INTEGER*`.

(cherry picked from commit ee648b3)
The release of Fedora 45 will take months, but a distro shipping OpenSSL 4
is necessary to ensure persistent OpenSSL 4 compatibility.

(cherry picked from commit c2da81d)
@backbot-ci backbot-ci Bot added the bug Something isn't working label Jul 8, 2026
@cla-bot cla-bot Bot added the cla/signed label Jul 8, 2026
@Al2Klimov Al2Klimov enabled auto-merge July 8, 2026 10:35
@Al2Klimov Al2Klimov added this to the 2.16.4 milestone Jul 8, 2026
@julianbrost julianbrost disabled auto-merge July 8, 2026 10:48
@julianbrost

Copy link
Copy Markdown
Member

Don't merge this yet. This implicitly removes support for OpenSSL 1.0.2 and thus implies that there won't be any potential 2.16.x security fixes for distributions like Amazon Linux 2. I want that we are all aware of that before merging.

@Al2Klimov

Copy link
Copy Markdown
Member
  • I know
  • AL2 won't receive any security updates anymore
  • AL2 didn't even receive the latest IW2 security updates
  • RHEL 7 didn't ever get Icinga 2.16 packages

@Al2Klimov Al2Klimov marked this pull request as ready for review July 8, 2026 11:08
@Al2Klimov Al2Klimov requested a review from julianbrost July 8, 2026 11:08

@julianbrost julianbrost left a comment

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The purpose of me marking this PR as draft was so that this doesn't get merged yet. Now you've got a request changes comment as a temporary placeholder stating that I want to consider things first that I would have liked to already consider as part of the review of #10868.

@julianbrost julianbrost self-requested a review July 8, 2026 11:12

@julianbrost julianbrost left a comment

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I talked to a few people today to make sure we are all on the same page that this change breaks OpenSSL 1.0.2 compatibility and thus specifically means that Amazon Linux 2 will not receive any further Icinga 2 releases, even if they were security fixes. So let's hope it's gone for good!

@julianbrost julianbrost merged commit 95f83b8 into support/2.16 Jul 9, 2026
32 of 33 checks passed
@julianbrost julianbrost deleted the backport-10868-to-support/2.16 branch July 9, 2026 14:39
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

bug Something isn't working cla/signed

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants