Re: git: 01aee8c92d93 - main - libfetch: do not call deprecated OpenSSL functions

From: John Baldwin <jhb_at_FreeBSD.org>
Date: Thu, 25 May 2023 16:49:42 UTC

On 5/25/23 9:22 AM, Ed Maste wrote:
> The branch main has been updated by emaste:
> 
> URL: https://cgit.FreeBSD.org/src/commit/?id=01aee8c92d936470c44821736e0d9e11ed7ce812
> 
> commit 01aee8c92d936470c44821736e0d9e11ed7ce812
> Author:     Ed Maste <emaste@FreeBSD.org>
> AuthorDate: 2023-05-25 15:24:48 +0000
> Commit:     Ed Maste <emaste@FreeBSD.org>
> CommitDate: 2023-05-25 16:20:15 +0000
> 
>      libfetch: do not call deprecated OpenSSL functions
>      
>      As of OpenSSL 1.1 SSL_library_init() and SSL_load_error_strings() are
>      deprecated.  There are replacement initialization functions but they do
>      not need to be called: "As of version 1.1.0 OpenSSL will automatically
>      allocate all resources that it needs so no explicit initialisation is
>      required."
>      
>      Wrap both calls in an OPENSSL_VERSION_NUMBER block.
>      
>      PR:             271615
>      Reviewed by:    Pierre Pronchery <pierre@freebsdfoundation.org>
>      Event:          Kitchener-Waterloo Hackathon 202305
>      Sponsored by:   The FreeBSD Foundation
>      Differential Revision: https://reviews.freebsd.org/D40265
> ---
>   lib/libfetch/common.c | 2 ++
>   1 file changed, 2 insertions(+)
> 
> diff --git a/lib/libfetch/common.c b/lib/libfetch/common.c
> index 7bf487b0db1d..f2122d7f45c9 100644
> --- a/lib/libfetch/common.c
> +++ b/lib/libfetch/common.c
> @@ -1204,6 +1204,7 @@ fetch_ssl(conn_t *conn, const struct url *URL, int verbose)
>   	X509_NAME *name;
>   	char *str;
>   
> +#if OPENSSL_VERSION_NUMBER < 0x10100000L
>   	/* Init the SSL library and context */
>   	if (!SSL_library_init()){
>   		fprintf(stderr, "SSL library init failed\n");
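
Review bot: The comment `/* Init the SSL library and context */` now sits inside the `#if OPENSSL_VERSION_NUMBER < 0x10100000L` block, although the calls being guarded are only the library-level ones (`SSL_library_init()` here, `SSL_load_error_strings()` in the next hunk). Reword the comment to say that explicit library initialisation is only needed before 1.1.0, and keep any remark about the context with the code outside the guard.
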
> @@ -1211,6 +1212,7 @@ fetch_ssl(conn_t *conn, const struct url *URL, int verbose)
>   	}
>   
>   	SSL_load_error_strings();
> +#endif
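
Review bot: The `#endif` after `SSL_load_error_strings();` closes a guard that was opened above the init-failure branch, and nothing on the line says which condition it ends. Suggest `#endif /* OPENSSL_VERSION_NUMBER < 0x10100000L */` so the extent of the pre-1.1.0 block is clear when reading the function.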

Should we just remove this code outright?  I don't think there's any value in
supporting pre-1.1 OpenSSL versions?

-- 
John Baldwin