git: e20dba3a212d - stable/13 - libfetch: remove all old OpenSSL support

Go to: [ bottom of page ] [ top of archives ] [ this month ]
From: Dag-Erling Smørgrav <des_at_FreeBSD.org>
Date: Wed, 11 Feb 2026 20:42:07 UTC
The branch stable/13 has been updated by des:

URL: https://cgit.FreeBSD.org/src/commit/?id=e20dba3a212d9e114c697b31ae9104e21a03a6d2

commit e20dba3a212d9e114c697b31ae9104e21a03a6d2
Author:     Enji Cooper <ngie@FreeBSD.org>
AuthorDate: 2023-06-22 03:53:54 +0000
Commit:     Dag-Erling Smørgrav <des@FreeBSD.org>
CommitDate: 2026-02-11 13:53:30 +0000

    libfetch: remove all old OpenSSL support
    
    This change removes pre-OpenSSL 1.1 supporting code and removes/adjusted
    preprocessor conditionals which were tautilogically true as FreeBSD main
    has shipped with OpenSSL 1.1+ for some time.
    
    Reviewed by:    emaste
    Differential Revision:  https://reviews.freebsd.org/D40711
    
    (cherry picked from commit bc1027a7785166fde9c2a3b48e6e70d198377d4b)
---
 lib/libfetch/common.c | 28 +---------------------------
 1 file changed, 1 insertion(+), 27 deletions(-)

diff --git a/lib/libfetch/common.c b/lib/libfetch/common.c
index 3a7aba160206..723cba62bb57 100644
--- a/lib/libfetch/common.c
+++ b/lib/libfetch/common.c
@@ -948,24 +948,8 @@ fetch_ssl_verify_altname(STACK_OF(GENERAL_NAME) *altnames,
 	const char *ns;
 
 	for (i = 0; i < sk_GENERAL_NAME_num(altnames); ++i) {
-#if OPENSSL_VERSION_NUMBER < 0x10000000L
-		/*
-		 * This is a workaround, since the following line causes
-		 * alignment issues in clang:
-		 * name = sk_GENERAL_NAME_value(altnames, i);
-		 * OpenSSL explicitly warns not to use those macros
-		 * directly, but there isn't much choice (and there
-		 * shouldn't be any ill side effects)
-		 */
-		name = (GENERAL_NAME *)SKM_sk_value(void, altnames, i);
-#else
 		name = sk_GENERAL_NAME_value(altnames, i);
-#endif
-#if OPENSSL_VERSION_NUMBER < 0x10100000L
-		ns = (const char *)ASN1_STRING_data(name->d.ia5);
-#else
 		ns = (const char *)ASN1_STRING_get0_data(name->d.ia5);
-#endif
 		nslen = (size_t)ASN1_STRING_length(name->d.ia5);
 
 		if (name->type == GEN_DNS && ip == NULL &&
@@ -1196,16 +1180,6 @@ fetch_ssl(conn_t *conn, const struct url *URL, int verbose)
 	X509_NAME *name;
 	char *str;
 
-#if OPENSSL_VERSION_NUMBER < 0x10100000L
-	/* Init the SSL library and context */
-	if (!SSL_library_init()){
-		fprintf(stderr, "SSL library init failed\n");
-		return (-1);
-	}
-
-	SSL_load_error_strings();
-#endif
-
 	conn->ssl_meth = SSLv23_client_method();
 	conn->ssl_ctx = SSL_CTX_new(conn->ssl_meth);
 	SSL_CTX_set_mode(conn->ssl_ctx, SSL_MODE_AUTO_RETRY);
@@ -1223,7 +1197,7 @@ fetch_ssl(conn_t *conn, const struct url *URL, int verbose)
 	}
 	SSL_set_fd(conn->ssl, conn->sd);
 
-#if OPENSSL_VERSION_NUMBER >= 0x0090806fL && !defined(OPENSSL_NO_TLSEXT)
+#if !defined(OPENSSL_NO_TLSEXT)
 	if (!SSL_set_tlsext_host_name(conn->ssl,
 	    __DECONST(struct url *, URL)->host)) {
 		fprintf(stderr,