Commit 8c108ae03b for openssl.org
commit 8c108ae03b5302aa525322a51fb9f526099f1d55
Author: Andrew Dinh <andrewd@openssl.org>
Date: Mon Sep 8 23:43:01 2025 +1000
Deprecate SSL3 Configure flags
Show a deprecated warning if users attempt to run Configure script with
no-ssl3, no-ssl, or no-ssl3-method. Also adds a fix to the Configure
script preventing users from enabling deprecated flags.
Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Saša NedvÄ›dický <sashan@openssl.org>
Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/29338)
diff --git a/Configure b/Configure
index 5923af9a69..c0f3fec989 100755
--- a/Configure
+++ b/Configure
@@ -528,7 +528,6 @@ my @disablables = (
"srp",
"srtp",
"sse2",
- "ssl",
"ssl-trace",
"stdio",
"sslkeylog",
@@ -581,6 +580,9 @@ my %deprecated_disablables = (
"ripemd" => "rmd160",
"ui" => "ui-console",
"heartbeats" => undef,
+ "ssl" => undef,
+ "ssl3" => undef,
+ "ssl3-method" => undef,
);
# All of the following are disabled by default:
@@ -611,8 +613,6 @@ our %disabled = ( # "what" => "comment"
"msan" => "default",
"rc5" => "default",
"sctp" => "default",
- "ssl3" => "default",
- "ssl3-method" => "default",
"sslkeylog" => "default",
"tfo" => "default",
"trace" => "default",
@@ -641,14 +641,12 @@ my @disable_cascades = (
"rc2", "rc4", "rmd160",
"scrypt", "seed", "siphash", "siv",
"slh-dsa", "sm3", "sm4", "srp",
- "srtp", "ssl3-method", "ssl-trace",
+ "srtp", "ssl-trace",
"tfo",
"ts", "ui-console", "whirlpool",
"fips-securitychecks" ],
sub { $config{processor} eq "386" }
=> [ "sse2" ],
- "ssl" => [ "ssl3" ],
- "ssl3-method" => [ "ssl3" ],
"zlib" => [ "zlib-dynamic" ],
"brotli" => [ "brotli-dynamic" ],
"zstd" => [ "zstd-dynamic" ],
@@ -882,6 +880,13 @@ while (@argvcopy)
$unsupported_options{$_} = 1;
next;
}
+
+ # Do not allow users to enable deprecated flags
+ if (/^enable-(.+)$/ && exists $deprecated_disablables{$word})
+ {
+ $unsupported_options{$_} = 1;
+ next;
+ }
}
if (/^no-(.+)$/ || /^disable-(.+)$/)
{
@@ -901,11 +906,6 @@ while (@argvcopy)
}
$disabled{"dtls"} = "option(dtls)";
}
- elsif ($1 eq "ssl")
- {
- # Last one of its kind
- $disabled{"ssl3"} = "option(ssl)";
- }
elsif ($1 eq "tls")
{
# XXX: Tests will fail if all SSL/TLS