[PATCH 1 of 5] SSL: compatibility with X509_get_subject_name() in OpenSSL 4.0

Maxim Dounin mdounin at mdounin.ru
Sun Mar 15 12:08:24 UTC 2026


# HG changeset patch
# User Maxim Dounin <mdounin at mdounin.ru>
# Date 1773534572 -10800
#      Sun Mar 15 03:29:32 2026 +0300
# Node ID f4b3140bee29158dbd3fe9c82f748d17bb25546a
# Parent  66b28e8ff0cb5ace2d9ecbedb6f49946c8f77f07
SSL: compatibility with X509_get_subject_name() in OpenSSL 4.0.

In OpenSSL 4.0 alpha 1, X509_get_subject_name() and X509_get_issuer_name()
return "const X509_NAME *" results.  To avoid warnings, the "const" qualifier
is added to the corresponding variables.

Note that in some cases it is safe to add qualifier unconditionally, since
all functions being used accept const arguments (in all supported OpenSSL
versions).  In particular, in ngx_ssl_ocsp_create_key() the name is only
used in X509_NAME_digest(), which accepts a const argument since at least
OpenSSL 0.9.8, and therefore it is safe to use "const" unconditionally.

In other cases conditional compilation is required, since at least some
functions being used require non-const arguments.  In particular,
X509_NAME_oneline() and X509_NAME_print_ex() accept const only starting
with OpenSSL 1.1.0.

diff --git a/src/event/ngx_event_openssl.c b/src/event/ngx_event_openssl.c
--- a/src/event/ngx_event_openssl.c
+++ b/src/event/ngx_event_openssl.c
@@ -1278,6 +1278,9 @@ ngx_ssl_verify_callback(int ok, X509_STO
     char              *subject, *issuer;
     int                err, depth;
     X509              *cert;
+#if OPENSSL_VERSION_NUMBER >= 0x40000000L
+    const
+#endif
     X509_NAME         *sname, *iname;
     ngx_connection_t  *c;
     ngx_ssl_conn_t    *ssl_conn;
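Review bot: The reason for gating `const` at `0x40000000L` is recorded only in the commit message, so the five identical `#if` blocks (this one in ngx_ssl_verify_callback and those in the ngx_ssl_get_subject_dn, ngx_ssl_get_issuer_dn, ngx_ssl_get_subject_dn_legacy and ngx_ssl_get_issuer_dn_legacy hunks) give a later reader no hint why the qualifier cannot be unconditional. A short comment at the first of them would keep that visible, for example `/* X509_get_subject_name() returns const since OpenSSL 4.0; X509_NAME_oneline() accepts const only since 1.1.0 */`. Each hunk shows only the declarations, and the uses of these variables lie outside it. That every consumer accepts a const pointer is therefore best confirmed by building with warnings treated as errors against the oldest supported OpenSSL, a 1.1.x or 3.x release, and 4.0.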
@@ -6328,6 +6331,9 @@ ngx_ssl_get_subject_dn(ngx_connection_t 
 {
     BIO        *bio;
     X509       *cert;
+#if OPENSSL_VERSION_NUMBER >= 0x40000000L
+    const
+#endif
     X509_NAME  *name;
 
     s->len = 0;
@@ -6382,6 +6388,9 @@ ngx_ssl_get_issuer_dn(ngx_connection_t *
 {
     BIO        *bio;
     X509       *cert;
+#if OPENSSL_VERSION_NUMBER >= 0x40000000L
+    const
+#endif
     X509_NAME  *name;
 
     s->len = 0;
@@ -6438,6 +6447,9 @@ ngx_ssl_get_subject_dn_legacy(ngx_connec
     char       *p;
     size_t      len;
     X509       *cert;
+#if OPENSSL_VERSION_NUMBER >= 0x40000000L
+    const
+#endif
     X509_NAME  *name;
 
     s->len = 0;
@@ -6486,6 +6498,9 @@ ngx_ssl_get_issuer_dn_legacy(ngx_connect
     char       *p;
     size_t      len;
     X509       *cert;
+#if OPENSSL_VERSION_NUMBER >= 0x40000000L
+    const
+#endif
     X509_NAME  *name;
 
     s->len = 0;
diff --git a/src/event/ngx_event_openssl_stapling.c b/src/event/ngx_event_openssl_stapling.c
--- a/src/event/ngx_event_openssl_stapling.c
+++ b/src/event/ngx_event_openssl_stapling.c
@@ -2629,9 +2629,9 @@ ngx_ssl_ocsp_cache_store(ngx_ssl_ocsp_ct
 static ngx_int_t
 ngx_ssl_ocsp_create_key(ngx_ssl_ocsp_ctx_t *ctx)
 {
-    u_char        *p;
-    X509_NAME     *name;
-    ASN1_INTEGER  *serial;
+    u_char           *p;
+    ASN1_INTEGER     *serial;
+    const X509_NAME  *name;
 
     p = ngx_pnalloc(ctx->pool, 60);
     if (p == NULL) {


