[nginx] SSL: compatibility with X509_get_subject_name() in OpenS...

Maxim Dounin mdounin at mdounin.ru
Sun Mar 22 13:38:10 UTC 2026


details:   http://freenginx.org/hg/nginx/rev/91f88a8688ed
branches:  
changeset: 9482:91f88a8688ed
user:      Maxim Dounin <mdounin at mdounin.ru>
date:      Sun Mar 22 16:26:31 2026 +0300
description:
SSL: compatibility with X509_get_subject_name() in OpenSSL 4.0.

In OpenSSL 4.0 alpha 1, X509_get_subject_name() and X509_get_issuer_name()
return "const X509_NAME *" results.  To avoid warnings, the "const" qualifier
is added to the corresponding variables.

Note that in some cases it is safe to add the qualifier unconditionally, since
all functions being used accept const arguments (in all supported OpenSSL
versions).  In particular, in ngx_ssl_ocsp_create_key() the name is only
used in X509_NAME_digest(), which accepts a const argument since at least
OpenSSL 0.9.8, and therefore it is safe to use "const" unconditionally.

In other cases conditional compilation is required, since at least some
functions being used require non-const arguments.  In particular,
X509_NAME_oneline() and X509_NAME_print_ex() accept const only starting
with OpenSSL 1.1.0.

diffstat:

 src/event/ngx_event_openssl.c          |  15 +++++++++++++++
 src/event/ngx_event_openssl_stapling.c |   6 +++---
 2 files changed, 18 insertions(+), 3 deletions(-)

diffs (69 lines):

diff --git a/src/event/ngx_event_openssl.c b/src/event/ngx_event_openssl.c
--- a/src/event/ngx_event_openssl.c
+++ b/src/event/ngx_event_openssl.c
@@ -1278,6 +1278,9 @@ ngx_ssl_verify_callback(int ok, X509_STO
     char              *subject, *issuer;
     int                err, depth;
     X509              *cert;
+#if OPENSSL_VERSION_NUMBER >= 0x40000000L
+    const
+#endif
     X509_NAME         *sname, *iname;
     ngx_connection_t  *c;
     ngx_ssl_conn_t    *ssl_conn;
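
Review bot: the bare "const" between #if and #endif in ngx_ssl_verify_callback() qualifies both declarators on the next line, so sname and iname both become pointers to const X509_NAME on OpenSSL 4.0. That is the intended result, but the reason for the 0x40000000L threshold is recorded only in the commit message. A one-line comment above the #if saying that X509_get_subject_name() and X509_get_issuer_name() return const results from 4.0 on would keep the guard understandable from the source alone.
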
@@ -6328,6 +6331,9 @@ ngx_ssl_get_subject_dn(ngx_connection_t 
 {
     BIO        *bio;
     X509       *cert;
+#if OPENSSL_VERSION_NUMBER >= 0x40000000L
+    const
+#endif
     X509_NAME  *name;
 
     s->len = 0;
@@ -6382,6 +6388,9 @@ ngx_ssl_get_issuer_dn(ngx_connection_t *
 {
     BIO        *bio;
     X509       *cert;
+#if OPENSSL_VERSION_NUMBER >= 0x40000000L
+    const
+#endif
     X509_NAME  *name;
 
     s->len = 0;
@@ -6438,6 +6447,9 @@ ngx_ssl_get_subject_dn_legacy(ngx_connec
     char       *p;
     size_t      len;
     X509       *cert;
+#if OPENSSL_VERSION_NUMBER >= 0x40000000L
+    const
+#endif
     X509_NAME  *name;
 
     s->len = 0;
@@ -6486,6 +6498,9 @@ ngx_ssl_get_issuer_dn_legacy(ngx_connect
     char       *p;
     size_t      len;
     X509       *cert;
+#if OPENSSL_VERSION_NUMBER >= 0x40000000L
+    const
+#endif
     X509_NAME  *name;
 
     s->len = 0;
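
Review bot: with ngx_ssl_get_issuer_dn_legacy() this is the fifth identical three-line "#if OPENSSL_VERSION_NUMBER >= 0x40000000L / const / #endif" block added to ngx_event_openssl.c. Consider defining the qualifier once (a macro or a typedef for the name type, whichever fits the code base) and using it in all five declarations, so the version test lives in one place and the declarations keep their usual column alignment.
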
diff --git a/src/event/ngx_event_openssl_stapling.c b/src/event/ngx_event_openssl_stapling.c
--- a/src/event/ngx_event_openssl_stapling.c
+++ b/src/event/ngx_event_openssl_stapling.c
@@ -2629,9 +2629,9 @@ ngx_ssl_ocsp_cache_store(ngx_ssl_ocsp_ct
 static ngx_int_t
 ngx_ssl_ocsp_create_key(ngx_ssl_ocsp_ctx_t *ctx)
 {
-    u_char        *p;
-    X509_NAME     *name;
-    ASN1_INTEGER  *serial;
+    u_char           *p;
+    ASN1_INTEGER     *serial;
+    const X509_NAME  *name;
 
     p = ngx_pnalloc(ctx->pool, 60);
     if (p == NULL) {
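
Review bot: in ngx_ssl_ocsp_create_key() the const on name is unconditional, unlike the guarded declarations in ngx_event_openssl.c, and the hunk shows only the declarations, not the uses. The commit message names X509_NAME_digest() as the only consumer; a short comment at the declaration saying so would warn anyone who later passes name to X509_NAME_oneline() or X509_NAME_print_ex() here that those need the version guard on builds older than OpenSSL 1.1.0. The u_char and ASN1_INTEGER lines change only to realign the columns, which is fine.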

