@christos, this EVP change to cert generation seems to work fine for me with libssl1.1. But when I build against libssl3 the first "make check" test of default squid.conf parsing hangs when initializing the default "untrusted" server cert Squid uses for error responses. Is there anything you can see I'm doing wrong or can think of elsewhere that may be leading to the hang? Does this code work for you with OpenSSL 1.1? If we can't track this down ourselves I will try to get in touch with OpenSSL dev about a possible v3 bug at their end.
The "make check" works for me using the OpenSSL 1.1.1 and OpenSSL 3.0.0-alpha5 releases.
My sense is that CreateRsaPrivateKey is not correctly implemented. But I do not know if it can hang Squid.
I must also note that Squid cannot compile when it tries to use an OpenSSL 3.0.0 that is not compiled with the OPENSSL_NO_ENGINE flag. It fails inside Ssl::Initialize, in the support.cc file, inside the OPENSSL_NO_ENGINE-related block of code.
As of d4a42e7 all the requests that have been insisted on are resolved. There is just #694 (comment), which I leave to @rousskov to submit a PR making the change. Since that is not being insisted on for inclusion, AFAICT this PR is ready to go in.
Thank you for addressing all blocking concerns.
I have no objections and have cleared this PR for merging.
However, I will not dismiss @yadij review requests to avoid creating a dangerous precedent. @yadij, please cancel those requests if you believe those reviews are no longer required. Anubis will not merge while those review requests are pending.
This TLS update includes:

* Fix build with OpenSSL v3.
* Refactor RSA key generation to avoid deprecated RSA_*() APIs.
* Refactor DH parameter and key config to avoid deprecated DH_*() APIs.
* Refactor ECDH key creation to avoid deprecated EC_*() APIs.
* Deprecate ssl_engine support in builds with OpenSSL v1-.
* Disable ssl_engine support in builds with OpenSSL v3+.

We deprecated/removed ssl_engine support (as summarized in the last two
bullets above) without providing an OpenSSL Providers-based alternative
because of the following factors:

1. We do not have the resources to update ssl_engine code to build
(without deprecation warnings) with OpenSSL v3 when the feature is
unused.
2. We do not have the resources to create an OpenSSL v3 Provider-based
replacement for ssl_engine code that uses deprecated Engine APIs.
3. OpenSSL v3 deprecated Engine support (triggering deprecation warnings
in applications that use Engine APIs with OpenSSL v3). Since Squid
default builds use -Werror, doing nothing would break such builds.
4. Squid ssl_engine does not appear to be a popular feature.
Squid 5.7 (05 Sep 2022) officially contains support for OpenSSL 3.0.