OpenSSL 3.0 deprecations

Open vshabanov opened this issue 4 years ago • 5 comments

There are a lot of deprecated functions in OpenSSL 3.0 (see #62 for example).

https://www.openssl.org/docs/man3.0/man7/migration_guide.html#Deprecation-of-Low-Level-Functions

Haven't looked into details but I suppose that there should be two cases:

  1. Haskell module exports deprecated OpenSSL functions. Such bindings should have a deprecation warning in Haskell as well (when compiled with OpenSSL 3.0) and alternative bindings should be added if necessary (with a deprecation message pointing to them).
  2. Haskell modules that don't export deprecated functions but use them underneath should be updated to use new functions from migration guide.

Looks like a lot of work for me at the moment (we may need to replace import ccall with import capi to see all deprecations). So it will be amazing if somebody would take a leap and send a PR for this issue.

vshabanov avatar Sep 28 '21 12:09 vshabanov

Need to add import capi anyway to get rid of linking errors in #73.

vshabanov avatar Dec 11 '22 17:12 vshabanov

FreeBSD 14 imported OpenSSL 3 into its base and now I can't get HsOpenSSL working.

When building without any additional defines I get undefined reference to DSA_generate_parameters and with --gcc-option=-DOPENSSL_NO_DEPRECATED I get

cbits/HsOpenSSL.h:107:24: error: unknown type name 'DSA'
int HsOpenSSL_dsa_sign(DSA *dsa, const unsigned char *ddata, int len,
                       ^

What can be done about that?

arrowd avatar Oct 19 '23 12:10 arrowd

Unfortunately, many DSA functions are deprecated. They need to be replaced with EVP_* functions as described in https://www.openssl.org/docs/man3.0/man7/migration_guide.html#Deprecated-low-level-key-generation-functions. I will gladly accept a PR that uses new functions.

vshabanov avatar Oct 21 '23 20:10 vshabanov
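As an added illustration of the migration the thread points at (import capi instead of import ccall in the first post, EVP_* replacements for the deprecated DSA key-generation calls in the comment above), here is a hypothetical Haskell module that generates a DSA key pair through the OpenSSL 3.0 EVP_PKEY API. This is not HsOpenSSL's own code; the module name, the function names generateDSAKeyPair and withDSAKeyPair, and the helpers are assumptions, and it assumes OpenSSL 3.0 headers and libcrypto are visible to the build (for example via extra-libraries: crypto in the .cabal file).

```haskell
{-# LANGUAGE CApiFFI #-}
-- Hypothetical module, not part of HsOpenSSL: DSA key generation via the
-- non-deprecated EVP_PKEY interface of OpenSSL 3.0.
module OpenSSL.EVP.DSAKeygen (generateDSAKeyPair, withDSAKeyPair) where

import Control.Exception (ErrorCall (..), bracket, throwIO)
import Control.Monad (when)
import Foreign.C.String (CString, withCString)
import Foreign.C.Types (CInt (..))
import Foreign.Marshal.Alloc (alloca)
import Foreign.Ptr (Ptr, nullPtr)
import Foreign.Storable (peek, poke)

-- Opaque OpenSSL handle types; only ever used behind a Ptr.
data OSSL_LIB_CTX
data EVP_PKEY_CTX
data EVP_PKEY

-- 'capi' imports go through a generated C stub that #includes the named
-- header, so GHC sees OpenSSL's prototypes (and deprecation attributes)
-- exactly as a C compiler would. EVP_PKEY_CTX_set_dsa_paramgen_bits was a
-- macro over EVP_PKEY_CTX_ctrl before 3.0 and is a real function from 3.0
-- on; 'capi' handles both, 'ccall' would only ever link against a symbol.
-- Parameter and key generation can take seconds, so those two are 'safe'
-- calls that do not block the other Haskell threads on this capability.
foreign import capi unsafe "openssl/evp.h EVP_PKEY_CTX_new_from_name"
  c_EVP_PKEY_CTX_new_from_name
    :: Ptr OSSL_LIB_CTX -> CString -> CString -> IO (Ptr EVP_PKEY_CTX)
foreign import capi unsafe "openssl/evp.h EVP_PKEY_CTX_new_from_pkey"
  c_EVP_PKEY_CTX_new_from_pkey
    :: Ptr OSSL_LIB_CTX -> Ptr EVP_PKEY -> CString -> IO (Ptr EVP_PKEY_CTX)
foreign import capi unsafe "openssl/evp.h EVP_PKEY_paramgen_init"
  c_EVP_PKEY_paramgen_init :: Ptr EVP_PKEY_CTX -> IO CInt
foreign import capi unsafe "openssl/dsa.h EVP_PKEY_CTX_set_dsa_paramgen_bits"
  c_EVP_PKEY_CTX_set_dsa_paramgen_bits :: Ptr EVP_PKEY_CTX -> CInt -> IO CInt
foreign import capi safe "openssl/evp.h EVP_PKEY_paramgen"
  c_EVP_PKEY_paramgen :: Ptr EVP_PKEY_CTX -> Ptr (Ptr EVP_PKEY) -> IO CInt
foreign import capi unsafe "openssl/evp.h EVP_PKEY_keygen_init"
  c_EVP_PKEY_keygen_init :: Ptr EVP_PKEY_CTX -> IO CInt
foreign import capi safe "openssl/evp.h EVP_PKEY_keygen"
  c_EVP_PKEY_keygen :: Ptr EVP_PKEY_CTX -> Ptr (Ptr EVP_PKEY) -> IO CInt
foreign import capi unsafe "openssl/evp.h EVP_PKEY_CTX_free"
  c_EVP_PKEY_CTX_free :: Ptr EVP_PKEY_CTX -> IO ()
foreign import capi unsafe "openssl/evp.h EVP_PKEY_free"
  c_EVP_PKEY_free :: Ptr EVP_PKEY -> IO ()

-- OpenSSL reports 1 on success and 0 or a negative value on failure;
-- turn anything but 1 into an exception so no error is silently dropped.
check :: String -> IO CInt -> IO ()
check what act = do
  rc <- act
  when (rc /= 1) $ throwIO (ErrorCall (what ++ " failed (rc=" ++ show rc ++ ")"))

-- Allocate an EVP_PKEY_CTX and free it whether the action returns or throws.
withCtx :: IO (Ptr EVP_PKEY_CTX) -> (Ptr EVP_PKEY_CTX -> IO a) -> IO a
withCtx mk = bracket acquire c_EVP_PKEY_CTX_free
  where
    acquire = do
      ctx <- mk
      when (ctx == nullPtr) $ throwIO (ErrorCall "EVP_PKEY_CTX allocation failed")
      return ctx

-- Run a generator that returns its result through an EVP_PKEY ** parameter.
generateInto :: String -> (Ptr (Ptr EVP_PKEY) -> IO CInt) -> IO (Ptr EVP_PKEY)
generateInto what gen = alloca $ \pp -> do
  poke pp nullPtr -- OpenSSL allocates a fresh EVP_PKEY only when *pp == NULL
  check what (gen pp)
  peek pp

-- Replacement for the deprecated DSA_generate_parameters + DSA_generate_key
-- pair: domain parameters first, then a key pair on top of them. The caller
-- owns the returned EVP_PKEY and must release it with EVP_PKEY_free.
generateDSAKeyPair :: Int -> IO (Ptr EVP_PKEY)
generateDSAKeyPair bits =
  withCString "DSA" $ \alg ->
  withCtx (c_EVP_PKEY_CTX_new_from_name nullPtr alg nullPtr) $ \pctx -> do
    check "EVP_PKEY_paramgen_init" (c_EVP_PKEY_paramgen_init pctx)
    check "EVP_PKEY_CTX_set_dsa_paramgen_bits"
          (c_EVP_PKEY_CTX_set_dsa_paramgen_bits pctx (fromIntegral bits))
    bracket (generateInto "EVP_PKEY_paramgen" (c_EVP_PKEY_paramgen pctx))
            c_EVP_PKEY_free $ \params ->
      withCtx (c_EVP_PKEY_CTX_new_from_pkey nullPtr params nullPtr) $ \kctx -> do
        check "EVP_PKEY_keygen_init" (c_EVP_PKEY_keygen_init kctx)
        generateInto "EVP_PKEY_keygen" (c_EVP_PKEY_keygen kctx)

-- Scoped variant: the key is freed when the continuation returns or throws.
withDSAKeyPair :: Int -> (Ptr EVP_PKEY -> IO a) -> IO a
withDSAKeyPair bits = bracket (generateDSAKeyPair bits) c_EVP_PKEY_free
```

A caller would write withDSAKeyPair 2048 $ \key -> ... and hand the EVP_PKEY to the EVP_PKEY_sign / EVP_DigestSign family rather than to DSA_do_sign. The same shape (paramgen context, then keygen context built from the parameters) is what the migration guide prescribes for the other deprecated low-level key-generation functions, so a binding written this way builds cleanly with -DOPENSSL_NO_DEPRECATED, where the old DSA type is no longer declared.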

servant is getting hit by this in its development repo. Unfortunately I am very unfamiliar with OpenSSL. Is there anything I can do to help or should this be left to someone who knows their stuff?

tchoutri avatar Jul 05 '24 13:07 tchoutri

There are no active HsOpenSSL developers at the moment. Maybe it's worth trying to remove all deprecated functions and make HsOpenSSL 0.12, which is incompatible with previous versions because OpenSSL 3.0 is not.

There's no DSA_generate_parameters in OpenSSL 3.0, so I think there's not much sense in trying to emulate it.

I don't know how much stuff will be broken due to this. I suppose the SSL connection setup and I/O should still work, and that's probably the lion's share of HsOpenSSL usage.

You can try to remove everything that no longer works (probably by dropping the whole OpenSSL.DSA module) and check whether servant (and maybe http-client-openssl) still works. If it does, this would be the next HsOpenSSL version.

It won't break on OpenSSL 3.0 systems, and missing features will be added by those who need them and can check whether they really work.

vshabanov avatar Jul 06 '24 22:07 vshabanov