[PATCH 3 of 4] SSL: stop using deprecated RSA_generate_key() function

Maxim Dounin mdounin at mdounin.ru
Mon Jul 7 23:32:24 UTC 2014 

Hello!

On Mon, Jul 07, 2014 at 03:02:14PM -0700, Piotr Sikora wrote:

> Hey Maxim,
> 
> > It's marked as deprecated in master branch, but not in the latest
> > release.  Try looking into the latest release docs, 1.0.1h -
> > doc/crypto/RSA_generate_key.pod doesn't even mention
> > RSA_generate_key_ex.
> 
> It's been deprecated before OpenSSL-0.9.8 release, see git history [1].

Correct link is:
https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=e9224c717711eefb30038c9b37c69795dda93c9a

And it looks like the only rationale for deprecation is a new 
interface introduced.

> OpenSSL's documentation is terrible source of information and that's
> not news - nginx itself is using a lot of undocumented functions,
> especially in the OCSP stapling code.

It's not about quality of OpenSSL's documentation, it's about the 
fact that OpenSSL itself doesn't care about said deprecation.

> > Sure, it can and likely will be helpful.  In this particular case
> > the replacement code seems to be too long though.  For
> > development needs, it will probably be enough to just return NULL
> > if OPENSSL_NO_DEPRECATED is defined.
> 
> Sigh, I really don't think that the amount of code is really a problem
> here... But if you're really unhappy with it, maybe let's just remove

The amount of code is certainly a problem, and it indicates that 
the "new" interface, uhm, have problems.

> the callback altogether? It's not like it's used with nginx's default
> ciphers list and I'm not aware of anything since Windows NT 4.0 that
> would require it.

I don't think it's time to remove it, but as I previously said, I 
will be fine with something like this:

diff --git a/src/event/ngx_event_openssl.c b/src/event/ngx_event_openssl.c
--- a/src/event/ngx_event_openssl.c
+++ b/src/event/ngx_event_openssl.c
@@ -652,12 +652,16 @@ ngx_ssl_rsa512_key_callback(ngx_ssl_conn
 {
     static RSA  *key;
 
+#ifndef OPENSSL_NO_DEPRECATED
+
     if (key_length == 512) {
         if (key == NULL) {
             key = RSA_generate_key(512, RSA_F4, NULL, NULL);
         }
     }
 
+#endif
+
     return key;
 }
 

This won't change anything for normal builds, but will allow test 
builds with OPENSSL_NO_DEPRECATED defined.

-- 
Maxim Dounin
http://nginx.org/

More information about the nginx-devel mailing list