From b9fd3e0a418dad47c6fa9c8456a1c9410009bb82 Mon Sep 17 00:00:00 2001
From: Marton Szasz <szaszm@apache.org>
Date: Mon, 23 Feb 2026 17:16:03 +0100
Subject: [PATCH 1/4] MINIFICPP-2728 upgrade openssl to 3.3.6

Signed-off-by: Marton Szasz <szaszm@apache.org>
---
 cmake/BundledOpenSSL.cmake | 11 +++++------
 1 file changed, 5 insertions(+), 6 deletions(-)

diff --git a/cmake/BundledOpenSSL.cmake b/cmake/BundledOpenSSL.cmake
index 55bdf29cd2..8dea0ab95a 100644
--- a/cmake/BundledOpenSSL.cmake
+++ b/cmake/BundledOpenSSL.cmake
@@ -56,7 +56,7 @@ function(use_openssl SOURCE_DIR BINARY_DIR)
     endif()
 
     set(OPENSSL_EXTRA_FLAGS
-            no-tests            # Disable tests
+            no-apps             # disable tests and programs
             no-capieng          # disable CAPI engine (legacy)
             no-docs             # disable docs and manpages
             no-legacy           # disable legacy modules
@@ -84,7 +84,6 @@ function(use_openssl SOURCE_DIR BINARY_DIR)
             "-DCMAKE_VISIBILITY_INLINES_HIDDEN=ON"
             )
 
-    # Note: when upgrading to a later release than 3.1.1 the --no-apps could be used instead of --no-tests to minimize the build size
     if (WIN32)
         find_program(JOM_EXECUTABLE_PATH
             NAMES jom.exe
@@ -102,8 +101,8 @@ function(use_openssl SOURCE_DIR BINARY_DIR)
         endif()
         ExternalProject_Add(
                 openssl-external
-                URL https://github.com/openssl/openssl/releases/download/openssl-3.3.3/openssl-3.3.3.tar.gz
-                URL_HASH "SHA256=712590fd20aaa60ec75d778fe5b810d6b829ca7fb1e530577917a131f9105539"
+                URL https://github.com/openssl/openssl/releases/download/openssl-3.3.6/openssl-3.3.6.tar.gz
+                URL_HASH "SHA256=22db04f3c8f9a808c9795dcf7d2713ff40c12c410ea2d1f6435c6c9c8558958b"
                 SOURCE_DIR "${BINARY_DIR}/thirdparty/openssl-src"
                 BUILD_IN_SOURCE true
                 CONFIGURE_COMMAND perl Configure "CC=${CMAKE_C_COMPILER}" "CXX=${CMAKE_CXX_COMPILER}" "CFLAGS=${PASSTHROUGH_CMAKE_C_FLAGS} ${OPENSSL_WINDOWS_COMPILE_FLAGS}" "CXXFLAGS=${PASSTHROUGH_CMAKE_CXX_FLAGS} ${OPENSSL_WINDOWS_COMPILE_FLAGS}" ${OPENSSL_SHARED_FLAG} ${OPENSSL_EXTRA_FLAGS} "--prefix=${OPENSSL_BIN_DIR}" "--openssldir=${OPENSSL_BIN_DIR}"
@@ -117,8 +116,8 @@ function(use_openssl SOURCE_DIR BINARY_DIR)
     else()
         ExternalProject_Add(
                 openssl-external
-                URL https://github.com/openssl/openssl/releases/download/openssl-3.3.3/openssl-3.3.3.tar.gz
-                URL_HASH "SHA256=712590fd20aaa60ec75d778fe5b810d6b829ca7fb1e530577917a131f9105539"
+                URL https://github.com/openssl/openssl/releases/download/openssl-3.3.6/openssl-3.3.6.tar.gz
+                URL_HASH "SHA256=22db04f3c8f9a808c9795dcf7d2713ff40c12c410ea2d1f6435c6c9c8558958b"
                 SOURCE_DIR "${BINARY_DIR}/thirdparty/openssl-src"
                 BUILD_IN_SOURCE true
                 CONFIGURE_COMMAND ./Configure "CC=${CMAKE_C_COMPILER}" "CXX=${CMAKE_CXX_COMPILER}" "CFLAGS=${PASSTHROUGH_CMAKE_C_FLAGS} -fPIC" "CXXFLAGS=${PASSTHROUGH_CMAKE_CXX_FLAGS} -fPIC" ${OPENSSL_SHARED_FLAG} ${OPENSSL_EXTRA_FLAGS} "--prefix=${OPENSSL_BIN_DIR}" "--openssldir=${OPENSSL_BIN_DIR}"

From d14aad8b90a83dc538f126093e4bb7cc7c337db7 Mon Sep 17 00:00:00 2001
From: Marton Szasz <szaszm@apache.org>
Date: Mon, 23 Feb 2026 21:07:42 +0100
Subject: [PATCH 2/4] restore apps, it's needed for something, maybe fips

---
 cmake/BundledOpenSSL.cmake | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/cmake/BundledOpenSSL.cmake b/cmake/BundledOpenSSL.cmake
index 8dea0ab95a..4b4b378e9b 100644
--- a/cmake/BundledOpenSSL.cmake
+++ b/cmake/BundledOpenSSL.cmake
@@ -56,7 +56,7 @@ function(use_openssl SOURCE_DIR BINARY_DIR)
     endif()
 
     set(OPENSSL_EXTRA_FLAGS
-            no-apps             # disable tests and programs
+            no-tests            # Disable tests
             no-capieng          # disable CAPI engine (legacy)
             no-docs             # disable docs and manpages
             no-legacy           # disable legacy modules

From 93bf841e38dece9601128cc07fb5fae0aebc3d9b Mon Sep 17 00:00:00 2001
From: Marton Szasz <szaszm@apache.org>
Date: Tue, 24 Feb 2026 15:00:04 +0100
Subject: [PATCH 3/4] update OPENSSL_VERSION, refer to it from the URL

---
 cmake/BundledOpenSSL.cmake | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)

diff --git a/cmake/BundledOpenSSL.cmake b/cmake/BundledOpenSSL.cmake
index 4b4b378e9b..82629c98db 100644
--- a/cmake/BundledOpenSSL.cmake
+++ b/cmake/BundledOpenSSL.cmake
@@ -84,6 +84,8 @@ function(use_openssl SOURCE_DIR BINARY_DIR)
             "-DCMAKE_VISIBILITY_INLINES_HIDDEN=ON"
             )
 
+    set(OPENSSL_VERSION "3.3.6" CACHE STRING "" FORCE)
+
     if (WIN32)
         find_program(JOM_EXECUTABLE_PATH
             NAMES jom.exe
@@ -101,7 +103,7 @@ function(use_openssl SOURCE_DIR BINARY_DIR)
         endif()
         ExternalProject_Add(
                 openssl-external
-                URL https://github.com/openssl/openssl/releases/download/openssl-3.3.6/openssl-3.3.6.tar.gz
+                URL "https://github.com/openssl/openssl/releases/download/openssl-${OPENSSL_VERSION}/openssl-${OPENSSL_VERSION}.tar.gz"
                 URL_HASH "SHA256=22db04f3c8f9a808c9795dcf7d2713ff40c12c410ea2d1f6435c6c9c8558958b"
                 SOURCE_DIR "${BINARY_DIR}/thirdparty/openssl-src"
                 BUILD_IN_SOURCE true
@@ -116,7 +118,7 @@ function(use_openssl SOURCE_DIR BINARY_DIR)
     else()
         ExternalProject_Add(
                 openssl-external
-                URL https://github.com/openssl/openssl/releases/download/openssl-3.3.6/openssl-3.3.6.tar.gz
+                URL "https://github.com/openssl/openssl/releases/download/openssl-${OPENSSL_VERSION}/openssl-${OPENSSL_VERSION}.tar.gz"
                 URL_HASH "SHA256=22db04f3c8f9a808c9795dcf7d2713ff40c12c410ea2d1f6435c6c9c8558958b"
                 SOURCE_DIR "${BINARY_DIR}/thirdparty/openssl-src"
                 BUILD_IN_SOURCE true
@@ -134,7 +136,6 @@ function(use_openssl SOURCE_DIR BINARY_DIR)
     set(OPENSSL_LIBRARIES "${OPENSSL_LIBRARIES_LIST};${CMAKE_DL_LIBS}"  CACHE STRING "" FORCE)
     set(OPENSSL_CRYPTO_LIBRARY "${OPENSSL_BIN_DIR}/${LIBDIR}/${BYPRODUCT_PREFIX}crypto${BYPRODUCT_SUFFIX}" CACHE STRING "" FORCE)
     set(OPENSSL_SSL_LIBRARY "${OPENSSL_BIN_DIR}/${LIBDIR}/${BYPRODUCT_PREFIX}ssl${BYPRODUCT_SUFFIX}" CACHE STRING "" FORCE)
-    set(OPENSSL_VERSION "3.3.3" CACHE STRING "" FORCE)
 
     # Set exported variables for FindPackage.cmake
     set(PASSTHROUGH_VARIABLES ${PASSTHROUGH_VARIABLES} "-DEXPORTED_OPENSSL_INCLUDE_DIR=${OPENSSL_INCLUDE_DIR}" CACHE STRING "" FORCE)

From 94996490abc4c9e36ca0786c443fdc5b1e86c93c Mon Sep 17 00:00:00 2001
From: Marton Szasz <szaszm@apache.org>
Date: Tue, 24 Feb 2026 17:32:51 +0100
Subject: [PATCH 4/4] upgrade fips openssl

---
 cmake/BundledOpenSSL.cmake | 15 ++++++++-------
 1 file changed, 8 insertions(+), 7 deletions(-)

diff --git a/cmake/BundledOpenSSL.cmake b/cmake/BundledOpenSSL.cmake
index 82629c98db..0b9187c52b 100644
--- a/cmake/BundledOpenSSL.cmake
+++ b/cmake/BundledOpenSSL.cmake
@@ -17,6 +17,8 @@
 
 function(use_openssl SOURCE_DIR BINARY_DIR)
     message("Using bundled OpenSSL")
+    set(OPENSSL_VERSION "3.3.6" CACHE STRING "" FORCE)
+    set(OPENSSL_FIPS_MODULE_VERSION "3.1.2")
 
     if(APPLE OR WIN32 OR CMAKE_SIZEOF_VOID_P EQUAL 4 OR CMAKE_SYSTEM_PROCESSOR MATCHES "(arm64)|(ARM64)|(aarch64)|(armv8)")
         set(LIBDIR "lib")
@@ -84,7 +86,6 @@ function(use_openssl SOURCE_DIR BINARY_DIR)
             "-DCMAKE_VISIBILITY_INLINES_HIDDEN=ON"
             )
 
-    set(OPENSSL_VERSION "3.3.6" CACHE STRING "" FORCE)
 
     if (WIN32)
         find_program(JOM_EXECUTABLE_PATH
@@ -234,8 +235,8 @@ function(use_openssl SOURCE_DIR BINARY_DIR)
         endif()
         ExternalProject_Add(
                 openssl-fips-external
-                URL https://github.com/openssl/openssl/releases/download/openssl-3.0.9/openssl-3.0.9.tar.gz
-                URL_HASH "SHA256=eb1ab04781474360f77c318ab89d8c5a03abc38e63d65a603cabbf1b00a1dc90"
+                URL "https://github.com/openssl/openssl/releases/download/openssl-${OPENSSL_FIPS_MODULE_VERSION}/openssl-${OPENSSL_FIPS_MODULE_VERSION}.tar.gz"
+                URL_HASH "SHA256=a0ce69b8b97ea6a35b96875235aa453b966ba3cba8af2de23657d8b6767d6539"
                 SOURCE_DIR "${BINARY_DIR}/thirdparty/openssl-fips-src"
                 BUILD_IN_SOURCE true
                 CONFIGURE_COMMAND perl Configure "CC=${CMAKE_C_COMPILER}" "CXX=${CMAKE_CXX_COMPILER}" "CFLAGS=${PASSTHROUGH_CMAKE_C_FLAGS} ${OPENSSL_WINDOWS_COMPILE_FLAGS}" "CXXFLAGS=${PASSTHROUGH_CMAKE_CXX_FLAGS} ${OPENSSL_WINDOWS_COMPILE_FLAGS}" ${OPENSSL_SHARED_FLAG} ${OPENSSL_FIPS_EXTRA_FLAGS} enable-fips "--prefix=${OPENSSL_FIPS_BIN_DIR}" "--openssldir=${OPENSSL_FIPS_BIN_DIR}"
@@ -243,12 +244,12 @@ function(use_openssl SOURCE_DIR BINARY_DIR)
                 EXCLUDE_FROM_ALL TRUE
                 BUILD_COMMAND ${OPENSSL_BUILD_COMMAND}
                 INSTALL_COMMAND nmake install_fips
-            )
+        )
     else()
         ExternalProject_Add(
-            openssl-fips-external
-                URL https://github.com/openssl/openssl/releases/download/openssl-3.0.9/openssl-3.0.9.tar.gz
-                URL_HASH "SHA256=eb1ab04781474360f77c318ab89d8c5a03abc38e63d65a603cabbf1b00a1dc90"
+                openssl-fips-external
+                URL "https://github.com/openssl/openssl/releases/download/openssl-${OPENSSL_FIPS_MODULE_VERSION}/openssl-${OPENSSL_FIPS_MODULE_VERSION}.tar.gz"
+                URL_HASH "SHA256=a0ce69b8b97ea6a35b96875235aa453b966ba3cba8af2de23657d8b6767d6539"
                 SOURCE_DIR "${BINARY_DIR}/thirdparty/openssl-fips-src"
                 BUILD_IN_SOURCE true
                 CONFIGURE_COMMAND ./Configure "CC=${CMAKE_C_COMPILER}" "CXX=${CMAKE_CXX_COMPILER}" "CFLAGS=${PASSTHROUGH_CMAKE_C_FLAGS} -fPIC" "CXXFLAGS=${PASSTHROUGH_CMAKE_CXX_FLAGS} -fPIC" ${OPENSSL_SHARED_FLAG} ${OPENSSL_FIPS_EXTRA_FLAGS}  "--prefix=${OPENSSL_FIPS_BIN_DIR}" "--openssldir=${OPENSSL_FIPS_BIN_DIR}"