25 changes: 13 additions & 12 deletions cmake/BundledOpenSSL.cmake
Contributor


Can we (or do we want to) upgrade the FIPS OpenSSL version, too? 3.1.2 seems to be FIPS-validated now.

Member Author


I didn't want to, but I can try doing that too

Contributor


I think we should if it only takes changing the version from 3.0.9 to 3.1.2. If non-trivial changes are needed, we can postpone it to the next release.

Contributor


Even if the change is trivial and builds successfully we should at least run the FIPS variant of the verify package jobs to see if all those tests also pass.

Expand Up @@ -17,6 +17,8 @@

function(use_openssl SOURCE_DIR BINARY_DIR)
message("Using bundled OpenSSL")
set(OPENSSL_VERSION "3.3.6" CACHE STRING "" FORCE)
set(OPENSSL_FIPS_MODULE_VERSION "3.1.2")

if(APPLE OR WIN32 OR CMAKE_SIZEOF_VOID_P EQUAL 4 OR CMAKE_SYSTEM_PROCESSOR MATCHES "(arm64)|(ARM64)|(aarch64)|(armv8)")
set(LIBDIR "lib")
Expand Down Expand Up @@ -84,7 +86,7 @@ function(use_openssl SOURCE_DIR BINARY_DIR)
"-DCMAKE_VISIBILITY_INLINES_HIDDEN=ON"
)

# Note: when upgrading to a later release than 3.1.1 the --no-apps could be used instead of --no-tests to minimize the build size

if (WIN32)
find_program(JOM_EXECUTABLE_PATH
NAMES jom.exe
Expand All @@ -102,8 +104,8 @@ function(use_openssl SOURCE_DIR BINARY_DIR)
endif()
ExternalProject_Add(
openssl-external
URL https://github.com/openssl/openssl/releases/download/openssl-3.3.3/openssl-3.3.3.tar.gz
URL_HASH "SHA256=712590fd20aaa60ec75d778fe5b810d6b829ca7fb1e530577917a131f9105539"
URL "https://github.com/openssl/openssl/releases/download/openssl-${OPENSSL_VERSION}/openssl-${OPENSSL_VERSION}.tar.gz"
URL_HASH "SHA256=22db04f3c8f9a808c9795dcf7d2713ff40c12c410ea2d1f6435c6c9c8558958b"
SOURCE_DIR "${BINARY_DIR}/thirdparty/openssl-src"
BUILD_IN_SOURCE true
CONFIGURE_COMMAND perl Configure "CC=${CMAKE_C_COMPILER}" "CXX=${CMAKE_CXX_COMPILER}" "CFLAGS=${PASSTHROUGH_CMAKE_C_FLAGS} ${OPENSSL_WINDOWS_COMPILE_FLAGS}" "CXXFLAGS=${PASSTHROUGH_CMAKE_CXX_FLAGS} ${OPENSSL_WINDOWS_COMPILE_FLAGS}" ${OPENSSL_SHARED_FLAG} ${OPENSSL_EXTRA_FLAGS} "--prefix=${OPENSSL_BIN_DIR}" "--openssldir=${OPENSSL_BIN_DIR}"
Expand All @@ -117,8 +119,8 @@ function(use_openssl SOURCE_DIR BINARY_DIR)
else()
ExternalProject_Add(
openssl-external
URL https://github.com/openssl/openssl/releases/download/openssl-3.3.3/openssl-3.3.3.tar.gz
URL_HASH "SHA256=712590fd20aaa60ec75d778fe5b810d6b829ca7fb1e530577917a131f9105539"
URL "https://github.com/openssl/openssl/releases/download/openssl-${OPENSSL_VERSION}/openssl-${OPENSSL_VERSION}.tar.gz"
URL_HASH "SHA256=22db04f3c8f9a808c9795dcf7d2713ff40c12c410ea2d1f6435c6c9c8558958b"
SOURCE_DIR "${BINARY_DIR}/thirdparty/openssl-src"
BUILD_IN_SOURCE true
CONFIGURE_COMMAND ./Configure "CC=${CMAKE_C_COMPILER}" "CXX=${CMAKE_CXX_COMPILER}" "CFLAGS=${PASSTHROUGH_CMAKE_C_FLAGS} -fPIC" "CXXFLAGS=${PASSTHROUGH_CMAKE_CXX_FLAGS} -fPIC" ${OPENSSL_SHARED_FLAG} ${OPENSSL_EXTRA_FLAGS} "--prefix=${OPENSSL_BIN_DIR}" "--openssldir=${OPENSSL_BIN_DIR}"
Expand All @@ -135,7 +137,6 @@ function(use_openssl SOURCE_DIR BINARY_DIR)
set(OPENSSL_LIBRARIES "${OPENSSL_LIBRARIES_LIST};${CMAKE_DL_LIBS}" CACHE STRING "" FORCE)
set(OPENSSL_CRYPTO_LIBRARY "${OPENSSL_BIN_DIR}/${LIBDIR}/${BYPRODUCT_PREFIX}crypto${BYPRODUCT_SUFFIX}" CACHE STRING "" FORCE)
set(OPENSSL_SSL_LIBRARY "${OPENSSL_BIN_DIR}/${LIBDIR}/${BYPRODUCT_PREFIX}ssl${BYPRODUCT_SUFFIX}" CACHE STRING "" FORCE)
set(OPENSSL_VERSION "3.3.3" CACHE STRING "" FORCE)

# Set exported variables for FindPackage.cmake
set(PASSTHROUGH_VARIABLES ${PASSTHROUGH_VARIABLES} "-DEXPORTED_OPENSSL_INCLUDE_DIR=${OPENSSL_INCLUDE_DIR}" CACHE STRING "" FORCE)
Expand Down Expand Up @@ -234,21 +235,21 @@ function(use_openssl SOURCE_DIR BINARY_DIR)
endif()
ExternalProject_Add(
openssl-fips-external
URL https://github.com/openssl/openssl/releases/download/openssl-3.0.9/openssl-3.0.9.tar.gz
URL_HASH "SHA256=eb1ab04781474360f77c318ab89d8c5a03abc38e63d65a603cabbf1b00a1dc90"
URL "https://github.com/openssl/openssl/releases/download/openssl-${OPENSSL_FIPS_MODULE_VERSION}/openssl-${OPENSSL_FIPS_MODULE_VERSION}.tar.gz"
URL_HASH "SHA256=a0ce69b8b97ea6a35b96875235aa453b966ba3cba8af2de23657d8b6767d6539"
SOURCE_DIR "${BINARY_DIR}/thirdparty/openssl-fips-src"
BUILD_IN_SOURCE true
CONFIGURE_COMMAND perl Configure "CC=${CMAKE_C_COMPILER}" "CXX=${CMAKE_CXX_COMPILER}" "CFLAGS=${PASSTHROUGH_CMAKE_C_FLAGS} ${OPENSSL_WINDOWS_COMPILE_FLAGS}" "CXXFLAGS=${PASSTHROUGH_CMAKE_CXX_FLAGS} ${OPENSSL_WINDOWS_COMPILE_FLAGS}" ${OPENSSL_SHARED_FLAG} ${OPENSSL_FIPS_EXTRA_FLAGS} enable-fips "--prefix=${OPENSSL_FIPS_BIN_DIR}" "--openssldir=${OPENSSL_FIPS_BIN_DIR}"
BUILD_BYPRODUCTS ${OPENSSL_FIPS_FILE_LIST}
EXCLUDE_FROM_ALL TRUE
BUILD_COMMAND ${OPENSSL_BUILD_COMMAND}
INSTALL_COMMAND nmake install_fips
)
)
else()
ExternalProject_Add(
openssl-fips-external
URL https://github.com/openssl/openssl/releases/download/openssl-3.0.9/openssl-3.0.9.tar.gz
URL_HASH "SHA256=eb1ab04781474360f77c318ab89d8c5a03abc38e63d65a603cabbf1b00a1dc90"
openssl-fips-external
URL "https://github.com/openssl/openssl/releases/download/openssl-${OPENSSL_FIPS_MODULE_VERSION}/openssl-${OPENSSL_FIPS_MODULE_VERSION}.tar.gz"
URL_HASH "SHA256=a0ce69b8b97ea6a35b96875235aa453b966ba3cba8af2de23657d8b6767d6539"
SOURCE_DIR "${BINARY_DIR}/thirdparty/openssl-fips-src"
BUILD_IN_SOURCE true
CONFIGURE_COMMAND ./Configure "CC=${CMAKE_C_COMPILER}" "CXX=${CMAKE_CXX_COMPILER}" "CFLAGS=${PASSTHROUGH_CMAKE_C_FLAGS} -fPIC" "CXXFLAGS=${PASSTHROUGH_CMAKE_CXX_FLAGS} -fPIC" ${OPENSSL_SHARED_FLAG} ${OPENSSL_FIPS_EXTRA_FLAGS} "--prefix=${OPENSSL_FIPS_BIN_DIR}" "--openssldir=${OPENSSL_FIPS_BIN_DIR}"
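Review bot: The SHA256 digests remain string literals inside the four `ExternalProject_Add` calls, while the versions they belong to now live in `OPENSSL_VERSION` and `OPENSSL_FIPS_MODULE_VERSION` at the top of `use_openssl`. The pin that authenticates each tarball is therefore separated from the value that selects it, and is duplicated across the Windows and non-Windows branches. A version-only bump will fail hash verification, which is the safe outcome, but keeping each digest beside its version lets a reviewer check the pair in one place. I would define `OPENSSL_SHA256` and `OPENSSL_FIPS_MODULE_SHA256` next to the version variables, using the values currently in the `URL_HASH` lines, and reference them as `URL_HASH "SHA256=${OPENSSL_SHA256}"` and `URL_HASH "SHA256=${OPENSSL_FIPS_MODULE_SHA256}"`. A comment above `OPENSSL_FIPS_MODULE_VERSION` such as `# FIPS provider source is pinned independently of OPENSSL_VERSION; bump only to a release that holds a FIPS validation` would record why the two versions differ; the end of `use_openssl` lies outside the visible hunks.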