Skip to content

Fix build warnings with OpenSSL 4.0#4016

Merged
zuiderkwast merged 1 commit into
valkey-io:unstablefrom
pkhartsk:support-openssl4
Jun 26, 2026
Merged

Fix build warnings with OpenSSL 4.0#4016
zuiderkwast merged 1 commit into
valkey-io:unstablefrom
pkhartsk:support-openssl4

Conversation

@pkhartsk

@pkhartsk pkhartsk commented Jun 22, 2026

Copy link
Copy Markdown
Contributor

Some functions are newly deprecated in OpenSSL 4.0, this commits works around those. More specifically:

  • X509_cmp_current_time() in isCertValid() is no longer necessary as X509_check_certificate_times() compares the notBefore and notAfter on its own. Had to add a version check since this function is new in OpenSSL 4.0.

  • Replace deprecated X509_NAME_get_text_by_NID. Not a perfect fix, because the new implementation still assumes that the name does not contain embedded null characters which may not be true, e.g., if the name is of type UniversalString or BMPString.

  • Also fix constness of X509_get_subject_name return value.

The latter two fixes are taken from this Fedora patch: https://src.fedoraproject.org/rpms/valkey/c/1a9c8847172ef3fb116a1e2fdb3871692378adae?branch=rawhide

Closes #4012

@coderabbitai

coderabbitai Bot commented Jun 22, 2026

Copy link
Copy Markdown

Review Change Stack

📝 Walkthrough

Walkthrough

Two functions in src/tls.c are updated for OpenSSL 4.0 compatibility. isCertValid gains a preprocessor-guarded path that calls X509_check_certificate_times() on OpenSSL ≥ 4.0. getCertSubjectFieldByName tightens input validation to reject zero output length and replaces the deprecated X509_NAME_get_text_by_NID() with manual NID-based subject entry lookup and bounded ASN1_STRING copying.

Changes

OpenSSL 4.0 TLS Compatibility

Layer / File(s) Summary
Certificate validity check and subject field extraction
src/tls.c
isCertValid adds a #if OPENSSL_VERSION_NUMBER >= 0x40000000L branch calling X509_check_certificate_times() with failure handling and optional error logging; the pre-4.0 path using X509_get0_notBefore/notAfter and X509_cmp_current_time() is preserved. getCertSubjectFieldByName rejects calls with zero outlen, removes the deprecated X509_NAME_get_text_by_NID() call, and replaces it with X509_get_subject_name(), X509_NAME_get_index_by_NID(), X509_NAME_get_entry(), X509_NAME_ENTRY_get_data(), and an explicit memcpy with length bounds and null termination.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

Check name Status Explanation Resolution
Docstring Coverage ⚠️ Warning Docstring coverage is 33.33% which is insufficient. The required threshold is 80.00%. Write docstrings for the functions missing them to satisfy the coverage threshold.
✅ Passed checks (4 passed)
Check name Status Explanation
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.
Description check ✅ Passed The description clearly matches the changes: OpenSSL 4.0 certificate-time checks, deprecated subject-name lookup replacement, and constness fixes.
Title check ✅ Passed The title accurately reflects the OpenSSL 4.0 compatibility work, though the changes address more than warnings alone.

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands.

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 2

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@src/tls.c`:
- Around line 1322-1325: The buffer copy logic in the null-termination code path
has an unsigned integer underflow vulnerability when outlen is 0, causing
SIZE_MAX to be used as copy_len. Add a guard check at the beginning of this code
block to return early or handle the case where outlen equals 0, before the
subtraction operation in the copy_len calculation occurs. This prevents the
expression outlen - 1 from underflowing and writing past the buffer bounds.
- Around line 469-477: The error variable is declared but not initialized before
being passed to X509_check_certificate_times(). Since this function only writes
to the error parameter when it returns 0 (indicating failure or invalidity), but
the code only reads the error variable when the function returns 1 (success),
the variable is accessed uninitialized. Initialize the error variable to 0
before the X509_check_certificate_times() function call to ensure it has a
defined value when read.
🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

  • Push a commit to this branch (recommended)
  • Create a new PR with the fixes

ℹ️ Review info
⚙️ Run configuration

Configuration used: Repository UI

Review profile: CHILL

Plan: Pro Plus

Run ID: 76719a62-45c2-42d9-a91b-55da8c9a88d2

📥 Commits

Reviewing files that changed from the base of the PR and between bee30d4 and 1f62de1.

📒 Files selected for processing (1)
  • src/tls.c

Comment thread src/tls.c
Comment thread src/tls.c

@zuiderkwast zuiderkwast left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM, thanks!

Do we run with OpenSSL 4 in any of the CI jobs or daily jobs? If not, is there an easy way to update one of them to use a distro that does, or just update OpenSSL in one of them?

@pkhartsk

pkhartsk commented Jun 23, 2026

Copy link
Copy Markdown
Contributor Author

Do we run with OpenSSL 4 in any of the CI jobs or daily jobs?

fedora rawhide (test-fedorarawhide-tls-module) has it, so should be good :)

Comment thread src/tls.c
@codecov

codecov Bot commented Jun 23, 2026

Copy link
Copy Markdown

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 76.78%. Comparing base (436dcae) to head (b3e7ab1).
⚠️ Report is 2 commits behind head on unstable.

Additional details and impacted files
@@             Coverage Diff              @@
##           unstable    #4016      +/-   ##
============================================
+ Coverage     76.75%   76.78%   +0.03%     
============================================
  Files           162      162              
  Lines         81017    81021       +4     
============================================
+ Hits          62187    62216      +29     
+ Misses        18830    18805      -25     
Files with missing lines Coverage Δ
src/tls.c 17.64% <ø> (ø)

... and 19 files with indirect coverage changes

🚀 New features to boost your workflow:
  • ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
  • 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

@zuiderkwast zuiderkwast added the run-extra-tests Run extra tests on this PR (Runs all tests from daily except valgrind and RESP) label Jun 23, 2026
Some functions are newly deprecated in OpenSSL 4.0,
this commits works around those. More specifically:

- X509_cmp_current_time() in isCertValid() is no longer
  necessary as X509_check_certificate_times() compares
  the notBefore and notAfter on its own. Had to add
  a version check since this function is new in OpenSSL 4.0.

- Replace deprecated X509_NAME_get_text_by_NID. Not a perfect
  fix, because the new implementation still assumes that
  the name does not contain embedded null characters
  which may not be true, e.g., if the name is of type
  UniversalString or BMPString.

- Also fix constness of X509_get_subject_name return value
  for modern OpenSSL versions

The latter two fixes are taken from this Fedora patch:
https://src.fedoraproject.org/rpms/valkey/c/1a9c8847172ef3fb116a1e2fdb3871692378adae?branch=rawhide

Signed-off-by: Petr Khartskhaev <pkhartsk@redhat.com>
@pkhartsk

Copy link
Copy Markdown
Contributor Author

Yup, the fedora test passes, where openssl 4 is installed here

@zuiderkwast zuiderkwast changed the title Fix build failures with OpenSSL 4.0 (#4012) Fix build warnings with OpenSSL 4.0 (#4012) Jun 23, 2026
@zuiderkwast

Copy link
Copy Markdown
Contributor

Changed the title "Fix build failures" -> "warnings". It's just deprecated functions - so unless compiled with -Werror it's just warnings, right?

@zuiderkwast

Copy link
Copy Markdown
Contributor

Let's backport to all versions. Old versions can run on new OS versions with new OpenSSL versions too, so backporting prevents future CI problems for these branches. (Assuming it applies cleanly - if not we could skip it.)

@pkhartsk

Copy link
Copy Markdown
Contributor Author

it's just warnings, right?

Yes, should I rename the commit too?

Assuming it applies cleanly - if not we could skip it.

I think the first hunk will fail as that function doesn't exist in any released version as of now, the second one seems to only be present in =>9.0

Comment thread src/tls.c
return false;
}
if (error > 0) {
serverLog(LL_WARNING, "X509_check_certificate_times() returned error %d", error);

@sarthakaggarwal97 sarthakaggarwal97 Jun 24, 2026

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I don't think we need this warning in logs. I could be wrong but seems like a specific error for a function.

Copy link
Copy Markdown
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The integer pointed to by error will be set to X509_V_ERR_ERROR_IN_CERT_NOT_BEFORE_FIELD or X509_V_ERR_ERROR_IN_CERT_NOT_AFTER_FIELD if the certificate has an invalid notBefore or notAfter field, respectively.

The integer pointed to by error will be set to X509_V_ERR_CERT_NOT_YET_VALID or X509_V_ERR_CERT_HAS_EXPIRED if the verification time is outside of the certificate's correctly encoded validity window as per RFC5280.

I'd say this is actually pretty useful to have, though I agree that just outputting a random integer is hardly helpful. Also this is stupid since this if statement will never be reached. Could be solved by either switch casing it or outputting a better-worded general error BEFORE returning false, or just removing this statement completely.

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yeah, this is not logged when the certificate is simply expired. It's only on other errors, which are likely configuration/admin errors. I agree it can be good to have.

Copy link
Copy Markdown
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I see you've already merged (thanks!), so I put the code fixing this into #4064. This unreachable if statement does no harm, but still.. :D

Comment thread src/tls.c

if (nid == -1) return 0;

#if OPENSSL_VERSION_NUMBER >= 0x30000000L

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Any harm in directly using const? without the version check?

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Apparently, in 1.1.1 it's not const. Not sure if we have 1.1.1 in any of our CI jobs though - it would show a compile warning I guess. See #4016 (comment) above.

Copy link
Copy Markdown
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Threw a warning for me on RHEL8 w/ 1.1.1.

See this almalinux8 build before I pushed this version check https://github.com/valkey-io/valkey/actions/runs/28020409485/job/82935479930

@zuiderkwast

Copy link
Copy Markdown
Contributor

it's just warnings, right?

Yes, should I rename the commit too?

No, it's not necessary. We squash-merge and use the PR title and description as commit message.

I think the first hunk will fail as that function doesn't exist in any released version as of now, the second one seems to only be present in =>9.0

Ok, so we should backport to 9.0 and 9.1 only then. Thanks for checking!

@zuiderkwast zuiderkwast changed the title Fix build warnings with OpenSSL 4.0 (#4012) Fix build warnings with OpenSSL 4.0 Jun 26, 2026
@zuiderkwast zuiderkwast merged commit aaa859d into valkey-io:unstable Jun 26, 2026
72 of 74 checks passed
@github-project-automation github-project-automation Bot moved this to To be backported in Valkey 9.1 Jun 26, 2026
@github-project-automation github-project-automation Bot moved this to To be backported in Valkey 9.0 Jun 26, 2026
valkeyrie-ops Bot pushed a commit that referenced this pull request Jun 27, 2026
Some functions are newly deprecated in OpenSSL 4.0. This commit works
around those. More specifically:

- X509_cmp_current_time() in isCertValid() is no longer necessary as
X509_check_certificate_times() compares the notBefore and notAfter on
its own. Had to add a version check since this function is new in
OpenSSL 4.0.

- Replace deprecated X509_NAME_get_text_by_NID. Not a perfect fix,
because the new implementation still assumes that the name does not
contain embedded null characters which may not be true, e.g., if the
name is of type UniversalString or BMPString.

- Also fix constness of X509_get_subject_name return value.

The latter two fixes are taken from this Fedora patch:
https://src.fedoraproject.org/rpms/valkey/c/1a9c8847172ef3fb116a1e2fdb3871692378adae?branch=rawhide

Closes #4012

Signed-off-by: Petr Khartskhaev <pkhartsk@redhat.com>
valkeyrie-ops Bot pushed a commit that referenced this pull request Jun 27, 2026
Some functions are newly deprecated in OpenSSL 4.0. This commit works
around those. More specifically:

- X509_cmp_current_time() in isCertValid() is no longer necessary as
X509_check_certificate_times() compares the notBefore and notAfter on
its own. Had to add a version check since this function is new in
OpenSSL 4.0.

- Replace deprecated X509_NAME_get_text_by_NID. Not a perfect fix,
because the new implementation still assumes that the name does not
contain embedded null characters which may not be true, e.g., if the
name is of type UniversalString or BMPString.

- Also fix constness of X509_get_subject_name return value.

The latter two fixes are taken from this Fedora patch:
https://src.fedoraproject.org/rpms/valkey/c/1a9c8847172ef3fb116a1e2fdb3871692378adae?branch=rawhide

Closes #4012

Signed-off-by: Petr Khartskhaev <pkhartsk@redhat.com>
@sarthakaggarwal97 sarthakaggarwal97 added the test-failure An issue indicating a test failure label Jun 29, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

run-extra-tests Run extra tests on this PR (Runs all tests from daily except valgrind and RESP) test-failure An issue indicating a test failure

Projects

Status: To be backported
Status: To be backported

Development

Successfully merging this pull request may close these issues.

Valkey fails to build against OpenSSL 4

3 participants