openssl: x509: allow build with OpenSSL 4.x by heitbaum · Pull Request #3560 · warmcat/libwebsockets

heitbaum · 2026-03-21T08:13:58Z

ASN1_STRING are now opaque types — the internal data and length fields are no longer directly accessible. Use the accessor API instead. Accessors have been available since OpenSSL 1.1.0

Signatures of numerous API functions, including those that are related to X509 processing, are changed to include const qualifiers for argument and return types, where suitable. Add const qualifer to variables.

fixes:

../lib/tls/openssl/openssl-x509.c: In function 'lws_tls_openssl_asn1time_to_unix':
../lib/tls/openssl/openssl-x509.c:42:41: error: invalid use of incomplete typedef 'ASN1_TIME' {aka 'struct asn1_string_st'}
   42 |         const char *p = (const char *)as->data;
      |                                         ^~
../lib/tls/openssl/openssl-x509.c: In function 'lws_tls_openssl_cert_info':
../lib/tls/openssl/openssl-x509.c:129:20: error: assignment discards 'const' qualifier from pointer target type [-Werror=discarded-qualifiers]
  129 |                 xn = X509_get_subject_name(x509);
      |                    ^
../lib/tls/openssl/openssl-x509.c:148:20: error: assignment discards 'const' qualifier from pointer target type [-Werror=discarded-qualifiers]
  148 |                 xn = X509_get_issuer_name(x509);
      |                    ^
../lib/tls/openssl/openssl-x509.c:218:21: error: assignment discards 'const' qualifier from pointer target type [-Werror=discarded-qualifiers]
  218 |                 ext = X509_get_ext(x509, (int)loc);
      |                     ^
../lib/tls/openssl/openssl-x509.c:229:48: error: invalid use of incomplete typedef 'ASN1_OCTET_STRING' {aka 'struct asn1_string_st'}
  229 |                 dp = (const unsigned char *)val->data;
      |                                                ^~
../lib/tls/openssl/openssl-x509.c:230:27: error: invalid use of incomplete typedef 'ASN1_OCTET_STRING' {aka 'struct asn1_string_st'}
  230 |                 xlen = val->length;
      |                           ^~
../lib/tls/openssl/openssl-x509.c:246:21: error: assignment discards 'const' qualifier from pointer target type [-Werror=discarded-qualifiers]
  246 |                 ext = X509_get_ext(x509, (int)loc);
      |                     ^
../lib/tls/openssl/openssl-x509.c:303:21: error: assignment discards 'const' qualifier from pointer target type [-Werror=discarded-qualifiers]
  303 |                 ext = X509_get_ext(x509, (int)loc);
      |                     ^
../lib/tls/openssl/openssl-x509.c:329:21: error: assignment discards 'const' qualifier from pointer target type [-Werror=discarded-qualifiers]
  329 |                 ext = X509_get_ext(x509, (int)loc);
      |                     ^
../lib/tls/openssl/openssl-x509.c:333:21: error: assignment discards 'const' qualifier from pointer target type [-Werror=discarded-qualifiers]
  333 |                 val = X509_EXTENSION_get_data(ext);
      |                     ^
../lib/tls/openssl/openssl-x509.c:340:48: error: invalid use of incomplete typedef 'ASN1_OCTET_STRING' {aka 'struct asn1_string_st'}
  340 |                 dp = (const unsigned char *)val->data;
      |                                                ^~
../lib/tls/openssl/openssl-x509.c:343:55: error: invalid use of incomplete typedef 'ASN1_OCTET_STRING' {aka 'struct asn1_string_st'}
  343 |                                     &tag, &xclass, val->length) & 0x80)
      |                                                       ^~
../lib/tls/openssl/openssl-x509.c: In function 'lws_x509_verify':
../lib/tls/openssl/openssl-x509.c:459:33: error: initialization discards 'const' qualifier from pointer target type [-Werror=discarded-qualifiers]
  459 |                 X509_NAME *xn = X509_get_subject_name(x509->cert);
      |                                 ^~~~~~~~~~~~~~~~~~~~~

Add a generic DTLS wrapper to lws that is able to work using any of the supported tls libraries as the backed: openssl (and variants), mbedtls, gnutls, schannel Note that schannel is not able to work with webrtc due to schannel api's own limitations. You must use openssl or mbedtls for windows if you want to use dtls for webrtc.

This adds support for webrtc serving along with ALSA, OPUS, V4L2, TRANSCODE and other critical pieces

p

Having added a member to lws_plugin_protocol, it's a good time to change the old struct initializer format to C9, since we'll have to visit them all anyway. Also modernize the event lib struct while we're at it.

Various things that Sai identified needed fixing

This changes the approach of Async DNS vs multiple DNS servers... - we will take all the platform tells us about - initially we will broadside the queries on all the servers - we'll measure the response performce over time, with decay - nonresponsive servers will get ignored and responsive ones will round-robin

lws-team · 2026-03-21T09:06:12Z

Thanks for the patch. Unfortunately more contortions are needed, since existing openssl3 doesn't have const, simply making things const fixes what's in front of you, and kills it for older openssl. I modified your patch so it still works on older openssl, can you confirm it's OK for your openssl4 case?

diff --git a/lib/tls/openssl/openssl-x509.c b/lib/tls/openssl/openssl-x509.c
index d8b5637c0..15c853ca9 100644
--- a/lib/tls/openssl/openssl-x509.c
+++ b/lib/tls/openssl/openssl-x509.c
@@ -1,7 +1,7 @@
 /*
  * libwebsockets - small server side websockets and web server implementation
  *
- * Copyright (C) 2010 - 2019 Andy Green <andy@warmcat.com>
+ * Copyright (C) 2010 - 2026 Andy Green <andy@warmcat.com>
  *
  * Permission is hereby granted, free of charge, to any person obtaining a copy
  * of this software and associated documentation files (the "Software"), to
@@ -26,6 +26,12 @@
 #include "private-lib-core.h"
 #include "private-lib-tls-openssl.h"
 
+#if OPENSSL_VERSION_NUMBER >= 0x40000000L
+#define CAST_X509_EXTENSION(x)	(x)
+#else
+#define CAST_X509_EXTENSION(x)	((X509_EXTENSION *)(x))
+#endif
+
 #if !defined(LWS_PLAT_OPTEE)
 static int
 dec(char c)
@@ -39,7 +45,7 @@ lws_tls_openssl_asn1time_to_unix(ASN1_TIME *as)
 {
 #if !defined(LWS_PLAT_OPTEE)
 
-	const char *p = (const char *)as->data;
+	const char *p = (const char *)ASN1_STRING_get0_data(as);
 	struct tm t;
 
 	/* [YY]YYMMDDHHMMSSZ */
@@ -84,12 +90,13 @@ lws_tls_openssl_cert_info(X509 *x509, enum lws_tls_cert_info type,
 #ifndef USE_WOLFSSL
 	const unsigned char *dp;
 	ASN1_OCTET_STRING *val;
+	const ASN1_OCTET_STRING *val2;
 	AUTHORITY_KEYID *akid;
-	X509_EXTENSION *ext;
+	const X509_EXTENSION *ext;
 	int tag, xclass, r = 1;
 	long xlen, loc;
 #endif
-	X509_NAME *xn;
+	const X509_NAME *xn;
 #if !defined(LWS_PLAT_OPTEE)
 	char *p, *p1;
 	size_t rl;
@@ -219,15 +226,15 @@ lws_tls_openssl_cert_info(X509 *x509, enum lws_tls_cert_info type,
 		if (!ext)
 			return 1;
 #ifndef USE_WOLFSSL
-		akid = (AUTHORITY_KEYID *)X509V3_EXT_d2i(ext);
+		akid = (AUTHORITY_KEYID *)X509V3_EXT_d2i(CAST_X509_EXTENSION(ext));
 #else
 		akid = (AUTHORITY_KEYID *)wolfSSL_X509V3_EXT_d2i(ext);
 #endif
 		if (!akid || !akid->keyid)
 			return 1;
 		val = akid->keyid;
-		dp = (const unsigned char *)val->data;
-		xlen = val->length;
+		dp = ASN1_STRING_get0_data(val);
+		xlen = ASN1_STRING_length(val);
 
 		buf->ns.len = (int)xlen;
 		if (len < (size_t)buf->ns.len)
@@ -248,7 +255,7 @@ lws_tls_openssl_cert_info(X509 *x509, enum lws_tls_cert_info type,
 			return 1;
 
 #ifndef USE_WOLFSSL
-		akid = (AUTHORITY_KEYID *)X509V3_EXT_d2i(ext);
+		akid = (AUTHORITY_KEYID *)X509V3_EXT_d2i(CAST_X509_EXTENSION(ext));
 #else
 		akid = (AUTHORITY_KEYID *)wolfSSL_X509V3_EXT_d2i(ext);
 #endif
@@ -257,7 +264,7 @@ lws_tls_openssl_cert_info(X509 *x509, enum lws_tls_cert_info type,
 
 #if defined(LWS_HAVE_OPENSSL_STACK)
 		{
-			const X509V3_EXT_METHOD* method = X509V3_EXT_get(ext);
+			const X509V3_EXT_METHOD* method = X509V3_EXT_get(CAST_X509_EXTENSION(ext));
 			STACK_OF(CONF_VALUE) *cv;
 		#if defined(LWS_WITH_BORINGSSL) || defined(LWS_WITH_AWSLC)
 			size_t j;
@@ -303,7 +310,7 @@ bail_ak:
 		ext = X509_get_ext(x509, (int)loc);
 		if (!ext)
 			return 1;
-		akid = (AUTHORITY_KEYID *)X509V3_EXT_d2i(ext);
+		akid = (AUTHORITY_KEYID *)X509V3_EXT_d2i(CAST_X509_EXTENSION(ext));
 		if (!akid || !akid->serial)
 			return 1;
 
@@ -330,17 +337,17 @@ bail_ak:
 		if (!ext)
 			return 1;
 
-		val = X509_EXTENSION_get_data(ext);
-		if (!val)
+		val2 = X509_EXTENSION_get_data(CAST_X509_EXTENSION(ext));
+		if (!val2)
 			return 1;
 
 #if defined(USE_WOLFSSL)
 		return 1;
 #else
-		dp = (const unsigned char *)val->data;
+		dp = ASN1_STRING_get0_data(val2);
 
 		if (ASN1_get_object(&dp, &xlen,
-				    &tag, &xclass, val->length) & 0x80)
+				    &tag, &xclass, ASN1_STRING_length(val2)) & 0x80)
 			return -1;
 
 		if (tag != V_ASN1_OCTET_STRING) {
@@ -456,7 +463,7 @@ lws_x509_verify(struct lws_x509_cert *x509, struct lws_x509_cert *trusted,
 	int ret;
 
 	if (common_name) {
-		X509_NAME *xn = X509_get_subject_name(x509->cert);
+		const X509_NAME *xn = X509_get_subject_name(x509->cert);
 		if (!xn)
 			return -1;
 		X509_NAME_oneline(xn, c, (int)sizeof(c) - 2);

heitbaum · 2026-03-21T09:25:42Z

Thanks for the patch. Unfortunately more contortions are needed, since existing openssl3 doesn't have const, simply making things const fixes what's in front of you, and kills it for older openssl. I modified your patch so it still works on older openssl, can you confirm it's OK for your openssl4 case?

diff --git a/lib/tls/openssl/openssl-x509.c b/lib/tls/openssl/openssl-x509.c
index d8b5637c0..15c853ca9 100644
--- a/lib/tls/openssl/openssl-x509.c
+++ b/lib/tls/openssl/openssl-x509.c
@@ -1,7 +1,7 @@
 /*
  * libwebsockets - small server side websockets and web server implementation
  *
- * Copyright (C) 2010 - 2019 Andy Green <andy@warmcat.com>
+ * Copyright (C) 2010 - 2026 Andy Green <andy@warmcat.com>
  *
  * Permission is hereby granted, free of charge, to any person obtaining a copy
  * of this software and associated documentation files (the "Software"), to
@@ -26,6 +26,12 @@
 #include "private-lib-core.h"
 #include "private-lib-tls-openssl.h"
 
+#if OPENSSL_VERSION_NUMBER >= 0x40000000L
+#define CAST_X509_EXTENSION(x)	(x)
+#else
+#define CAST_X509_EXTENSION(x)	((X509_EXTENSION *)(x))
+#endif
+
 #if !defined(LWS_PLAT_OPTEE)
 static int
 dec(char c)
@@ -39,7 +45,7 @@ lws_tls_openssl_asn1time_to_unix(ASN1_TIME *as)
 {
 #if !defined(LWS_PLAT_OPTEE)
 
-	const char *p = (const char *)as->data;
+	const char *p = (const char *)ASN1_STRING_get0_data(as);
 	struct tm t;
 
 	/* [YY]YYMMDDHHMMSSZ */
@@ -84,12 +90,13 @@ lws_tls_openssl_cert_info(X509 *x509, enum lws_tls_cert_info type,
 #ifndef USE_WOLFSSL
 	const unsigned char *dp;
 	ASN1_OCTET_STRING *val;
+	const ASN1_OCTET_STRING *val2;
 	AUTHORITY_KEYID *akid;
-	X509_EXTENSION *ext;
+	const X509_EXTENSION *ext;
 	int tag, xclass, r = 1;
 	long xlen, loc;
 #endif
-	X509_NAME *xn;
+	const X509_NAME *xn;
 #if !defined(LWS_PLAT_OPTEE)
 	char *p, *p1;
 	size_t rl;
@@ -219,15 +226,15 @@ lws_tls_openssl_cert_info(X509 *x509, enum lws_tls_cert_info type,
 		if (!ext)
 			return 1;
 #ifndef USE_WOLFSSL
-		akid = (AUTHORITY_KEYID *)X509V3_EXT_d2i(ext);
+		akid = (AUTHORITY_KEYID *)X509V3_EXT_d2i(CAST_X509_EXTENSION(ext));
 #else
 		akid = (AUTHORITY_KEYID *)wolfSSL_X509V3_EXT_d2i(ext);
 #endif
 		if (!akid || !akid->keyid)
 			return 1;
 		val = akid->keyid;
-		dp = (const unsigned char *)val->data;
-		xlen = val->length;
+		dp = ASN1_STRING_get0_data(val);
+		xlen = ASN1_STRING_length(val);
 
 		buf->ns.len = (int)xlen;
 		if (len < (size_t)buf->ns.len)
@@ -248,7 +255,7 @@ lws_tls_openssl_cert_info(X509 *x509, enum lws_tls_cert_info type,
 			return 1;
 
 #ifndef USE_WOLFSSL
-		akid = (AUTHORITY_KEYID *)X509V3_EXT_d2i(ext);
+		akid = (AUTHORITY_KEYID *)X509V3_EXT_d2i(CAST_X509_EXTENSION(ext));
 #else
 		akid = (AUTHORITY_KEYID *)wolfSSL_X509V3_EXT_d2i(ext);
 #endif
@@ -257,7 +264,7 @@ lws_tls_openssl_cert_info(X509 *x509, enum lws_tls_cert_info type,
 
 #if defined(LWS_HAVE_OPENSSL_STACK)
 		{
-			const X509V3_EXT_METHOD* method = X509V3_EXT_get(ext);
+			const X509V3_EXT_METHOD* method = X509V3_EXT_get(CAST_X509_EXTENSION(ext));
 			STACK_OF(CONF_VALUE) *cv;
 		#if defined(LWS_WITH_BORINGSSL) || defined(LWS_WITH_AWSLC)
 			size_t j;
@@ -303,7 +310,7 @@ bail_ak:
 		ext = X509_get_ext(x509, (int)loc);
 		if (!ext)
 			return 1;
-		akid = (AUTHORITY_KEYID *)X509V3_EXT_d2i(ext);
+		akid = (AUTHORITY_KEYID *)X509V3_EXT_d2i(CAST_X509_EXTENSION(ext));
 		if (!akid || !akid->serial)
 			return 1;
 
@@ -330,17 +337,17 @@ bail_ak:
 		if (!ext)
 			return 1;
 
-		val = X509_EXTENSION_get_data(ext);
-		if (!val)
+		val2 = X509_EXTENSION_get_data(CAST_X509_EXTENSION(ext));
+		if (!val2)
 			return 1;
 
 #if defined(USE_WOLFSSL)
 		return 1;
 #else
-		dp = (const unsigned char *)val->data;
+		dp = ASN1_STRING_get0_data(val2);
 
 		if (ASN1_get_object(&dp, &xlen,
-				    &tag, &xclass, val->length) & 0x80)
+				    &tag, &xclass, ASN1_STRING_length(val2)) & 0x80)
 			return -1;
 
 		if (tag != V_ASN1_OCTET_STRING) {
@@ -456,7 +463,7 @@ lws_x509_verify(struct lws_x509_cert *x509, struct lws_x509_cert *trusted,
 	int ret;
 
 	if (common_name) {
-		X509_NAME *xn = X509_get_subject_name(x509->cert);
+		const X509_NAME *xn = X509_get_subject_name(x509->cert);
 		if (!xn)
 			return -1;
 		X509_NAME_oneline(xn, c, (int)sizeof(c) - 2);

Your version works correctly with OpenSSL 4.0.0-alpha1 too.

ASN1_STRING are now opaque types — the internal data and length fields are no longer directly accessible. Use the accessor API instead. Accessors have been available since OpenSSL 1.1.0 Signatures of numerous API functions, including those that are related to X509 processing, are changed to include const qualifiers for argument and return types, where suitable. Add const qualifer to variables. Co-authored-by: Andy Green <andy@warmcat.com> Signed-off-by: Rudi Heitbaum <rudi@heitbaum.com>

heitbaum · 2026-03-22T05:50:56Z

Force pushed updated commit.

lws-team added 30 commits March 14, 2026 18:01

lws_switches_print_help

d091950

mnemonic

09733ad

genhash: lws_genhash_render

b3462ed

dht: peer server

65dbd9f

mbedtls-fixes

84ac686

rtp

fea5194

mixer

1e71fdf

This adds support for webrtc serving along with ALSA, OPUS, V4L2, TRANSCODE and other critical pieces

LWS_WITH_LATENCY

5909858

async-serving

cd2d53d

layout-speaker

57ae24c

1080p

1579404

dht-conf

2a381ed

plugins: document and enable inclusion

4729f89

authoritative_dns-signing

2ac8e53

authoritative-dns-server

d18f5d8

async-dns-tcp-fallback

1851733

async_dns: DNSSEC

0ac63a5

p

plugins: modernize to C99

2e45bb3

Having added a member to lws_plugin_protocol, it's a good time to change the old struct initializer format to C9, since we'll have to visit them all anyway. Also modernize the event lib struct while we're at it.

fixes

2199103

Various things that Sai identified needed fixing

lws_adapt: improve api

42dbff9

gnutls: gencrypto-extra

362bf38

jws-alignment-with-gnutls

c82bd2b

cove-fixes-8

89ebcd4

adopt: use correct sockaddr length

8aad73c

dht: deduplicate

e2db10c

dht-dnssec-plugin

9458a1e

minimal-crypto-dnssec

5432e18

help: provide --help for every app that takes commandline args

18a19a5

acme: dns-01 and refactor

c73edb3

lws-team added 7 commits March 14, 2026 18:01

protocol_lws_dht_dnssec_monitor

158f27e

dht: dnssec: implement change notification

789f734

dnssec: add dht backend

7bf89e0

crypto: improve help

2a0eac5

gencrypto: jose: cose: support ED25519 and ED448

064d6c8

sai-fixes

ad2cc07

heitbaum mentioned this pull request Mar 21, 2026

OpenSSL: update to 4.0.x LibreELEC/LibreELEC.tv#11104

Draft

heitbaum force-pushed the openssl branch from ab5a2b0 to 8059288 Compare March 22, 2026 05:50

lws-team force-pushed the main branch 3 times, most recently from 6790fe8 to 609de65 Compare March 27, 2026 14:43

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

openssl: x509: allow build with OpenSSL 4.x#3560

openssl: x509: allow build with OpenSSL 4.x#3560
heitbaum wants to merge 38 commits intowarmcat:mainfrom
heitbaum:openssl

heitbaum commented Mar 21, 2026

Uh oh!

lws-team commented Mar 21, 2026

Uh oh!

heitbaum commented Mar 21, 2026

Uh oh!

heitbaum commented Mar 22, 2026

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

2 participants

Conversation

heitbaum commented Mar 21, 2026

Uh oh!

lws-team commented Mar 21, 2026

Uh oh!

heitbaum commented Mar 21, 2026

Uh oh!

heitbaum commented Mar 22, 2026

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

2 participants