Build failure against openssl 1.1.1g

[charles-dyfis-net]

I'm able to build against the (now unsupported) OpenSSL 1.0.2, or LibreSSL 3.1.3, but not OpenSSL 1.1.1g.

Using the following Nix derivation (to reproducibly specify the build environment when combined with a pinned version of nixpkgs; using a snapshot of nixos-20.09 for the below):

{ nixpkgs ? import <nixpkgs> {}, stdenv ? nixpkgs.stdenv, openssl ? nixpkgs.openssl, fetchFromGitHub ? nixpkgs.fetchFromGitHub }:

stdenv.mkDerivation rec {
  pname = "2cca";
  version = "20201005";

  src = fetchFromGitHub {
    owner = "nicolas314";
    repo = pname;
    rev = "d27fc5d2a7d99d687c3eff895a5a3cd5bc260b64";
    sha256 = "1iwi3wq5p0jjnrmrbhxbamh96an4j2c609y2pjs3nsz9ak0bzpi9";
  };

  nativeBuildInputs = [ openssl ];

  installPhase = ''
    mkdir -p $out/bin
    cp -- 2cca{,.py} $out/bin/
  '';
}

...I receive the error:

building '/nix/store/szaxvcinfh9acgvxhb7h3vzl6p1yknva-2cca-20201005.drv'...
unpacking sources
unpacking source archive /nix/store/n73cp8mhc12c7axvlsi8qgl97dyl1gig-source
source root is source
patching sources
configuring
no configure script, doing nothing
building
build flags: SHELL=/nix/store/2jysm3dfsgby5sw5jgj43qjrb5v79ms9-bash-4.4-p23/bin/bash
gcc -g -Wall -o 2cca 2cca.c -lcrypto
2cca.c: In function 'build_identity':
2cca.c:239:9: warning: 'RSA_generate_key' is deprecated [-Wdeprecated-declarations]
  239 |         rsa = RSA_generate_key(certinfo.rsa_keysz, RSA_F4, progress, 0);
      |         ^~~
In file included from /nix/store/lwcrmj44j6s5ww3j0ybar2jc7kf9ddzq-openssl-1.1.1g-dev/include/openssl/e_os2.h:13,
                 from /nix/store/lwcrmj44j6s5ww3j0ybar2jc7kf9ddzq-openssl-1.1.1g-dev/include/openssl/asn1.h:14,
                 from 2cca.c:15:
/nix/store/lwcrmj44j6s5ww3j0ybar2jc7kf9ddzq-openssl-1.1.1g-dev/include/openssl/rsa.h:235:1: note: declared here
  235 | DEPRECATEDIN_0_9_8(RSA *RSA_generate_key(int bits, unsigned long e, void
      | ^~~~~~~~~~~~~~~~~~
2cca.c: In function 'show_crl':
2cca.c:398:34: error: dereferencing pointer to incomplete type 'X509_REVOKED' {aka 'struct x509_revoked_st'}
  398 |         i2a_ASN1_INTEGER(out, rev->serialNumber);
      |                                  ^~
2cca.c: In function 'set_serial128':
2cca.c:93:5: warning: ignoring return value of 'fread', declared with attribute warn_unused_result [-Wunused-result]
   93 |     fread(c_serial, SERIAL_SZ, 1, urandom);
      |     ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
make: *** [Makefile:23: 2cca] Error 1
builder for '/nix/store/szaxvcinfh9acgvxhb7h3vzl6p1yknva-2cca-20201005.drv' failed with exit code 2
error: build of '/nix/store/szaxvcinfh9acgvxhb7h3vzl6p1yknva-2cca-20201005.drv' failed

[nicolas314]

Yep. Between OpenSSL 1.0 and 1.1, the APIs have fundamentally changed so 2cca.c would need to be rewritten pretty much from scratch. As indicated in the README file, I have decided to maintain the Python version (2cca.py) instead as command-line openssl appears more stable.
Would you be more interested in a C-based version than a Python one?

[romanholidaypancakes]

Yep. Between OpenSSL 1.0 and 1.1, the APIs have fundamentally changed so 2cca.c would need to be rewritten pretty much from scratch. As indicated in the README file, I have decided to maintain the Python version (2cca.py) instead as command-line openssl appears more stable.
Would you be more interested in a C-based version than a Python one?

yes, we need C-based version.
or directly use openssl3 for development is a better choice： OpenSSL 3.0 Has Been Released!

[nicolas314]

I will have a look at openssl 3.0, though you will understand that having bit bitten hard by incompatible changes in the API without any warning whatsoever, I am reluctant to link against that library.
This is stuff I do in my spare time, and I stopped using OpenVPN a while ago now. Until this is done, pull requests are most welcome!