The topic/jsiwek/openssl-1.1 branch in bro and cmake repos adds OpenSSL 1.1 support. There were some oddities, but the commit messages may explain those well enough.
can be closed if these changes get merged.
@robin - you put your comment into the wrong ticket.
I took a look at this - and this looks pretty great, thanks a lot Jon. It also looks like it was a pain to get to work correctly.
I will get this merged either today or tomorrow.
So - one thing that I wonder about:
If I understand everything correctly, this will make us unable to correctly parse the certificates from RDP connections.
Which from my point of view is sad - but not the hugest loss - and potentially also a bit hard to avoid. The old way of fixing this was a bit hacky.
Should we warn people about this somehow?
Ah, but it is only the key material that does not work. So - less of a problem probably...
I guess we could add this in a "known issues" field in the NEWS, depending on how everyone feels about it.
A "known issues" field may be fine – it was indeed just a problem w/ OpenSSL 1.1 and extracting key info from RDP certs.
Underlying issue seems to be Microsoft sets the wrong algorithm in the cert and the trickery of manually overwriting it no longer works. Not sure if there's some other way to update that hack, here was maybe one reference to code that looked a bit different and intended for OpenSSL 1.1 compatibility, but still didn't work for me: