apache · notroj · Jun 25, 2025 · Jun 25, 2025 · Jun 27, 2025
diff --git a/changes-entries/ssl-less-keylog.txt b/changes-entries/ssl-less-keylog.txt
@@ -0,0 +1,3 @@
+  *) mod_ssl: Drop $SSLKEYLOGFILE handling internally for OpenSSL 3.5
+     builds which enable it in libssl natively.  [Joe Orton]
+
diff --git a/modules/ssl/ssl_private.h b/modules/ssl/ssl_private.h
@@ -290,8 +290,16 @@ void free_bio_methods(void);
 #define X509_get_notAfter   X509_getm_notAfter
 #endif
 
-#if OPENSSL_VERSION_NUMBER >= 0x10101000L && !defined(LIBRESSL_VERSION_NUMBER)
-#define HAVE_OPENSSL_KEYLOG
+/* The SSL_CTX_set_keylog_callback() API is present in 1.1.1+.
+ * 
+ * OpenSSL 3.5+ also provides optional native handling of
+ * $SSLKEYLOGFILE inside libssl, which duplicates the mod_ssl support.
+ * The mod_ssl support is hence disabled for 3.5+, unless that OpenSSL
+ * feature is itself disabled (and OPENSSL_NO_SSLKEYLOG is defined).
+ */
+#if OPENSSL_VERSION_NUMBER >= 0x10101000L && !defined(LIBRESSL_VERSION_NUMBER) \
+    && (OPENSSL_VERSION_NUMBER <= 0x30500000L || defined(OPENSSL_NO_SSLKEYLOG))
+#define HAVE_OPENSSL_KEYLOG 
 #endif
 
 #ifdef HAVE_FIPS
Original file line number	Diff line number	Diff line change
		@@ -0,0 +1,3 @@
		*) mod_ssl: Drop $SSLKEYLOGFILE handling internally for OpenSSL 3.5
		builds which enable it in libssl natively. [Joe Orton]