new file mode 100644
@@ -0,0 +1,148 @@
+From f581a10cbf5b40afbee2d9fc9454ce12e1611668 Mon Sep 17 00:00:00 2001
+From: Rosen Penev <rosenp@gmail.com>
+Date: Tue, 19 Jun 2018 21:44:57 -0700
+Subject: [PATCH] OpenSSL: Fix compilation with deprecated APIs disabled on 1.1
+
+Signed-off-by: Rosen Penev <rosenp@gmail.com>
+---
+ src/openvpn/crypto_openssl.c | 9 +++++++++
+ src/openvpn/ssl_openssl.c | 32 +++++++++++++++++++++++++++++++-
+ src/openvpn/ssl_verify_openssl.c | 1 +
+ 3 files changed, 41 insertions(+), 1 deletion(-)
+
+diff --git a/src/openvpn/crypto_openssl.c b/src/openvpn/crypto_openssl.c
+index 4fb2f6d6..816d8002 100644
+--- a/src/openvpn/crypto_openssl.c
++++ b/src/openvpn/crypto_openssl.c
+@@ -670,11 +670,16 @@ cipher_ctx_init(EVP_CIPHER_CTX *ctx, const uint8_t *key, int key_len,
+ {
+ ASSERT(NULL != kt && NULL != ctx);
+
++#if OPENSSL_VERSION_NUMBER < 0x10100000L
+ EVP_CIPHER_CTX_init(ctx);
++#else
++ EVP_CIPHER_CTX_new();
++#endif
+ if (!EVP_CipherInit(ctx, kt, NULL, NULL, enc))
+ {
+ crypto_msg(M_FATAL, "EVP cipher init #1");
+ }
++
+ #ifdef HAVE_EVP_CIPHER_CTX_SET_KEY_LENGTH
+ if (!EVP_CIPHER_CTX_set_key_length(ctx, key_len))
+ {
+@@ -693,7 +698,11 @@ cipher_ctx_init(EVP_CIPHER_CTX *ctx, const uint8_t *key, int key_len,
+ void
+ cipher_ctx_cleanup(EVP_CIPHER_CTX *ctx)
+ {
++#if OPENSSL_VERSION_NUMBER < 0x10100000L
+ EVP_CIPHER_CTX_cleanup(ctx);
++#else
++ EVP_CIPHER_CTX_free(ctx);
++#endif
+ }
+
+ int
+diff --git a/src/openvpn/ssl_openssl.c b/src/openvpn/ssl_openssl.c
+index 527a600a..92ed4926 100644
+--- a/src/openvpn/ssl_openssl.c
++++ b/src/openvpn/ssl_openssl.c
+@@ -56,6 +56,15 @@
+ #include <openssl/pkcs12.h>
+ #include <openssl/x509.h>
+ #include <openssl/crypto.h>
++#ifndef OPENSSL_NO_DH
++#include <openssl/dh.h>
++#endif
++#ifndef OPENSSL_NO_DSA
++#include <openssl/dsa.h>
++#endif
++#ifndef OPENSSL_NO_RSA
++#include <openssl/rsa.h>
++#endif
+ #ifndef OPENSSL_NO_EC
+ #include <openssl/ec.h>
+ #endif
+@@ -71,11 +80,19 @@ int mydata_index; /* GLOBAL */
+ void
+ tls_init_lib(void)
+ {
++#if OPENSSL_VERSION_NUMBER < 0x10100000L
+ SSL_library_init();
++ OpenSSL_add_all_algorithms();
+ #ifndef ENABLE_SMALL
+ SSL_load_error_strings();
+ #endif
+- OpenSSL_add_all_algorithms();
++#else
++#ifndef ENABLE_SMALL
++ OPENSSL_init_ssl(OPENSSL_INIT_LOAD_SSL_STRINGS, NULL);
++#else
++ OPENSSL_init_ssl(OPENSSL_INIT_NO_LOAD_SSL_STRINGS, NULL);
++#endif
++#endif
+
+ mydata_index = SSL_get_ex_new_index(0, "struct session *", NULL, NULL, NULL);
+ ASSERT(mydata_index >= 0);
+@@ -84,10 +101,12 @@ tls_init_lib(void)
+ void
+ tls_free_lib(void)
+ {
++#if OPENSSL_VERSION_NUMBER < 0x10100000L //this is no-op in future versions
+ EVP_cleanup();
+ #ifndef ENABLE_SMALL
+ ERR_free_strings();
+ #endif
++#endif
+ }
+
+ void
+@@ -473,6 +492,11 @@ tls_ctx_check_cert_time(const struct tls_root_ctx *ctx)
+ goto cleanup; /* Nothing to check if there is no certificate */
+ }
+
++#if OPENSSL_VERSION_NUMBER >= 0x10100000L
++#define X509_get_notBefore X509_get0_notBefore
++#define X509_get_notAfter X509_get0_notAfter
++#endif
++
+ ret = X509_cmp_time(X509_get_notBefore(cert), NULL);
+ if (ret == 0)
+ {
+@@ -567,7 +591,9 @@ tls_ctx_load_ecdh_params(struct tls_root_ctx *ctx, const char *curve_name
+ #if OPENSSL_VERSION_NUMBER >= 0x10002000L
+ /* OpenSSL 1.0.2 and newer can automatically handle ECDH parameter
+ * loading */
++#if OPENSSL_VERSION_NUMBER < 0x10100000L
+ SSL_CTX_set_ecdh_auto(ctx->ctx, 1);
++#endif
+ return;
+ #else
+ /* For older OpenSSL we have to extract the curve from key on our own */
+@@ -2037,7 +2063,11 @@ get_highest_preference_tls_cipher(char *buf, int size)
+ const char *
+ get_ssl_library_version(void)
+ {
++#if OPENSSL_VERSION_NUMBER < 0x10100000L
+ return SSLeay_version(SSLEAY_VERSION);
++#else
++ return OpenSSL_version(OPENSSL_VERSION);
++#endif
+ }
+
+ #endif /* defined(ENABLE_CRYPTO_OPENSSL) */
+diff --git a/src/openvpn/ssl_verify_openssl.c b/src/openvpn/ssl_verify_openssl.c
+index 9b984751..82460ae7 100644
+--- a/src/openvpn/ssl_verify_openssl.c
++++ b/src/openvpn/ssl_verify_openssl.c
+@@ -46,6 +46,7 @@
+
+ #include <openssl/x509v3.h>
+ #include <openssl/err.h>
++#include <openssl/bn.h>
+
+ int
+ verify_callback(int preverify_ok, X509_STORE_CTX *ctx)
+--
+2.17.1
+
@@ -56,6 +56,15 @@
#include <openssl/pkcs12.h>
#include <openssl/x509.h>
#include <openssl/crypto.h>
+#ifndef OPENSSL_NO_DH
+#include <openssl/dh.h>
+#endif
+#ifndef OPENSSL_NO_DSA
+#include <openssl/dsa.h>
+#endif
+#ifndef OPENSSL_NO_RSA
+#include <openssl/rsa.h>
+#endif
#ifndef OPENSSL_NO_EC
#include <openssl/ec.h>
#endif
@@ -46,6 +46,7 @@
#include <openssl/x509v3.h>
#include <openssl/err.h>
+#include <openssl/bn.h>
int
verify_callback(int preverify_ok, X509_STORE_CTX *ctx)
These get included when deprecated APIs are enabled. This is true on at least version 1.0.2 and 1.1.0. Without deprecated APIs, OpenVPN fails to compile. Signed-off-by: Rosen Penev <rosenp@gmail.com> --- ...ilation-with-deprecated-APIs-disable.patch | 148 ++++++++++++++++++ src/openvpn/ssl_openssl.c | 9 ++ src/openvpn/ssl_verify_openssl.c | 1 + 3 files changed, 158 insertions(+) create mode 100644 src/openvpn/0001-OpenSSL-Fix-compilation-with-deprecated-APIs-disable.patch