These changes worked for my build.

These changes worked for my build.

Ok, thanks for testing.

Looks good, just two questions:

• Do we care about OpenSSL before 3.0 built with no-dh?
• Do you want to check OPENSSL_NO_DH before including openssl/dh.h? DH_free is the only symbol we use from this header.

I briefly wondered about the lifetime expectancy for the OPENSSL_NO_DEPRECATED_X_Y macros, but I doubt we'll learn that before the OpenSSL 4.0 release next year. No reason to worry about it right now.

I briefly wondered about the lifetime expectancy for the OPENSSL_NO_DEPRECATED_X_Y macros, but I doubt we'll learn that before the OpenSSL 4.0 release next year. No reason to worry about it right now.

They are documented in the internal deprecation.pod:

B<OSSL_DEPRECATEDIN_I<version>> and B<OPENSSL_NO_DEPRECATED_I<version>> are
defined in F<< <openssl/macros.h> >>.

In those macro names, B<I<version>> corresponds to the OpenSSL release since
which the deprecation applies

And further in openssl/macros.h:

 * The macros OPENSSL_NO_DEPRECATED_{major}_{minor} are defined for
 * all OpenSSL versions up to or equal to the version given with
 * OPENSSL_API_COMPAT.  They are used as guards around anything that's
 * deprecated up to that version, as an effect of the developer option
 * 'no-deprecated'.
 */

So we can assume that at least the macros won't be renamed.
What concerns me is that they are not publicly documented.

The current scheme of testing OPENSSL_NO_DEPRECATED and OPENSSL_VERSION_NUMBER
is used to work as well to some extent.

The difference is that OPENSSL_NO_DEPRECATED_X_Y better suites our needs
when OPENSSL_NO_DEPRECATED is defined but OPENSSL_API_LEVEL is set lower than a tested version.

For example, using SSL_SESSION_get_time in OpenSSL 3.5 deprecated in 3.4:

1. #if (OPENSSL_VERSION_NUMBER >= 0x3040000fL && defined OPENSSL_NO_DEPRECATED)

2. #ifdef OPENSSL_NO_DEPRECATED_3_4

As emphasized above, the current scheme[1] suffers in that case.
Specifically, SSL_SESSION_get_time() declaration is "redefined" by our macro to the _ex version,
as seen from cc -E -DOPENSSL_NO_DEPRECATED -DOPENSSL_API_COMPAT=0x10100000L ... src/event/ngx_event_openssl.c:

       long SSL_SESSION_get_time(const SSL_SESSION *s);
...
            time = SSL_SESSION_get_time_ex(sess);

This is used to work until SSL_SESSION_get_time() becomes a macro for some reason.
Amending with undef to make this future-proof looks somewhat superfluous though.

* Do we care about OpenSSL before 3.0 built with `no-dh`?

* Do you want to check `OPENSSL_NO_DH` before including `openssl/dh.h`? `DH_free` is the only symbol we use from this header.

Fixed, thanks.