Bug
Resolution: Unresolved
rhel-10.0.beta
rhel-sst-cs-net-perf-services
ssg_core_services
What were you trying to do that didn't work?
I started looking inside ldns and found that it masks deprecated API calls for OpenSSL 3 with CFLAGS="-DOPENSSL_API_COMPAT=10100 $CFLAGS" in configure. Quite a lot of functionality still requires deprecated calls. At least the creation of DSA and RSA keys should be converted to use EVP_PKEY_fromdata and create an EVP_PKEY directly from functions like ldns_key_buf2rsa_raw.
While it should be possible to keep backward compatibility when those APIs are still available, I think work on the possibility of using only non-deprecated APIs should be started. Eventually, switching would have to be required. At least optional support would be great for a start.
The EVP_PKEY-RSA(7), OSSL_PARAM_int(3ossl) and OSSL_PARAM_BLD manuals might help.
That would be a prerequisite for implementing EVP_PKEY_CTX_new_from_name key creation using alternative providers as a replacement for the deprecated ENGINE support.
Please provide the package NVR for which the bug is seen:
ldns-1.8.3-15.el10
How reproducible:
Steps to reproduce
- Remove manual -DOPENSSL_API_COMPAT=10100 from CFLAGS
- Compile source code
Expected results
No warnings. Or warnings only on deprecated calls.
Actual results
Deprecated calls are used from non-deprecated ldns calls, which have no alternative using supported APIs.
Created upstream issue https://github.com/NLnetLabs/ldns/issues/243