10 changes: 9 additions & 1 deletion content/momentum/3/3-api/hooks-core-ec-ssl-ssl-ctx-fixup.md
@@ -1,5 +1,5 @@
---
lastUpdated: "06/30/2024"
lastUpdated: "06/03/2026"
title: "ec_ssl_SSL_CTX_fixup"
description: "ec ssl SSL CTX fixup This hook provides an opportunity for modules to alter the context and add passphrase callbacks via Open SSL functions"
---
Expand Down Expand Up @@ -32,6 +32,14 @@ This hook provides an opportunity for modules to alter the context and add passp
* *`SSL_CTX_set_default_passwd_cb()`*
* *`SSL_CTX_set_default_passwd_cb_userdata()`*

> **NOTE: OpenSSL compatibility (Momentum 5.3.0 and later).** This hook is unchanged — the signature and the passphrase callbacks above remain valid. The items below were already inert on the OpenSSL build Momentum actually links against (1.1.1, as on RHEL 8), so 5.3.0 makes their status explicit rather than withdrawing a working capability. The supported range is 1.1.1 through the 3.x series. Points to be aware of if your module alters the context here:
>
> * The context is created with `TLS_method()`. This is a rename, not a behavior change: `SSLv23_*_method()` has been a `#define` alias for `TLS_method()` since OpenSSL 1.1.0. `SSLv2`/`SSLv3` were already never negotiated, and `TLSv1.0`/`TLSv1.1` are typically blocked by the system crypto policy (for example, the RHEL 8 DEFAULT policy permits only TLS 1.2 and TLS 1.3). See [tls_protocols](/momentum/4/config/tls-protocols).
> * The temporary-RSA mechanism (`SSL_CTX_set_tmp_rsa_callback()`) is retired. It was already a no-op on 1.1.1 — export-grade cipher suites, the only thing it served, do not exist in TLS 1.1 and later — so a fixup that set such a callback was already having no effect.
> * `ENGINE`-based manipulation is the one genuine version dependency, not an "already ignored" case: it **still works on OpenSSL 1.1.1 builds (such as RHEL 8)** and only stops working if your deployment moves to an OpenSSL 3.x build, where the `ENGINE` API gives way to the provider model. On OpenSSL 3.x, configure the appropriate provider at the library level instead. See [crypto_engine](/momentum/4/config/ref-crypto-engine).
>
> So when upgrading to 5.3.0 on the same OpenSSL 1.1.1 platform, an existing fixup module behaves as before. The case that warrants review is moving to an OpenSSL 3.x build, where `ENGINE`-based context manipulation done here will silently have no effect (no build or runtime error).
**<a name="idp42803952"></a> Parameters**

<dl class="variablelist">
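Review bot: the lead sentence of the new NOTE block contradicts its own third bullet. It states that "The items below were already inert on the OpenSSL build Momentum actually links against", yet the `ENGINE` bullet is explicitly "the one genuine version dependency, not an 'already ignored' case" and still works on 1.1.1. Suggest narrowing the lead to what it actually covers, e.g. "The first two items below were already inert ...", or moving the ENGINE bullet out from under that sentence. Also, the closing line "So when upgrading to 5.3.0 ..." is followed directly by `**<a name="idp42803952"></a> Parameters**` with no blank line; in Markdown that paragraph becomes a lazy continuation of the blockquote, so the Parameters heading will render inside the note. Add a blank line after the `>` block, as `ssl-lock-method.md` and `tls.md` do in this same change.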
2 changes: 1 addition & 1 deletion content/momentum/4/4-console-commands.md
Expand Up @@ -158,7 +158,7 @@ This table lists all console commands alphabetically giving a brief description.
| [threads io queue](/momentum/4/console-commands/threads) – Display summary statistics for the IO thread pools | 4.0 |   | stats |
| [threads stats](/momentum/4/console-commands/threads) – Display summary statistics for thread pools | 4.0 |   | stats |
| [tls flush cache](/momentum/4/console-commands/tls) – Flush the TLS cache | 4.0 |   | tls |
| [tls rekey](/momentum/4/console-commands/tls) – Remove the temporary RSA key | 4.0 |   | tls |
| [tls rekey](/momentum/4/console-commands/tls) – Remove the temporary RSA key | 4.0 through 5.2 |   | tls |
| [tls show cache](/momentum/4/console-commands/tls) – Show the TLS cache | 4.0 |   | tls |
| [trace smtp add](/momentum/4/console-commands/trace-smtp) – Add an SMTP trace | 4.0 |   | misc |
| [trace smtp list](/momentum/4/console-commands/trace-smtp) – List smtp traces | 4.0 |   | misc |
4 changes: 2 additions & 2 deletions content/momentum/4/config-options-summary.md
Expand Up @@ -107,7 +107,7 @@ The `Version` column indicated the version(s) of Momentum that support the optio
| [control_listener](/momentum/4/control-listener#control_listener.config) *(scope)* – Listener for incoming control connections | na |   | 4.0 and later | global |
| [critical](/momentum/4/config/ref-debug-flags) – Set the debug level | na | ALL | 4.0 and later | debug_flags |
| [crypto_engine](/momentum/4/config/ref-crypto-engine) – Enable hardware cryptography acceleration | both |   | 4.0 and later | global |
| [crypto_lock_method](/momentum/4/config/crypto-lock-method) – Set the locking method used by the TLS layer | receiving and sending | EC_SSL_DEFAULTLOCK (*non-dynamic*) | 4.0 and later | global |
| [crypto_lock_method](/momentum/4/config/crypto-lock-method) – Set the locking method used by the TLS layer | receiving and sending | EC_SSL_DEFAULTLOCK (*non-dynamic*) | 4.0 through 5.2 | global |
| [debug](/momentum/4/config/ref-debug-flags) – Set the debug level | na |   | 4.0 and later | debug_flags |
| [debug_flags](/momentum/4/config/ref-debug-flags) *(scope)* – Configure debug verbosity | na |   | 4.0 and later | global |
| [debug_level](/momentum/4/4-module-config) – Set the module debug level (applicable to all modules) (cluster-specific) | na | error | 4.0 and later | cluster |
Expand Down Expand Up @@ -331,7 +331,7 @@ The `Version` column indicated the version(s) of Momentum that support the optio
| [soft_bounce_drain_rate](/momentum/4/config/ref-soft-bounce-drain-rate) – How many soft bounces to place into the mail queues in a single scheduler iteration | sending | 100 | 4.0 and later | global |
| [spool_mode](/momentum/4/config/ref-spool-mode) – Set the file mode for newly created spool files | na | 0640 (*non-dynamic*) | 4.0 and later | global |
| [spoolbase](/momentum/4/config/ref-spoolbase) – Set the base directory for the spool | na | /var/spool/ecelerity (*non-dynamic*) | 4.0 and later | global |
| [ssl_lock_method](/momentum/4/config/ssl-lock-method) – Specify the SSL lock method | na | mutex (*non-dynamic*) | 4.0 and later | global |
| [ssl_lock_method](/momentum/4/config/ssl-lock-method) – Specify the SSL lock method | na | mutex (*non-dynamic*) | 4.0 through 5.2 | global |
| [stack_size](/momentum/4/config/ref-threadpool) – Stack space for a threadpool | na | 0 (*non-dynamic*) | 4.0 and later | threadpool |
| [starttls_injection_policy](/momentum/4/config/starttls-injection-policy) – Protect against SMTP injections prior to TLS | receiving | reject | 4.0 and later | esmtp_listener, listen, pathway, pathway_group, peer |
| [state](/momentum/4/config/ref-snmp) – Whether to enable the SNMP agent | na | 1 (*non-dynamic*) | 4.0 and later | snmp |
6 changes: 4 additions & 2 deletions content/momentum/4/config/crypto-lock-method.md
@@ -1,5 +1,5 @@
---
lastUpdated: "03/26/2020"
lastUpdated: "06/03/2026"
title: "crypto_lock_method"
description: "crypto lock method set the locking method used by the TLS layer Crypto Lock Method EC SSL SPINLOCK Crypto Lock Method EC SSL MUTEX Crypto Lock Method EC SSL DEFAULTLOCK This option affects how thread safe locking is performed You should not need to change the default value of this..."
---
Expand All @@ -9,6 +9,8 @@ description: "crypto lock method set the locking method used by the TLS layer Cr

crypto_lock_method — set the locking method used by the TLS layer

> **NOTE: This option is DEPRECATED as of Momentum 5.3.0 and has no effect.** OpenSSL 1.1.1 and later (the supported range, from 1.1.1 on RHEL 8 through the 3.x series) is internally thread-safe; the `CRYPTO_set_locking_callback()`-based locking that this option configured was retired from OpenSSL itself. The option is still accepted so existing configurations continue to load, but it is ignored and logs a deprecation warning when set; remove it from `ecelerity.conf` to silence the warning. This page is retained for reference on releases prior to 5.3.0. See also [ssl_lock_method](/momentum/4/config/ssl-lock-method).
## Synopsis

`Crypto_Lock_Method = "EC_SSL_SPINLOCK"`
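Review bot: missing blank line between the new `>` NOTE paragraph and `## Synopsis`. The heading still renders as a heading, but the equivalent note added to `ssl-lock-method.md` in this change leaves a blank line after the blockquote; keep the two sibling pages consistent. Separately, "logs a deprecation warning when set" is the only cue an operator has for finding a stale setting, so it would help to say where that warning appears (which log and at what severity) so it can be searched for.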
Expand All @@ -27,4 +29,4 @@ The default value for option is `EC_SSL_DEFAULTLOCK`.
<a name="idp24013872"></a>
## Scope

`crypto_lock_method` is valid in the global scope.
`crypto_lock_method` is valid in the global scope.
4 changes: 3 additions & 1 deletion content/momentum/4/config/ref-crypto-engine.md
Expand Up @@ -9,6 +9,8 @@ description: "crypto engine enable hardware cryptography acceleration crypto eng

crypto_engine — enable hardware cryptography acceleration

> **NOTE: This option depends on the OpenSSL ENGINE API, which was removed in OpenSSL 3.0 in favor of the provider model.** On builds running OpenSSL 3.x, `crypto_engine` has no effect and is silently ignored; it remains functional only on OpenSSL 1.1.1 builds (for example, RHEL 8).
## Synopsis

crypto_engine = "*`engine_name`*"
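Review bot: "which was removed in OpenSSL 3.0" is inaccurate. OpenSSL 3.0 deprecates the ENGINE API in favor of providers but still ships it by default; it is absent only from builds configured without engine support. As written, "has no effect and is silently ignored" on every 3.x build is stronger than the statement supports. Suggest "deprecated in OpenSSL 3.0 and may be unavailable depending on how the library was built", and align the matching sentence in `hooks-core-ec-ssl-ssl-ctx-fixup.md` ("will silently have no effect") with whichever wording is chosen. Two smaller points: this is the only page touched here whose `lastUpdated` frontmatter was not bumped to "06/03/2026" (no `@@ -1,5 +1,5 @@` hunk for this file), and the blockquote runs directly into `## Synopsis` without a blank line.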
Expand All @@ -27,4 +29,4 @@ The example below shows how to configure Momentum to use the pkcs12 engine.
<a name="idp23999840"></a>
## Scope

crypto_engine is valid in the global scope.
crypto_engine is valid in the global scope.
6 changes: 4 additions & 2 deletions content/momentum/4/config/ssl-lock-method.md
@@ -1,5 +1,5 @@
---
lastUpdated: "03/26/2020"
lastUpdated: "06/03/2026"
title: "ssl_lock_method"
description: "ssl lock method the SSL lock method SSL Lock Method mutex spinlock This option specifies the SSL lock method This option should be changed in consultation with Message Systems support only if SSL performance issues are encountered with the default method This option can be set to the following mutex..."
---
Expand All @@ -9,6 +9,8 @@ description: "ssl lock method the SSL lock method SSL Lock Method mutex spinlock

ssl_lock_method — the SSL lock method

> **NOTE: This option is DEPRECATED as of Momentum 5.3.0 and has no effect.** OpenSSL 1.1.1 and later (the supported range, from 1.1.1 on RHEL 8 through the 3.x series) is internally thread-safe and no longer uses the application-supplied crypto locking callbacks that this option controlled. The option is still accepted so existing configurations continue to load, but it is ignored and logs a deprecation warning when set; remove it from `ecelerity.conf` to silence the warning. This page is retained for reference on releases prior to 5.3.0. See also [crypto_lock_method](/momentum/4/config/crypto-lock-method).

## Synopsis

`SSL_Lock_Method = "mutex|spinlock"`
Expand All @@ -33,4 +35,4 @@ The default value for this option is `mutex`.
<a name="idp26659552"></a>
## Scope

`ssl_lock_method` is valid in the global scope.
`ssl_lock_method` is valid in the global scope.
24 changes: 16 additions & 8 deletions content/momentum/4/config/tls-protocols.md
@@ -1,5 +1,5 @@
---
lastUpdated: "09/20/2023"
lastUpdated: "06/03/2026"
title: "tls_protocols"
description: "tls protocols allowable ciphers for TLS inbound and outbound sessions tls protocols baseprotocol additional protocols Configuration Change This option is available as of version 4 1 0 2 tls protocols specifies the allowable protocols for an Open SSL TLS session The available protocols are ALL SS Lv 2 SS Lv..."
---
Expand All @@ -16,21 +16,29 @@ tls_protocols — allowable ciphers for TLS inbound and outbound sessions
<a name="idp26990416"></a>
## Description

**Configuration Change. ** This option is available as of version 4.1.0.2\.
`tls_protocols` specifies the allowable protocols for an OpenSSL TLS session. Momentum parses the
tokens `ALL`, `SSLv2`, `SSLv3`, `TLSv1.0`, `TLSv1.1`, `TLSv1.2` and `TLSv1.3` (the last since Momentum
4.6). Each is enabled or disabled by prefixing its name with a “+” or “-“ respectively. The following example disables the older protocols, leaving TLS 1.2 and TLS 1.3:

`tls_protocols` specifies the allowable protocols for an OpenSSL TLS session. The available
protocols are `ALL`, `SSLv2`, `SSLv3`, `TLSv1.0`, `TLSv1.1`, `TLSv1.2` and `TLSv1.3` (since Momentum
4.6). Each set can be enabled or disabled by prefixing its name with a “+” or “-“ respectively. The following example shows the SSLv2 and SSLv3 protocols being disabled:

`TLS_Protocols = "+ALL:-SSLv2:-SSLv3"`
`TLS_Protocols = "+ALL:-SSLv3:-TLSv1.0:-TLSv1.1"`

This option has no meaning for GNUTLS.

The default value is “+ALL”.

### Note

In Centos/RHEL 5, which are typically shipped with OpenSSL 0.98, TLSv1.1, TLSv1.2 and TLSv1.3 are not available.
The tokens above are still accepted for backward compatibility, but which protocols can **actually** be negotiated is determined by the OpenSSL build (1.1.1, as on RHEL 8, through the 3.x series) and — on distributions that ship one — the system-wide crypto policy:

* **SSLv2** — removed from OpenSSL as of 1.1.0 and never negotiated. Momentum builds its contexts with `TLS_method()`, so the `SSLv2` token has no effect.

* **SSLv3** — insecure and disabled by default; platform OpenSSL packages (including RHEL 8) typically compile it out or block it via the crypto policy. Treat it as unavailable.

* **TLSv1.0 / TLSv1.1** — deprecated; still implemented by OpenSSL but commonly disabled by the OS crypto policy. For example, the RHEL 8 DEFAULT policy permits only TLS 1.2 and TLS 1.3, so enabling these tokens has no effect there.

* **TLSv1.2 / TLSv1.3** — the protocols in normal use.

As a result, `+ALL` no longer implies SSLv2 or SSLv3, and on a typical RHEL 8 deployment it resolves to TLS 1.2 and TLS 1.3 only.

<a name="idp26999712"></a>
## Scope
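Review bot: the rewritten description line keeps the typographic quotes around the prefix characters, “+” or “-“, with a left double quote on both sides of the minus (carried over from the old line). These are the literal characters an operator types into `tls_protocols`, so put them in backticks (`+` and `-`) so that copy-paste yields ASCII. The new example `"+ALL:-SSLv3:-TLSv1.0:-TLSv1.1"` is consistent with the text ("leaving TLS 1.2 and TLS 1.3") and with the bullet saying the `SSLv2` token has no effect, but since the previous example carried `-SSLv2`, one clause explaining why it was dropped would pre-empt the obvious question. Finally, the list says the negotiable set depends on the system crypto policy "on distributions that ship one" and asserts the RHEL 8 DEFAULT outcome, but gives the reader no way to confirm the policy active on their own host; a pointer to the distribution's crypto-policy documentation would make that claim checkable.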
10 changes: 5 additions & 5 deletions content/momentum/4/config/tlsv13-ciphersuites.md
@@ -1,5 +1,5 @@
---
lastUpdated: "09/20/2023"
lastUpdated: "06/03/2026"
title: "tlsv13_ciphersuites"
description: "specify allowable ciphersuites for TLS inbound and outbound sessions when TLSv1.3 protocol is negotiated and used"
---
Expand All @@ -24,7 +24,7 @@ allowable ciphersuites must be a subset of the available TLSv1.3 ciphersuites on

When TLS_Engine is set to `openssl`, `TLSv13_Ciphersuites` specifies a "ciphersuite list", which is a
colon (":") separated list of the supported TLSv1.3 ciphersuite names in order of preference.
There are 5 valid TLSv1.3 ciphersuites that are supported by OpenSSL 1.1.1:
There are 5 valid TLSv1.3 ciphersuites, supported across the full OpenSSL range used by Momentum (1.1.1 — as on RHEL 8 — through the 3.x series):
```
TLS_AES_256_GCM_SHA384
TLS_CHACHA20_POLY1305_SHA256
Expand All @@ -33,14 +33,14 @@ There are 5 valid TLSv1.3 ciphersuites that are supported by OpenSSL 1.1.1:
TLS_AES_128_CCM_SHA256
```
By default (if not explicitly specified through this configuration option), only the first three are enabled.
On the host machine, `openssl11 ciphers -s -tls1_3` can show the default TLSv1.3 ciphersuites;
`openssl11 ciphers -tls1_3 -v -s -ciphersuites TLS_AES_128_CCM_8_SHA256:TLS_AES_128_CCM_SHA256` can
On the host machine, `openssl ciphers -s -tls1_3` can show the default TLSv1.3 ciphersuites;
`openssl ciphers -tls1_3 -v -s -ciphersuites TLS_AES_128_CCM_8_SHA256:TLS_AES_128_CCM_SHA256` can
check whether the last two ciphersuites are supported if enabled.
For more information about the TLSv1.3 ciphersuites, see
[https://wiki.openssl.org/index.php/TLS1.3#Ciphersuites](https://wiki.openssl.org/index.php/TLS1.3#Ciphersuites).


* To set the option to all the 5 TLSv1.3 ciphersuites supported by OpenSSL 1.1.1:
* To set the option to all 5 supported TLSv1.3 ciphersuites:

```
TLSv13_Ciphersuites = "TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256:TLS_AES_128_CCM_8_SHA256:TLS_AES_128_CCM_SHA256"
6 changes: 4 additions & 2 deletions content/momentum/4/console-commands/tls.md
@@ -1,5 +1,5 @@
---
lastUpdated: "03/26/2020"
lastUpdated: "06/03/2026"
title: "tls"
description: "tls show cache tls flush cache tls rekey manage TLS cache used by Momentum tls flush cache tls rekey tls show cache tls show cache shows information of the TLS cache used by the server tls flush cache flushes TLS cache tls rekey removes the temporary RSA key Next use..."
---
Expand All @@ -9,6 +9,8 @@ description: "tls show cache tls flush cache tls rekey manage TLS cache used by

tls show cache, tls flush cache, tls rekey — manage TLS cache used by Momentum

> **NOTE: The `tls rekey` subcommand was REMOVED in Momentum 5.3.0 and is no longer a valid command.** It managed a temporary RSA key used for export-grade cipher suites; that mechanism was retired from OpenSSL (the `SSL_CTX_set_tmp_rsa_callback()` API) and from Momentum as part of the OpenSSL 1.1.1+/3.x modernization. On 5.3.0 and later, `tls show cache` no longer prints a "Temp RSA key" line. The `tls rekey` description below is retained for reference on releases prior to 5.3.0.

## Synopsis

`tls flush cache`
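Review bot: the note declares `tls rekey` "no longer a valid command", but the name line above it ("tls show cache, tls flush cache, tls rekey — manage TLS cache used by Momentum") and the Synopsis that follows still present it as a current subcommand with no marker. Since the text below is kept "for reference on releases prior to 5.3.0", tag the `tls rekey` entries in the Synopsis and description with "(prior to 5.3.0)" so a reader who skims past the note does not take it as available. It would also be useful to state what 5.3.0 and later return when the command is issued, since the note only says it is no longer valid.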
Expand Down Expand Up @@ -51,4 +53,4 @@ Cache flush request submitted.
```
13:34:55 ecelerity(/tmp/2025)> tls rekey
Rekey request submitted.
```
```