Allow binding to OpenSSL 4 from portable builds #125687

Open
bartonjs wants to merge 5 commits into dotnet:main from bartonjs:portable_ossl4

@bartonjs
Member

No description provided.

@bartonjs bartonjs added this to the 11.0.0 milestone Mar 17, 2026
@bartonjs bartonjs requested a review from vcsjones March 17, 2026 22:23
Copilot AI review requested due to automatic review settings March 17, 2026 22:23
@dotnet-policy-service
Contributor

Tagging subscribers to this area: @bartonjs, @vcsjones, @dotnet/area-system-security
See info in area-owners.md if you want to be subscribed.

Contributor

Copilot AI left a comment

Pull request overview

This PR updates the native OpenSSL shim and X509 stack creation logic to enable portable builds to bind against OpenSSL 4 (while still preferring earlier versions when available).

Changes:

  • Probe libssl.so.4 in the distro-agnostic OpenSSL loader as a fallback when 3.x/1.1 aren’t found.
  • Route X509 stack allocations in pal_x509.c through CryptoNative_NewX509Stack() to support OpenSSL 4 thunk behavior.
  • Add portable-build logic in CryptoNative_NewX509Stack() to set OpenSSL 4 stack thunks when available.

Reviewed changes

Copilot reviewed 4 out of 4 changed files in this pull request and generated 3 comments.

| File | Description |
| --- | --- |
| src/native/libs/System.Security.Cryptography.Native/pal_x509.c | Switches temporary X509 stack creation to CryptoNative_NewX509Stack() and includes openssl.h for the prototype. |
| src/native/libs/System.Security.Cryptography.Native/opensslshim.h | Removes the shim’s type-safe sk_X509_new_null() macro now that callers are moved off it. |
| src/native/libs/System.Security.Cryptography.Native/opensslshim.c | Adds runtime probing for libssl.so.4 after attempts for 3.x and 1.1. |
| src/native/libs/System.Security.Cryptography.Native/openssl.c | Adds portable-build thunk setup for X509 stacks via OPENSSL_sk_set_thunks when present. |

Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>
Copilot AI review requested due to automatic review settings March 17, 2026 22:44
Contributor

Copilot AI left a comment

Pull request overview

This PR updates System.Security.Cryptography.Native’s OpenSSL shims to allow portable builds (distro-agnostic SSL) to successfully bind to OpenSSL 4 at runtime, and adjusts X509 stack creation so it can interoperate with OpenSSL 4’s stack free callback/thunking behavior.

Changes:

  • Probe libssl.so.4 in the portable OpenSSL loader (after 3.x and 1.1.x).
  • Route X509 stack allocations in pal_x509.c through CryptoNative_NewX509Stack() instead of direct sk_X509_new_null().
  • In portable builds, configure newly-created OpenSSL stacks with OPENSSL_sk_set_thunks when available (to support OpenSSL 4).

Reviewed changes

Copilot reviewed 4 out of 4 changed files in this pull request and generated no comments.

| File | Description |
| --- | --- |
| src/native/libs/System.Security.Cryptography.Native/pal_x509.c | Switches internal X509 stack allocations to CryptoNative_NewX509Stack() and includes openssl.h for the declaration. |
| src/native/libs/System.Security.Cryptography.Native/opensslshim.h | Removes the local type-safe sk_X509_new_null() shim macro (callers moved to CryptoNative_NewX509Stack()). |
| src/native/libs/System.Security.Cryptography.Native/opensslshim.c | Extends runtime probing to try loading libssl.so.4 when 3.x and 1.1.x are not found. |
| src/native/libs/System.Security.Cryptography.Native/openssl.c | Updates CryptoNative_NewX509Stack() to use OPENSSL_sk_new_null() and (when present) OPENSSL_sk_set_thunks in portable builds. |

Member

@vcsjones vcsjones left a comment

3 participants