Yep, confirmed: this fixes a possible issue; I also tested it with
openssl-1.1.

We are currently using the attached patch.

On 17-11-26 19:03:41, Tim Ruehsen wrote:
> Am Dienstag, den 21.11.2017, 00:07 -0600 schrieb Matthew Thode:
> > Hi,
> > 
> > It looks like openssl-1.1 support needs to be tweaked a bit to
> > support
> > building when openssl does not support deprecated features.
> > 
> > We are tracking the bug here, https://bugs.gentoo.org/604490 and have
> > an
> > attached patch here https://bugs.gentoo.org/attachment.cgi?id=498698
> > 
> > The patch looks straight forward to my untrained eyes, but I'd like
> > an
> > ack on it or to possibly get the patch committed.  (if just an ack
> > I'd
> > start carrrying it in our tree).
> > 
> 
> The patch seems to have a bug. IMO, it should be
> 
>    if (ssl_options)
>      SSL_CTX_set_options (ssl_ctx, ssl_options);
>  
> +#if !defined(LIBRESSL_VERSION_NUMBER) && (OPENSSL_VERSION_NUMBER >=
> 0x10100000L)
> +  if (ssl_proto_version)
> +    SSL_CTX_set_min_proto_version(ssl_ctx, ssl_proto_version);
> +#endif
> +
> 
> Because you declare 'ssl_proto_version' only under the above
> conditions. Which means, the patch won't compile on older versions of
> Openssl.
> 
> But please have a look and let me know if my assumption is right. The
> commit can be found in branch 'openssl-1.1'.
> 
> With Best Regards, Tim
> 
> > 



-- 
Matthew Thode (prometheanfire)
--- a/src/openssl.c
+++ b/src/openssl.c
@@ -174,11 +174,16 @@ ssl_init (void)
 {
   SSL_METHOD const *meth;
   long ssl_options = 0;
+#if !defined(LIBRESSL_VERSION_NUMBER) && (OPENSSL_VERSION_NUMBER >= 0x10100000L)
+  int ssl_proto_version = 0;
+#endif
 
 #if OPENSSL_VERSION_NUMBER >= 0x00907000
   if (ssl_true_initialized == 0)
     {
+#if OPENSSL_API_COMPAT < 0x10100000L
       OPENSSL_config (NULL);
+#endif
       ssl_true_initialized = 1;
     }
 #endif
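Review bot: The new guard `#if OPENSSL_API_COMPAT < 0x10100000L` relies on the preprocessor treating an undefined OPENSSL_API_COMPAT as 0, which is what happens on OpenSSL 1.0.x and LibreSSL where the macro is not defined by the headers; it works, but it is implicit and trips -Wundef. Spelling it `#if !defined(OPENSSL_API_COMPAT) || OPENSSL_API_COMPAT < 0x10100000L` makes the intent explicit. When the macro is at or above 1.1 nothing in this hunk loads the OpenSSL config file any more; whether the OPENSSL_init_ssl(0, NULL) call added later in this patch does so depends on the library version, so that is worth confirming rather than assuming. ssl_init's body continues beyond the hunk.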
@@ -202,8 +207,12 @@ ssl_init (void)
   CONF_modules_load_file(NULL, NULL,
       CONF_MFLAGS_DEFAULT_SECTION|CONF_MFLAGS_IGNORE_MISSING_FILE);
 #endif
+#if OPENSSL_API_COMPAT >= 0x10100000L
+  OPENSSL_init_ssl(0, NULL);
+#else
   SSL_library_init ();
   SSL_load_error_strings ();
+#endif
 #if OPENSSL_VERSION_NUMBER < 0x10100000L
   SSLeay_add_all_algorithms ();
   SSLeay_add_ssl_algorithms ();
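Review bot: The return value of `OPENSSL_init_ssl(0, NULL)` is discarded; unlike SSL_library_init(), which always returns 1, it returns 0 on failure, and the function already has an error path, so `if (!OPENSSL_init_ssl(0, NULL)) goto error;` would keep a failed initialization from silently continuing into context creation. Note also that this selector is keyed on OPENSSL_API_COMPAT while the surrounding guards in this file use OPENSSL_VERSION_NUMBER, so an OpenSSL 1.1 build with deprecated APIs still enabled takes the SSL_library_init()/SSL_load_error_strings() path; that is presumably intended (those are still provided as compatibility macros there) but a one-line comment stating it would help the next reader. ssl_init continues outside this hunk.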
@@ -229,16 +238,31 @@ ssl_init (void)
       ssl_options |= SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3;
       break;
     case secure_protocol_tlsv1:
+#if !defined(LIBRESSL_VERSION_NUMBER) && (OPENSSL_VERSION_NUMBER >= 0x10100000L)
+      meth = TLS_client_method();
+      ssl_proto_version = TLS1_VERSION;
+#else
       meth = TLSv1_client_method ();
+#endif
       break;
 
 #if OPENSSL_VERSION_NUMBER >= 0x10001000
     case secure_protocol_tlsv1_1:
+#if !defined(LIBRESSL_VERSION_NUMBER) && (OPENSSL_VERSION_NUMBER >= 0x10100000L)
+      meth = TLS_client_method();
+      ssl_proto_version = TLS1_1_VERSION;
+#else
       meth = TLSv1_1_client_method ();
+#endif
       break;
 
     case secure_protocol_tlsv1_2:
+#if !defined(LIBRESSL_VERSION_NUMBER) && (OPENSSL_VERSION_NUMBER >= 0x10100000L)
+      meth = TLS_client_method();
+      ssl_proto_version = TLS1_2_VERSION;
+#else
       meth = TLSv1_2_client_method ();
+#endif
       break;
 #else
     case secure_protocol_tlsv1_1:
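Review bot: Replacing `TLSv1_client_method ()` with `TLS_client_method()` plus a minimum version changes what the option means: the old method negotiated exactly TLS 1.0, whereas SSL_CTX_set_min_proto_version() only sets a floor, so on OpenSSL >= 1.1 `--secure-protocol=TLSv1` now accepts TLS 1.0 up to whatever the library supports (the same applies to the TLSv1_1 and TLSv1_2 cases). If the option is documented as pinning one version, the later hunk should also call `SSL_CTX_set_max_proto_version(ssl_ctx, ssl_proto_version)`; if "this version or newer" is the intended semantics (as it may already be for other TLS backends), a comment on the tlsv1 case saying so would prevent the next reader from "fixing" it. LibreSSL builds keep the old per-version methods, so their behaviour is unchanged by this hunk. The switch continues past the hunk.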
@@ -262,8 +286,15 @@ ssl_init (void)
   if (!ssl_ctx)
     goto error;
 
+#if !defined(LIBRESSL_VERSION_NUMBER) && (OPENSSL_VERSION_NUMBER >= 0x10100000L)
   if (ssl_options)
     SSL_CTX_set_options (ssl_ctx, ssl_options);
+#endif
+
+#if !defined(LIBRESSL_VERSION_NUMBER) && (OPENSSL_VERSION_NUMBER >=0x10100000L)
+  if (ssl_proto_version)
+    SSL_CTX_set_min_proto_version(ssl_ctx, ssl_proto_version);
+#endif
 
   /* OpenSSL ciphers: https://www.openssl.org/docs/apps/ciphers.html
    * Since we want a good protection, we also use HIGH (that excludes MD4 ciphers and some more)
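Review bot: The `#if !defined(LIBRESSL_VERSION_NUMBER) && (OPENSSL_VERSION_NUMBER >= 0x10100000L)` added around the pre-existing `SSL_CTX_set_options (ssl_ctx, ssl_options)` call means that on OpenSSL 1.0.x and on LibreSSL the accumulated ssl_options — including the `SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3` set in the earlier hunk — are never applied, so whatever those flags were disabling (SSLv3 where the library still supports it) becomes negotiable again on exactly the builds that still use the old per-version methods. This is the bug Tim points out in the thread: the first `#if`/`#endif` pair should be dropped and only the new `if (ssl_proto_version) SSL_CTX_set_min_proto_version(ssl_ctx, ssl_proto_version);` kept under the 1.1 guard. While here, `SSL_CTX_set_min_proto_version()` returns 0 on failure, so `if (ssl_proto_version && !SSL_CTX_set_min_proto_version (ssl_ctx, ssl_proto_version)) goto error;` would avoid silently running with an unconstrained minimum. ssl_init continues beyond the hunk.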
