control: tags -1 patch On 2016-11-07 08:39:17 [-0500], Zack Weinberg wrote: > Nov 07 08:34:17 moxana dnssec-triggerd[20281]: Nov 07 08:34:17 > dnssec-triggerd[20281] error: could not set SSL_OP_NO_SSLv2 crypto > error:00000000
Could someone please check whether the attached patch works? I am confident it does, but I don't have time to test it myself just now. Sebastian
>From 05cd529e19d317b8bcc69f7d883873a27195b904 Mon Sep 17 00:00:00 2001
From: Sebastian Andrzej Siewior <sebast...@breakpoint.cc>
Date: Mon, 7 Nov 2016 20:59:11 +0000
Subject: [PATCH] dnssec-trigger: openssl 1.1.0 fixup
- SSL_OP_NO_SSLv2 / SSLv2 has been removed from openssl 1.1.0 and as such it can't be tested (the way it is) if disabling it worked.
- SSL_CTX_load_verify_locations() return 1 un success and 0 on failure. The check for the result code is bogus and has nothing to do with the switch to openssl 1.1.0 itself
- ERR_remove_state() and friends are NOPs in current openssl 1.1.0 due the threading model. This operations are nops therefore and do nothing and can be removed in a later version.
Signed-off-by: Sebastian Andrzej Siewior <sebast...@breakpoint.cc>
---
riggerd/cfg.c | 2 ++
riggerd/net_help.c | 4 +++-
riggerd/riggerd.c | 2 ++
riggerd/svr.c | 2 ++
4 files changed, 9 insertions(+), 1 deletion(-)
diff --git a/riggerd/cfg.c b/riggerd/cfg.c
index 03f4f73..08b2028 100644
--- a/riggerd/cfg.c
+++ b/riggerd/cfg.c
@@ -540,9 +540,11 @@ cfg_setup_ctx_client(struct cfg* cfg, char* err, size_t errlen)
if(!ctx) return ctx_err_ret(ctx, err, errlen, "could not allocate SSL_CTX pointer");
+#if OPENSSL_VERSION_NUMBER < 0x10100000
if(!(SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv2) & SSL_OP_NO_SSLv2)) return ctx_err_ret(ctx, err, errlen, "could not set SSL_OP_NO_SSLv2");
+#endif
if(!SSL_CTX_use_certificate_file(ctx,c_cert,SSL_FILETYPE_PEM) || !SSL_CTX_use_PrivateKey_file(ctx,c_key,SSL_FILETYPE_PEM) || !SSL_CTX_check_private_key(ctx))
diff --git a/riggerd/net_help.c b/riggerd/net_help.c
index 21e79e7..b17486c 100644
--- a/riggerd/net_help.c
+++ b/riggerd/net_help.c
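Review bot: The new `#if OPENSSL_VERSION_NUMBER < 0x10100000` in cfg_setup_ctx_client compiles out the whole `SSL_CTX_set_options` call, when only the result test is broken: OpenSSL 1.1.0 keeps `SSL_OP_NO_SSLv2` as a compatibility macro defined to 0, so `SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv2) & SSL_OP_NO_SSLv2` is always 0 and the `ctx_err_ret` branch fires although nothing failed (which is exactly the "crypto error:00000000" in the bug report: no error on the queue). `SSL_CTX_set_options` has no failure mode, it simply returns the new option bitmask, so the version gate and the error branch can both be dropped and the call kept unconditional, which also works on any other OpenSSL-compatible library without a version test: `SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv2);`. cfg_setup_ctx_client begins before this hunk and continues after it.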
@@ -447,11 +447,13 @@ void* listen_sslctx_create(char* key, char* pem, char* verifypem)
return NULL;
}
/* no SSLv2 because has defects */
+#if OPENSSL_VERSION_NUMBER < 0x10100000
if(!(SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv2) & SSL_OP_NO_SSLv2)){
log_crypto_err("could not set SSL_OP_NO_SSLv2");
SSL_CTX_free(ctx);
return NULL;
}
+#endif
if(!SSL_CTX_use_certificate_file(ctx, pem, SSL_FILETYPE_PEM)) {
log_err("error for cert file: %s", pem);
log_crypto_err("error in SSL_CTX use_certificate_file");
@@ -517,7 +519,7 @@ void* connect_sslctx_create(char* key, char* pem, char* verifypem)
}
}
if(verifypem && verifypem[0]) {
- if(!SSL_CTX_load_verify_locations(ctx, verifypem, NULL) != 1) {
+ if(SSL_CTX_load_verify_locations(ctx, verifypem, NULL) != 1) {
log_crypto_err("error in SSL_CTX verify");
SSL_CTX_free(ctx);
return NULL;
diff --git a/riggerd/riggerd.c b/riggerd/riggerd.c
index 9cb6023..2490a72 100644
--- a/riggerd/riggerd.c
+++ b/riggerd/riggerd.c
@@ -393,10 +393,12 @@ int main(int argc, char *argv[])
#ifdef HAVE_OPENSSL_CONF_H
CONF_modules_free();
#endif
+#if OPENSSL_VERSION_NUMBER < 0x10100000
CRYPTO_cleanup_all_ex_data();
ERR_remove_state(0);
ERR_free_strings();
RAND_cleanup();
+#endif
#ifdef USE_WINSOCK
if(WSACleanup() != 0) {
diff --git a/riggerd/svr.c b/riggerd/svr.c
index 0b46b1d..5f232f4 100644
--- a/riggerd/svr.c
+++ b/riggerd/svr.c
@@ -162,10 +162,12 @@ static int setup_ssl_ctx(struct svr* s)
return 0;
}
/* no SSLv2 because has defects */
+#if OPENSSL_VERSION_NUMBER < 0x10100000
if(!(SSL_CTX_set_options(s->ctx, SSL_OP_NO_SSLv2) & SSL_OP_NO_SSLv2)){
log_crypto_err("could not set SSL_OP_NO_SSLv2");
return 0;
}
+#endif
s_cert = s->cfg->server_cert_file;
s_key = s->cfg->server_key_file;
verbose(VERB_ALGO, "setup SSL certificates");
--
2.10.2
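Review bot: In listen_sslctx_create the comment `/* no SSLv2 because has defects */` now sits above a block that is compiled out on OpenSSL >= 1.1.0, so on those builds the comment describes code that is not there, and the same "protocol defects" rationale applies to SSLv3, which this listening context never disables as far as the hunk shows. Because `SSL_CTX_set_options` cannot fail (it returns the resulting bitmask and `SSL_OP_NO_SSLv2` is 0 on 1.1.0, which is why the `&` test broke), the gated block with its `SSL_CTX_free`/`return NULL` path can become one unconditional line, `SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3);`, under a comment such as `/* SSLv2 and SSLv3 are broken protocols; the option cannot fail to set, and SSL_OP_NO_SSLv2 is 0 on >= 1.1.0 so its result is not testable */`. If SSLv3 is already disabled elsewhere in this function, only the comment needs the update. listen_sslctx_create begins before this hunk and continues after it.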
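Review bot: The corrected condition in connect_sslctx_create still reports a failed CA load only with the generic `log_crypto_err("error in SSL_CTX verify");`, whereas the certificate path in listen_sslctx_create names the file with `log_err("error for cert file: %s", pem);`; add `log_err("error for verify file: %s", verifypem);` before the `log_crypto_err` call so an operator can tell which trust store did not load. The fix itself is right and worth a changelog note of its own: the old `!SSL_CTX_load_verify_locations(...) != 1` was inverted, so a CA file that failed to load was accepted and a successful load would have failed the function. Whether a context with no loaded CAs then actually verified the peer depends on the SSL_CTX_set_verify call outside this hunk, so deployments that hit the old behaviour are worth re-checking. connect_sslctx_create begins before this hunk and continues after it.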
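Review bot: The cleanup calls in main that are now gated on `OPENSSL_VERSION_NUMBER < 0x10100000` carry no explanation of why they are skipped on newer OpenSSL; the reason lives only in the commit message, and the next reader is likely to re-add them or extend the list. A comment on the `#if` line such as `/* OpenSSL >= 1.1.0 deinitialises itself at exit; these calls are deprecated no-ops there (ERR_remove_state has been deprecated since 1.0.0) */` keeps that knowledge with the code. The body of main continues outside this hunk.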
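Review bot: The literal `#if OPENSSL_VERSION_NUMBER < 0x10100000` added here in setup_ssl_ctx is the fourth copy of the same gate in this patch, each guarding a near-identical SSL_OP_NO_SSLv2 block (cfg.c, net_help.c, svr.c) or the exit cleanup (riggerd.c); if the gate is kept rather than replaced by an unconditional `SSL_CTX_set_options` call, it should be a single named macro in a shared header, e.g. `#define OPENSSL_PRE_110 (OPENSSL_VERSION_NUMBER < 0x10100000L)`, so a later bump or a LibreSSL-specific rule is changed in one place. Note also that OpenSSL's own headers write the constant with an `L` suffix; matching that avoids a signed/unsigned surprise if the macro is ever compared against `0x20000000L` style values. setup_ssl_ctx begins before this hunk and continues after it.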