Sign Up
Log In
Log In
or
Sign Up
Places
All Projects
Status Monitor
Collapse sidebar
SUSE:SLE-15-SP2:GA
nut
openssl-1_1.patch
Overview
Repositories
Revisions
Requests
Users
Attributes
Meta
File openssl-1_1.patch of Package nut
diff --git a/clients/upsclient.c b/clients/upsclient.c index b90587b0..b7dd8f42 100644 --- a/clients/upsclient.c +++ b/clients/upsclient.c @@ -299,11 +299,6 @@ int upscli_init(int certverify, const char *certpath, { #ifdef WITH_OPENSSL int ret, ssl_mode = SSL_VERIFY_NONE; -#if OPENSSL_VERSION_NUMBER >= 0x10000000L - const SSL_METHOD *ssl_method; -#else - SSL_METHOD *ssl_method; -#endif #elif defined(WITH_NSS) /* WITH_OPENSSL */ SECStatus status; #endif /* WITH_OPENSSL | WITH_NSS */ @@ -315,22 +310,35 @@ int upscli_init(int certverify, const char *certpath, } #ifdef WITH_OPENSSL + + SSL_load_error_strings(); +#if OPENSSL_VERSION_NUMBER < 0x10100000L SSL_library_init(); - SSL_load_error_strings(); - ssl_method = TLSv1_client_method(); + ssl_ctx = SSL_CTX_new(SSLv23_client_method()); +#else + OPENSSL_init_ssl(0, NULL); - if (!ssl_method) { - return 0; - } + ssl_ctx = SSL_CTX_new(TLS_client_method()); +#endif - ssl_ctx = SSL_CTX_new(ssl_method); if (!ssl_ctx) { upslogx(LOG_ERR, "Can not initialize SSL context"); return -1; } +#if OPENSSL_VERSION_NUMBER < 0x10100000L + /* set minimum protocol TLSv1 */ + SSL_CTX_set_options(ssl_ctx, SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3); +#else + ret = SSL_CTX_set_min_proto_version(ssl_ctx, TLS1_VERSION); + if (ret != 1) { + upslogx(LOG_ERR, "Can not set minimum protocol to TLSv1"); + return -1; + } +#endif + if (!certpath) { if (certverify == 1) { upslogx(LOG_ERR, "Can not verify certificate if any is specified"); @@ -737,7 +745,7 @@ static int upscli_sslinit(UPSCONN_t *ups, int verifycert) switch(res) { case 1: - upsdebugx(3, "SSL connected"); + upsdebugx(3, "SSL connected (%s)", SSL_get_version(ups->ssl)); break; case 0: upslog_with_errno(1, "SSL_connect do not accept handshake."); diff --git a/m4/nut_check_libopenssl.m4 b/m4/nut_check_libopenssl.m4 index 1b875077..5f29f4a3 100644 --- a/m4/nut_check_libopenssl.m4 +++ b/m4/nut_check_libopenssl.m4 @@ -57,8 +57,9 @@ if test -z "${nut_have_libopenssl_seen}"; then AC_MSG_RESULT([${LIBS}]) dnl check if openssl is usable - AC_CHECK_HEADERS(openssl/ssl.h, [nut_have_openssl=yes], [nut_have_openssl=no], [AC_INCLUDES_DEFAULT]) - AC_CHECK_FUNCS(SSL_library_init, [], [nut_have_openssl=no]) + AC_CHECK_FUNCS(OPENSSL_init_ssl, [nut_have_openssl=yes], [nut_have_openssl=no]) + AC_CHECK_FUNCS(SSL_library_init, [nut_have_openssl=yes], []) + AC_CHECK_HEADERS(openssl/ssl.h, [], [nut_have_openssl=no], [AC_INCLUDES_DEFAULT]) if test "${nut_have_openssl}" = "yes"; then nut_with_ssl="yes" diff --git a/server/netssl.c b/server/netssl.c index c2f40989..6ae13e8d 100644 --- a/server/netssl.c +++ b/server/netssl.c @@ -275,7 +275,7 @@ void net_starttls(nut_ctype_t *client, int numarg, const char **arg) { case 1: client->ssl_connected = 1; - upsdebugx(3, "SSL connected"); + upsdebugx(3, "SSL connected (%s)", SSL_get_version(client->ssl)); break; case 0: @@ -371,13 +371,7 @@ void ssl_init(void) { #ifdef WITH_NSS SECStatus status; -#elif defined(WITH_OPENSSL) -#if OPENSSL_VERSION_NUMBER >= 0x10000000L - const SSL_METHOD *ssl_method; -#else - SSL_METHOD *ssl_method; -#endif -#endif /* WITH_NSS|WITH_OPENSSL */ +#endif /* WITH_NSS */ if (!certfile) { return; @@ -388,17 +382,31 @@ void ssl_init(void) #ifdef WITH_OPENSSL SSL_load_error_strings(); + +#if OPENSSL_VERSION_NUMBER < 0x10100000L SSL_library_init(); - if ((ssl_method = TLSv1_server_method()) == NULL) { + ssl_ctx = SSL_CTX_new(SSLv23_server_method()); +#else + OPENSSL_init_ssl(0, NULL); + + ssl_ctx = SSL_CTX_new(TLS_server_method()); +#endif + + if (!ssl_ctx) { ssl_debug(); - fatalx(EXIT_FAILURE, "TLSv1_server_method failed"); + fatalx(EXIT_FAILURE, "SSL_CTX_new failed"); } - if ((ssl_ctx = SSL_CTX_new(ssl_method)) == NULL) { +#if OPENSSL_VERSION_NUMBER < 0x10100000L + /* set minimum protocol TLSv1 */ + SSL_CTX_set_options(ssl_ctx, SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3); +#else + if (SSL_CTX_set_min_proto_version(ssl_ctx, TLS1_VERSION) != 1) { ssl_debug(); - fatalx(EXIT_FAILURE, "SSL_CTX_new failed"); + fatalx(EXIT_FAILURE, "SSL_CTX_set_min_proto_version(TLS1_VERSION)"); } +#endif if (SSL_CTX_use_certificate_chain_file(ssl_ctx, certfile) != 1) { ssl_debug();
Locations
Projects
Search
Status Monitor
Help
OpenBuildService.org
Documentation
API Documentation
Code of Conduct
Contact
Support
@OBShq
Terms
openSUSE Build Service is sponsored by
The Open Build Service is an
openSUSE project
.
Sign Up
Log In
Places
Places
All Projects
Status Monitor