]>
Commit | Line | Data |
---|---|---|
3b10b313 MT |
1 | From d83c0edf4c6ae42359ff856d7a879ecba5769595 Mon Sep 17 00:00:00 2001 |
2 | From: Kamil Dudka <kdudka@redhat.com> | |
3 | Date: Fri, 17 Feb 2017 16:51:41 +0100 | |
4 | Subject: [PATCH 1/2] fix compatibility with OpenSSL 1.1 | |
5 | ||
6 | --- | |
7 | src/network/ssl/socket.c | 4 ++-- | |
8 | 1 file changed, 2 insertions(+), 2 deletions(-) | |
9 | ||
10 | diff --git a/src/network/ssl/socket.c b/src/network/ssl/socket.c | |
11 | index c9e2be4..467fc48 100644 | |
12 | --- a/src/network/ssl/socket.c | |
13 | +++ b/src/network/ssl/socket.c | |
14 | @@ -83,7 +83,7 @@ static void | |
15 | ssl_set_no_tls(struct socket *socket) | |
16 | { | |
17 | #ifdef CONFIG_OPENSSL | |
18 | - ((ssl_t *) socket->ssl)->options |= SSL_OP_NO_TLSv1; | |
19 | + SSL_set_options((ssl_t *) socket->ssl, SSL_OP_NO_TLSv1); | |
20 | #elif defined(CONFIG_GNUTLS) | |
21 | { | |
22 | /* GnuTLS does not support SSLv2 because it is "insecure". | |
23 | @@ -419,7 +419,7 @@ ssl_connect(struct socket *socket) | |
24 | } | |
25 | ||
26 | if (client_cert) { | |
27 | - SSL_CTX *ctx = ((SSL *) socket->ssl)->ctx; | |
28 | + SSL_CTX *ctx = SSL_get_SSL_CTX((SSL *) socket->ssl); | |
29 | ||
30 | SSL_CTX_use_certificate_chain_file(ctx, client_cert); | |
31 | SSL_CTX_use_PrivateKey_file(ctx, client_cert, | |
32 | -- | |
33 | 2.7.4 | |
34 | ||
35 | ||
36 | From ec952cc5b79973bee73fcfc813159d40c22b7228 Mon Sep 17 00:00:00 2001 | |
37 | From: Tomas Mraz <tmraz@fedoraproject.org> | |
38 | Date: Fri, 17 Feb 2017 16:44:11 +0100 | |
39 | Subject: [PATCH 2/2] drop disablement of TLS1.0 on second attempt to connect | |
40 | ||
41 | It would not work correctly anyway and the code does not build | |
42 | with OpenSSL-1.1.0. | |
43 | --- | |
44 | src/network/ssl/socket.c | 6 ++++++ | |
45 | 1 file changed, 6 insertions(+) | |
46 | ||
47 | diff --git a/src/network/ssl/socket.c b/src/network/ssl/socket.c | |
48 | index 467fc48..b981c1e 100644 | |
49 | --- a/src/network/ssl/socket.c | |
50 | +++ b/src/network/ssl/socket.c | |
51 | @@ -82,6 +82,11 @@ | |
52 | static void | |
53 | ssl_set_no_tls(struct socket *socket) | |
54 | { | |
55 | +#if 0 | |
56 | +/* This implements the insecure renegotiation, which should not be used. | |
57 | + * The code also would not work on current Fedora (>= Fedora 23) anyway, | |
58 | + * because it would just switch off TLS 1.0 keeping TLS 1.1 and 1.2 enabled. | |
59 | + */ | |
60 | #ifdef CONFIG_OPENSSL | |
61 | SSL_set_options((ssl_t *) socket->ssl, SSL_OP_NO_TLSv1); | |
62 | #elif defined(CONFIG_GNUTLS) | |
63 | @@ -96,6 +101,7 @@ ssl_set_no_tls(struct socket *socket) | |
64 | gnutls_protocol_set_priority(*(ssl_t *) socket->ssl, protocol_priority); | |
65 | } | |
66 | #endif | |
67 | +#endif | |
68 | } | |
69 | ||
70 | #ifdef USE_OPENSSL | |
71 | -- | |
72 | 2.7.4 | |
73 |