From: Stuart Henderson <stu@spacehopper.org>
Date: Sat, 7 Nov 2015 06:30:27 +0000 (-0800)
Subject: Fix SSL_get_certificate() problem detection
X-Git-Tag: SQUID_4_0_3~39
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=1f3e038913f0ea843f2d903588e02312838af7b2;p=thirdparty%2Fsquid.git

Fix SSL_get_certificate() problem detection

The autoconf check for SQUID_SSLGETCERTIFICATE_BUGGY fails on ssl library
builds which don't include SSLv3; as a result of the autoconf decision
this can end up triggering the assert(0) in Ssl::verifySslCertificate()
in ssl/support.cc (line 1712 in 3.5.11).
---

diff --git a/acinclude/lib-checks.m4 b/acinclude/lib-checks.m4
index 57932b1fb6..d1207c776a 100644
--- a/acinclude/lib-checks.m4
+++ b/acinclude/lib-checks.m4
@@ -93,7 +93,11 @@ AC_DEFUN([SQUID_CHECK_OPENSSL_GETCERTIFICATE_WORKS],[
     ],
     [
     SSLeay_add_ssl_algorithms();
-    SSL_CTX *sslContext = SSL_CTX_new(SSLv3_method());
+#if (OPENSSL_VERSION_NUMBER >= 0x10100000L)
+    SSL_CTX *sslContext = SSL_CTX_new(TLS_method());
+#else
+    SSL_CTX *sslContext = SSL_CTX_new(SSLv23_method());
+#endif
     SSL *ssl = SSL_new(sslContext);
     X509* cert = SSL_get_certificate(ssl);
     return 0;
@@ -120,7 +124,11 @@ AC_DEFUN([SQUID_CHECK_OPENSSL_GETCERTIFICATE_WORKS],[
     ],
     [
     SSLeay_add_ssl_algorithms();
-    SSL_CTX *sslContext = SSL_CTX_new(SSLv3_method());
+#if (OPENSSL_VERSION_NUMBER >= 0x10100000L)
+    SSL_CTX *sslContext = SSL_CTX_new(TLS_method());
+#else
+    SSL_CTX *sslContext = SSL_CTX_new(SSLv23_method());
+#endif
     X509 ***pCert = (X509 ***)sslContext->cert;
     X509 *sslCtxCert = pCert && *pCert ? **pCert : (X509 *)0x1;
     if (sslCtxCert != NULL)