[ipfire-2.x.git] / src / patches / elinks-0.12pre6-openssl11.patch

From d83c0edf4c6ae42359ff856d7a879ecba5769595 Mon Sep 17 00:00:00 2001
From: Kamil Dudka <kdudka@redhat.com>
Date: Fri, 17 Feb 2017 16:51:41 +0100
Subject: [PATCH 1/2] fix compatibility with OpenSSL 1.1

---
 src/network/ssl/socket.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/src/network/ssl/socket.c b/src/network/ssl/socket.c
index c9e2be4..467fc48 100644
--- a/src/network/ssl/socket.c
+++ b/src/network/ssl/socket.c
@@ -83,7 +83,7 @@ static void
 ssl_set_no_tls(struct socket *socket)
 {
 #ifdef CONFIG_OPENSSL
-	((ssl_t *) socket->ssl)->options |= SSL_OP_NO_TLSv1;
+	SSL_set_options((ssl_t *) socket->ssl, SSL_OP_NO_TLSv1);
 #elif defined(CONFIG_GNUTLS)
 	{
 		/* GnuTLS does not support SSLv2 because it is "insecure".
@@ -419,7 +419,7 @@ ssl_connect(struct socket *socket)
 		}
 
 		if (client_cert) {
-			SSL_CTX *ctx = ((SSL *) socket->ssl)->ctx;
+			SSL_CTX *ctx = SSL_get_SSL_CTX((SSL *) socket->ssl);
 
 			SSL_CTX_use_certificate_chain_file(ctx, client_cert);
 			SSL_CTX_use_PrivateKey_file(ctx, client_cert,
-- 
2.7.4


From ec952cc5b79973bee73fcfc813159d40c22b7228 Mon Sep 17 00:00:00 2001
From: Tomas Mraz <tmraz@fedoraproject.org>
Date: Fri, 17 Feb 2017 16:44:11 +0100
Subject: [PATCH 2/2] drop disablement of TLS1.0 on second attempt to connect

It would not work correctly anyway and the code does not build
with OpenSSL-1.1.0.
---
 src/network/ssl/socket.c | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/src/network/ssl/socket.c b/src/network/ssl/socket.c
index 467fc48..b981c1e 100644
--- a/src/network/ssl/socket.c
+++ b/src/network/ssl/socket.c
@@ -82,6 +82,11 @@
 static void
 ssl_set_no_tls(struct socket *socket)
 {
+#if 0
+/* This implements the insecure renegotiation, which should not be used.
+ * The code also would not work on current Fedora (>= Fedora 23) anyway,
+ * because it would just switch off TLS 1.0 keeping TLS 1.1 and 1.2 enabled.
+ */
 #ifdef CONFIG_OPENSSL
 	SSL_set_options((ssl_t *) socket->ssl, SSL_OP_NO_TLSv1);
 #elif defined(CONFIG_GNUTLS)
@@ -96,6 +101,7 @@ ssl_set_no_tls(struct socket *socket)
 		gnutls_protocol_set_priority(*(ssl_t *) socket->ssl, protocol_priority);
 	}
 #endif
+#endif
 }
 
 #ifdef USE_OPENSSL
-- 
2.7.4
Commit	Line	Data
3b10b313 MT	1	From d83c0edf4c6ae42359ff856d7a879ecba5769595 Mon Sep 17 00:00:00 2001
	2	From: Kamil Dudka <kdudka@redhat.com>
	3	Date: Fri, 17 Feb 2017 16:51:41 +0100
	4	Subject: [PATCH 1/2] fix compatibility with OpenSSL 1.1
	5
	6	---
	7	src/network/ssl/socket.c \| 4 ++--
	8	1 file changed, 2 insertions(+), 2 deletions(-)
	9
	10	diff --git a/src/network/ssl/socket.c b/src/network/ssl/socket.c
	11	index c9e2be4..467fc48 100644
	12	--- a/src/network/ssl/socket.c
	13	+++ b/src/network/ssl/socket.c
	14	@@ -83,7 +83,7 @@ static void
	15	ssl_set_no_tls(struct socket *socket)
	16	{
	17	#ifdef CONFIG_OPENSSL
	18	- ((ssl_t *) socket->ssl)->options \|= SSL_OP_NO_TLSv1;
	19	+ SSL_set_options((ssl_t *) socket->ssl, SSL_OP_NO_TLSv1);
	20	#elif defined(CONFIG_GNUTLS)
	21	{
	22	/* GnuTLS does not support SSLv2 because it is "insecure".
	23	@@ -419,7 +419,7 @@ ssl_connect(struct socket *socket)
	24	}
	25
	26	if (client_cert) {
	27	- SSL_CTX ctx = ((SSL ) socket->ssl)->ctx;
	28	+ SSL_CTX ctx = SSL_get_SSL_CTX((SSL ) socket->ssl);
	29
	30	SSL_CTX_use_certificate_chain_file(ctx, client_cert);
	31	SSL_CTX_use_PrivateKey_file(ctx, client_cert,
	32	--
	33	2.7.4
	34
	35
	36	From ec952cc5b79973bee73fcfc813159d40c22b7228 Mon Sep 17 00:00:00 2001
	37	From: Tomas Mraz <tmraz@fedoraproject.org>
	38	Date: Fri, 17 Feb 2017 16:44:11 +0100
	39	Subject: [PATCH 2/2] drop disablement of TLS1.0 on second attempt to connect
	40
	41	It would not work correctly anyway and the code does not build
	42	with OpenSSL-1.1.0.
	43	---
	44	src/network/ssl/socket.c \| 6 ++++++
	45	1 file changed, 6 insertions(+)
	46
	47	diff --git a/src/network/ssl/socket.c b/src/network/ssl/socket.c
	48	index 467fc48..b981c1e 100644
	49	--- a/src/network/ssl/socket.c
	50	+++ b/src/network/ssl/socket.c
	51	@@ -82,6 +82,11 @@
	52	static void
	53	ssl_set_no_tls(struct socket *socket)
	54	{
	55	+#if 0
	56	+/* This implements the insecure renegotiation, which should not be used.
	57	+ * The code also would not work on current Fedora (>= Fedora 23) anyway,
	58	+ * because it would just switch off TLS 1.0 keeping TLS 1.1 and 1.2 enabled.
	59	+ */
	60	#ifdef CONFIG_OPENSSL
	61	SSL_set_options((ssl_t *) socket->ssl, SSL_OP_NO_TLSv1);
	62	#elif defined(CONFIG_GNUTLS)
	63	@@ -96,6 +101,7 @@ ssl_set_no_tls(struct socket *socket)
	64	gnutls_protocol_set_priority((ssl_t ) socket->ssl, protocol_priority);
65	}
66	#endif
67	+#endif
68	}
69
70	#ifdef USE_OPENSSL
71	--
72	2.7.4
73