As RHEL 5 has reached EOL, we no longer need to support OpenSSL v0.9.8.
This also makes it possible to remove a few workarounds which were
needed earlier, as well as some leftovers from v0.9.6.
This also makes ./configure really stop running unless a new enough
OpenSSL library is found.
Compile tested on RHEL7.3 and RHEL6.7 (mock chroot build), both shipping
openssl-1.0.1e.
Signed-off-by: David Sommerseth <davids@openvpn.net>
Acked-by: Steffan Karger <steffan.karger@fox-it.com>
Message-Id: <20170411173133.18060-1-davids@openvpn.net>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg14441.html
Signed-off-by: David Sommerseth <davids@openvpn.net>
# if the user did not explicitly specify flags, try to autodetect
PKG_CHECK_MODULES(
[OPENSSL],
- [libcrypto >= 0.9.8, libssl >= 0.9.8],
- [have_openssl="yes"],
- [have_openssl="no"] # Provide if-not-found to prevent erroring out
+ [libcrypto >= 1.0.1, libssl >= 1.0.1],
+ [have_openssl="yes"],
+ [AC_MSG_ERROR([Minimum supported OpenSSL version is 1.0.1])]
)
OPENSSL_LIBS=${OPENSSL_LIBS:--lssl -lcrypto}
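Review bot: The new not-found action reports "Minimum supported OpenSSL version is 1.0.1", but PKG_CHECK_MODULES takes that branch both when the version is too old and when no libcrypto/libssl pkg-config file is found at all, so the message can mislead on a host that has a new enough OpenSSL installed without .pc files. Since the error now aborts configure, the `OPENSSL_LIBS=${OPENSSL_LIBS:--lssl -lcrypto}` default on the next line no longer acts as a fallback for a failed lookup. Consider wording the error so it also covers the "not found via pkg-config" case and points the user at setting OPENSSL_CFLAGS/OPENSSL_LIBS explicitly, which the comment above the macro says skips autodetection.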
Note that exporter labels have the potential to collide with existing PRF
labels. In order to prevent this, labels MUST begin with "EXPORTER".
-This option requires OpenSSL 1.0.1 or newer.
.\"*********************************************************
.SS Server Mode
Starting with OpenVPN 2.0, a multi-client TCP/UDP server mode
{
continue;
}
- /* bug in OpenSSL 0.9.6b ASN1_STRING_to_UTF8 requires this workaround */
- unsigned char *buf = (unsigned char *)1;
+ unsigned char *buf = NULL;
if (ASN1_STRING_to_UTF8(&buf, val) <= 0)
{
continue;
X509_NAME *x509_name;
X509_NAME_ENTRY *ent;
const char *objbuf;
- unsigned char *buf;
+ unsigned char *buf = NULL;
x509_name = X509_get_subject_name(x509crt);
n = X509_NAME_entry_count(x509_name);
{
continue;
}
- buf = (unsigned char *)1; /* bug in OpenSSL 0.9.6b ASN1_STRING_to_UTF8 requires this workaround */
if (ASN1_STRING_to_UTF8(&buf, val) <= 0)
{
continue;
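Review bot: With the per-iteration `buf = (unsigned char *)1;` removed, nothing visible in this loop resets buf between entries, because the `= NULL` initialiser sits on the function-level declaration and runs only once. On the second and later iterations ASN1_STRING_to_UTF8(&buf, val) is therefore called with the previous entry's pointer still in buf, and if the call fails the `continue` leaves that stale value in place. Replacing the removed line with `buf = NULL;` would keep each iteration starting from a known state and make any later free of buf safe, unless the loop already resets it in lines not shown here.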
sslopt |= SSL_OP_NO_TLSv1_2;
}
#endif
-#ifdef SSL_OP_NO_COMPRESSION
- /* Disable compression - flag not available in OpenSSL 0.9.8 */
sslopt |= SSL_OP_NO_COMPRESSION;
-#endif
SSL_CTX_set_options(ctx->ctx, sslopt);
}
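Review bot: Dropping the #ifdef around `sslopt |= SSL_OP_NO_COMPRESSION;` also drops the only comment saying what the flag is for. Now that the option is set unconditionally, a one-line comment such as "Disable compression" above it would keep the intent readable next to the other sslopt bits.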
#include <openssl/ssl.h>
-/**
- * SSL_OP_NO_TICKET tells OpenSSL to disable "stateless session resumption",
- * as this is something we do not want nor need, but could potentially be
- * used for a future attack. For compatibility reasons we keep building if the
- * OpenSSL version is too old (pre-0.9.8f) to support stateless session
- * resumption (and the accompanying SSL_OP_NO_TICKET flag).
- */
-#ifndef SSL_OP_NO_TICKET
-#define SSL_OP_NO_TICKET 0
-#endif
-
/**
* Structure that wraps the TLS context. Contents differ depending on the
* SSL library used.
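Review bot: The removed block comment is the only place in these lines that explains why SSL_OP_NO_TICKET is used (stateless session resumption is neither wanted nor needed and "could potentially be used for a future attack"). Removing the `#define SSL_OP_NO_TICKET 0` fallback is right, since it silently turned the flag into a no-op on old libraries, but the rationale is still valid and security-relevant. Consider moving the first sentence of that comment to the place where the flag is OR-ed into the SSL options instead of deleting it.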
if (ent)
{
ASN1_STRING *val = X509_NAME_ENTRY_get_data(ent);
- unsigned char *buf;
- buf = (unsigned char *)1; /* bug in OpenSSL 0.9.6b ASN1_STRING_to_UTF8 requires this workaround */
+ unsigned char *buf = NULL;
if (ASN1_STRING_to_UTF8(&buf, val) > 0)
{
do_setenv_x509(es, xt->name, (char *)buf, depth);
ASN1_STRING *val;
X509_NAME_ENTRY *ent;
const char *objbuf;
- unsigned char *buf;
+ unsigned char *buf = NULL;
char *name_expand;
size_t name_expand_size;
X509_NAME *x509 = X509_get_subject_name(peer_cert);
{
continue;
}
- buf = (unsigned char *)1; /* bug in OpenSSL 0.9.6b ASN1_STRING_to_UTF8 requires this workaround */
if (ASN1_STRING_to_UTF8(&buf, val) <= 0)
{
continue;
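Review bot: The line removed here was the only visible place where buf was re-initialised inside the loop; the `unsigned char *buf = NULL;` added at the top of the function covers the first entry only. Either assign `buf = NULL;` at this point or move the declaration into the loop body next to the ASN1_STRING_to_UTF8() call, so that a failed conversion followed by `continue` never leaves a pointer from an earlier entry in buf.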