- protect X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS with ifdef for

  different openssl versions.

diff --git a/doc/Changelog b/doc/Changelog
index d9c72937a645b157fc473a0e6a979766df708f79..d599af68e4f24af8bb4814a77f17731558b8f8c2 100644 (file)
--- a/doc/Changelog
+++ b/doc/Changelog
@@ -1,3 +1,7 @@
+18 February 2020: Wouter
+       - protect X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS with ifdef for
+         different openssl versions.
+
 17 February 2020: Wouter
        - changelog point where the tag for 1.10.0rc2 release is.
 

diff --git a/services/outside_network.c b/services/outside_network.c
index 80b1f12454d60bd3e36098fbfa7c22abfa62b721..d3ebe04f6602564e99e8e2c20690c06b813d27b3 100644 (file)
--- a/services/outside_network.c
+++ b/services/outside_network.c
@@ -398,7 +398,9 @@ outnet_tcp_take_into_use(struct waiting_tcp* w, uint8_t* pkt, size_t pkt_len)
                 * set1_host like verification */
                if(w->tls_auth_name) {
                        X509_VERIFY_PARAM* param = SSL_get0_param(pend->c->ssl);
+#  ifdef X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS
                        X509_VERIFY_PARAM_set_hostflags(param, X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS);
+#  endif
                        if(!X509_VERIFY_PARAM_set1_host(param, w->tls_auth_name, strlen(w->tls_auth_name))) {
                                log_err("X509_VERIFY_PARAM_set1_host failed");
                                pend->c->fd = s;
@@ -2316,7 +2318,9 @@ setup_comm_ssl(struct comm_point* cp, struct outside_network* outnet,
         * set1_host like verification */
        if((SSL_CTX_get_verify_mode(outnet->sslctx)&SSL_VERIFY_PEER)) {
                X509_VERIFY_PARAM* param = SSL_get0_param(cp->ssl);
+#  ifdef X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS
                X509_VERIFY_PARAM_set_hostflags(param, X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS);
+#  endif
                if(!X509_VERIFY_PARAM_set1_host(param, host, strlen(host))) {
                        log_err("X509_VERIFY_PARAM_set1_host failed");
                        return 0;