int iks_has_tls (void);
int iks_is_secure (iksparser *prs);
int iks_start_tls (iksparser *prs);
-int iks_proceed_tls (iksparser *prs, const char *cert_file, const char *key_file, int use_ssl);
+int iks_proceed_tls (iksparser *prs, const char *cert_file, const char *key_file);
int iks_start_sasl (iksparser *prs, enum ikssasltype type, char *username, char *pass);
/***** jabber *****/
#define SF_TRY_SECURE 2
#define SF_SECURE 4
#define SF_SERVER 8
-#define SF_SSLv23 16
struct stream_data {
iksparser *prs;
SSL_load_error_strings();
if (data->flags & SF_SERVER) {
- if (data->flags & SF_SSLv23) {
- data->ssl_ctx = SSL_CTX_new(SSLv23_server_method());
- } else {
- data->ssl_ctx = SSL_CTX_new(TLSv1_server_method());
- }
+ data->ssl_ctx = SSL_CTX_new(TLSv1_server_method());
if(!data->ssl_ctx) return IKS_NOMEM;
if (SSL_CTX_use_certificate_file(data->ssl_ctx, data->cert_file, SSL_FILETYPE_PEM) <= 0) {
}
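Review bot: The added `data->ssl_ctx = SSL_CTX_new(TLSv1_server_method());` pins the server to TLS 1.0 only, so clients can no longer negotiate TLS 1.1 or 1.2 even when the linked OpenSSL supports them. Despite its name, `SSLv23_server_method()` is the version-flexible method that negotiates the highest protocol both sides support. If the goal of the commit is to stop offering SSLv2/SSLv3, keep the flexible method and disable the old protocols explicitly: `data->ssl_ctx = SSL_CTX_new(SSLv23_server_method());` and, after the `!data->ssl_ctx` check, `SSL_CTX_set_options(data->ssl_ctx, SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3);`. The enclosing function starts and ends outside this hunk, so whether the non-server branch pins a version the same way is not visible here and is worth checking.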
int
-iks_proceed_tls (iksparser *prs, const char *cert_file, const char *key_file, int use_ssl)
+iks_proceed_tls (iksparser *prs, const char *cert_file, const char *key_file)
{
#ifdef HAVE_GNUTLS
int ret;
data->cert_file = iks_stack_strdup(data->s, cert_file, 0);
data->key_file = iks_stack_strdup(data->s, key_file, 0);
data->flags |= SF_TRY_SECURE | SF_SERVER;
- if (use_ssl) {
- data->flags |= SF_SSLv23;
- }
return handshake (data);
#elif HAVE_SSL
int ret;
data->cert_file = iks_stack_strdup(data->s, cert_file, 0);
data->key_file = iks_stack_strdup(data->s, key_file, 0);
data->flags |= SF_TRY_SECURE | SF_SERVER;
- if (use_ssl) {
- data->flags |= SF_SSLv23;
- }
return handshake (data);
#else
return IKS_NET_NOTSUPP;
static void on_stream_starttls(struct xmpp_stream *stream, iks *node)
{
/* wait for handshake to start */
- if (iks_proceed_tls(stream->parser, stream->context->cert_pem_file, stream->context->key_pem_file, 1) == IKS_OK) {
+ if (iks_proceed_tls(stream->parser, stream->context->cert_pem_file, stream->context->key_pem_file) == IKS_OK) {
stream->state = XSS_SECURE;
} else {
stream->state = XSS_ERROR;