- Fix unreachable code in ssl set options code.

diff --git a/doc/Changelog b/doc/Changelog
index c14e796174c1058e3016e091af53360bd59b9061..684a5728b42d1fede4cb15d2061855af1d0eafa1 100644 (file)
--- a/doc/Changelog
+++ b/doc/Changelog
@@ -1,6 +1,7 @@
 10 January 2020: Wouter
        - Fix the relationship between serve-expired and prefetch options,
          patch from Saksham Manchanda from Secure64.
+       - Fix unreachable code in ssl set options code.
 
 8 January 2020: Ralph
        - Fix #138: stop binding pidfile inside chroot dir in systemd service

diff --git a/smallapp/unbound-control.c b/smallapp/unbound-control.c
index ed8bad1e9719d58050fdd03aea7bcccc4aa93f1f..4f51e400eed66ee190a38372549979359d8b0a18 100644 (file)
--- a/smallapp/unbound-control.c
+++ b/smallapp/unbound-control.c
@@ -493,9 +493,11 @@ setup_ctx(struct config_file* cfg)
        ctx = SSL_CTX_new(SSLv23_client_method());
        if(!ctx)
                ssl_err("could not allocate SSL_CTX pointer");
+#if SSL_OP_NO_SSLv2 != 0
        if((SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv2) & SSL_OP_NO_SSLv2)
                != SSL_OP_NO_SSLv2)
                ssl_err("could not set SSL_OP_NO_SSLv2");
+#endif
        if((SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv3) & SSL_OP_NO_SSLv3)
                != SSL_OP_NO_SSLv3)
                ssl_err("could not set SSL_OP_NO_SSLv3");

diff --git a/testcode/petal.c b/testcode/petal.c
index dcc31fdc5d99aa56816469ea70cd8070249c4ba7..123684aab52da2a578065e01ed0127c0f71f9865 100644 (file)
--- a/testcode/petal.c
+++ b/testcode/petal.c
@@ -234,7 +234,9 @@ setup_ctx(char* key, char* cert)
 {
        SSL_CTX* ctx = SSL_CTX_new(SSLv23_server_method());
        if(!ctx) print_exit("out of memory");
+#if SSL_OP_NO_SSLv2 != 0
        (void)SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv2);
+#endif
        (void)SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv3);
        if(!SSL_CTX_use_certificate_chain_file(ctx, cert))
                print_exit("cannot read cert");

diff --git a/util/net_help.c b/util/net_help.c
index 9747b5d55a781d06c99a45e5c2bd961547a2f19b..10c4acc47fb29c367f752478705134bd672f4875 100644 (file)
--- a/util/net_help.c
+++ b/util/net_help.c
@@ -728,11 +728,13 @@ listen_sslctx_setup(void* ctxt)
 #ifdef HAVE_SSL
        SSL_CTX* ctx = (SSL_CTX*)ctxt;
        /* no SSLv2, SSLv3 because has defects */
+#if SSL_OP_NO_SSLv2 != 0
        if((SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv2) & SSL_OP_NO_SSLv2)
                != SSL_OP_NO_SSLv2){
                log_crypto_err("could not set SSL_OP_NO_SSLv2");
                return 0;
        }
+#endif
        if((SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv3) & SSL_OP_NO_SSLv3)
                != SSL_OP_NO_SSLv3){
                log_crypto_err("could not set SSL_OP_NO_SSLv3");
@@ -968,12 +970,14 @@ void* connect_sslctx_create(char* key, char* pem, char* verifypem, int wincert)
                log_crypto_err("could not allocate SSL_CTX pointer");
                return NULL;
        }
+#if SSL_OP_NO_SSLv2 != 0
        if((SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv2) & SSL_OP_NO_SSLv2)
                != SSL_OP_NO_SSLv2) {
                log_crypto_err("could not set SSL_OP_NO_SSLv2");
                SSL_CTX_free(ctx);
                return NULL;
        }
+#endif
        if((SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv3) & SSL_OP_NO_SSLv3)
                != SSL_OP_NO_SSLv3) {
                log_crypto_err("could not set SSL_OP_NO_SSLv3");