SSL_OP_NO_TICKET tells OpenSSL to disable "stateless session resumption".
This is something we neither want nor need, and it could potentially be
used in a future attack. OpenVPN 2.4 requires the flag to be set, and
configure will fail if the flag is not present.
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <CAA1AbxJh17KYmVU1BVa5kp4iJsUJT+xnXp0rVU_3g3c5hPnqDQ@mail.gmail.com>
URL: http://article.gmane.org/gmane.network.openvpn.devel/8389
Signed-off-by: Gert Doering <gert@greenie.muc.de>
LIBS="${saved_LIBS}"
fi
+if test "${have_openssl_ssl}" = "yes"; then
+ AC_MSG_CHECKING([for SSL_OP_NO_TICKET flag in OpenSSL])
+ AC_EGREP_CPP(have_ssl_op_no_ticket, [
+ #include <openssl/ssl.h>
+ #ifdef SSL_OP_NO_TICKET
+ have_ssl_op_no_ticket
+ #endif
+ ], [
+ AC_MSG_RESULT([yes])
+ ], [
+ AC_MSG_RESULT([no])
+ AC_ERROR([OpenVPN 2.4+ requires SSL_OP_NO_TICKET in OpenSSL])
+ ])
+fi
+
AC_ARG_VAR([POLARSSL_CFLAGS], [C compiler flags for polarssl])
AC_ARG_VAR([POLARSSL_LIBS], [linker flags for polarssl])
have_polarssl_ssl="yes"
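Review bot: The probe at `AC_EGREP_CPP(have_ssl_op_no_ticket, ...)` runs only the preprocessor, which takes its include paths from CPPFLAGS, and nothing in the hunk adds the OpenSSL include flags there. The preceding block starts outside the hunk and ends by restoring `LIBS`, so as far as can be seen the check may read a default `openssl/ssl.h` instead of the one the build is pointed at, and its result would then not describe the OpenSSL actually used. I would bracket the probe with `saved_CPPFLAGS="${CPPFLAGS}"; CPPFLAGS="${CPPFLAGS} ${<openssl-cflags-variable>}"` before it and `CPPFLAGS="${saved_CPPFLAGS}"` after it. Separately, `AC_ERROR` is an obsolete spelling; `AC_MSG_ERROR([OpenVPN 2.4+ requires SSL_OP_NO_TICKET in OpenSSL])` is the current macro. A short comment above the check stating that it only proves the macro exists in the headers, and that the option still has to be set on the SSL context at runtime, would also help the next reader.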