From: Gert Doering Date: Sun, 23 Mar 2014 12:19:08 +0000 (+0100) Subject: Workaround missing SSL_OP_NO_TICKET in earlier OpenSSL versions X-Git-Tag: v2.3.3~2 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=2cf9d4e3f06f4a61cb6d159728ac6c8a790d6849;p=thirdparty%2Fopenvpn.git Workaround missing SSL_OP_NO_TICKET in earlier OpenSSL versions 058e889d introduced using SSL_OP_NO_TICKET, leading to build failures on systems that could build 2.3.2 fine. Inside the 2.3 release train, we do not want to change requirements, so for those build environments, ignore missing SSL_OP_NO_TICKET. 2.4 will require more recent OpenSSL, though. Acked-by: Steffan Karger Message-Id: <20140322183508.GZ16637@greenie.muc.de> URL: http://article.gmane.org/gmane.network.openvpn.devel/8384 Signed-off-by: Gert Doering --- diff --git a/src/openvpn/ssl_openssl.h b/src/openvpn/ssl_openssl.h index fc2052cb6..73a6c4920 100644 --- a/src/openvpn/ssl_openssl.h +++ b/src/openvpn/ssl_openssl.h @@ -32,6 +32,18 @@ #include +/** + * SSL_OP_NO_TICKET tells OpenSSL to disable "stateless session resumption", + * as this is something we do not want nor need, but could potentially be + * used for a future attack. For compatibility reasons, in the 2.3.x + * series, we keep building if the OpenSSL version is too old to support + * this. 2.4 requires it and will fail configure if not present. + */ +#ifndef SSL_OP_NO_TICKET +# define SSL_OP_NO_TICKET 0 +#endif + + /** * Structure that wraps the TLS context. Contents differ depending on the * SSL library used.
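Review bot: the `#ifndef SSL_OP_NO_TICKET` fallback in ssl_openssl.h defines the flag as 0 without any notice, so a 2.3.x build against an OpenSSL that lacks the flag compiles cleanly while the hardening the comment describes is silently absent: a value of 0 sets nothing wherever the flag is OR'ed into the SSL options. I would make that visible, for example with a configure-time notice or a startup log line when the fallback is in effect, and have the comment say explicitly that the fallback value turns the option into a no-op rather than only that "we keep building". The comment also promises that 2.4 "will fail configure if not present", but nothing in this diff enforces that, so it needs a matching configure check on the 2.4 branch or the statement will go stale. Minor style point: the hunk adds two blank lines after `#endif`; one is enough before the following comment block.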