From: Emmanuel Deloget Date: Fri, 17 Feb 2017 22:00:53 +0000 (+0100) Subject: OpenSSL: check for the SSL reason, not the full error X-Git-Tag: v2.4.1~29 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=c4c359736e3ab7f06a21f1eab09e6fd4cf2bef2f;p=thirdparty%2Fopenvpn.git OpenSSL: check for the SSL reason, not the full error OpenSSL 1.1 changed the SSLv3 API and removed many SSL_L_SSL3_* constants. Moreover, new code might use different function code for the same error. Thus, we extract the error reason from the error code before we compare it instead of trying to rebuild an error code that might not be correct. The new version is compatible with OpenSSL 1.0.x as well as with older versions (starting at 0.9.8). Signed-off-by: Emmanuel Deloget Acked-by: Steffan Karger Message-Id: <0e0d4a67192b563cd07d3f06685f85e34c304142.1487368114.git.logout@free.fr> URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg14087.html Signed-off-by: Gert Doering (cherry picked from commit 6ddc43d1bf9b3ea3ee5db8c50d56a98fe4db4c97) --- diff --git a/src/openvpn/crypto_openssl.c b/src/openvpn/crypto_openssl.c index e45571561..a66ee71e5 100644 --- a/src/openvpn/crypto_openssl.c +++ b/src/openvpn/crypto_openssl.c @@ -193,8 +193,7 @@ crypto_print_openssl_errors(const unsigned int flags) while ((err = ERR_get_error())) { /* Be more clear about frequently occurring "no shared cipher" error */ - if (err == ERR_PACK(ERR_LIB_SSL,SSL_F_SSL3_GET_CLIENT_HELLO, - SSL_R_NO_SHARED_CIPHER)) + if (ERR_GET_REASON(err) == SSL_R_NO_SHARED_CIPHER) { msg(D_CRYPT_ERRORS, "TLS error: The server has no TLS ciphersuites " "in common with the client. Your --tls-cipher setting might be "
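Review bot: The new condition in crypto_print_openssl_errors(), `ERR_GET_REASON(err) == SSL_R_NO_SHARED_CIPHER`, no longer checks which library raised the error, although the removed ERR_PACK() comparison pinned it to ERR_LIB_SSL. OpenSSL reason codes are only unique within a library, so a queued error from another library that happens to share this reason number would also print the "no TLS ciphersuites in common" hint and send the operator looking at --tls-cipher for the wrong reason. Consider keeping the library check while still dropping the function code, e.g. `if (ERR_GET_LIB(err) == ERR_LIB_SSL && ERR_GET_REASON(err) == SSL_R_NO_SHARED_CIPHER)`; both macros are available in the OpenSSL versions the commit message says it targets.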