openssl: Disable OCSP in old versions of OpenSSL

Versions of OpenSSL prior to v0.9.8h do not support the necessary
functions for OCSP stapling.

diff --git a/lib/vtls/openssl.c b/lib/vtls/openssl.c
index 68ca1fbcd194bbedc84ab2040655fd3510d7c568..38cf79a27f114033ecdd82ebf29303ed2174ffa4 100644 (file)
--- a/lib/vtls/openssl.c
+++ b/lib/vtls/openssl.c
@@ -1323,7 +1323,8 @@ static CURLcode verifyhost(struct connectdata *conn, X509 *server_cert)
   return result;
 }
 
-#if !defined(HAVE_BORINGSSL) && !defined(OPENSSL_NO_TLSEXT)
+#if (OPENSSL_VERSION_NUMBER >= 0x0090808fL) && !defined(OPENSSL_NO_TLSEXT) && \
+    !defined(HAVE_BORINGSSL)
 static CURLcode verifystatus(struct connectdata *conn,
                              struct ssl_connect_data *connssl)
 {
@@ -2060,7 +2061,8 @@ static CURLcode ossl_connect_step1(struct connectdata *conn, int sockindex)
     return CURLE_OUT_OF_MEMORY;
   }
 
-#if !defined(HAVE_BORINGSSL) && !defined(OPENSSL_NO_TLSEXT)
+#if (OPENSSL_VERSION_NUMBER >= 0x0090808fL) && !defined(OPENSSL_NO_TLSEXT) && \
+    !defined(HAVE_BORINGSSL)
   if(data->set.ssl.verifystatus)
     SSL_set_tlsext_status_type(connssl->handle, TLSEXT_STATUSTYPE_ocsp);
 #endif
@@ -2748,7 +2750,8 @@ static CURLcode servercert(struct connectdata *conn,
       infof(data, "\t SSL certificate verify ok.\n");
   }
 
-#if !defined(HAVE_BORINGSSL) && !defined(OPENSSL_NO_TLSEXT)
+#if (OPENSSL_VERSION_NUMBER >= 0x0090808fL) && !defined(OPENSSL_NO_TLSEXT) && \
+    !defined(HAVE_BORINGSSL)
   if(data->set.ssl.verifystatus) {
     result = verifystatus(conn, connssl);
     if(result) {
@@ -3202,7 +3205,8 @@ void Curl_ossl_md5sum(unsigned char *tmp, /* input */
 
 bool Curl_ossl_cert_status_request(void)
 {
-#if !defined(HAVE_BORINGSSL) && !defined(OPENSSL_NO_TLSEXT)
+#if (OPENSSL_VERSION_NUMBER >= 0x0090808fL) && !defined(OPENSSL_NO_TLSEXT) && \
+    !defined(HAVE_BORINGSSL)
   return TRUE;
 #else
   return FALSE;