|
 |
06c6ff |
From d83c0edf4c6ae42359ff856d7a879ecba5769595 Mon Sep 17 00:00:00 2001
|
|
|
06c6ff |
From: Kamil Dudka <kdudka@redhat.com>
|
|
|
06c6ff |
Date: Fri, 17 Feb 2017 16:51:41 +0100
|
|
|
06c6ff |
Subject: [PATCH 1/2] fix compatibility with OpenSSL 1.1
|
|
|
06c6ff |
|
|
|
06c6ff |
---
|
|
|
06c6ff |
src/network/ssl/socket.c | 4 ++--
|
|
|
06c6ff |
1 file changed, 2 insertions(+), 2 deletions(-)
|
|
|
06c6ff |
|
|
|
06c6ff |
diff --git a/src/network/ssl/socket.c b/src/network/ssl/socket.c
|
|
|
06c6ff |
index c9e2be4..467fc48 100644
|
|
|
06c6ff |
--- a/src/network/ssl/socket.c
|
|
|
06c6ff |
+++ b/src/network/ssl/socket.c
|
|
|
06c6ff |
@@ -83,7 +83,7 @@ static void
|
|
|
06c6ff |
ssl_set_no_tls(struct socket *socket)
|
|
|
06c6ff |
{
|
|
|
06c6ff |
#ifdef CONFIG_OPENSSL
|
|
|
06c6ff |
- ((ssl_t *) socket->ssl)->options |= SSL_OP_NO_TLSv1;
|
|
|
06c6ff |
+ SSL_set_options((ssl_t *) socket->ssl, SSL_OP_NO_TLSv1);
|
|
|
06c6ff |
#elif defined(CONFIG_GNUTLS)
|
|
|
06c6ff |
{
|
|
|
06c6ff |
/* GnuTLS does not support SSLv2 because it is "insecure".
|
|
|
06c6ff |
@@ -419,7 +419,7 @@ ssl_connect(struct socket *socket)
|
|
|
06c6ff |
}
|
|
|
06c6ff |
|
|
|
06c6ff |
if (client_cert) {
|
|
|
06c6ff |
- SSL_CTX *ctx = ((SSL *) socket->ssl)->ctx;
|
|
|
06c6ff |
+ SSL_CTX *ctx = SSL_get_SSL_CTX((SSL *) socket->ssl);
|
|
|
06c6ff |
|
|
|
06c6ff |
SSL_CTX_use_certificate_chain_file(ctx, client_cert);
|
|
|
06c6ff |
SSL_CTX_use_PrivateKey_file(ctx, client_cert,
|
|
|
06c6ff |
--
|
|
|
06c6ff |
2.7.4
|
|
|
06c6ff |
|
|
|
06c6ff |
|
|
|
06c6ff |
From ec952cc5b79973bee73fcfc813159d40c22b7228 Mon Sep 17 00:00:00 2001
|
|
|
06c6ff |
From: Tomas Mraz <tmraz@fedoraproject.org>
|
|
|
06c6ff |
Date: Fri, 17 Feb 2017 16:44:11 +0100
|
|
|
06c6ff |
Subject: [PATCH 2/2] drop disablement of TLS1.0 on second attempt to connect
|
|
|
06c6ff |
|
|
|
06c6ff |
It would not work correctly anyway and the code does not build
|
|
|
06c6ff |
with OpenSSL-1.1.0.
|
|
|
06c6ff |
---
|
|
|
06c6ff |
src/network/ssl/socket.c | 6 ++++++
|
|
|
06c6ff |
1 file changed, 6 insertions(+)
|
|
|
06c6ff |
|
|
|
06c6ff |
diff --git a/src/network/ssl/socket.c b/src/network/ssl/socket.c
|
|
|
06c6ff |
index 467fc48..b981c1e 100644
|
|
|
06c6ff |
--- a/src/network/ssl/socket.c
|
|
|
06c6ff |
+++ b/src/network/ssl/socket.c
|
|
|
06c6ff |
@@ -82,6 +82,11 @@
|
|
|
06c6ff |
static void
|
|
|
06c6ff |
ssl_set_no_tls(struct socket *socket)
|
|
|
06c6ff |
{
|
|
|
06c6ff |
+#if 0
|
|
|
06c6ff |
+/* This implements the insecure renegotiation, which should not be used.
|
|
|
06c6ff |
+ * The code also would not work on current Fedora (>= Fedora 23) anyway,
|
|
|
06c6ff |
+ * because it would just switch off TLS 1.0 keeping TLS 1.1 and 1.2 enabled.
|
|
|
06c6ff |
+ */
|
|
|
06c6ff |
#ifdef CONFIG_OPENSSL
|
|
|
06c6ff |
SSL_set_options((ssl_t *) socket->ssl, SSL_OP_NO_TLSv1);
|
|
|
06c6ff |
#elif defined(CONFIG_GNUTLS)
|
|
|
06c6ff |
@@ -96,6 +101,7 @@ ssl_set_no_tls(struct socket *socket)
|
|
|
06c6ff |
gnutls_protocol_set_priority(*(ssl_t *) socket->ssl, protocol_priority);
|
|
|
06c6ff |
}
|
|
|
06c6ff |
#endif
|
|
|
06c6ff |
+#endif
|
|
|
06c6ff |
}
|
|
|
06c6ff |
|
|
|
06c6ff |
#ifdef USE_OPENSSL
|
|
|
06c6ff |
--
|
|
|
06c6ff |
2.7.4
|
|
|
06c6ff |
|