ssl: Drop support for older OpenSSL versions

Enterprise / Virtualization / SPICE - Christophe Fergeau [redhat.com] - 8 December 2017 14:22 EST

SSL_OP_NO_COMPRESSION was introduced in OpenSSL_0_9_8k, which is no longer supported. This commit raises the minimum OpenSSL version to 1.0.0, which is also out of support.

###

diff --git a/configure.ac b/configure.ac
index 3401dba8..62d1a020 100644
--- a/configure.ac
+++ b/configure.ac
@@ -186,7 +186,7 @@ if test "x$enable_celt051" = "xyes"; then
AS_VAR_APPEND([SPICE_REQUIRES], [" celt051 >= $CELT051_REQUIRED"]))
fi

-PKG_CHECK_MODULES(SSL, openssl)
+PKG_CHECK_MODULES(SSL, openssl >= 1.0.0)
AC_SUBST(SSL_CFLAGS)
AC_SUBST(SSL_LIBS)
AS_VAR_APPEND([SPICE_REQUIRES], [" openssl"])
diff --git a/server/reds.c b/server/reds.c
index f5b9ffd2..325af5e8 100644
--- a/server/reds.c
+++ b/server/reds.c
@@ -2819,15 +2819,12 @@ static gpointer openssl_global_init(gpointer arg)
static int reds_init_ssl(RedsState *reds)
{
static GOnce openssl_once = G_ONCE_INIT;
-#if OPENSSL_VERSION_NUMBER >= 0x10000000L
const SSL_METHOD *ssl_method;
-#else
- SSL_METHOD *ssl_method;
-#endif
int return_code;
- /* When some other SSL/TLS version becomes obsolete, add it to this
+ /* Limit connection to TLSv1 only.
+ * When some other SSL/TLS version becomes obsolete, add it to this
* variable. */
- long ssl_options = SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3;
+ long ssl_options = SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3 | SSL_OP_NO_COMPRESSION;

/* Global system initialization*/
g_once(&openssl_once, openssl_global_init, NULL);
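Review bot: The rewritten comment on the `ssl_options` initializer says "Limit connection to TLSv1 only", but the mask it describes only removes SSLv2 and SSLv3 and adds SSL_OP_NO_COMPRESSION, so TLS 1.0, 1.1 and 1.2 all remain negotiable and the compression bit is not a protocol-version restriction at all (it disables TLS-level compression). A reader will take the comment at face value and assume older TLS versions are already off; whether the method chosen further down in reds_init_ssl restricts versions is outside this hunk. Suggest replacing the three comment lines with `/* Disable obsolete SSLv2/SSLv3; TLS 1.0 and later remain negotiable. Also` / ` * disable TLS compression (SSL_OP_NO_COMPRESSION). Add further obsolete versions here. */`, so the version policy and the compression setting are stated separately. The body of reds_init_ssl continues past the end of this hunk.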
@@ -2841,10 +2838,6 @@ static int reds_init_ssl(RedsState *reds)
return -1;
}

- /* Limit connection to TLSv1 only */
-#ifdef SSL_OP_NO_COMPRESSION
- ssl_options |= SSL_OP_NO_COMPRESSION;
-#endif
SSL_CTX_set_options(reds->ctx, ssl_options);

/* Load our keys and certificates*/
@@ -2877,10 +2870,6 @@ static int reds_init_ssl(RedsState *reds)
return -1;
}

-#if (OPENSSL_VERSION_NUMBER < 0x00905100L)
- SSL_CTX_set_verify_depth(reds->ctx, 1);
-#endif
-
if (strlen(reds->config->ssl_parameters.dh_key_file) > 0) {
if (load_dh_params(reds->ctx, reds->config->ssl_parameters.dh_key_file) < 0) {
return -1;
@@ -2894,11 +2883,6 @@ static int reds_init_ssl(RedsState *reds)
}
}

-#ifndef SSL_OP_NO_COMPRESSION
- STACK *cmp_stack = SSL_COMP_get_compression_methods();
- sk_zero(cmp_stack);
-#endif
-
return 0;
}

7ff434b1 ssl: Drop support for older OpenSSL versions
configure.ac | 2 +-
server/reds.c | 22 +++-------------------
2 files changed, 4 insertions(+), 20 deletions(-)

Upstream: cgit.freedesktop.org

