
[core] compile with upcoming openssl 1.1.0 release (fixes #2727)

(thx falemagn)

x-ref:
  "Won't compile with OpenSSL 1.1.0"
  https://redmine.lighttpd.net/issues/2727
personal/stbuehler/mod-csrf-old
Glenn Strauss 6 years ago
parent
commit
49c74fff65
  1. 1
      NEWS
  2. 6
      src/connections-glue.c
  3. 16
      src/network.c
  4. 3
      src/response.c
  5. 6
      src/server.c

1
NEWS

@ -81,6 +81,7 @@ NEWS
* [core] open fd when appending file to cq (fixes #2655)
* [config] server.listen-backlog option (fixes #1825, #2116)
* [core] retry tempdirs on partial write, ENOSPC (fixes #2588)
* [core] compile with upcoming openssl 1.1.0 release (fixes #2727)
- 1.4.39 - 2016-01-02
* [core] fix memset_s call (fixes #2698)

6
src/connections-glue.c

@ -180,9 +180,15 @@ static int connection_handle_read_ssl(server *srv, connection *con) {
while((ssl_err = ERR_get_error())) {
switch (ERR_GET_REASON(ssl_err)) {
case SSL_R_SSL_HANDSHAKE_FAILURE:
#ifdef SSL_R_TLSV1_ALERT_UNKNOWN_CA
case SSL_R_TLSV1_ALERT_UNKNOWN_CA:
#endif
#ifdef SSL_R_SSLV3_ALERT_CERTIFICATE_UNKNOWN
case SSL_R_SSLV3_ALERT_CERTIFICATE_UNKNOWN:
#endif
#ifdef SSL_R_SSLV3_ALERT_BAD_CERTIFICATE
case SSL_R_SSLV3_ALERT_BAD_CERTIFICATE:
#endif
if (!con->conf.log_ssl_noise) continue;
break;
default:

16
src/network.c

@ -826,20 +826,28 @@ int network_init(server *srv) {
return -1;
}
} else {
BIGNUM *dh_p, *dh_g;
/* Default DH parameters from RFC5114 */
dh = DH_new();
if (dh == NULL) {
log_error_write(srv, __FILE__, __LINE__, "s", "SSL: DH_new () failed");
return -1;
}
dh->p = BN_bin2bn(dh1024_p,sizeof(dh1024_p), NULL);
dh->g = BN_bin2bn(dh1024_g,sizeof(dh1024_g), NULL);
dh->length = 160;
if ((dh->p == NULL) || (dh->g == NULL)) {
dh_p = BN_bin2bn(dh1024_p,sizeof(dh1024_p), NULL);
dh_g = BN_bin2bn(dh1024_g,sizeof(dh1024_g), NULL);
if ((dh_p == NULL) || (dh_g == NULL)) {
DH_free(dh);
log_error_write(srv, __FILE__, __LINE__, "s", "SSL: BN_bin2bn () failed");
return -1;
}
#if OPENSSL_VERSION_NUMBER < 0x10100000L
dh->p = dh_p;
dh->g = dh_g;
dh->length = 160;
#else
DH_set0_pqg(dh, dh_p, NULL, dh_g);
DH_set_length(dh, 160);
#endif
}
SSL_CTX_set_tmp_dh(s->ssl_ctx,dh);
SSL_CTX_set_options(s->ssl_ctx,SSL_OP_SINGLE_DH_USE);
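Review bot: The 1.1.0 branch added at line 87 ignores the return value of `DH_set0_pqg()`, and on that path `dh_p`/`dh_g` are only owned by `dh` when the call succeeds — if it fails they leak and `dh` is handed to `SSL_CTX_set_tmp_dh()` without parameters; `DH_set_length()` on line 88 is likewise unchecked. The pre-1.1.0 branch assigns the fields directly and cannot fail, so only the new accessor path needs the guard. Separately, the fallback remains the 1024-bit RFC 5114 group (context line 65), which is below current guidance of 2048 bits; that predates this commit but is worth a TODO. network_init begins and ends outside the hunk.
```c
#else
    if (!DH_set0_pqg(dh, dh_p, NULL, dh_g)) {
        /* ownership of dh_p/dh_g is transferred only on success */
        BN_free(dh_p);
        BN_free(dh_g);
        DH_free(dh);
        log_error_write(srv, __FILE__, __LINE__, "s", "SSL: DH_set0_pqg () failed");
        return -1;
    }
    DH_set_length(dh, 160);
#endif
/* … unchanged: SSL_CTX_set_tmp_dh / SSL_CTX_set_options … */
```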

3
src/response.c

@ -167,7 +167,8 @@ static void https_add_ssl_entries(connection *con) {
buffer_append_string(envds->key, xobjsn);
buffer_copy_string_len(
envds->value,
(const char *)xe->value->data, xe->value->length
(const char *)X509_NAME_ENTRY_get_data(xe)->data,
X509_NAME_ENTRY_get_data(xe)->length
);
/* pick one of the exported values as "REMOTE_USER", for example
* ssl.verifyclient.username = "SSL_CLIENT_S_DN_UID" or "SSL_CLIENT_S_DN_emailAddress"
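Review bot: Lines 102-103 call `X509_NAME_ENTRY_get_data(xe)` twice for one copy; hoisting it into a local both avoids the repeated lookup and gives a single place to use the accessors, e.g. `ASN1_STRING *xes = X509_NAME_ENTRY_get_data(xe);` followed by `buffer_copy_string_len(envds->value, (const char *)ASN1_STRING_data(xes), ASN1_STRING_length(xes));`. Using the `ASN1_STRING_*` accessors rather than `->data`/`->length` keeps this spot from needing another change if the struct is made opaque later; the data copied is still the raw entry bytes in whatever ASN.1 string type the certificate used, as before this commit. https_add_ssl_entries begins and ends outside the hunk.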

6
src/server.c

@ -381,7 +381,13 @@ static void server_free(server *srv) {
if (srv->ssl_is_init) {
CRYPTO_cleanup_all_ex_data();
ERR_free_strings();
#if OPENSSL_VERSION_NUMBER >= 0x10100000L
ERR_remove_thread_state();
#elif OPENSSL_VERSION_NUMBER >= 0x10000000L
ERR_remove_thread_state(NULL);
#else
ERR_remove_state(0);
#endif
EVP_cleanup();
}
#endif
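Review bot: The `>= 0x10100000L` branch on line 116 calls `ERR_remove_thread_state()` with no argument; the released 1.1.0 headers declare it as a deprecated, do-nothing `ERR_remove_thread_state(void *)`, so this form only matches a pre-release API and should be re-checked against the release headers. In 1.1.0 the per-thread error state, error strings and EVP tables are released automatically at library cleanup, so the branch can simply be empty: `#if OPENSSL_VERSION_NUMBER >= 0x10100000L` `/* 1.1.0+: library deinitialises itself; nothing to do here */` `#elif OPENSSL_VERSION_NUMBER >= 0x10000000L`. The surrounding `CRYPTO_cleanup_all_ex_data()`, `ERR_free_strings()` and `EVP_cleanup()` calls are harmless no-ops on 1.1.0 but may warn as deprecated. server_free begins and ends outside the hunk.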
