diff options
author | Kazuki Yamaguchi <k@rhe.jp> | 2020-02-22 05:47:58 +0900 |
---|---|---|
committer | Kazuki Yamaguchi <k@rhe.jp> | 2021-10-24 17:24:50 +0900 |
commit | 5375a55ffc35cf378cd52aa4646028d7cbdbcb6f (patch) | |
tree | bd2143ab08b96caadfcfcf46edb3b169528464ce | |
parent | 2be6779b08161a084a1a5d2758de21a913740b94 (diff) | |
download | ruby-openssl-5375a55ffc35cf378cd52aa4646028d7cbdbcb6f.tar.gz |
ssl: use SSL_CTX_load_verify_{file,dir}() if available
SSL_CTX_load_verify_locations() is deprecated in OpenSSL 3.0 and
replaced with those two separate functions. Use them if they exist.
-rw-r--r-- | ext/openssl/extconf.rb | 1 | ||||
-rw-r--r-- | ext/openssl/ossl_ssl.c | 7 |
2 files changed, 8 insertions, 0 deletions
diff --git a/ext/openssl/extconf.rb b/ext/openssl/extconf.rb index e64fe32f..e6066d69 100644 --- a/ext/openssl/extconf.rb +++ b/ext/openssl/extconf.rb @@ -174,6 +174,7 @@ have_func("EVP_PKEY_check") have_func("SSL_set0_tmp_dh_pkey") have_func("ERR_get_error_all") have_func("TS_VERIFY_CTX_set_certs(NULL, NULL)", "openssl/ts.h") +have_func("SSL_CTX_load_verify_file") Logging::message "=== Checking done. ===\n" diff --git a/ext/openssl/ossl_ssl.c b/ext/openssl/ossl_ssl.c index 1de0f989..5d6c400c 100644 --- a/ext/openssl/ossl_ssl.c +++ b/ext/openssl/ossl_ssl.c @@ -828,10 +828,17 @@ ossl_sslctx_setup(VALUE self) ca_file = NIL_P(val) ? NULL : StringValueCStr(val); val = rb_attr_get(self, id_i_ca_path); ca_path = NIL_P(val) ? NULL : StringValueCStr(val); +#ifdef HAVE_SSL_CTX_LOAD_VERIFY_FILE + if (ca_file && !SSL_CTX_load_verify_file(ctx, ca_file)) + ossl_raise(eSSLError, "SSL_CTX_load_verify_file"); + if (ca_path && !SSL_CTX_load_verify_dir(ctx, ca_path)) + ossl_raise(eSSLError, "SSL_CTX_load_verify_dir"); +#else if(ca_file || ca_path){ if (!SSL_CTX_load_verify_locations(ctx, ca_file, ca_path)) rb_warning("can't set verify locations"); } +#endif val = rb_attr_get(self, id_i_verify_mode); verify_mode = NIL_P(val) ? SSL_VERIFY_NONE : NUM2INT(val); |