ssl: remove unsupported TLS versions from SSLContext::METHODS

Check for all version-specific SSL methods. We do check for existence of
TLSv1_1_method() and TLSv1_2_method(), but not for TLSv1_method(). This
fixes compile error when OpenSSL is configured with no-tls1-method.

Also check the OPENSSL_NO_TLS{1,1_1,1_2} macros for whether OpenSSL
supports the corresponding versions or not. This prevents :TLSv1 from
being in SSLContext::METHODS when OpenSSL is compiled with no-tls1.

In particular, Debian sid has disabled TLS 1.0/1.1 support recently.

The changes in ext/openssl are partial backport of 4eb4b3297a92 ("Remove
support for OpenSSL 0.9.8 and 1.0.0", 2016-11-30).

1 files changed, 4 insertions, 10 deletions

diff --git a/ext/openssl/extconf.rb b/ext/openssl/extconf.rb
index 8f604708..6782c046 100644
--- a/ext/openssl/extconf.rb
+++ b/ext/openssl/extconf.rb
@@ -109,16 +109,10 @@ end
 Logging::message "=== Checking for OpenSSL features... ===\n"
 # compile options
 
-# check OPENSSL_NO_{SSL2,SSL3_METHOD} macro: on some environment, these symbols
-# exist even if compiled with no-ssl2 or no-ssl3-method.
-unless have_macro("OPENSSL_NO_SSL2", "openssl/opensslconf.h")
-  have_func("SSLv2_method")
-end
-unless have_macro("OPENSSL_NO_SSL3_METHOD", "openssl/opensslconf.h")
-  have_func("SSLv3_method")
-end
-have_func("TLSv1_1_method")
-have_func("TLSv1_2_method")
+# SSLv2 and SSLv3 may be removed in future versions of OpenSSL, and even macros
+# like OPENSSL_NO_SSL2 may not be defined.
+have_func("SSLv2_method")
+have_func("SSLv3_method")
 have_func("RAND_egd")
 engines = %w{builtin_engines openbsd_dev_crypto dynamic 4758cca aep atalla chil
              cswift nuron sureware ubsec padlock capi gmp gost cryptodev aesni}