author | Kazuki Yamaguchi <k@rhe.jp> | 2017-08-08 16:39:36 +0900 |
---|---|---|
committer | Kazuki Yamaguchi <k@rhe.jp> | 2017-08-08 18:08:03 +0900 |
commit | 3e5a009966bd7f806f7180d82cf830a04be28986 (patch) | |
tree | aede31ead0aa817b4066ffc70211371700f27f47 /ext | |
parent | 579afc4584840644b23b7ccd640d62683fd725e5 (diff) | |
download | ruby-openssl-3e5a009966bd7f806f7180d82cf830a04be28986.tar.gz |
ssl: remove unsupported TLS versions from SSLContext::METHODS
Check for all version-specific SSL methods. We do check for existence of
TLSv1_1_method() and TLSv1_2_method(), but not for TLSv1_method(). This
fixes a compile error when OpenSSL is configured with no-tls1-method.
Also check the OPENSSL_NO_TLS{1,1_1,1_2} macros for whether OpenSSL
supports the corresponding versions or not. This prevents :TLSv1 from
being in SSLContext::METHODS when OpenSSL is compiled with no-tls1.
In particular, Debian sid has disabled TLS 1.0/1.1 support recently.
The changes in ext/openssl are partial backport of 4eb4b3297a92 ("Remove
support for OpenSSL 0.9.8 and 1.0.0", 2016-11-30).
Diffstat (limited to 'ext')
-rw-r--r-- | ext/openssl/extconf.rb | 14 | ||||
-rw-r--r-- | ext/openssl/ossl_ssl.c | 10 |
2 files changed, 10 insertions, 14 deletions
diff --git a/ext/openssl/extconf.rb b/ext/openssl/extconf.rb
index 8f604708..6782c046 100644
--- a/ext/openssl/extconf.rb
+++ b/ext/openssl/extconf.rb
@@ -109,16 +109,10 @@ end
 Logging::message "=== Checking for OpenSSL features... ===\n"
 # compile options
-# check OPENSSL_NO_{SSL2,SSL3_METHOD} macro: on some environment, these symbols
-# exist even if compiled with no-ssl2 or no-ssl3-method.
-unless have_macro("OPENSSL_NO_SSL2", "openssl/opensslconf.h")
-  have_func("SSLv2_method")
-end
-unless have_macro("OPENSSL_NO_SSL3_METHOD", "openssl/opensslconf.h")
-  have_func("SSLv3_method")
-end
-have_func("TLSv1_1_method")
-have_func("TLSv1_2_method")
+# SSLv2 and SSLv3 may be removed in future versions of OpenSSL, and even macros
+# like OPENSSL_NO_SSL2 may not be defined.
+have_func("SSLv2_method")
+have_func("SSLv3_method")
 have_func("RAND_egd")
 engines = %w{builtin_engines openbsd_dev_crypto dynamic 4758cca aep atalla chil cswift nuron sureware ubsec padlock capi gmp gost cryptodev aesni}
diff --git a/ext/openssl/ossl_ssl.c b/ext/openssl/ossl_ssl.c
index e2c8eb5e..12b5536c 100644
--- a/ext/openssl/ossl_ssl.c
+++ b/ext/openssl/ossl_ssl.c
@@ -65,17 +65,19 @@ static const struct {
     { #name"_server", (SSL_METHOD *(*)(void))name##_server_method, version }, \
     { #name"_client", (SSL_METHOD *(*)(void))name##_client_method, version }
 #endif
-#if defined(HAVE_SSLV2_METHOD)
+#if !defined(OPENSSL_NO_SSL2) && !defined(OPENSSL_NO_SSL2_METHOD) && defined(HAVE_SSLV2_METHOD)
     OSSL_SSL_METHOD_ENTRY(SSLv2, SSL2_VERSION),
 #endif
-#if defined(HAVE_SSLV3_METHOD)
+#if !defined(OPENSSL_NO_SSL3) && !defined(OPENSSL_NO_SSL3_METHOD) && defined(HAVE_SSLV3_METHOD)
     OSSL_SSL_METHOD_ENTRY(SSLv3, SSL3_VERSION),
 #endif
+#if !defined(OPENSSL_NO_TLS1) && !defined(OPENSSL_NO_TLS1_METHOD)
     OSSL_SSL_METHOD_ENTRY(TLSv1, TLS1_VERSION),
-#if defined(HAVE_TLSV1_1_METHOD)
+#endif
+#if !defined(OPENSSL_NO_TLS1_1) && !defined(OPENSSL_NO_TLS1_1_METHOD)
     OSSL_SSL_METHOD_ENTRY(TLSv1_1, TLS1_1_VERSION),
 #endif
-#if defined(HAVE_TLSV1_2_METHOD)
+#if !defined(OPENSSL_NO_TLS1_2) && !defined(OPENSSL_NO_TLS1_2_METHOD)
     OSSL_SSL_METHOD_ENTRY(TLSv1_2, TLS1_2_VERSION),
 #endif
     OSSL_SSL_METHOD_ENTRY(SSLv23, 0), |
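Review bot: The TLSv1, TLSv1_1 and TLSv1_2 entries are now gated only on the OPENSSL_NO_* macros, while the SSLv2/SSLv3 entries just above them still additionally require the HAVE_SSLV*_METHOD result from extconf.rb; because the extconf.rb hunk in this commit drops `have_func("TLSv1_1_method")` and `have_func("TLSv1_2_method")`, `HAVE_TLSV1_1_METHOD` and `HAVE_TLSV1_2_METHOD` are no longer defined anywhere, so any `#if defined(HAVE_TLSV1_1_METHOD)` / `HAVE_TLSV1_2_METHOD` guard that may remain elsewhere in the tree would now silently compile out and is worth a grep before merging. The reason two macros are tested per version is not stated in the code; presumably OPENSSL_NO_TLS1 means the protocol itself is disabled and OPENSSL_NO_TLS1_METHOD that only the version-specific method functions are, so a one-line comment above the first new guard such as `/* OPENSSL_NO_<ver> disables the protocol, OPENSSL_NO_<ver>_METHOD only <ver>_method(); either removes the entry */` would save the next reader a trip to opensslconf.h. The method table this hunk edits begins (`static const struct {`) and ends outside the hunk.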