From b6f4eeca7d4e3f8bef61dc68f72a4b6017b2ffb7 Mon Sep 17 00:00:00 2001
From: Kazuki Yamaguchi
Date: Thu, 21 Apr 2016 00:23:08 +0900
Subject: ext/openssl: avoid using deprecated protocol version specific methods.

They emit warnings with OpenSSL 1.1.0. Instead use SSL_CTX_set_{min,max}_proto_version().
---
 ext/openssl/extconf.rb | 1 +
 ext/openssl/ossl_ssl.c | 77 +++++++++++++++++++++++++++-----------------------
 2 files changed, 43 insertions(+), 35 deletions(-)

diff --git a/ext/openssl/extconf.rb b/ext/openssl/extconf.rb
index 8a83cf58db..d3d6da633c 100644
--- a/ext/openssl/extconf.rb
+++ b/ext/openssl/extconf.rb
@@ -127,6 +127,7 @@ have_func("OCSP_SINGLERESP_get0_id")
 have_func("X509_up_ref")
 have_func("X509_CRL_up_ref")
 have_func("X509_STORE_up_ref")
+have_func_like("SSL_CTX_set_min_proto_version", "openssl/ssl.h")
 have_func("SSL_SESSION_up_ref")
 have_func("EVP_PKEY_up_ref")
diff --git a/ext/openssl/ossl_ssl.c b/ext/openssl/ossl_ssl.c
index c66cea7d05..8c6cc35442 100644
--- a/ext/openssl/ossl_ssl.c
+++ b/ext/openssl/ossl_ssl.c
@@ -84,35 +84,35 @@ static VALUE sym_exception, sym_wait_readable, sym_wait_writable;
 */
 static const struct {
 const char *name;
- SSL_METHOD *(*func)(void);
+ const SSL_METHOD *(*func)(void);
+ int version;
 } ossl_ssl_method_tab[] = {
-#define OSSL_SSL_METHOD_ENTRY(name) { #name, (SSL_METHOD *(*)(void))name##_method }
- OSSL_SSL_METHOD_ENTRY(TLSv1),
- OSSL_SSL_METHOD_ENTRY(TLSv1_server),
- OSSL_SSL_METHOD_ENTRY(TLSv1_client),
-#if defined(HAVE_TLSV1_2_METHOD)
- OSSL_SSL_METHOD_ENTRY(TLSv1_2),
- OSSL_SSL_METHOD_ENTRY(TLSv1_2_server),
- OSSL_SSL_METHOD_ENTRY(TLSv1_2_client),
-#endif
-#if defined(HAVE_TLSV1_1_METHOD)
- OSSL_SSL_METHOD_ENTRY(TLSv1_1),
- OSSL_SSL_METHOD_ENTRY(TLSv1_1_server),
- OSSL_SSL_METHOD_ENTRY(TLSv1_1_client),
+#if defined(HAVE_SSL_CTX_SET_MIN_PROTO_VERSION)
+/* OpenSSL 1.1.0; version specific method is deprecated */
+#define OSSL_SSL_METHOD_ENTRY(name, version) \
+ { #name, TLS_method, version }, \
+ { #name"_server", TLS_server_method, version }, \
+ { #name"_client", TLS_client_method, version }
+#else
+#define OSSL_SSL_METHOD_ENTRY(name, version) \
+ { #name, name##_method, version }, \
+ { #name"_server", name##_server_method, version }, \
+ { #name"_client", name##_client_method, version }
 #endif
 #if defined(HAVE_SSLV2_METHOD)
- OSSL_SSL_METHOD_ENTRY(SSLv2),
- OSSL_SSL_METHOD_ENTRY(SSLv2_server),
- OSSL_SSL_METHOD_ENTRY(SSLv2_client),
+ OSSL_SSL_METHOD_ENTRY(SSLv2, SSL2_VERSION),
 #endif
 #if defined(HAVE_SSLV3_METHOD)
- OSSL_SSL_METHOD_ENTRY(SSLv3),
- OSSL_SSL_METHOD_ENTRY(SSLv3_server),
- OSSL_SSL_METHOD_ENTRY(SSLv3_client),
+ OSSL_SSL_METHOD_ENTRY(SSLv3, SSL3_VERSION),
+#endif
+ OSSL_SSL_METHOD_ENTRY(TLSv1, TLS1_VERSION),
+#if defined(HAVE_TLSV1_1_METHOD)
+ OSSL_SSL_METHOD_ENTRY(TLSv1_1, TLS1_1_VERSION),
+#endif
+#if defined(HAVE_TLSV1_2_METHOD)
+ OSSL_SSL_METHOD_ENTRY(TLSv1_2, TLS1_2_VERSION),
 #endif
- OSSL_SSL_METHOD_ENTRY(SSLv23),
- OSSL_SSL_METHOD_ENTRY(SSLv23_server),
- OSSL_SSL_METHOD_ENTRY(SSLv23_client),
+ OSSL_SSL_METHOD_ENTRY(SSLv23, 0),
 #undef OSSL_SSL_METHOD_ENTRY
 };
@@ -173,30 +173,37 @@ ossl_sslctx_s_alloc(VALUE klass)
 static VALUE
 ossl_sslctx_set_ssl_version(VALUE self, VALUE ssl_method)
 {
- SSL_METHOD *method = NULL;
+ SSL_CTX *ctx;
 const char *s;
 VALUE m = ssl_method;
 int i;
- SSL_CTX *ctx;
+ GetSSLCTX(self, ctx);
 if (RB_TYPE_P(ssl_method, T_SYMBOL))
 m = rb_sym2str(ssl_method);
 s = StringValueCStr(m);
 for (i = 0; i < numberof(ossl_ssl_method_tab); i++) {
 if (strcmp(ossl_ssl_method_tab[i].name, s) == 0) {
- method = ossl_ssl_method_tab[i].func();
- break;
+ SSL_METHOD *method = (SSL_METHOD *)ossl_ssl_method_tab[i].func();
+#if defined(HAVE_SSL_CTX_SET_MIN_PROTO_VERSION)
+ int version = ossl_ssl_method_tab[i].version;
+#endif
+
+ if (SSL_CTX_set_ssl_version(ctx, method) != 1) {
+ ossl_raise(eSSLError, "SSL_CTX_set_ssl_version");
+ }
+#if defined(HAVE_SSL_CTX_SET_MIN_PROTO_VERSION)
+ /* having SSL_CTX_set_min_proto_version() means versions specific methods is deprecated */
+ if (!SSL_CTX_set_min_proto_version(ctx, version) ||
+ !SSL_CTX_set_max_proto_version(ctx, version)) {
+ ossl_raise(eSSLError, "SSL_CTX_set_{min,max}_proto_version");
+ }
+#endif
+ return ssl_method;
 }
 }
- if (!method) {
- ossl_raise(rb_eArgError, "unknown SSL method `%"PRIsVALUE"'.", m);
- }
- GetSSLCTX(self, ctx);
- if (SSL_CTX_set_ssl_version(ctx, method) != 1) {
- ossl_raise(eSSLError, "SSL_CTX_set_ssl_version");
- }
- return ssl_method;
+ ossl_raise(rb_eArgError, "unknown SSL method `%"PRIsVALUE"'.", m);
 }
 static VALUE
--
cgit v1.2.3
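Review bot: The new `version` field of ossl_ssl_method_tab is undocumented, and the `0` given to the `SSLv23` entry has a meaning that only becomes visible in the second hunk, where it is passed to SSL_CTX_set_min_proto_version()/SSL_CTX_set_max_proto_version(): per OpenSSL, 0 means no lower/upper bound, so that entry leaves the context accepting every protocol version the library was built with (SSLv3/TLS1.0 included where those are compiled in), whereas every other entry pins min and max to a single version. That convention deserves a comment on the field, e.g. `int version; /* TLS1_VERSION etc. pins min=max; 0 (SSLv23) = no bound, lowest..highest the library supports */`, and on the entry `/* 0: do not restrict the version range */`. Note also that in the `#else` (pre-1.1.0) branch of the macro the `version` field is populated but never read, which is fine but worth a word in the comment so nobody "fixes" it. Count of the hunk header suggests one blank context line was lost in this rendering; the table itself is complete.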
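Review bot: The error path in ossl_sslctx_set_ssl_version() is not transactional: when SSL_CTX_set_min_proto_version() or SSL_CTX_set_max_proto_version() fails, SSL_CTX_set_ssl_version() has already replaced the method on a ctx the caller keeps using (and, as far as I recall OpenSSL's implementation, reset its cipher list to the default), so the raise leaves a half-configured context; a comment on that raise saying the ctx is left in an unspecified state would at least make this explicit. The cast `(SSL_METHOD *)ossl_ssl_method_tab[i].func()` discards the `const` the table now carries; if it exists only for OpenSSL releases whose SSL_CTX_set_ssl_version() takes a non-const pointer, say so at the cast, otherwise it can go. The inline comment reads oddly and should be `/* having SSL_CTX_set_min_proto_version() means the version-specific methods are deprecated; pin the version via min/max instead (0 = no bound) */`. Finally, the function now ends in ossl_raise() with no `return`, which is only warning-free if ossl_raise() is declared noreturn in the project headers (it is, as far as I know, but the hunk does not show it); the enclosing function's closing brace is visible, so nothing else is cut off.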