nut/openssl-1_1.patch

diff --git a/clients/upsclient.c b/clients/upsclient.c
index b90587b0..b7dd8f42 100644
--- a/clients/upsclient.c
+++ b/clients/upsclient.c
@@ -299,11 +299,6 @@ int upscli_init(int certverify, const char *certpath,
 {
 #ifdef WITH_OPENSSL
 	int ret, ssl_mode = SSL_VERIFY_NONE;
-#if OPENSSL_VERSION_NUMBER >= 0x10000000L
-	const SSL_METHOD	*ssl_method;
-#else
-	SSL_METHOD	*ssl_method;
-#endif
 #elif defined(WITH_NSS) /* WITH_OPENSSL */
 	SECStatus	status;
 #endif /* WITH_OPENSSL | WITH_NSS */
@@ -315,22 +310,35 @@ int upscli_init(int certverify, const char *certpath,
 	}
 	
 #ifdef WITH_OPENSSL
+
+	SSL_load_error_strings();
 	
+#if OPENSSL_VERSION_NUMBER < 0x10100000L
 	SSL_library_init();
-	SSL_load_error_strings();
 
-	ssl_method = TLSv1_client_method();
+	ssl_ctx = SSL_CTX_new(SSLv23_client_method());
+#else
+	OPENSSL_init_ssl(0, NULL);
 
-	if (!ssl_method) {
-		return 0;
-	}
+	ssl_ctx = SSL_CTX_new(TLS_client_method());
+#endif
 
-	ssl_ctx = SSL_CTX_new(ssl_method);
 	if (!ssl_ctx) {
 		upslogx(LOG_ERR, "Can not initialize SSL context");
 		return -1;
 	}
 	
+#if OPENSSL_VERSION_NUMBER < 0x10100000L
+	/* set minimum protocol TLSv1 */
+	SSL_CTX_set_options(ssl_ctx, SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3);
+#else
+	ret = SSL_CTX_set_min_proto_version(ssl_ctx, TLS1_VERSION);
+	if (ret != 1) {
+		upslogx(LOG_ERR, "Can not set minimum protocol to TLSv1");
+		return -1;
+	}
+#endif
+
 	if (!certpath) {
 		if (certverify == 1) {
 			upslogx(LOG_ERR, "Can not verify certificate if any is specified");
@@ -737,7 +745,7 @@ static int upscli_sslinit(UPSCONN_t *ups, int verifycert)
 	switch(res)
 	{
 	case 1:
-		upsdebugx(3, "SSL connected");
+		upsdebugx(3, "SSL connected (%s)", SSL_get_version(ups->ssl));
 		break;
 	case 0:
 		upslog_with_errno(1, "SSL_connect do not accept handshake.");
diff --git a/m4/nut_check_libopenssl.m4 b/m4/nut_check_libopenssl.m4
index 1b875077..5f29f4a3 100644
--- a/m4/nut_check_libopenssl.m4
+++ b/m4/nut_check_libopenssl.m4
@@ -57,8 +57,9 @@ if test -z "${nut_have_libopenssl_seen}"; then
 	AC_MSG_RESULT([${LIBS}])
 
 	dnl check if openssl is usable
-	AC_CHECK_HEADERS(openssl/ssl.h, [nut_have_openssl=yes], [nut_have_openssl=no], [AC_INCLUDES_DEFAULT])
-	AC_CHECK_FUNCS(SSL_library_init, [], [nut_have_openssl=no])
+	AC_CHECK_FUNCS(OPENSSL_init_ssl, [nut_have_openssl=yes], [nut_have_openssl=no])
+	AC_CHECK_FUNCS(SSL_library_init, [nut_have_openssl=yes], [])
+	AC_CHECK_HEADERS(openssl/ssl.h, [], [nut_have_openssl=no], [AC_INCLUDES_DEFAULT])
 
 	if test "${nut_have_openssl}" = "yes"; then
 		nut_with_ssl="yes"
diff --git a/server/netssl.c b/server/netssl.c
index c2f40989..6ae13e8d 100644
--- a/server/netssl.c
+++ b/server/netssl.c
@@ -275,7 +275,7 @@ void net_starttls(nut_ctype_t *client, int numarg, const char **arg)
 	{
 	case 1:
 		client->ssl_connected = 1;
-		upsdebugx(3, "SSL connected");
+		upsdebugx(3, "SSL connected (%s)", SSL_get_version(client->ssl));
 		break;
 		
 	case 0:
@@ -371,13 +371,7 @@ void ssl_init(void)
 {
 #ifdef WITH_NSS
 	SECStatus status;
-#elif defined(WITH_OPENSSL)
-#if OPENSSL_VERSION_NUMBER >= 0x10000000L
-	const SSL_METHOD	*ssl_method;
-#else
-	SSL_METHOD	*ssl_method;
-#endif
-#endif /* WITH_NSS|WITH_OPENSSL */
+#endif /* WITH_NSS */
 
 	if (!certfile) {
 		return;
@@ -388,17 +382,31 @@ void ssl_init(void)
 #ifdef WITH_OPENSSL
 
 	SSL_load_error_strings();
+
+#if OPENSSL_VERSION_NUMBER < 0x10100000L
 	SSL_library_init();
 
-	if ((ssl_method = TLSv1_server_method()) == NULL) {
+	ssl_ctx = SSL_CTX_new(SSLv23_server_method());
+#else
+	OPENSSL_init_ssl(0, NULL);
+
+	ssl_ctx = SSL_CTX_new(TLS_server_method());
+#endif
+
+	if (!ssl_ctx) {
 		ssl_debug();
-		fatalx(EXIT_FAILURE, "TLSv1_server_method failed");
+		fatalx(EXIT_FAILURE, "SSL_CTX_new failed");
 	}
 
-	if ((ssl_ctx = SSL_CTX_new(ssl_method)) == NULL) {
+#if OPENSSL_VERSION_NUMBER < 0x10100000L
+	/* set minimum protocol TLSv1 */
+	SSL_CTX_set_options(ssl_ctx, SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3);
+#else
+	if (SSL_CTX_set_min_proto_version(ssl_ctx, TLS1_VERSION) != 1) {
 		ssl_debug();
-		fatalx(EXIT_FAILURE, "SSL_CTX_new failed");
+		fatalx(EXIT_FAILURE, "SSL_CTX_set_min_proto_version(TLS1_VERSION)");
 	}
+#endif
 
 	if (SSL_CTX_use_certificate_chain_file(ssl_ctx, certfile) != 1) {
 		ssl_debug();
Accepting request 547147 from home:adkorte:branches:hardware - Add support for OpenSSL 1.1.0 library, allow TLSv1 and higher (not just TLSv1) and report TLS version used in debug mode level 3 and higher (boo#1069988, openssl-1_1.patch) - Fix missing pointer dereference in upssched (nut-upssched.patch) - Support for allowfrom parameter was removed in version 2.4.0 (nut-preconfig.patch) OBS-URL: https://build.opensuse.org/request/show/547147 OBS-URL: https://build.opensuse.org/package/show/hardware/nut?expand=0&rev=74 2017-12-01 15:34:51 +00:00			`diff --git a/clients/upsclient.c b/clients/upsclient.c`
			`index b90587b0..b7dd8f42 100644`
			`--- a/clients/upsclient.c`
			`+++ b/clients/upsclient.c`
			`@@ -299,11 +299,6 @@ int upscli_init(int certverify, const char *certpath,`
			`{`
			`#ifdef WITH_OPENSSL`
			`int ret, ssl_mode = SSL_VERIFY_NONE;`
			`-#if OPENSSL_VERSION_NUMBER >= 0x10000000L`
			`- const SSL_METHOD *ssl_method;`
			`-#else`
			`- SSL_METHOD *ssl_method;`
			`-#endif`
			`#elif defined(WITH_NSS) /* WITH_OPENSSL */`
			`SECStatus status;`
			`#endif /* WITH_OPENSSL \| WITH_NSS */`
			`@@ -315,22 +310,35 @@ int upscli_init(int certverify, const char *certpath,`
			`}`

			`#ifdef WITH_OPENSSL`
			`+`
			`+ SSL_load_error_strings();`

			`+#if OPENSSL_VERSION_NUMBER < 0x10100000L`
			`SSL_library_init();`
			`- SSL_load_error_strings();`

			`- ssl_method = TLSv1_client_method();`
			`+ ssl_ctx = SSL_CTX_new(SSLv23_client_method());`
			`+#else`
			`+ OPENSSL_init_ssl(0, NULL);`

			`- if (!ssl_method) {`
			`- return 0;`
			`- }`
			`+ ssl_ctx = SSL_CTX_new(TLS_client_method());`
			`+#endif`

			`- ssl_ctx = SSL_CTX_new(ssl_method);`
			`if (!ssl_ctx) {`
			`upslogx(LOG_ERR, "Can not initialize SSL context");`
			`return -1;`
			`}`

			`+#if OPENSSL_VERSION_NUMBER < 0x10100000L`
			`+ /* set minimum protocol TLSv1 */`
			`+ SSL_CTX_set_options(ssl_ctx, SSL_OP_NO_SSLv2 \| SSL_OP_NO_SSLv3);`
			`+#else`
			`+ ret = SSL_CTX_set_min_proto_version(ssl_ctx, TLS1_VERSION);`
			`+ if (ret != 1) {`
			`+ upslogx(LOG_ERR, "Can not set minimum protocol to TLSv1");`
			`+ return -1;`
			`+ }`
			`+#endif`
			`+`
			`if (!certpath) {`
			`if (certverify == 1) {`
			`upslogx(LOG_ERR, "Can not verify certificate if any is specified");`
			`@@ -737,7 +745,7 @@ static int upscli_sslinit(UPSCONN_t *ups, int verifycert)`
			`switch(res)`
			`{`
			`case 1:`
			`- upsdebugx(3, "SSL connected");`
			`+ upsdebugx(3, "SSL connected (%s)", SSL_get_version(ups->ssl));`
			`break;`
			`case 0:`
			`upslog_with_errno(1, "SSL_connect do not accept handshake.");`
			`diff --git a/m4/nut_check_libopenssl.m4 b/m4/nut_check_libopenssl.m4`
			`index 1b875077..5f29f4a3 100644`
			`--- a/m4/nut_check_libopenssl.m4`
			`+++ b/m4/nut_check_libopenssl.m4`
			`@@ -57,8 +57,9 @@ if test -z "${nut_have_libopenssl_seen}"; then`
			`AC_MSG_RESULT([${LIBS}])`

			`dnl check if openssl is usable`
			`- AC_CHECK_HEADERS(openssl/ssl.h, [nut_have_openssl=yes], [nut_have_openssl=no], [AC_INCLUDES_DEFAULT])`
			`- AC_CHECK_FUNCS(SSL_library_init, [], [nut_have_openssl=no])`
			`+ AC_CHECK_FUNCS(OPENSSL_init_ssl, [nut_have_openssl=yes], [nut_have_openssl=no])`
			`+ AC_CHECK_FUNCS(SSL_library_init, [nut_have_openssl=yes], [])`
			`+ AC_CHECK_HEADERS(openssl/ssl.h, [], [nut_have_openssl=no], [AC_INCLUDES_DEFAULT])`

			`if test "${nut_have_openssl}" = "yes"; then`
			`nut_with_ssl="yes"`
			`diff --git a/server/netssl.c b/server/netssl.c`
			`index c2f40989..6ae13e8d 100644`
			`--- a/server/netssl.c`
			`+++ b/server/netssl.c`
			`@@ -275,7 +275,7 @@ void net_starttls(nut_ctype_t client, int numarg, const char *arg)`
			`{`
			`case 1:`
			`client->ssl_connected = 1;`
			`- upsdebugx(3, "SSL connected");`
			`+ upsdebugx(3, "SSL connected (%s)", SSL_get_version(client->ssl));`
			`break;`

			`case 0:`
			`@@ -371,13 +371,7 @@ void ssl_init(void)`
			`{`
			`#ifdef WITH_NSS`
			`SECStatus status;`
			`-#elif defined(WITH_OPENSSL)`
			`-#if OPENSSL_VERSION_NUMBER >= 0x10000000L`
			`- const SSL_METHOD *ssl_method;`
			`-#else`
			`- SSL_METHOD *ssl_method;`
			`-#endif`
			`-#endif /* WITH_NSS\|WITH_OPENSSL */`
			`+#endif /* WITH_NSS */`

			`if (!certfile) {`
			`return;`
			`@@ -388,17 +382,31 @@ void ssl_init(void)`
			`#ifdef WITH_OPENSSL`

			`SSL_load_error_strings();`
			`+`
			`+#if OPENSSL_VERSION_NUMBER < 0x10100000L`
			`SSL_library_init();`

			`- if ((ssl_method = TLSv1_server_method()) == NULL) {`
			`+ ssl_ctx = SSL_CTX_new(SSLv23_server_method());`
			`+#else`
			`+ OPENSSL_init_ssl(0, NULL);`
			`+`
			`+ ssl_ctx = SSL_CTX_new(TLS_server_method());`
			`+#endif`
			`+`
			`+ if (!ssl_ctx) {`
			`ssl_debug();`
			`- fatalx(EXIT_FAILURE, "TLSv1_server_method failed");`
			`+ fatalx(EXIT_FAILURE, "SSL_CTX_new failed");`
			`}`

			`- if ((ssl_ctx = SSL_CTX_new(ssl_method)) == NULL) {`
			`+#if OPENSSL_VERSION_NUMBER < 0x10100000L`
			`+ /* set minimum protocol TLSv1 */`
			`+ SSL_CTX_set_options(ssl_ctx, SSL_OP_NO_SSLv2 \| SSL_OP_NO_SSLv3);`
			`+#else`
			`+ if (SSL_CTX_set_min_proto_version(ssl_ctx, TLS1_VERSION) != 1) {`
			`ssl_debug();`
			`- fatalx(EXIT_FAILURE, "SSL_CTX_new failed");`
			`+ fatalx(EXIT_FAILURE, "SSL_CTX_set_min_proto_version(TLS1_VERSION)");`
			`}`
			`+#endif`

			`if (SSL_CTX_use_certificate_chain_file(ssl_ctx, certfile) != 1) {`
			`ssl_debug();`