perl-Net-SSLeay/Net-SSLeay-1.85-Expose_SSL_CTX_set_post_handshake_auth.patch

commit 6a6bcf3d96115a6ef62289838cea418c185d8c88
Author: Paul Howarth <paul@city-fan.org>
Date:   Wed Sep 19 09:38:40 2018 +0100

    Expose SSL_CTX_set_post_handshake_auth
    
    TLS 1.3 removed renegotiation in favor of rekeying and post handshake
    authentication (PHA). With PHA, a server can request a client certificate from
    a client at some point after the handshake. The feature is commonly used by
    HTTP servers for conditional and path specific TLS client auth. For example, a
    server can decide to require a cert based on HTTP method and/or path. A client
    must announce support for PHA during the handshake.
    
    Apache mod_ssl uses PHA:
    https://github.com/apache/httpd/blob/trunk/modules/ssl/ssl_engine_kernel.c#L1207
    
    As of OpenSSL ticket https://github.com/openssl/openssl/issues/6933, TLS 1.3
    clients no longer send the PHA TLS extension by default. For on-demand auth,
    PHA extension must be enabled with SSL_CTX_set_post_handshake_auth(),
    https://www.openssl.org/docs/manmaster/man3/SSL_CTX_set_post_handshake_auth.html .
    
    This function is needed for the Apache httpd upstream test suite:
    https://bugzilla.redhat.com/show_bug.cgi?id=1630391 .

diff --git a/SSLeay.xs b/SSLeay.xs
index a4dcb0a..5777ffc 100644
--- a/SSLeay.xs
+++ b/SSLeay.xs
@@ -7291,4 +7291,13 @@ SSL_export_keying_material(ssl, outlen, label, p)
 
 #endif
 
+#if OPENSSL_VERSION_NUMBER >= 0x1010100fL && !defined(LIBRESSL_VERSION_NUMBER) /* OpenSSL 1.1.1 */
+
+void
+SSL_CTX_set_post_handshake_auth(s,val)
+    SSL_CTX * s
+    int val
+
+#endif
+
 #define REM_EOF "/* EOF - SSLeay.xs */"
Accepting request 666145 from home:vitezslav_cizek:branches:devel:languages:perl - Expose SSL_CTX_set_post_handshake_auth * https://github.com/radiator-software/p5-net-ssleay/pull/68 - add Net-SSLeay-1.85-Expose_SSL_CTX_set_post_handshake_auth.patch - Fix build on SLE-12 * apparently %autopatch needs to be followed by an empty line there OBS-URL: https://build.opensuse.org/request/show/666145 OBS-URL: https://build.opensuse.org/package/show/devel:languages:perl/perl-Net-SSLeay?expand=0&rev=42 2019-01-15 09:41:44 +00:00			`commit 6a6bcf3d96115a6ef62289838cea418c185d8c88`
			`Author: Paul Howarth <paul@city-fan.org>`
			`Date: Wed Sep 19 09:38:40 2018 +0100`

			`Expose SSL_CTX_set_post_handshake_auth`

			`TLS 1.3 removed renegotiation in favor of rekeying and post handshake`
			`authentication (PHA). With PHA, a server can request a client certificate from`
			`a client at some point after the handshake. The feature is commonly used by`
			`HTTP servers for conditional and path specific TLS client auth. For example, a`
			`server can decide to require a cert based on HTTP method and/or path. A client`
			`must announce support for PHA during the handshake.`

			`Apache mod_ssl uses PHA:`
			`https://github.com/apache/httpd/blob/trunk/modules/ssl/ssl_engine_kernel.c#L1207`

			`As of OpenSSL ticket https://github.com/openssl/openssl/issues/6933, TLS 1.3`
			`clients no longer send the PHA TLS extension by default. For on-demand auth,`
			`PHA extension must be enabled with SSL_CTX_set_post_handshake_auth(),`
			`https://www.openssl.org/docs/manmaster/man3/SSL_CTX_set_post_handshake_auth.html .`

			`This function is needed for the Apache httpd upstream test suite:`
			`https://bugzilla.redhat.com/show_bug.cgi?id=1630391 .`

			`diff --git a/SSLeay.xs b/SSLeay.xs`
			`index a4dcb0a..5777ffc 100644`
			`--- a/SSLeay.xs`
			`+++ b/SSLeay.xs`
			`@@ -7291,4 +7291,13 @@ SSL_export_keying_material(ssl, outlen, label, p)`

			`#endif`

			`+#if OPENSSL_VERSION_NUMBER >= 0x1010100fL && !defined(LIBRESSL_VERSION_NUMBER) /* OpenSSL 1.1.1 */`
			`+`
			`+void`
			`+SSL_CTX_set_post_handshake_auth(s,val)`
			`+ SSL_CTX * s`
			`+ int val`
			`+`
			`+#endif`
			`+`
			`#define REM_EOF "/* EOF - SSLeay.xs */"`