[openssl] Forward-port some more cleanups from fixes to 3.5

This commit is contained in:
Aaron Jones 2016-04-30 21:45:16 +00:00
parent 3b0b4037d0
commit 92404a1a98
No known key found for this signature in database
GPG key ID: 6E854C0FAAD4CEA4

View file

@ -360,6 +360,9 @@ rb_setup_ssl_server(const char *cert, const char *keyfile, const char *dhfile, c
return 0;
}
if(cipher_list == NULL)
cipher_list = librb_ciphers;
if (ssl_server_ctx)
SSL_CTX_free(ssl_server_ctx);
@ -368,43 +371,48 @@ rb_setup_ssl_server(const char *cert, const char *keyfile, const char *dhfile, c
#ifdef LRB_HAVE_TLS_METHOD_API
ssl_server_ctx = SSL_CTX_new(TLS_server_method());
ssl_client_ctx = SSL_CTX_new(TLS_client_method());
#else
ssl_server_ctx = SSL_CTX_new(SSLv23_server_method());
ssl_client_ctx = SSL_CTX_new(SSLv23_client_method());
#endif
if(ssl_server_ctx == NULL)
{
rb_lib_log("rb_init_openssl: Unable to initialize OpenSSL server context: %s",
get_ssl_error(ERR_get_error()));
return 0;
}
else
{
long server_options = 0;
if(ssl_client_ctx == NULL)
{
rb_lib_log("rb_init_openssl: Unable to initialize OpenSSL client context: %s",
get_ssl_error(ERR_get_error()));
return 0;
}
#ifndef LRB_HAVE_TLS_METHOD_API
server_options |= SSL_OP_NO_SSLv2;
server_options |= SSL_OP_NO_SSLv3;
SSL_CTX_set_options(ssl_server_ctx, SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3);
SSL_CTX_set_options(ssl_client_ctx, SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3);
#endif
#ifdef SSL_OP_SINGLE_DH_USE
server_options |= SSL_OP_SINGLE_DH_USE;
SSL_CTX_set_options(ssl_server_ctx, SSL_OP_SINGLE_DH_USE);
#endif
#ifdef SSL_OP_SINGLE_ECDH_USE
server_options |= SSL_OP_SINGLE_ECDH_USE;
SSL_CTX_set_options(ssl_server_ctx, SSL_OP_SINGLE_ECDH_USE);
#endif
#ifdef SSL_OP_NO_TICKET
server_options |= SSL_OP_NO_TICKET;
SSL_CTX_set_options(ssl_server_ctx, SSL_OP_NO_TICKET);
SSL_CTX_set_options(ssl_client_ctx, SSL_OP_NO_TICKET);
#endif
#ifdef SSL_OP_CIPHER_SERVER_PREFERENCE
server_options |= SSL_OP_CIPHER_SERVER_PREFERENCE;
SSL_CTX_set_options(ssl_server_ctx, SSL_OP_CIPHER_SERVER_PREFERENCE);
#endif
SSL_CTX_set_options(ssl_server_ctx, server_options);
SSL_CTX_set_verify(ssl_server_ctx, SSL_VERIFY_PEER | SSL_VERIFY_CLIENT_ONCE, verify_accept_all_cb);
SSL_CTX_set_session_cache_mode(ssl_server_ctx, SSL_SESS_CACHE_OFF);
@ -426,33 +434,6 @@ rb_setup_ssl_server(const char *cert, const char *keyfile, const char *dhfile, c
EC_KEY_free(key);
}
#endif
}
#ifdef LRB_HAVE_TLS_METHOD_API
ssl_client_ctx = SSL_CTX_new(TLS_client_method());
#else
ssl_client_ctx = SSL_CTX_new(SSLv23_client_method());
#endif
if(ssl_client_ctx == NULL)
{
rb_lib_log("rb_init_openssl: Unable to initialize OpenSSL client context: %s",
get_ssl_error(ERR_get_error()));
}
else
{
#ifndef LRB_HAVE_TLS_METHOD_API
SSL_CTX_set_options(ssl_client_ctx, SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3);
#endif
#ifdef SSL_OP_NO_TICKET
SSL_CTX_set_options(ssl_client_ctx, SSL_OP_NO_TICKET);
#endif
}
if(cipher_list == NULL)
cipher_list = librb_ciphers;
SSL_CTX_set_cipher_list(ssl_server_ctx, cipher_list);
SSL_CTX_set_cipher_list(ssl_client_ctx, cipher_list);