Resolves: #1423519 - fix compatibility with OpenSSL 1.1

2017-02-17 16:53:46 +01:00 · 2017-02-17 16:53:46 +01:00 · a4f96767d0
commit a4f96767d0
parent 07b54aead5
2 changed files with 56 additions and 13 deletions
--- a/elinks-0.12pre6-openssl11.patch
+++ b/elinks-0.12pre6-openssl11.patch
@ -1,6 +1,53 @@
-diff -up elinks-0.12pre6/src/network/ssl/socket.c.openssl11 elinks-0.12pre6/src/network/ssl/socket.c
--- elinks-0.12pre6/src/network/ssl/socket.c.openssl11	2017-02-17 16:41:26.346909430 +0100
-+++ elinks-0.12pre6/src/network/ssl/socket.c	2017-02-17 16:40:34.000000000 +0100
+From d83c0edf4c6ae42359ff856d7a879ecba5769595 Mon Sep 17 00:00:00 2001
+From: Kamil Dudka <kdudka@redhat.com>
+Date: Fri, 17 Feb 2017 16:51:41 +0100
+Subject: [PATCH 1/2] fix compatibility with OpenSSL 1.1
+
+---
+ src/network/ssl/socket.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/src/network/ssl/socket.c b/src/network/ssl/socket.c
+index c9e2be4..467fc48 100644
+--- a/src/network/ssl/socket.c
+++ b/src/network/ssl/socket.c
+@@ -83,7 +83,7 @@ static void
+ ssl_set_no_tls(struct socket *socket)
+ {
+ #ifdef CONFIG_OPENSSL
+-	((ssl_t *) socket->ssl)->options |= SSL_OP_NO_TLSv1;
+	SSL_set_options((ssl_t *) socket->ssl, SSL_OP_NO_TLSv1);
+ #elif defined(CONFIG_GNUTLS)
+ 	{
+ 		/* GnuTLS does not support SSLv2 because it is "insecure".
+@@ -419,7 +419,7 @@ ssl_connect(struct socket *socket)
+ 		}
+ 
+ 		if (client_cert) {
+-			SSL_CTX *ctx = ((SSL *) socket->ssl)->ctx;
+			SSL_CTX *ctx = SSL_get_SSL_CTX((SSL *) socket->ssl);
+ 
+ 			SSL_CTX_use_certificate_chain_file(ctx, client_cert);
+ 			SSL_CTX_use_PrivateKey_file(ctx, client_cert,
+-- 
+2.7.4
+
+
+From ec952cc5b79973bee73fcfc813159d40c22b7228 Mon Sep 17 00:00:00 2001
+From: Tomas Mraz <tmraz@fedoraproject.org>
+Date: Fri, 17 Feb 2017 16:44:11 +0100
+Subject: [PATCH 2/2] drop disablement of TLS1.0 on second attempt to connect
+
+It would not work correctly anyway and the code does not build
+with OpenSSL-1.1.0.
+---
+ src/network/ssl/socket.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/src/network/ssl/socket.c b/src/network/ssl/socket.c
+index 467fc48..b981c1e 100644
+--- a/src/network/ssl/socket.c
+++ b/src/network/ssl/socket.c
@@ -82,6 +82,11 @@
 static void
 ssl_set_no_tls(struct socket *socket)
@ -11,7 +58,7 @@ diff -up elinks-0.12pre6/src/network/ssl/socket.c.openssl11 elinks-0.12pre6/src/
 + * because it would just switch off TLS 1.0 keeping TLS 1.1 and 1.2 enabled.
 + */
 #ifdef CONFIG_OPENSSL
- 	((ssl_t *) socket->ssl)->options |= SSL_OP_NO_TLSv1;
+ 	SSL_set_options((ssl_t *) socket->ssl, SSL_OP_NO_TLSv1);
 #elif defined(CONFIG_GNUTLS)
@@ -96,6 +101,7 @@ ssl_set_no_tls(struct socket *socket)
 		gnutls_protocol_set_priority(*(ssl_t *) socket->ssl, protocol_priority);
@ -21,12 +68,6 @@ diff -up elinks-0.12pre6/src/network/ssl/socket.c.openssl11 elinks-0.12pre6/src/
 }
 
 #ifdef USE_OPENSSL
-@@ -419,7 +425,7 @@ ssl_connect(struct socket *socket)
- 		}
- 
- 		if (client_cert) {
-			SSL_CTX *ctx = ((SSL *) socket->ssl)->ctx;
-+			SSL_CTX *ctx = SSL_get_SSL_CTX((SSL *) socket->ssl);
- 
- 			SSL_CTX_use_certificate_chain_file(ctx, client_cert);
- 			SSL_CTX_use_PrivateKey_file(ctx, client_cert,
+-- 
+2.7.4
+
--- a/elinks.spec
+++ b/elinks.spec
@ -75,6 +75,7 @@ Patch17: elinks-0.12pre6-libidn2.patch
 # make configure.ac recognize recent versions of GCC
 Patch18: elinks-0.12pre6-recent-gcc-versions.patch

+# fix compatibility with OpenSSL 1.1 (#1423519) and ...
 # drop disablement of TLS1.0 on second attempt to connect
 Patch19: elinks-0.12pre6-openssl11.patch

@ -166,6 +167,7 @@ exit 0

 %changelog
 * Fri Feb 17 2017 Kamil Dudka <kdudka@redhat.com> - 0.12-0.51.pre6
+- fix compatibility with OpenSSL 1.1 (#1423519)
 - make configure.ac recognize recent versions of GCC
 - apply patches automatically to ease maintenance