diff -up openwsman-2.6.2/src/lib/wsman-curl-client-transport.c.orig openwsman-2.6.2/src/lib/wsman-curl-client-transport.c --- openwsman-2.6.2/src/lib/wsman-curl-client-transport.c.orig 2015-10-19 15:27:46.000000000 +0200 +++ openwsman-2.6.2/src/lib/wsman-curl-client-transport.c 2017-01-02 15:18:43.444990500 +0100 @@ -239,12 +239,16 @@ write_handler( void *ptr, size_t size, s static int ssl_certificate_thumbprint_verify_callback(X509_STORE_CTX *ctx, void *arg) { unsigned char *thumbprint = (unsigned char *)arg; - X509 *cert = ctx->cert; EVP_MD *tempDigest; unsigned char tempFingerprint[EVP_MAX_MD_SIZE]; unsigned int tempFingerprintLen; tempDigest = (EVP_MD*)EVP_sha1( ); + + X509 *cert = X509_STORE_CTX_get_current_cert(ctx); + if(!cert) + return 0; + if ( X509_digest(cert, tempDigest, tempFingerprint, &tempFingerprintLen ) <= 0) return 0; if(!memcmp(tempFingerprint, thumbprint, tempFingerprintLen)) diff -up openwsman-2.6.2/src/server/shttpd/config.c.orig openwsman-2.6.2/src/server/shttpd/config.c --- openwsman-2.6.2/src/server/shttpd/config.c.orig 2015-10-19 15:27:46.000000000 +0200 +++ openwsman-2.6.2/src/server/shttpd/config.c 2017-01-03 14:21:57.925415734 +0100 @@ -85,32 +85,24 @@ static void set_ssl(struct shttpd_ctx *ctx, void *arg, const char *pem) { SSL_CTX *CTX; + SSL_CONF_CTX *CCTX; void *lib; struct ssl_func *fp; char *ssl_disabled_protocols = wsmand_options_get_ssl_disabled_protocols(); + int ret; arg = NULL; /* Unused */ - /* Load SSL library dynamically */ - if ((lib = dlopen(SSL_LIB, RTLD_LAZY)) == NULL) { - elog(E_FATAL, NULL, "set_ssl: cannot load %s", SSL_LIB); - ctx->ssl_ctx = NULL; - return; - } - - for (fp = ssl_sw; fp->name != NULL; fp++) { - if ((fp->ptr.v_void = dlsym(lib, fp->name)) == NULL) { - elog(E_FATAL, NULL,"set_ssl: cannot find %s", fp->name); - ctx->ssl_ctx = NULL; - return; - } - } - /* Initialize SSL crap */ static int ssl_library_initialized = 0; if(!ssl_library_initialized) { debug("Initialize SSL"); + SSL_load_error_strings(); + #if OPENSSL_VERSION_NUMBER < 0x10100000L SSL_library_init(); + #else + OPENSSL_init_ssl(0, NULL); + #endif ssl_library_initialized = 1; } if ((CTX = SSL_CTX_new(SSLv23_server_method())) == NULL) { @@ -126,17 +118,26 @@ set_ssl(struct shttpd_ctx *ctx, void *ar SSL_CTX_free(CTX); CTX = NULL; } + if ((CCTX = SSL_CONF_CTX_new()) == NULL) { + elog(E_FATAL, NULL, "SSL_CONF_CTX_new error"); + debug("SSL_CONF_CTX_new error"); + } + else { + SSL_CONF_CTX_set_ssl_ctx(CCTX, CTX); + } + +/* while (ssl_disabled_protocols) { struct ctx_opts_t { char *name; - long opt; + char *opt; } protocols[] = { - { "SSLv2", SSL_OP_NO_SSLv2 }, - { "SSLv3", SSL_OP_NO_SSLv3 }, - { "TLSv1", SSL_OP_NO_TLSv1 }, + { "SSLv2", "SSLv2" }, + { "SSLv3", "SSLv3" }, + { "TLSv1", "TLSv1" }, # if OPENSSL_VERSION_NUMBER >= 0x10001000L - { "TLSv1_1", SSL_OP_NO_TLSv1_1 }, - { "TLSv1_2", SSL_OP_NO_TLSv1_2 }, + { "TLSv1_1", "TLSv1.1" }, + { "TLSv1_2", "TLSv1.2" }, # endif { NULL, 0 } }; @@ -150,7 +151,17 @@ set_ssl(struct shttpd_ctx *ctx, void *ar for (idx = 0; protocols[idx].name ; ++idx) { if (strncasecmp(protocols[idx].name, ssl_disabled_protocols, blank_ptr-ssl_disabled_protocols) == 0) { debug("SSL: disable %s protocol", protocols[idx].name); - SSL_CTX_ctrl(CTX, SSL_CTRL_OPTIONS, protocols[idx].opt, NULL); + debug("SSL: set '%s' as minimum protocol version - opt value", protocols[idx].opt); + ret = SSL_CONF_cmd(CTX, "MinProtocol", protocols[idx].opt); + if (ret > 2) { + debug("SSL: SSL_CONF_cmd OK"); + } + if (ret == -2) { + debug("SSL: SSL_CONF_cmd ret == -2"); + } + if (ret != -2) { + debug("Error processing SSL_CONF_cmd()"); + } break; } } @@ -158,6 +169,10 @@ set_ssl(struct shttpd_ctx *ctx, void *ar break; ssl_disabled_protocols = blank_ptr + 1; } +*/ + if (!SSL_CONF_CTX_finish(CCTX)) { + elog(E_FATAL, NULL, "SSL_CONF_CTX_finish error"); + } ctx->ssl_ctx = CTX; } diff -up openwsman-2.6.2/src/server/shttpd/io_ssl.c.orig openwsman-2.6.2/src/server/shttpd/io_ssl.c --- openwsman-2.6.2/src/server/shttpd/io_ssl.c.orig 2015-10-19 15:27:46.000000000 +0200 +++ openwsman-2.6.2/src/server/shttpd/io_ssl.c 2017-01-03 13:43:13.926524433 +0100 @@ -11,26 +11,6 @@ #include "shttpd_defs.h" #if !defined(NO_SSL) -struct ssl_func ssl_sw[] = { - {"SSL_free", {0}}, - {"SSL_accept", {0}}, - {"SSL_connect", {0}}, - {"SSL_read", {0}}, - {"SSL_write", {0}}, - {"SSL_get_error", {0}}, - {"SSL_set_fd", {0}}, - {"SSL_new", {0}}, - {"SSL_CTX_new", {0}}, - {"SSLv23_server_method", {0}}, - {"SSL_library_init", {0}}, - {"SSL_CTX_use_PrivateKey_file", {0}}, - {"SSL_CTX_use_certificate_file",{0}}, - {"SSL_CTX_free", {0}}, - {"SSL_pending", {0}}, - {"SSL_CTX_use_certificate_chain_file",{0}}, - {"SSL_CTX_ctrl", {0}}, - {NULL, {0}} -}; void ssl_handshake(struct stream *stream) diff -up openwsman-2.6.2/src/server/shttpd/ssl.h.orig openwsman-2.6.2/src/server/shttpd/ssl.h --- openwsman-2.6.2/src/server/shttpd/ssl.h.orig 2015-10-19 15:27:46.000000000 +0200 +++ openwsman-2.6.2/src/server/shttpd/ssl.h 2017-01-02 15:18:43.445990500 +0100 @@ -12,56 +12,4 @@ # include -#else - -/* - * Snatched from OpenSSL includes. I put the prototypes here to be independent - * from the OpenSSL source installation. Having this, shttpd + SSL can be - * built on any system with binary SSL libraries installed. - */ - -typedef struct ssl_st SSL; -typedef struct ssl_method_st SSL_METHOD; -typedef struct ssl_ctx_st SSL_CTX; - -#define SSL_ERROR_WANT_READ 2 -#define SSL_ERROR_WANT_WRITE 3 -#define SSL_ERROR_SYSCALL 5 -#define SSL_FILETYPE_PEM 1 - #endif - -/* - * Dynamically loaded SSL functionality - */ -struct ssl_func { - const char *name; /* SSL function name */ - union variant ptr; /* Function pointer */ -}; - -extern struct ssl_func ssl_sw[]; - -#define FUNC(x) ssl_sw[x].ptr.v_func - -#define SSL_free(x) (* (void (*)(SSL *)) FUNC(0))(x) -#define SSL_accept(x) (* (int (*)(SSL *)) FUNC(1))(x) -#define SSL_connect(x) (* (int (*)(SSL *)) FUNC(2))(x) -#define SSL_read(x,y,z) (* (int (*)(SSL *, void *, int)) FUNC(3))((x),(y),(z)) -#define SSL_write(x,y,z) \ - (* (int (*)(SSL *, const void *,int)) FUNC(4))((x), (y), (z)) -#define SSL_get_error(x,y)(* (int (*)(SSL *, int)) FUNC(5))((x), (y)) -#define SSL_set_fd(x,y) (* (int (*)(SSL *, int)) FUNC(6))((x), (y)) -#define SSL_new(x) (* (SSL * (*)(SSL_CTX *)) FUNC(7))(x) -#define SSL_CTX_new(x) (* (SSL_CTX * (*)(SSL_METHOD *)) FUNC(8))(x) -#define SSLv23_server_method() (* (SSL_METHOD * (*)(void)) FUNC(9))() -#define SSL_library_init() (* (int (*)(void)) FUNC(10))() -#define SSL_CTX_use_PrivateKey_file(x,y,z) (* (int (*)(SSL_CTX *, \ - const char *, int)) FUNC(11))((x), (y), (z)) -#define SSL_CTX_use_certificate_file(x,y,z) (* (int (*)(SSL_CTX *, \ - const char *, int)) FUNC(12))((x), (y), (z)) -#define SSL_CTX_use_certificate_chain_file(x,y) (* (int (*)(SSL_CTX *, \ - const char *)) FUNC(15))((x), (y)) -#define SSL_CTX_free(x) (*(void (*)(SSL_CTX *)) FUNC(13))(x) -#define SSL_pending(x) (*(int (*)(SSL *)) FUNC(14))(x) -#define SSL_CTX_ctrl(w,x,y,z) (*(long (*)(SSL_CTX *,int,long,void *)) FUNC(16))((w),(x),(y),(z)) -