From e97e50b68b0497f906a73a1acc26c3a97d9c9d7f Mon Sep 17 00:00:00 2001 From: Tzafrir Cohen Date: Sat, 21 Jan 2017 07:59:15 +0200 Subject: [PATCH] tcptls: use TLS_client_method with OpenSSL 1.1 OpenSSL 1.1 introduced TLS_client_method() and deprecated the previous version-specific methods (such as TLSv1_client_method(). Other than being simpler to use and more correct (gain support for TLS newer that TLS1, in our case), the older ones produce a deprecation warning that fails the build in dev-mode. ASTERISK-26109 #close Change-Id: I257b1c8afd09dcb0d96cda3a41cb9f7a15d0ba07 --- diff --git a/main/tcptls.c b/main/tcptls.c index 71bd92e..36a6c96 100644 --- a/main/tcptls.c +++ b/main/tcptls.c @@ -833,12 +833,16 @@ cfg->ssl_ctx = SSL_CTX_new(SSLv3_client_method()); } else #endif +#if defined(OPENSSL_VERSION_NUMBER) && (OPENSSL_VERSION_NUMBER >= 0x10100000L) + cfg->ssl_ctx = SSL_CTX_new(TLS_client_method()); +#else if (ast_test_flag(&cfg->flags, AST_SSL_TLSV1_CLIENT)) { cfg->ssl_ctx = SSL_CTX_new(TLSv1_client_method()); } else { disable_ssl = 1; cfg->ssl_ctx = SSL_CTX_new(SSLv23_client_method()); } +#endif } else { disable_ssl = 1; cfg->ssl_ctx = SSL_CTX_new(SSLv23_server_method()); From 99b40e72ae347d7047547836f7f897d3ea2bc8dc Mon Sep 17 00:00:00 2001 From: Tzafrir Cohen Date: Fri, 03 Feb 2017 10:25:33 +0200 Subject: [PATCH] libasteriskssl: do nothing with OpenSSL >= 1.1 OpenSSL 1.1 requires no explicit initialization. The hacks in the library are not needed. They also happen to fail running Asterisk. ASTERISK-26109 #close Change-Id: I3b3efd5d80234a4c45a8ee58dcfe25b15d9ad100 --- diff --git a/main/libasteriskssl.c b/main/libasteriskssl.c index bf5ecc1..9dea3df 100644 --- a/main/libasteriskssl.c +++ b/main/libasteriskssl.c @@ -123,10 +123,13 @@ /*! * \internal * \brief Common OpenSSL initialization for all of Asterisk. + * + * Not needed for OpenSSL versions >= 1.1.0 */ int ast_ssl_init(void) { -#ifdef HAVE_OPENSSL +#if defined(HAVE_OPENSSL) && defined(OPENSSL_VERSION_NUMBER) && \ + OPENSSL_VERSION_NUMBER < 0x10100000L unsigned int i; int (*real_SSL_library_init)(void); void (*real_CRYPTO_set_id_callback)(unsigned long (*)(void)); @@ -191,7 +194,7 @@ startup_complete = 1; -#endif /* HAVE_OPENSSL */ +#endif /* HAVE_OPENSSL and its version < 1.1 */ return 0; } --- a/main/tcptls.c +++ b/main/tcptls.c @@ -400,11 +400,13 @@ if (!stream->ssl->server) { /* For client threads, ensure that the error stack is cleared */ -#if OPENSSL_VERSION_NUMBER >= 0x10000000L +#if !defined(OPENSSL_VERSION_NUMBER) || OPENSSL_VERSION_NUMBER < 0x10100000L +#if defined(OPENSSL_VERSION_NUMBER) && OPENSSL_VERSION_NUMBER >= 0x10000000L ERR_remove_thread_state(NULL); #else ERR_remove_state(0); -#endif /* OPENSSL_VERSION_NUMBER >= 0x10000000L */ +#endif /* openssl == 1.0 */ +#endif /* openssl < 1.1 */ } SSL_free(stream->ssl); From c572e172665647abd27ea65a4c45f893161c8c44 Mon Sep 17 00:00:00 2001 From: Tzafrir Cohen Date: Sat, 21 Jan 2017 07:57:33 +0200 Subject: [PATCH] openssl 1.1 support: use OPENSSL_VERSION_NUMBER Use OPENSSL_VERSION_NUMBER instead of OPENSSL_API_COMPAT to detect the openssl 1.1 API. ASTERISK-26109 #close Change-Id: I4e448f55ef516aedf6ad154037c35577a421a458 --- --- a/main/libasteriskssl.c +++ b/main/libasteriskssl.c @@ -74,6 +74,7 @@ } } +#if !defined(OPENSSL_VERSION_NUMBER) || OPENSSL_VERSION_NUMBER < 0x10100000L int SSL_library_init(void) { #if defined(AST_DEVMODE) @@ -115,6 +116,7 @@ { /* we can't allow this to be called, ever */ } +#endif /* !defined(OPENSSL_VERSION_NUMBER) || OPENSSL_VERSION_NUMBER < 0x10100000L */ #endif /* HAVE_OPENSSL */ --- a/main/tcptls.c +++ b/main/tcptls.c @@ -398,7 +398,11 @@ SSL_get_error(stream->ssl, res)); } +#if defined(OPENSSL_VERSION_NUMBER) && OPENSSL_VERSION_NUMBER >= 0x10100000L + if (!SSL_is_server(stream->ssl)) { +#else if (!stream->ssl->server) { +#endif /* For client threads, ensure that the error stack is cleared */ #if !defined(OPENSSL_VERSION_NUMBER) || OPENSSL_VERSION_NUMBER < 0x10100000L #if defined(OPENSSL_VERSION_NUMBER) && OPENSSL_VERSION_NUMBER >= 0x10000000L --- a/main/tcptls.c +++ b/main/tcptls.c @@ -779,7 +779,7 @@ } if (client) { -#ifndef OPENSSL_NO_SSL2 +#if !defined(OPENSSL_NO_SSL2) && (OPENSSL_VERSION_NUMBER < 0x10100000L) if (ast_test_flag(&cfg->flags, AST_SSL_SSLV2_CLIENT)) { ast_log(LOG_WARNING, "Usage of SSLv2 is discouraged due to known vulnerabilities. Please use 'tlsv1' or leave the TLS method unspecified!\n"); cfg->ssl_ctx = SSL_CTX_new(SSLv2_client_method());