Require minimum OpenSSL 1.0.1

As RHEL 5 has reached EOL, we no longer need to support OpenSSL v0.9.8. This also makes it possible to remove a few workaronds which was needed earlier, as well as some left overs from v0.9.6. This also makes ./configure really stop running unless a new enough OpenSSL library is found. Compile tested on RHEL7.3 and RHEL6.7 (mock chroot build), both shipping openssl-1.0.1e. Signed-off-by: David Sommerseth <davids@openvpn.net> Acked-by: Steffan Karger <steffan.karger@fox-it.com> Message-Id: <20170411173133.18060-1-davids@openvpn.net> URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg14441.html Signed-off-by: David Sommerseth <davids@openvpn.net>
2026-05-28 04:03:29 -04:00 · 2017-04-11 19:31:33 +02:00 · 2017-04-11 19:31:33 +02:00 · 039a89c331
commit 039a89c331
parent 7a1b6a0dd7
7 changed files with 7 additions and 26 deletions
--- a/configure.ac
+++ b/configure.ac
@ -859,9 +859,9 @@ if test "${enable_crypto}" = "yes" -a "${with_crypto_library}" = "openssl"; then
 		# if the user did not explicitly specify flags, try to autodetect
 		PKG_CHECK_MODULES(
 			[OPENSSL],
-			[libcrypto >= 0.9.8, libssl >= 0.9.8],
-	        [have_openssl="yes"],
-			[have_openssl="no"] # Provide if-not-found to prevent erroring out
+			[libcrypto >= 1.0.1, libssl >= 1.0.1],
+	                [have_openssl="yes"],
+			[AC_MSG_ERROR([Minimum supported OpenSSL version is 1.0.1])]
 		)

 		OPENSSL_LIBS=${OPENSSL_LIBS:--lssl -lcrypto}
--- a/doc/openvpn.8
+++ b/doc/openvpn.8
@ -2773,7 +2773,6 @@ OPENVPN_PLUGIN_TLS_FINAL callback.
 Note that exporter labels have the potential to collide with existing PRF
 labels. In order to prevent this, labels MUST begin with "EXPORTER".

-This option requires OpenSSL 1.0.1 or newer.
 .\"*********************************************************
 .SS Server Mode
 Starting with OpenVPN 2.0, a multi-client TCP/UDP server mode
--- a/sample/sample-plugins/keying-material-exporter-demo/keyingmaterialexporter.c
+++ b/sample/sample-plugins/keying-material-exporter-demo/keyingmaterialexporter.c
@ -143,8 +143,7 @@ session_user_set(struct session *sess, X509 *x509)
        {
            continue;
        }
-        /* bug in OpenSSL 0.9.6b ASN1_STRING_to_UTF8 requires this workaround */
-        unsigned char *buf = (unsigned char *)1;
+        unsigned char *buf = NULL;
        if (ASN1_STRING_to_UTF8(&buf, val) <= 0)
        {
            continue;
--- a/sample/sample-plugins/log/log_v3.c
+++ b/sample/sample-plugins/log/log_v3.c
@ -197,7 +197,7 @@ x509_print_info(X509 *x509crt)
    X509_NAME *x509_name;
    X509_NAME_ENTRY *ent;
    const char *objbuf;
-    unsigned char *buf;
+    unsigned char *buf = NULL;

    x509_name = X509_get_subject_name(x509crt);
    n = X509_NAME_entry_count(x509_name);
@ -228,7 +228,6 @@ x509_print_info(X509 *x509crt)
        {
            continue;
        }
-        buf = (unsigned char *)1; /* bug in OpenSSL 0.9.6b ASN1_STRING_to_UTF8 requires this workaround */
        if (ASN1_STRING_to_UTF8(&buf, val) <= 0)
        {
            continue;
--- a/src/openvpn/ssl_openssl.c
+++ b/src/openvpn/ssl_openssl.c
@ -254,10 +254,7 @@ tls_ctx_set_options(struct tls_root_ctx *ctx, unsigned int ssl_flags)
            sslopt |= SSL_OP_NO_TLSv1_2;
        }
 #endif
-#ifdef SSL_OP_NO_COMPRESSION
-        /* Disable compression - flag not available in OpenSSL 0.9.8 */
        sslopt |= SSL_OP_NO_COMPRESSION;
-#endif
        SSL_CTX_set_options(ctx->ctx, sslopt);
    }

--- a/src/openvpn/ssl_openssl.h
+++ b/src/openvpn/ssl_openssl.h
@ -32,17 +32,6 @@

 #include <openssl/ssl.h>

-/**
- * SSL_OP_NO_TICKET tells OpenSSL to disable "stateless session resumption",
- * as this is something we do not want nor need, but could potentially be
- * used for a future attack.  For compatibility reasons we keep building if the
- * OpenSSL version is too old (pre-0.9.8f) to support stateless session
- * resumption (and the accompanying SSL_OP_NO_TICKET flag).
- */
-#ifndef SSL_OP_NO_TICKET
-#define SSL_OP_NO_TICKET 0
-#endif
-
 /**
 * Structure that wraps the TLS context. Contents differ depending on the
 * SSL library used.
--- a/src/openvpn/ssl_verify_openssl.c
+++ b/src/openvpn/ssl_verify_openssl.c
@ -458,8 +458,7 @@ x509_setenv_track(const struct x509_track *xt, struct env_set *es, const int dep
                        if (ent)
                        {
                            ASN1_STRING *val = X509_NAME_ENTRY_get_data(ent);
-                            unsigned char *buf;
-                            buf = (unsigned char *)1; /* bug in OpenSSL 0.9.6b ASN1_STRING_to_UTF8 requires this workaround */
+                            unsigned char *buf = NULL;
                            if (ASN1_STRING_to_UTF8(&buf, val) > 0)
                            {
                                do_setenv_x509(es, xt->name, (char *)buf, depth);
@ -514,7 +513,7 @@ x509_setenv(struct env_set *es, int cert_depth, openvpn_x509_cert_t *peer_cert)
    ASN1_STRING *val;
    X509_NAME_ENTRY *ent;
    const char *objbuf;
-    unsigned char *buf;
+    unsigned char *buf = NULL;
    char *name_expand;
    size_t name_expand_size;
    X509_NAME *x509 = X509_get_subject_name(peer_cert);
@ -547,7 +546,6 @@ x509_setenv(struct env_set *es, int cert_depth, openvpn_x509_cert_t *peer_cert)
        {
            continue;
        }
-        buf = (unsigned char *)1; /* bug in OpenSSL 0.9.6b ASN1_STRING_to_UTF8 requires this workaround */
        if (ASN1_STRING_to_UTF8(&buf, val) <= 0)
        {
            continue;