Require minimum OpenSSL 1.0.1

As RHEL 5 has reached EOL, we no longer need to support OpenSSL v0.9.8. This also makes it possible to remove a few workaronds which was needed earlier, as well as some left overs from v0.9.6. This also makes ./configure really stop running unless a new enough OpenSSL library is found. Compile tested on RHEL7.3 and RHEL6.7 (mock chroot build), both shipping openssl-1.0.1e. Signed-off-by: David Sommerseth <davids@openvpn.net> Acked-by: Steffan Karger <steffan.karger@fox-it.com> Message-Id: <20170411173133.18060-1-davids@openvpn.net> URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg14441.html Signed-off-by: David Sommerseth <davids@openvpn.net>
2026-05-28 04:03:29 -04:00 · 2017-04-11 19:31:33 +02:00 · 2017-04-11 19:31:33 +02:00 · 039a89c331
commit 039a89c331
parent 7a1b6a0dd7
7 changed files with 7 additions and 26 deletions
--- a/configure.ac
+++ b/configure.ac
@ -859,9 +859,9 @@ if test "${enable_crypto}" = "yes" -a "${with_crypto_library}" = "openssl"; then
 		# if the user did not explicitly specify flags, try to autodetect
 		PKG_CHECK_MODULES(
 			[OPENSSL],
-			[libcrypto >= 0.9.8, libssl >= 0.9.8],
+			[libcrypto >= 1.0.1, libssl >= 1.0.1],
-	        [have_openssl="yes"],
+	                [have_openssl="yes"],
-			[have_openssl="no"] # Provide if-not-found to prevent erroring out
+			[AC_MSG_ERROR([Minimum supported OpenSSL version is 1.0.1])]
 		)
 		OPENSSL_LIBS=${OPENSSL_LIBS:--lssl -lcrypto}
--- a/doc/openvpn.8
+++ b/doc/openvpn.8
@ -2773,7 +2773,6 @@ OPENVPN_PLUGIN_TLS_FINAL callback.
 Note that exporter labels have the potential to collide with existing PRF
 labels. In order to prevent this, labels MUST begin with "EXPORTER".
 This option requires OpenSSL 1.0.1 or newer.
 .\"*********************************************************
 .SS Server Mode
 Starting with OpenVPN 2.0, a multi-client TCP/UDP server mode
--- a/sample/sample-plugins/keying-material-exporter-demo/keyingmaterialexporter.c
+++ b/sample/sample-plugins/keying-material-exporter-demo/keyingmaterialexporter.c
@ -143,8 +143,7 @@ session_user_set(struct session *sess, X509 *x509)
        {
            continue;
        }
-        /* bug in OpenSSL 0.9.6b ASN1_STRING_to_UTF8 requires this workaround */
+        unsigned char *buf = NULL;
        unsigned char *buf = (unsigned char *)1;
        if (ASN1_STRING_to_UTF8(&buf, val) <= 0)
        {
            continue;
--- a/sample/sample-plugins/log/log_v3.c
+++ b/sample/sample-plugins/log/log_v3.c
@ -197,7 +197,7 @@ x509_print_info(X509 *x509crt)
    X509_NAME *x509_name;
    X509_NAME_ENTRY *ent;
    const char *objbuf;
-    unsigned char *buf;
+    unsigned char *buf = NULL;
    x509_name = X509_get_subject_name(x509crt);
    n = X509_NAME_entry_count(x509_name);
@ -228,7 +228,6 @@ x509_print_info(X509 *x509crt)
        {
            continue;
        }
        buf = (unsigned char *)1; /* bug in OpenSSL 0.9.6b ASN1_STRING_to_UTF8 requires this workaround */
        if (ASN1_STRING_to_UTF8(&buf, val) <= 0)
        {
            continue;
--- a/src/openvpn/ssl_openssl.c
+++ b/src/openvpn/ssl_openssl.c
@ -254,10 +254,7 @@ tls_ctx_set_options(struct tls_root_ctx *ctx, unsigned int ssl_flags)
            sslopt |= SSL_OP_NO_TLSv1_2;
        }
 #endif
 #ifdef SSL_OP_NO_COMPRESSION
        /* Disable compression - flag not available in OpenSSL 0.9.8 */
        sslopt |= SSL_OP_NO_COMPRESSION;
 #endif
        SSL_CTX_set_options(ctx->ctx, sslopt);
    }
--- a/src/openvpn/ssl_openssl.h
+++ b/src/openvpn/ssl_openssl.h
@ -32,17 +32,6 @@
 #include <openssl/ssl.h>
 /**
 * SSL_OP_NO_TICKET tells OpenSSL to disable "stateless session resumption",
 * as this is something we do not want nor need, but could potentially be
 * used for a future attack.  For compatibility reasons we keep building if the
 * OpenSSL version is too old (pre-0.9.8f) to support stateless session
 * resumption (and the accompanying SSL_OP_NO_TICKET flag).
 */
 #ifndef SSL_OP_NO_TICKET
 #define SSL_OP_NO_TICKET 0
 #endif
 /**
 * Structure that wraps the TLS context. Contents differ depending on the
 * SSL library used.
--- a/src/openvpn/ssl_verify_openssl.c
+++ b/src/openvpn/ssl_verify_openssl.c
@ -458,8 +458,7 @@ x509_setenv_track(const struct x509_track *xt, struct env_set *es, const int dep
                        if (ent)
                        {
                            ASN1_STRING *val = X509_NAME_ENTRY_get_data(ent);
-                            unsigned char *buf;
+                            unsigned char *buf = NULL;
                            buf = (unsigned char *)1; /* bug in OpenSSL 0.9.6b ASN1_STRING_to_UTF8 requires this workaround */
                            if (ASN1_STRING_to_UTF8(&buf, val) > 0)
                            {
                                do_setenv_x509(es, xt->name, (char *)buf, depth);
@ -514,7 +513,7 @@ x509_setenv(struct env_set *es, int cert_depth, openvpn_x509_cert_t *peer_cert)
    ASN1_STRING *val;
    X509_NAME_ENTRY *ent;
    const char *objbuf;
-    unsigned char *buf;
+    unsigned char *buf = NULL;
    char *name_expand;
    size_t name_expand_size;
    X509_NAME *x509 = X509_get_subject_name(peer_cert);
@ -547,7 +546,6 @@ x509_setenv(struct env_set *es, int cert_depth, openvpn_x509_cert_t *peer_cert)
        {
            continue;
        }
        buf = (unsigned char *)1; /* bug in OpenSSL 0.9.6b ASN1_STRING_to_UTF8 requires this workaround */
        if (ASN1_STRING_to_UTF8(&buf, val) <= 0)
        {
            continue;