diff --git a/config.h.in b/config.h.in
index 04fc74396..64d1c797a 100644
--- a/config.h.in
+++ b/config.h.in
@@ -395,6 +395,9 @@ /* Define if you have the SSL libraries installed. */ #undef HAVE_SSL +/* Define to 1 if you have the `SSL_CTX_set_security_level' function. */ +#undef HAVE_SSL_CTX_SET_SECURITY_LEVEL + /* Define to 1 if you have the header file. */ #undef HAVE_STDARG_H
diff --git a/configure b/configure
index fb0eeb4eb..5716f4995 100755
--- a/configure
+++ b/configure
@@ -17556,12 +17556,13 @@ done # these check_funcs need -lssl BAKLIBS="$LIBS" LIBS="-lssl $LIBS" -for ac_func in OPENSSL_init_ssl +for ac_func in OPENSSL_init_ssl SSL_CTX_set_security_level do : - ac_fn_c_check_func "$LINENO" "OPENSSL_init_ssl" "ac_cv_func_OPENSSL_init_ssl" -if test "x$ac_cv_func_OPENSSL_init_ssl" = xyes; then : + as_ac_var=`$as_echo "ac_cv_func_$ac_func" | $as_tr_sh` +ac_fn_c_check_func "$LINENO" "$ac_func" "$as_ac_var" +if eval test \"x\$"$as_ac_var"\" = x"yes"; then : cat >>confdefs.h <<_ACEOF -#define HAVE_OPENSSL_INIT_SSL 1 +#define `$as_echo "HAVE_$ac_func" | $as_tr_cpp` 1 _ACEOF fi
diff --git a/configure.ac b/configure.ac
index 3a8c55fd1..9ccde4d3d 100644
--- a/configure.ac
+++ b/configure.ac
@@ -681,7 +681,7 @@ AC_CHECK_FUNCS([OPENSSL_config EVP_sha1 EVP_sha256 EVP_sha512 FIPS_mode EVP_MD_C
 # these check_funcs need -lssl
 BAKLIBS="$LIBS"
 LIBS="-lssl $LIBS"
-AC_CHECK_FUNCS([OPENSSL_init_ssl])
+AC_CHECK_FUNCS([OPENSSL_init_ssl SSL_CTX_set_security_level])
 LIBS="$BAKLIBS"
 AC_CHECK_DECLS([SSL_COMP_get_compression_methods,sk_SSL_COMP_pop_free,SSL_CTX_set_ecdh_auto], [], [], [
diff --git a/daemon/remote.c b/daemon/remote.c
index 70c7de7df..faee2f881 100644
--- a/daemon/remote.c
+++ b/daemon/remote.c
@@ -243,7 +243,7 @@ daemon_remote_create(struct config_file* cfg)
 if (cfg->remote_control_use_cert == 0) {
 /* No certificates are requested */
-#if OPENSSL_VERSION_NUMBER >= 0x10100000 && !defined(HAVE_LIBRESSL)
+#ifdef HAVE_SSL_CTX_SET_SECURITY_LEVEL
 SSL_CTX_set_security_level(rc->ctx, 0);
 #endif
 if(!SSL_CTX_set_cipher_list(rc->ctx, "aNULL")) {
diff --git a/doc/Changelog b/doc/Changelog
index 36017abe8..bdf5be627 100644
--- a/doc/Changelog
+++ b/doc/Changelog
@@ -1,3 +1,8 @@
+4 November 2016: Wouter
+ - configure detects ssl security level API function in the autoconf
+ manner. Every function on its own, so that other libraries (eg.
+ LibreSSL) can develop their API without hindrance.
+
 3 November 2016: Ralph
 - Set OpenSSL security level to 0 when using aNULL ciphers.
diff --git a/smallapp/unbound-control.c b/smallapp/unbound-control.c
index 857e0d641..663497205 100644
--- a/smallapp/unbound-control.c
+++ b/smallapp/unbound-control.c
@@ -176,7 +176,7 @@ setup_ctx(struct config_file* cfg)
 free(c_cert);
 } else {
 /* Use ciphers that don't require authentication */
-#if OPENSSL_VERSION_NUMBER >= 0x10100000 && !defined(HAVE_LIBRESSL)
+#ifdef HAVE_SSL_CTX_SET_SECURITY_LEVEL
 SSL_CTX_set_security_level(ctx, 0);
 #endif
 if(!SSL_CTX_set_cipher_list(ctx, "aNULL"))
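Review bot: The `SSL_CTX_set_security_level(rc->ctx, 0);` call kept under the new `#ifdef HAVE_SSL_CTX_SET_SECURITY_LEVEL` in daemon_remote_create has no comment saying why the level is lowered or what that costs. Level 0 is needed because OpenSSL's default security callback refuses unauthenticated (aNULL) suites at any higher level, but it also switches off every other minimum-strength check on this context, so it should stay confined to the `remote_control_use_cert == 0` branch. I would add above the call: `/* aNULL suites are refused above security level 0; level 0 also disables all other strength checks for this ctx, keep it to the no-cert path */`. The same applies to `SSL_CTX_set_security_level(ctx, 0);` in setup_ctx in smallapp/unbound-control.c. Both function bodies start and end outside their hunks, so whether this unauthenticated context is only ever reachable over a local channel cannot be confirmed from here.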