SSL_OP_NO_COMPRESSION was introduced in OpenSSL_0_9_8k, which is no longer supported. This commit raises the minimum OpenSSL version to 1.0.0, which is also out of support.
Signed-off-by: Christophe Fergeau <cfergeau@xxxxxxxxxx>
---
 configure.ac | 2 +-
 server/reds.c | 22 +++-------------------
 2 files changed, 4 insertions(+), 20 deletions(-)
diff --git a/configure.ac b/configure.ac
index 3401dba83..62d1a0209 100644
--- a/configure.ac
+++ b/configure.ac
@@ -186,7 +186,7 @@ if test "x$enable_celt051" = "xyes"; then
 AS_VAR_APPEND([SPICE_REQUIRES], [" celt051 >= $CELT051_REQUIRED"]))
 fi
-PKG_CHECK_MODULES(SSL, openssl)
+PKG_CHECK_MODULES(SSL, openssl >= 1.0.0)
 AC_SUBST(SSL_CFLAGS)
 AC_SUBST(SSL_LIBS)
 AS_VAR_APPEND([SPICE_REQUIRES], [" openssl"])
diff --git a/server/reds.c b/server/reds.c
index f5b9ffd28..325af5e8b 100644
--- a/server/reds.c
+++ b/server/reds.c
@@ -2819,15 +2819,12 @@ static gpointer openssl_global_init(gpointer arg)
 static int reds_init_ssl(RedsState *reds)
 {
 static GOnce openssl_once = G_ONCE_INIT;
-#if OPENSSL_VERSION_NUMBER >= 0x10000000L
 const SSL_METHOD *ssl_method;
-#else
- SSL_METHOD *ssl_method;
-#endif
 int return_code;
- /* When some other SSL/TLS version becomes obsolete, add it to this
+ /* Limit connection to TLSv1 only.
+ * When some other SSL/TLS version becomes obsolete, add it to this
 * variable. */
- long ssl_options = SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3;
+ long ssl_options = SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3 | SSL_OP_NO_COMPRESSION;
 /* Global system initialization*/
 g_once(&openssl_once, openssl_global_init, NULL);
@@ -2841,10 +2838,6 @@ static int reds_init_ssl(RedsState *reds)
 return -1;
 }
- /* Limit connection to TLSv1 only */
-#ifdef SSL_OP_NO_COMPRESSION
- ssl_options |= SSL_OP_NO_COMPRESSION;
-#endif
 SSL_CTX_set_options(reds->ctx, ssl_options);
 /* Load our keys and certificates*/
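Review bot: The `AS_VAR_APPEND([SPICE_REQUIRES], [" openssl"])` line left as context at the end of this hunk still names openssl without a version, so the new floor is enforced only by `PKG_CHECK_MODULES` at configure time. If SPICE_REQUIRES ends up in the installed pkg-config file (not visible here), I would mirror the celt051 line above and append `" openssl >= 1.0.0"`. Keeping the version in one variable (for example a new `OPENSSL_REQUIRED`, a name I am suggesting, not one the file has) would stop the two places drifting apart.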
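Review bot: The comment added above `ssl_options` in reds_init_ssl says "Limit connection to TLSv1 only", but the flags on the new line only turn off SSLv2, SSLv3 and TLS compression; nothing here pins the protocol to TLS 1.0 or excludes later versions. Someone auditing the protocol policy would be misled, so I would open the comment with `/* Disable SSLv2, SSLv3 and TLS compression.` and keep the two following lines as they are. Which versions remain negotiable depends on the SSL_METHOD selected outside this hunk, and a short mention of that in the comment would help. reds_init_ssl continues past the end of the hunk.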
@@ -2877,10 +2870,6 @@ static int reds_init_ssl(RedsState *reds)
 return -1;
 }
-#if (OPENSSL_VERSION_NUMBER < 0x00905100L)
- SSL_CTX_set_verify_depth(reds->ctx, 1);
-#endif
-
 if (strlen(reds->config->ssl_parameters.dh_key_file) > 0) {
 if (load_dh_params(reds->ctx, reds->config->ssl_parameters.dh_key_file) < 0) {
 return -1;
@@ -2894,11 +2883,6 @@ static int reds_init_ssl(RedsState *reds)
 }
 }
-#ifndef SSL_OP_NO_COMPRESSION
- STACK *cmp_stack = SSL_COMP_get_compression_methods();
- sk_zero(cmp_stack);
-#endif
-
 return 0;
 }
--
2.14.3
_______________________________________________
Spice-devel mailing list
Spice-devel@xxxxxxxxxxxxxxxxxxxxx
https://lists.freedesktop.org/mailman/listinfo/spice-devel