> > SSL_OP_NO_COMPRESSION was introduced in OpenSSL_0_9_8k, which is no > longer supported. This commit raises the minimum OpenSSL version to > 1.0.0, which is also out of support. > > Signed-off-by: Christophe Fergeau <cfergeau@xxxxxxxxxx> > --- > configure.ac | 2 +- > server/reds.c | 22 +++------------------- > 2 files changed, 4 insertions(+), 20 deletions(-) > > diff --git a/configure.ac b/configure.ac > index 3401dba83..62d1a0209 100644 > --- a/configure.ac > +++ b/configure.ac > @@ -186,7 +186,7 @@ if test "x$enable_celt051" = "xyes"; then > AS_VAR_APPEND([SPICE_REQUIRES], [" celt051 >= > $CELT051_REQUIRED"])) > fi > > -PKG_CHECK_MODULES(SSL, openssl) > +PKG_CHECK_MODULES(SSL, openssl >= 1.0.0) > AC_SUBST(SSL_CFLAGS) > AC_SUBST(SSL_LIBS) > AS_VAR_APPEND([SPICE_REQUIRES], [" openssl"]) > diff --git a/server/reds.c b/server/reds.c > index f5b9ffd28..325af5e8b 100644 > --- a/server/reds.c > +++ b/server/reds.c > @@ -2819,15 +2819,12 @@ static gpointer openssl_global_init(gpointer arg) > static int reds_init_ssl(RedsState *reds) > { > static GOnce openssl_once = G_ONCE_INIT; > -#if OPENSSL_VERSION_NUMBER >= 0x10000000L > const SSL_METHOD *ssl_method; > -#else > - SSL_METHOD *ssl_method; > -#endif > int return_code; > - /* When some other SSL/TLS version becomes obsolete, add it to this > + /* Limit connection to TLSv1 only. > + * When some other SSL/TLS version becomes obsolete, add it to this > * variable. */ > - long ssl_options = SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3; > + long ssl_options = SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3 | > SSL_OP_NO_COMPRESSION; > > /* Global system initialization*/ > g_once(&openssl_once, openssl_global_init, NULL); 
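Review bot: The new `openssl >= 1.0.0` floor is checked only at configure time; the context line `AS_VAR_APPEND([SPICE_REQUIRES], [" openssl"])` right below still records an unversioned dependency, unlike the celt051 entry above it, which appends `celt051 >= $CELT051_REQUIRED`. If SPICE_REQUIRES feeds the installed pkg-config file (not visible in this hunk), I would append `[" openssl >= 1.0.0"]` so the declared requirement matches what the code now assumes. Quoting the arguments as `PKG_CHECK_MODULES([SSL], [openssl >= 1.0.0])` would also follow the usual Autoconf style.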
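Review bot: The relocated comment `Limit connection to TLSv1 only.` overstates what `ssl_options` does. `SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3` only removes the two SSL protocol versions, so any TLS version offered by the method selected later in reds_init_ssl (its body continues outside this hunk) stays enabled. I would reword it to `/* Disable SSLv2, SSLv3 and TLS-level compression (compressed records leak plaintext length, cf. CRIME).` and keep the sentence about adding obsolete versions as it is. That wording also records why `SSL_OP_NO_COMPRESSION` is set unconditionally, so a later cleanup is less likely to drop it.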
> @@ -2841,10 +2838,6 @@ static int reds_init_ssl(RedsState *reds) > return -1; > } > > - /* Limit connection to TLSv1 only */ > -#ifdef SSL_OP_NO_COMPRESSION > - ssl_options |= SSL_OP_NO_COMPRESSION; > -#endif Not sure the comment was really related to the compression option but before the variable is fine too. > SSL_CTX_set_options(reds->ctx, ssl_options); > > /* Load our keys and certificates*/ > @@ -2877,10 +2870,6 @@ static int reds_init_ssl(RedsState *reds) > return -1; > } > > -#if (OPENSSL_VERSION_NUMBER < 0x00905100L) > - SSL_CTX_set_verify_depth(reds->ctx, 1); > -#endif > - > if (strlen(reds->config->ssl_parameters.dh_key_file) > 0) { > if (load_dh_params(reds->ctx, > reds->config->ssl_parameters.dh_key_file) < 0) { > return -1; > @@ -2894,11 +2883,6 @@ static int reds_init_ssl(RedsState *reds) > } > } > > -#ifndef SSL_OP_NO_COMPRESSION > - STACK *cmp_stack = SSL_COMP_get_compression_methods(); > - sk_zero(cmp_stack); > -#endif > - > return 0; > } > Acked-by: Frediano Ziglio <fziglio@xxxxxxxxxx> Frediano _______________________________________________ Spice-devel mailing list Spice-devel@xxxxxxxxxxxxxxxxxxxxx https://lists.freedesktop.org/mailman/listinfo/spice-devel