[ovs-dev] [PATCH v2] stream-ssl: Define SSL_OP_NO_SSL_MASK for OpenSSL versions that lack it.

Timothy Redaelli tredaelli at redhat.com
Tue Aug 7 09:04:05 UTC 2018


On Mon,  6 Aug 2018 15:39:44 -0700
Ben Pfaff <blp at ovn.org> wrote:

> 10 of the travis builds are failing such as
> TESTSUITE=1 KERNEL=3.16.54 for gcc and clang.
> 
> Fixes: ab16d2c2871b ("stream-ssl: Don't enable new TLS versions by
> default")
> CC: Timothy Redaelli <tredaelli at redhat.com>
> Signed-off-by: Darrell Ball <dlu998 at gmail.com>
> Signed-off-by: Ben Pfaff <blp at ovn.org>
> ---
> v1->v2: Add SSL_OP_NO_SSLv2 (thanks Han!).
> 
>  lib/stream-ssl.c | 6 ++++++
>  1 file changed, 6 insertions(+)
> 
> diff --git a/lib/stream-ssl.c b/lib/stream-ssl.c
> index f3d623c035f8..fed71801b823 100644
> --- a/lib/stream-ssl.c
> +++ b/lib/stream-ssl.c
> @@ -1188,6 +1188,12 @@ stream_ssl_set_protocols(const char *arg)
>      }
>  
>      /* Start with all the flags off and turn them on as requested. */
> +#ifndef SSL_OP_NO_SSL_MASK
> +    /* For old OpenSSL without this macro, this is the correct
> value.  */ +#define SSL_OP_NO_SSL_MASK (SSL_OP_NO_SSLv2 |
> SSL_OP_NO_SSLv3 | \
> +                            SSL_OP_NO_TLSv1 | SSL_OP_NO_TLSv1_1 | \
> +                            SSL_OP_NO_TLSv1_2)
> +#endif
>      long protocol_flags = SSL_OP_NO_SSL_MASK;
>  
>      char *s = xstrdup(arg);
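Review bot: the `#ifndef SSL_OP_NO_SSL_MASK` fallback is inserted between the comment `/* Start with all the flags off and turn them on as requested. */` and the declaration `long protocol_flags = SSL_OP_NO_SSL_MASK;` that the comment describes, so the comment no longer sits next to its statement; move the compatibility definition above that comment, or to the top of the file alongside the other OpenSSL version shims, so the function body reads cleanly. The mask value itself matches the five `SSL_OP_NO_*` bits, which is what older releases lacking the macro need.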

I'm sorry for this, I tested my patch with OpenSSL 1.0.2k (RHEL7) and
OpenSSL 1.1.0h (Fedora 28).

I checked right now and some distributions (for example Ubuntu 14.04)
use 1.0.1, which doesn't have SSL_OP_NO_SSL_MASK (introduced in 1.0.2,
6 years ago [1]).

Reviewed-by: Timothy Redaelli <tredaelli at redhat.com>

[1]
https://github.com/openssl/openssl/commit/49ef33fa3463d6b6001009024c9aed09f814cb7c#diff-4b59eddb1c722b1dc3d17b5f64149e12R620

