summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorLinus Nordberg <linus@nordberg.se>2010-11-19 12:02:46 +0100
committerLinus Nordberg <linus@nordberg.se>2010-11-19 12:02:46 +0100
commitc8b11e6b62cddbcc24f5c830b51b3fed19031694 (patch)
treef7377969e986c577a3ca100b63890592a79af5a6
parent3f8c5eab9157cd1656bb5e70bd8f994a2618961d (diff)
Improve SSL version identification.
Use a runtime check rather than a compile time check, patch contributed by Faidon Liambotis. Include development and beta versions in the checks (the status nibble).
-rw-r--r--tlscommon.c19
1 files changed, 10 insertions, 9 deletions
diff --git a/tlscommon.c b/tlscommon.c
index d5a35bf..6739f03 100644
--- a/tlscommon.c
+++ b/tlscommon.c
@@ -203,6 +203,7 @@ static int tlsaddcacrl(SSL_CTX *ctx, struct tls *conf) {
static SSL_CTX *tlscreatectx(uint8_t type, struct tls *conf) {
SSL_CTX *ctx = NULL;
unsigned long error;
+ long sslversion = SSLeay();
switch (type) {
#ifdef RADPROT_TLS
@@ -227,15 +228,15 @@ static SSL_CTX *tlscreatectx(uint8_t type, struct tls *conf) {
debug(DBG_ERR, "tlscreatectx: Error initialising SSL/TLS in TLS context %s", conf->name);
return NULL;
}
-#if OPENSSL_VERSION_NUMBER < 0x0090810f \
- || (OPENSSL_VERSION_NUMBER >= 0x1000000f \
- && OPENSSL_VERSION_NUMBER < 0x1000002f)
- debug(DBG_WARN, "%s: OpenSSL seems to be of a version with a "
- "certain security critical bug (fixed in OpenSSL 0.9.8p and "
- "1.0.0b). Disabling OpenSSL session caching for context %p.",
- __func__, ctx);
- SSL_CTX_set_session_cache_mode(ctx, SSL_SESS_CACHE_OFF);
-#endif
+
+ if (sslversion < 0x00908100L ||
+ (sslversion >= 0x10000000L && sslversion < 0x10000020L)) {
+ debug(DBG_WARN, "%s: %s seems to be of a version with a "
+ "certain security critical bug (fixed in OpenSSL 0.9.8p and "
+ "1.0.0b). Disabling OpenSSL session caching for context %p.",
+ __func__, SSLeay_version(SSLEAY_VERSION), ctx);
+ SSL_CTX_set_session_cache_mode(ctx, SSL_SESS_CACHE_OFF);
+ }
if (conf->certkeypwd) {
SSL_CTX_set_default_passwd_cb_userdata(ctx, conf->certkeypwd);