[Spice-commits] 2 commits - configure.ac server/reds.c server/red-worker.c

Christophe Fergau teuf at kemper.freedesktop.org
Fri Dec 8 14:23:05 UTC 2017


 configure.ac        |    2 +-
 server/red-worker.c |    1 -
 server/reds.c       |   22 +++-------------------
 3 files changed, 4 insertions(+), 21 deletions(-)

New commits:
commit 7ff434b104ab3418d85c081c9515be5230c74c50
Author: Christophe Fergeau <cfergeau at redhat.com>
Date:   Thu Dec 7 17:47:27 2017 +0100

    ssl: Drop support for older OpenSSL versions
    
    SSL_OP_NO_COMPRESSION was introduced in OpenSSL_0_9_8k, which is no
    longer supported. This commit raises the minimum OpenSSL version to
    1.0.0, which is also out of support.
    
    Signed-off-by: Christophe Fergeau <cfergeau at redhat.com>
    Acked-by: Frediano Ziglio <fziglio at redhat.com>

diff --git a/configure.ac b/configure.ac
index 3401dba8..62d1a020 100644
--- a/configure.ac
+++ b/configure.ac
@@ -186,7 +186,7 @@ if test "x$enable_celt051" = "xyes"; then
                       AS_VAR_APPEND([SPICE_REQUIRES], [" celt051 >= $CELT051_REQUIRED"]))
 fi
 
-PKG_CHECK_MODULES(SSL, openssl)
+PKG_CHECK_MODULES(SSL, openssl >= 1.0.0)
 AC_SUBST(SSL_CFLAGS)
 AC_SUBST(SSL_LIBS)
 AS_VAR_APPEND([SPICE_REQUIRES], [" openssl"])
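Review bot: The `AS_VAR_APPEND([SPICE_REQUIRES], [" openssl"])` context line directly below the changed check still records an unversioned dependency. The new floor is therefore enforced when configuring the server, but it is presumably not carried into whatever is generated from SPICE_REQUIRES. The celt051 line at the top of the hunk appends `celt051 >= $CELT051_REQUIRED`, so the same pattern would fit here: `AS_VAR_APPEND([SPICE_REQUIRES], [" openssl >= 1.0.0"])`. Keeping the version in one variable shared with the `PKG_CHECK_MODULES` call would stop the two from drifting apart.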
diff --git a/server/reds.c b/server/reds.c
index f5b9ffd2..325af5e8 100644
--- a/server/reds.c
+++ b/server/reds.c
@@ -2819,15 +2819,12 @@ static gpointer openssl_global_init(gpointer arg)
 static int reds_init_ssl(RedsState *reds)
 {
     static GOnce openssl_once = G_ONCE_INIT;
-#if OPENSSL_VERSION_NUMBER >= 0x10000000L
     const SSL_METHOD *ssl_method;
-#else
-    SSL_METHOD *ssl_method;
-#endif
     int return_code;
-    /* When some other SSL/TLS version becomes obsolete, add it to this
+    /* Limit connection to TLSv1 only.
+     * When some other SSL/TLS version becomes obsolete, add it to this
      * variable. */
-    long ssl_options = SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3;
+    long ssl_options = SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3 | SSL_OP_NO_COMPRESSION;
 
     /* Global system initialization*/
     g_once(&openssl_once, openssl_global_init, NULL);
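Review bot: The relocated comment `Limit connection to TLSv1 only.` does not match the value it now sits on. `ssl_options` disables SSLv2 and SSLv3 and turns off TLS compression, so as far as these flags go, TLSv1 and every later version the library offers remain enabled. I would reword it to `/* Disable SSLv2/SSLv3 and TLS compression. When some other SSL/TLS version becomes obsolete, add its SSL_OP_NO_* flag to this variable. */` so that nobody reads it as a protocol pin or drops the compression flag as unrelated. The `ssl_method` selection that decides the protocol range is outside this hunk, and reds_init_ssl continues past it.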
@@ -2841,10 +2838,6 @@ static int reds_init_ssl(RedsState *reds)
         return -1;
     }
 
-    /* Limit connection to TLSv1 only */
-#ifdef SSL_OP_NO_COMPRESSION
-    ssl_options |= SSL_OP_NO_COMPRESSION;
-#endif
     SSL_CTX_set_options(reds->ctx, ssl_options);
 
     /* Load our keys and certificates*/
@@ -2877,10 +2870,6 @@ static int reds_init_ssl(RedsState *reds)
         return -1;
     }
 
-#if (OPENSSL_VERSION_NUMBER < 0x00905100L)
-    SSL_CTX_set_verify_depth(reds->ctx, 1);
-#endif
-
     if (strlen(reds->config->ssl_parameters.dh_key_file) > 0) {
         if (load_dh_params(reds->ctx, reds->config->ssl_parameters.dh_key_file) < 0) {
             return -1;
@@ -2894,11 +2883,6 @@ static int reds_init_ssl(RedsState *reds)
         }
     }
 
-#ifndef SSL_OP_NO_COMPRESSION
-    STACK *cmp_stack = SSL_COMP_get_compression_methods();
-    sk_zero(cmp_stack);
-#endif
-
     return 0;
 }
 
commit dd8e205aaf6673b027f60d60188cc575d98e52b1
Author: Christophe Fergeau <cfergeau at redhat.com>
Date:   Thu Dec 7 17:18:34 2017 +0100

    worker: Remove unneeded include
    
    Nothing seems to be using openssl in red-worker.c
    
    Signed-off-by: Christophe Fergeau <cfergeau at redhat.com>
    Acked-by: Frediano Ziglio <fziglio at redhat.com>

diff --git a/server/red-worker.c b/server/red-worker.c
index 08bfdae2..21622b1e 100644
--- a/server/red-worker.c
+++ b/server/red-worker.c
@@ -28,7 +28,6 @@
 #include <unistd.h>
 #include <poll.h>
 #include <pthread.h>
-#include <openssl/ssl.h>
 #include <inttypes.h>
 #include <glib.h>
 

