[Spice-devel] [spice-server 2/2] ssl: Drop support for older OpenSSL versions

Frediano Ziglio fziglio at redhat.com
Fri Dec 8 14:03:17 UTC 2017


> 
> SSL_OP_NO_COMPRESSION was introduced in OpenSSL_0_9_8k, which is no
> longer supported. This commit raises the minimum OpenSSL version to
> 1.0.0, which is also out of support.
> 
> Signed-off-by: Christophe Fergeau <cfergeau at redhat.com>
> ---
>  configure.ac  |  2 +-
>  server/reds.c | 22 +++-------------------
>  2 files changed, 4 insertions(+), 20 deletions(-)
> 
> diff --git a/configure.ac b/configure.ac
> index 3401dba83..62d1a0209 100644
> --- a/configure.ac
> +++ b/configure.ac
> @@ -186,7 +186,7 @@ if test "x$enable_celt051" = "xyes"; then
>                        AS_VAR_APPEND([SPICE_REQUIRES], [" celt051 >=
>                        $CELT051_REQUIRED"]))
>  fi
>  
> -PKG_CHECK_MODULES(SSL, openssl)
> +PKG_CHECK_MODULES(SSL, openssl >= 1.0.0)
>  AC_SUBST(SSL_CFLAGS)
>  AC_SUBST(SSL_LIBS)
>  AS_VAR_APPEND([SPICE_REQUIRES], [" openssl"])
> diff --git a/server/reds.c b/server/reds.c
> index f5b9ffd28..325af5e8b 100644
> --- a/server/reds.c
> +++ b/server/reds.c
> @@ -2819,15 +2819,12 @@ static gpointer openssl_global_init(gpointer arg)
>  static int reds_init_ssl(RedsState *reds)
>  {
>      static GOnce openssl_once = G_ONCE_INIT;
> -#if OPENSSL_VERSION_NUMBER >= 0x10000000L
>      const SSL_METHOD *ssl_method;
> -#else
> -    SSL_METHOD *ssl_method;
> -#endif
>      int return_code;
> -    /* When some other SSL/TLS version becomes obsolete, add it to this
> +    /* Limit connection to TLSv1 only.
> +     * When some other SSL/TLS version becomes obsolete, add it to this
>       * variable. */
> -    long ssl_options = SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3;
> +    long ssl_options = SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3 |
> SSL_OP_NO_COMPRESSION;
>  
>      /* Global system initialization*/
>      g_once(&openssl_once, openssl_global_init, NULL);
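Review bot: The comment moved onto the `ssl_options` initializer now says "Limit connection to TLSv1 only", but the mask it sits above only refuses SSLv2 and SSLv3 (TLS 1.0, 1.1 and 1.2 all remain negotiable) and additionally disables TLS compression, which the comment does not mention at all. Suggest replacing the first line with `/* Refuse SSLv2/SSLv3 (TLSv1 and later only) and disable TLS compression.` and keeping the "add further obsolete versions here" sentence below it, so a reader sees why `SSL_OP_NO_COMPRESSION` is part of a protocol-version mask. The `+` line carrying `SSL_OP_NO_COMPRESSION` appears wrapped across two lines here, presumably by the mail client rather than the patch; worth confirming the line is intact before applying. reds_init_ssl continues past the end of this hunk.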
> @@ -2841,10 +2838,6 @@ static int reds_init_ssl(RedsState *reds)
>          return -1;
>      }
>  
> -    /* Limit connection to TLSv1 only */
> -#ifdef SSL_OP_NO_COMPRESSION
> -    ssl_options |= SSL_OP_NO_COMPRESSION;
> -#endif

I'm not sure the comment was really related to the compression option, but placing it before the variable is fine too.

>      SSL_CTX_set_options(reds->ctx, ssl_options);
>  
>      /* Load our keys and certificates*/
> @@ -2877,10 +2870,6 @@ static int reds_init_ssl(RedsState *reds)
>          return -1;
>      }
>  
> -#if (OPENSSL_VERSION_NUMBER < 0x00905100L)
> -    SSL_CTX_set_verify_depth(reds->ctx, 1);
> -#endif
> -
>      if (strlen(reds->config->ssl_parameters.dh_key_file) > 0) {
>          if (load_dh_params(reds->ctx,
>          reds->config->ssl_parameters.dh_key_file) < 0) {
>              return -1;
> @@ -2894,11 +2883,6 @@ static int reds_init_ssl(RedsState *reds)
>          }
>      }
>  
> -#ifndef SSL_OP_NO_COMPRESSION
> -    STACK *cmp_stack = SSL_COMP_get_compression_methods();
> -    sk_zero(cmp_stack);
> -#endif
> -
>      return 0;
>  }
>  

Acked-by: Frediano Ziglio <fziglio at redhat.com>

Frediano

