diff options
| -rwxr-xr-x | configure.ac | 25 | ||||
| -rw-r--r-- | lib/md4.c | 4 | ||||
| -rw-r--r-- | lib/vtls/openssl.c | 29 |
3 files changed, 58 insertions, 0 deletions
diff --git a/configure.ac b/configure.ac index 973394bce..31fc8ffb7 100755 --- a/configure.ac +++ b/configure.ac @@ -1873,6 +1873,31 @@ if test -z "$ssl_backends" -o "x$OPT_SSL" != xno && ],[ AC_MSG_RESULT([no]) ]) + + AC_MSG_CHECKING([for OpenSSL >= v3]) + AC_COMPILE_IFELSE([ + AC_LANG_PROGRAM([[ +#include <openssl/opensslv.h> + ]],[[ + #if defined(OPENSSL_VERSION_MAJOR) && (OPENSSL_VERSION_MAJOR >= 3) + return 0; + #else + #error older than 3 + #endif + ]]) + ],[ + AC_MSG_RESULT([yes]) + AC_DEFINE_UNQUOTED(HAVE_OPENSSL3, 1, + [Define to 1 if using OpenSSL 3 or later.]) + dnl OpenSSLv3 marks the DES functions deprecated but we have no + dnl replacements (yet) so tell the compiler to not warn for them + dnl + dnl Ask OpenSSL to suppress the warnings. + CPPFLAGS="$CPPFLAGS -DOPENSSL_SUPPRESS_DEPRECATED" + ssl_msg="OpenSSL v3+" + ],[ + AC_MSG_RESULT([no]) + ]) fi if test "$OPENSSL_ENABLED" = "1"; then @@ -29,6 +29,10 @@ #ifdef USE_OPENSSL #include <openssl/opensslconf.h> +#if defined(OPENSSL_VERSION_MAJOR) && (OPENSSL_VERSION_MAJOR >= 3) +/* OpenSSL 3.0.0 marks the MD4 functions as deprecated */ +#define OPENSSL_NO_MD4 +#endif #endif /* USE_OPENSSL */ #ifdef USE_MBEDTLS diff --git a/lib/vtls/openssl.c b/lib/vtls/openssl.c index ece655133..14bfe3562 100644 --- a/lib/vtls/openssl.c +++ b/lib/vtls/openssl.c @@ -2719,6 +2719,33 @@ static CURLcode ossl_connect_step1(struct connectdata *conn, int sockindex) } #endif +#if defined(OPENSSL_VERSION_MAJOR) && (OPENSSL_VERSION_MAJOR >= 3) + /* OpenSSL 3.0.0 has deprecated SSL_CTX_load_verify_locations */ + if(ssl_cafile) { + if(!SSL_CTX_load_verify_file(backend->ctx, ssl_cafile)) { + if(verifypeer) { + /* Fail if we insist on successfully verifying the server. */ + failf(data, "error setting certificate file: %s", ssl_cafile); + return CURLE_SSL_CACERT_BADFILE; + } + /* Continue with a warning if no certificate verification is required. */ + infof(data, "error setting certificate file, continuing anyway\n"); + } + infof(data, " CAfile: %s\n", ssl_cafile); + } + if(ssl_capath) { + if(!SSL_CTX_load_verify_dir(backend->ctx, ssl_capath)) { + if(verifypeer) { + /* Fail if we insist on successfully verifying the server. */ + failf(data, "error setting certificate path: %s", ssl_capath); + return CURLE_SSL_CACERT_BADFILE; + } + /* Continue with a warning if no certificate verification is required. */ + infof(data, "error setting certificate path, continuing anyway\n"); + } + infof(data, " CApath: %s\n", ssl_capath); + } +#else if(ssl_cafile || ssl_capath) { /* tell SSL where to find CA certificates that are used to verify the servers certificate. */ @@ -2746,6 +2773,8 @@ static CURLcode ossl_connect_step1(struct connectdata *conn, int sockindex) ssl_cafile ? ssl_cafile : "none", ssl_capath ? ssl_capath : "none"); } +#endif + #ifdef CURL_CA_FALLBACK else if(verifypeer) { /* verifying the peer without any CA certificates won't |