From d771b44e538aac30b29189fc5c0f3e0f2b668d93 Mon Sep 17 00:00:00 2001
From: Steve Holme
Date: Mon, 9 Feb 2015 20:58:33 +0000
Subject: [PATCH] openssl: Disable OCSP in old versions of OpenSSL
Versions of OpenSSL prior to v0.9.8h do not support the necessary functions for OCSP stapling.
---
 lib/vtls/openssl.c | 12 ++++++++----
 1 file changed, 8 insertions(+), 4 deletions(-)
diff --git a/lib/vtls/openssl.c b/lib/vtls/openssl.c
index 68ca1fbcd..38cf79a27 100644
--- a/lib/vtls/openssl.c
+++ b/lib/vtls/openssl.c
@@ -1323,7 +1323,8 @@ static CURLcode verifyhost(struct connectdata *conn, X509 *server_cert)
 return result;
 }
-#if !defined(HAVE_BORINGSSL) && !defined(OPENSSL_NO_TLSEXT)
+#if (OPENSSL_VERSION_NUMBER >= 0x0090808fL) && !defined(OPENSSL_NO_TLSEXT) && \
+ !defined(HAVE_BORINGSSL)
 static CURLcode verifystatus(struct connectdata *conn, struct ssl_connect_data *connssl)
 {
@@ -2060,7 +2061,8 @@ static CURLcode ossl_connect_step1(struct connectdata *conn, int sockindex)
 return CURLE_OUT_OF_MEMORY;
 }
-#if !defined(HAVE_BORINGSSL) && !defined(OPENSSL_NO_TLSEXT)
+#if (OPENSSL_VERSION_NUMBER >= 0x0090808fL) && !defined(OPENSSL_NO_TLSEXT) && \
+ !defined(HAVE_BORINGSSL)
 if(data->set.ssl.verifystatus) SSL_set_tlsext_status_type(connssl->handle, TLSEXT_STATUSTYPE_ocsp);
 #endif
@@ -2748,7 +2750,8 @@ static CURLcode servercert(struct connectdata *conn,
 infof(data, "\t SSL certificate verify ok.\n");
 }
-#if !defined(HAVE_BORINGSSL) && !defined(OPENSSL_NO_TLSEXT)
+#if (OPENSSL_VERSION_NUMBER >= 0x0090808fL) && !defined(OPENSSL_NO_TLSEXT) && \
+ !defined(HAVE_BORINGSSL)
 if(data->set.ssl.verifystatus) {
 result = verifystatus(conn, connssl);
 if(result) {
@@ -3202,7 +3205,8 @@ void Curl_ossl_md5sum(unsigned char *tmp, /* input */
 bool Curl_ossl_cert_status_request(void)
 {
-#if !defined(HAVE_BORINGSSL) && !defined(OPENSSL_NO_TLSEXT)
+#if (OPENSSL_VERSION_NUMBER >= 0x0090808fL) && !defined(OPENSSL_NO_TLSEXT) && \
+ !defined(HAVE_BORINGSSL)
 return TRUE;
 #else
 return FALSE;
--
2.40.0
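Review bot: The same three-part condition is now written out four times (before verifystatus(), in ossl_connect_step1(), in servercert() and in Curl_ossl_cert_status_request()), and nothing ties the copies together. If one copy drifts, Curl_ossl_cert_status_request() could return TRUE while the verifystatus() call in servercert() is compiled out, so a transfer that asked for certificate status verification would proceed without the OCSP check. Evaluating the condition once near the top of the file and testing a single macro at each site would remove that risk; the macro name here is only a suggestion: `#define HAVE_OCSP_STAPLING 1` under the `#if`, then `#ifdef HAVE_OCSP_STAPLING` at the four sites. A short comment next to the constant, `/* OCSP stapling needs OpenSSL 0.9.8h or later */`, would also save readers from decoding 0x0090808fL. The bodies of all four enclosing functions extend outside the hunks.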