[sr-dev] git:master: tls: ifdef to use TLSv1.1 only for openssl/libssl v1.0.0+

Hugh Waite hugh.waite at crocodile-rcs.com
Fri Nov 8 21:22:10 CET 2013


Hi,

According to http://www.openssl.org/news/changelog.html, initial TLSv1.1 
support was introduced in the first release of openssl v1.0.1; initial 
v1.2 support was added at the same time.

I'm using CentOS 6.4 with openssl-devel 1.0.0-27 (which has version 
0x10000003L) and the tls module does not compile (without warnings) and 
fails to run due to undefined v1.1 methods.

Was there a reason for selecting the 05 release of v1.0.1 (i.e. v1.0.1e) 
for TLSv1.2 support? As far as I can see the TLSv1_2_method() is 
available from the first release? Maybe a required bugfix?

Hugh


On 03/11/2013 12:26, Daniel-Constantin Mierla wrote:
> Module: sip-router
> Branch: master
> Commit: 16649609796ec336278b073d86045f72a9dd7886
> URL:    http://git.sip-router.org/cgi-bin/gitweb.cgi/sip-router/?a=commit;h=16649609796ec336278b073d86045f72a9dd7886
>
> Author: Daniel-Constantin Mierla <miconda at gmail.com>
> Committer: Daniel-Constantin Mierla <miconda at gmail.com>
> Date:   Sun Nov  3 13:23:32 2013 +0100
>
> tls: ifdef to use TLSv1.1 only for openssl/libssl v1.0.0+
>
> ---
>
>   modules/tls/tls_config.c |    9 ++++++++-
>   modules/tls/tls_init.c   |    4 ++++
>   2 files changed, 12 insertions(+), 1 deletions(-)
>
> diff --git a/modules/tls/tls_config.c b/modules/tls/tls_config.c
> index 8742021..4a78e9e 100644
> --- a/modules/tls/tls_config.c
> +++ b/modules/tls/tls_config.c
> @@ -460,10 +460,17 @@ int tls_parse_method(str* method)
>       opt = cfg_lookup_token(methods, method);
>       if (!opt) return -1;
>   
> +#if OPENSSL_VERSION_NUMBER < 0x01000000L
> +	if(opt->val == TLS_USE_TLSv1_1) {
> +		LM_ERR("tls v1.1 not supported by this libssl version: %ld\n",
> +				(long)OPENSSL_VERSION_NUMBER);
> +		return -1;
> +	}
> +#endif
>   #if OPENSSL_VERSION_NUMBER < 0x1000105fL
>   	if(opt->val == TLS_USE_TLSv1_2) {
>   		LM_ERR("tls v1.2 not supported by this libssl version: %ld\n",
> -				OPENSSL_VERSION_NUMBER);
> +				(long)OPENSSL_VERSION_NUMBER);
>   		return -1;
>   	}
>   #endif
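
Review bot: the new `#if OPENSSL_VERSION_NUMBER < 0x01000000L` check only rejects TLSv1.1 for libssl older than 1.0.0, so a 1.0.0 build (the reply above reports 0x10000003L) still accepts the method at parse time even though that build is reported to lack the v1.1 methods. The reply cites the OpenSSL changelog as placing initial TLSv1.1 support in the first 1.0.1 release; the bound should follow that and stay identical to the guard used in tls_init.c, ideally through one shared macro instead of two separate hex literals. The `(long)` cast added to the existing v1.2 message matches its `%ld` format and is fine.
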
> diff --git a/modules/tls/tls_init.c b/modules/tls/tls_init.c
> index 4b55c40..5118f15 100644
> --- a/modules/tls/tls_init.c
> +++ b/modules/tls/tls_init.c
> @@ -341,6 +341,8 @@ int tls_h_init_si(struct socket_info *si)
>    */
>   static void init_ssl_methods(void)
>   {
> +	memset(ssl_methods, 0, sizeof(ssl_methods));
> +
>   #ifndef OPENSSL_NO_SSL2
>   	ssl_methods[TLS_USE_SSLv2_cli - 1] = SSLv2_client_method();
>   	ssl_methods[TLS_USE_SSLv2_srv - 1] = SSLv2_server_method();
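
Review bot: the `memset(ssl_methods, 0, sizeof(ssl_methods))` at the top of init_ssl_methods() turns every method excluded by an `#if`/`#ifndef` into a NULL slot, but nothing in this patch shows the code that reads ssl_methods[] checking for NULL before use. Please confirm that the consumer rejects a NULL entry with an error, and add a short comment here stating that a zero entry means the method is not supported by this libssl. The version checks visible in tls_parse_method() cover TLSv1.1 and TLSv1.2 only, so other compiled-out methods rely on that NULL check.
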
> @@ -359,9 +361,11 @@ static void init_ssl_methods(void)
>   	ssl_methods[TLS_USE_SSLv23_srv - 1] = SSLv23_server_method();
>   	ssl_methods[TLS_USE_SSLv23 - 1] = SSLv23_method();
>   
> +#if OPENSSL_VERSION_NUMBER >= 0x01000000L
>   	ssl_methods[TLS_USE_TLSv1_1_cli - 1] = TLSv1_1_client_method();
>   	ssl_methods[TLS_USE_TLSv1_1_srv - 1] = TLSv1_1_server_method();
>   	ssl_methods[TLS_USE_TLSv1_1 - 1] = TLSv1_1_method();
> +#endif
>   
>   #if OPENSSL_VERSION_NUMBER >= 0x1000105fL
>   	ssl_methods[TLS_USE_TLSv1_2_cli - 1] = TLSv1_2_client_method();
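
Review bot: the `#if OPENSSL_VERSION_NUMBER >= 0x01000000L` guard still compiles the three TLSv1_1_*_method() calls against 1.0.0 headers, which is the configuration the reply above reports as failing with undefined v1.1 methods. Raise the bound to the first 1.0.1 release, per the changelog cited in the reply, and keep it in step with the check in tls_parse_method(). The TLSv1.2 guard below uses 0x1000105fL; a comment explaining why that release was chosen would answer the question raised in the reply.
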
>
>
> _______________________________________________
> sr-dev mailing list
> sr-dev at lists.sip-router.org
> http://lists.sip-router.org/cgi-bin/mailman/listinfo/sr-dev


-- 
Hugh Waite
Principal Design Engineer
Crocodile RCS Ltd.



