summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
-rwxr-xr-xconfigure.ac25
-rw-r--r--lib/md4.c4
-rw-r--r--lib/vtls/openssl.c29
3 files changed, 58 insertions, 0 deletions
diff --git a/configure.ac b/configure.ac
index 973394bce..31fc8ffb7 100755
--- a/configure.ac
+++ b/configure.ac
@@ -1873,6 +1873,31 @@ if test -z "$ssl_backends" -o "x$OPT_SSL" != xno &&
],[
AC_MSG_RESULT([no])
])
+
+ AC_MSG_CHECKING([for OpenSSL >= v3])
+ AC_COMPILE_IFELSE([
+ AC_LANG_PROGRAM([[
+#include <openssl/opensslv.h>
+ ]],[[
+ #if defined(OPENSSL_VERSION_MAJOR) && (OPENSSL_VERSION_MAJOR >= 3)
+ return 0;
+ #else
+ #error older than 3
+ #endif
+ ]])
+ ],[
+ AC_MSG_RESULT([yes])
+ AC_DEFINE_UNQUOTED(HAVE_OPENSSL3, 1,
+ [Define to 1 if using OpenSSL 3 or later.])
+ dnl OpenSSLv3 marks the DES functions deprecated but we have no
+ dnl replacements (yet) so tell the compiler to not warn for them
+ dnl
+ dnl Ask OpenSSL to suppress the warnings.
+ CPPFLAGS="$CPPFLAGS -DOPENSSL_SUPPRESS_DEPRECATED"
+ ssl_msg="OpenSSL v3+"
+ ],[
+ AC_MSG_RESULT([no])
+ ])
fi
if test "$OPENSSL_ENABLED" = "1"; then
diff --git a/lib/md4.c b/lib/md4.c
index 4dab6af7a..10e6fc537 100644
--- a/lib/md4.c
+++ b/lib/md4.c
@@ -29,6 +29,10 @@
#ifdef USE_OPENSSL
#include <openssl/opensslconf.h>
+#if defined(OPENSSL_VERSION_MAJOR) && (OPENSSL_VERSION_MAJOR >= 3)
+/* OpenSSL 3.0.0 marks the MD4 functions as deprecated */
+#define OPENSSL_NO_MD4
+#endif
#endif /* USE_OPENSSL */
#ifdef USE_MBEDTLS
diff --git a/lib/vtls/openssl.c b/lib/vtls/openssl.c
index ece655133..14bfe3562 100644
--- a/lib/vtls/openssl.c
+++ b/lib/vtls/openssl.c
@@ -2719,6 +2719,33 @@ static CURLcode ossl_connect_step1(struct connectdata *conn, int sockindex)
}
#endif
+#if defined(OPENSSL_VERSION_MAJOR) && (OPENSSL_VERSION_MAJOR >= 3)
+ /* OpenSSL 3.0.0 has deprecated SSL_CTX_load_verify_locations */
+ if(ssl_cafile) {
+ if(!SSL_CTX_load_verify_file(backend->ctx, ssl_cafile)) {
+ if(verifypeer) {
+ /* Fail if we insist on successfully verifying the server. */
+ failf(data, "error setting certificate file: %s", ssl_cafile);
+ return CURLE_SSL_CACERT_BADFILE;
+ }
+ /* Continue with a warning if no certificate verification is required. */
+ infof(data, "error setting certificate file, continuing anyway\n");
+ }
+ infof(data, " CAfile: %s\n", ssl_cafile);
+ }
+ if(ssl_capath) {
+ if(!SSL_CTX_load_verify_dir(backend->ctx, ssl_capath)) {
+ if(verifypeer) {
+ /* Fail if we insist on successfully verifying the server. */
+ failf(data, "error setting certificate path: %s", ssl_capath);
+ return CURLE_SSL_CACERT_BADFILE;
+ }
+ /* Continue with a warning if no certificate verification is required. */
+ infof(data, "error setting certificate path, continuing anyway\n");
+ }
+ infof(data, " CApath: %s\n", ssl_capath);
+ }
+#else
if(ssl_cafile || ssl_capath) {
/* tell SSL where to find CA certificates that are used to verify
the servers certificate. */
@@ -2746,6 +2773,8 @@ static CURLcode ossl_connect_step1(struct connectdata *conn, int sockindex)
ssl_cafile ? ssl_cafile : "none",
ssl_capath ? ssl_capath : "none");
}
+#endif
+
#ifdef CURL_CA_FALLBACK
else if(verifypeer) {
/* verifying the peer without any CA certificates won't