diff options
| author | Matthias Andree <matthias.andree@gmx.de> | 2021-11-20 14:47:44 +0100 |
|---|---|---|
| committer | Matthias Andree <matthias.andree@gmx.de> | 2021-11-20 16:28:41 +0100 |
| commit | 781d5a820df9aec9b6dbfe86fa1e7ef1f5112b47 (patch) | |
| tree | cb32c820c8c004c6e9dd400618fd1f8b68ca09da /socket.c | |
| parent | 8fcffe46b231ddcc0305a36bf7f9aaf27c7e1a50 (diff) | |
| download | fetchmail-781d5a820df9aec9b6dbfe86fa1e7ef1f5112b47.tar.gz fetchmail-781d5a820df9aec9b6dbfe86fa1e7ef1f5112b47.tar.bz2 fetchmail-781d5a820df9aec9b6dbfe86fa1e7ef1f5112b47.zip | |
Fix X509_V_FLAG_TRUSTED_FIRST OpenSSL 1.0.2 workaround
The original comparison contained a typo,
0x1000200fL == (ver & 0xfffff000L) and could never match.
Fix, and also match at compile time to not even reference
this flag on other OpenSSL versions.
Diffstat (limited to 'socket.c')
| -rw-r--r-- | socket.c | 11 |
1 files changed, 6 insertions, 5 deletions
@@ -1225,16 +1225,17 @@ int SSLOpen(int sock, char *mycert, char *mykey, const char *myproto, int certck ERR_print_errors_fp(stderr); } +#if (OPENSSL_VERSION_NUMBER & 0xfffff000L) == 0x10002000 +#pragma message "enabling OpenSSL 1.0.2 X509_V_FLAG_TRUSTED_FIRST flag setter" /* OpenSSL 1.0.2 and 1.0.2 only: * work around Let's Encrypt Cross-Signing Certificate Expiry, * https://www.openssl.org/blog/blog/2021/09/13/LetsEncryptRootCertExpire/ * Workaround #2 */ - /* OpenSSL 1.x.x: 0xMNNFFPPSL: major minor fix patch status - * OpenSSL 3.0.0: 0xMNN00PPSL: synthesized */ + /* OpenSSL 1.x.y: 0xMNNFFPPSL: major minor fix patch status + * OpenSSL 3.0.z: 0xMNN00PPSL: synthesized */ /* 0xMNNFFPPsL 0xMNNFFPPsL */ - if (0x1000200fL == (ver & 0xfffff000L)) { - X509_VERIFY_PARAM_set_flags(param, X509_V_FLAG_TRUSTED_FIRST); - } + X509_VERIFY_PARAM_set_flags(param, X509_V_FLAG_TRUSTED_FIRST); +#endif /* param is a pointer to internal OpenSSL data, must not be freed, * and just goes out of scope */ |