aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
-rw-r--r--socket.c25
1 files changed, 24 insertions, 1 deletions
diff --git a/socket.c b/socket.c
index 4cdd2f89..276c5b43 100644
--- a/socket.c
+++ b/socket.c
@@ -378,6 +378,18 @@ va_dcl {
#include <openssl/x509v3.h>
#include <openssl/rand.h>
+#define fm_MIN_OPENSSL_VER 0x1000100fL
+
+#if OPENSSL_VERSION_NUMBER < fm_MIN_OPENSSL_VER
+#error Your OpenSSL version must be at least 1.0.1 release. Older OpenSSL versions are unsupported.
+#else
+/*
+#define __fm_ossl_ver(x) #x
+#define _fm_ossl_ver(x) __fm_ossl_ver(x)
+#pragma message "Building with OpenSSL headers version " _fm_ossl_ver(OPENSSL_VERSION_NUMBER) ", " OPENSSL_VERSION_TEXT
+*/
+#endif
+
static void report_SSL_errors(FILE *stream)
{
unsigned long err;
@@ -877,13 +889,24 @@ int SSLOpen(int sock, char *mycert, char *mykey, const char *myproto, int certck
struct stat randstat;
int i;
int avoid_ssl_versions = SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3;
- long sslopts = SSL_OP_ALL;
+ long sslopts = SSL_OP_ALL | SSL_OP_SINGLE_DH_USE;
int ssle_connect = 0;
+ long ver;
SSL_load_error_strings();
SSL_library_init();
OpenSSL_add_all_algorithms(); /* see Debian Bug#576430 and manpage */
+ if ((ver = SSLeay()) < OPENSSL_VERSION_NUMBER) {
+ report(stderr, GT_("Loaded OpenSSL library %#lx older than headers %#lx, refusing to work.\n"), (long)ver, (long)(OPENSSL_VERSION_NUMBER));
+ return -1;
+ }
+
+ if (ver > OPENSSL_VERSION_NUMBER && outlevel >= O_VERBOSE) {
+ report(stdout, GT_("Loaded OpenSSL library %#lx newer than headers %#lx, trying to continue.\n"), (long)ver, (long)(OPENSSL_VERSION_NUMBER));
+ return -1;
+ }
+
if (stat("/dev/random", &randstat) &&
stat("/dev/urandom", &randstat)) {
/* Neither /dev/random nor /dev/urandom are present, so add