On Wed, Jul 17, 2013 at 02:29:02AM +0600, Denis Fateyev wrote:
> Hello there,
>

Hello,

> Several weeks ago, I wrote about some issues with building `opensmtpd` on
> RHEL5, and since I thought that I could meet these issues only on RHEL5
> systems, I suggested not to do anything with them and let it go. But now, I
> face the same issue on some old systems which I have to use, and I'm a bit
> tired of patching them all the time ;-) Eventually, I think it would be better
> to have compatibility for all cases "out of the box".
>

agreed

> Using `autoconf`, the patch gets even smaller than it was before, and
> solves issues for old platforms while keeping all the functions for modern ones
> unchanged.
>

comments inline

> -------------- < cut here > --------------
> --- a/smtpd/ssl.c 2013-07-15 21:14:05.000000000 +0600
> +++ b/smtpd/ssl.c 2013-07-17 00:16:57.000000000 +0600
> @@ -229,7 +229,11 @@
> SSL_CTX_set_session_cache_mode(ctx, SSL_SESS_CACHE_OFF);
> SSL_CTX_set_timeout(ctx, SSL_SESSION_TIMEOUT);
> SSL_CTX_set_options(ctx,
> +#ifdef SSL_OP_NO_TICKET
> SSL_OP_ALL | SSL_OP_NO_SSLv2 | SSL_OP_NO_TICKET);
> +#else
> + SSL_OP_ALL | SSL_OP_NO_SSLv2);
> +#endif
> SSL_CTX_set_options(ctx,
> SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION);
>

I would rather see that fixed in config.h with SSL_OP_NO_TICKET defined to
an empty value to avoid ifdef's in the code base.

> --- a/contrib/lib/libc/asr/asr_debug.c 2013-07-15 21:14:05.000000000 +0600
> +++ b/contrib/lib/libc/asr/asr_debug.c 2013-07-17 00:26:40.000000000 +0600
> @@ -286,8 +286,12 @@
> PRINTOPT(RES_STAYOPEN, "STAYOPEN");
> PRINTOPT(RES_DNSRCH, "DNSRCH");
> PRINTOPT(RES_NOALIASES, "NOALIASES");
> +#ifdef RES_USE_EDNS0
> PRINTOPT(RES_USE_EDNS0, "USE_EDNS0");
> +#endif
> +#ifdef RES_USE_DNSSEC
> PRINTOPT(RES_USE_DNSSEC, "USE_DNSSEC");
> +#endif
> if (o)
> fprintf(f, " 0x%08x", o);
> fprintf(f, "\n");

eric ?

> --- a/regress/bin/ssl.c 2013-07-15 21:14:05.000000000 +0600
> +++ b/regress/bin/ssl.c 2013-07-17 00:24:16.000000000 +0600
> @@ -126,7 +126,11 @@
> SSL_CTX_set_session_cache_mode(ctx, SSL_SESS_CACHE_OFF);
> SSL_CTX_set_timeout(ctx, 30);
> SSL_CTX_set_options(ctx,
> +#ifdef SSL_OP_NO_TICKET
> SSL_OP_ALL | SSL_OP_NO_SSLv2 | SSL_OP_NO_TICKET);
> +#else
> + SSL_OP_ALL | SSL_OP_NO_SSLv2);
> +#endif
> SSL_CTX_set_options(ctx,
> SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION);
>

same as above

> -------------- < cut here > --------------
>
> 1) There are only SSL_OP_NO_TICKET, RES_USE_EDNS0 and RES_USE_DNSSEC
> option presence checks. If they are declared (in modern OSes, by default)
> they are used, otherwise they are omitted.
>
> 2) SSL_OP_NO_TICKET was introduced in openssl-0.9.9, and thus isn't
> supported on RHEL5 and such platforms. I've tested TLS and SSL local
> connections on RHEL5, and they work fine. I haven't tested
> outgoing TLS connections yet, but I doubt they would fail.
>

I'm ok with that, what I'm not happy with is adding ifdef's to the code
when not absolutely necessary :-)

> 3) RES_USE_EDNS0 and RES_USE_DNSSEC options are missing in old GLIBC. They
> prescribe the use of DNSSEC for security reasons, but using or dismissing them
> won't break the program's core functionality.
>

eric ?

--
Gilles Chehade

https://www.poolp.org @poolpOrg
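Review bot: in the smtpd/ssl.c hunk the `#ifdef SSL_OP_NO_TICKET` splits a single `SSL_CTX_set_options()` argument across two preprocessor branches, which is exactly the in-code ifdef the reply objects to; the config.h fallback proposed in the reply should define `SSL_OP_NO_TICKET` to `0`, not to an empty value, because an empty expansion turns `SSL_OP_ALL | SSL_OP_NO_SSLv2 | SSL_OP_NO_TICKET` into `SSL_OP_ALL | SSL_OP_NO_SSLv2 | )`, which does not compile, whereas `| 0` is a harmless no-op on a build whose OpenSSL has no session-ticket support to disable in the first place.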
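Review bot: the `#ifdef RES_USE_EDNS0` and `#ifdef RES_USE_DNSSEC` guards in the asr_debug.c hunk only cover the option printer, so they fix this one file's build but leave any other reference to those two flags in the asr tree untouched; if the intent is to build on a libc that lacks them, a single compatibility definition in config.h (the approach already preferred for the ssl.c hunk) covers every use at once instead of guarding each call site. The commit message should also say that this hunk changes debug output only and not resolver behaviour, since point 3 of the cover text reads as if the flags were being disabled.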
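Review bot: the regress/bin/ssl.c hunk repeats the smtpd/ssl.c change verbatim, so the same `SSL_OP_ALL | SSL_OP_NO_SSLv2 | SSL_OP_NO_TICKET` expression is now maintained behind identical ifdefs in two places and any later change to the option set must be applied to both; a single `#define SSL_OP_NO_TICKET 0` fallback in config.h would let both call sites read the same as on a current OpenSSL. The `#else` branch also drops the flag silently; a one-line comment stating that the platform's OpenSSL predates session tickets, so there is nothing to disable, would save the next reader a lookup.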
