From 2da05bc52aee75b6f4943b121c0183e4566d27c8 Mon Sep 17 00:00:00 2001
From: Emmanuel Hocdet <manu@gandi.net>
Date: Mon, 1 Oct 2018 18:41:36 +0200
Subject: [PATCH 1/2] MINOR: ssl: cleanup old openssl API call

For generate-certificates, X509V3_EXT_conf is used but it's an old API
call: X509V3_EXT_nconf must be preferred. OpenSSL compatibility is ok
because it's inside #ifdef SSL_CTRL_SET_TLSEXT_HOSTNAME, introduced 5
years after X509V3_EXT_nconf.
---
 src/ssl_sock.c | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/src/ssl_sock.c b/src/ssl_sock.c
index 57469e8d4..4ced5688f 100644
--- a/src/ssl_sock.c
+++ b/src/ssl_sock.c
@@ -1669,6 +1669,7 @@ ssl_sock_do_create_cert(const char *servername, struct bind_conf *bind_conf, SSL
 	X509         *newcrt  = NULL;
 	EVP_PKEY     *pkey    = NULL;
 	SSL          *tmp_ssl = NULL;
+	CONF         *ctmp    = NULL;
 	X509_NAME    *name;
 	const EVP_MD *digest;
 	X509V3_CTX    ctx;
@@ -1726,11 +1727,12 @@ ssl_sock_do_create_cert(const char *servername, struct bind_conf *bind_conf, SSL
 	X509_NAME_free(name);
 
 	/* Add x509v3 extensions as specified */
+	ctmp = NCONF_new(NULL);
 	X509V3_set_ctx(&ctx, cacert, newcrt, NULL, NULL, 0);
 	for (i = 0; i < X509V3_EXT_SIZE; i++) {
 		X509_EXTENSION *ext;
 
-		if (!(ext = X509V3_EXT_conf(NULL, &ctx, x509v3_ext_names[i], x509v3_ext_values[i])))
+		if (!(ext = X509V3_EXT_nconf(ctmp, &ctx, x509v3_ext_names[i], x509v3_ext_values[i])))
 			goto mkcert_error;
 		if (!X509_add_ext(newcrt, ext, -1)) {
 			X509_EXTENSION_free(ext);
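Review bot: The result of `NCONF_new(NULL)` is used without a check, so on allocation failure the extension loop calls `X509V3_EXT_nconf` with a NULL `ctmp`. Whether that is tolerated depends on the OpenSSL version and on the extension values, so failing explicitly is safer: `if (!(ctmp = NCONF_new(NULL))) goto mkcert_error;`. The existing `mkcert_error` cleanup already guards on `ctmp`, so the early exit needs nothing else. The loop body continues past the end of this hunk.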
@@ -1798,6 +1800,7 @@ ssl_sock_do_create_cert(const char *servername, struct bind_conf *bind_conf, SSL
 	return ssl_ctx;
 
  mkcert_error:
+	if (ctmp) NCONF_free(ctmp);
 	if (tmp_ssl) SSL_free(tmp_ssl);
 	if (ssl_ctx) SSL_CTX_free(ssl_ctx);
 	if (newcrt)  X509_free(newcrt);
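Review bot: `ctmp` is released only under `mkcert_error:`, which sits after `return ssl_ctx;`, so the success path appears to return without freeing the CONF allocated by `NCONF_new(NULL)`. The diffstat lists four insertions and this is the only `NCONF_free` among them. Because the function builds a certificate per `servername`, that would leak one CONF object for every certificate generated, which presumably grows with the number of distinct names clients request. Adding `NCONF_free(ctmp);` just before `return ssl_ctx;` closes it. The code leading up to the return is outside this hunk, so confirm there is no other release there.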
-- 
2.11.0

