Hello there,

Several weeks ago, I wrote about some issues with building `opensmtpd` on
RHEL5, and since I thought that I could meet these issues only on RHEL5
systems, I suggested not to do anything with them and let it go. But now, I
face the same issue on some old systems which I have to use, and I'm a bit
tired of patching them all the time ;-) Eventually, I think it would be better
to have compatibility for all cases "out of the box".

Using `autoconf`, the patch gets even smaller than it was before, and
solves issues for old platforms while keeping all the functions for modern
ones unchanged.

-------------- < cut here > --------------
--- a/smtpd/ssl.c    2013-07-15 21:14:05.000000000 +0600
+++ b/smtpd/ssl.c    2013-07-17 00:16:57.000000000 +0600
@@ -229,7 +229,11 @@
     SSL_CTX_set_session_cache_mode(ctx, SSL_SESS_CACHE_OFF);
     SSL_CTX_set_timeout(ctx, SSL_SESSION_TIMEOUT);
     SSL_CTX_set_options(ctx,
+#ifdef SSL_OP_NO_TICKET
         SSL_OP_ALL | SSL_OP_NO_SSLv2 | SSL_OP_NO_TICKET);
+#else
+        SSL_OP_ALL | SSL_OP_NO_SSLv2);
+#endif
     SSL_CTX_set_options(ctx,
         SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION);
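
Review bot: the `#ifdef`/`#else`/`#endif` is placed inside the argument list of `SSL_CTX_set_options(ctx, ...)`. In the OpenSSL 0.9.x and 1.0.x headers `SSL_CTX_set_options` is a macro, and C leaves preprocessing directives inside the arguments of a macro invocation undefined, so this builds only where the compiler tolerates it. Compute the value first, for example `long opts = SSL_OP_ALL | SSL_OP_NO_SSLv2;` followed by `opts |= SSL_OP_NO_TICKET;` under the `#ifdef`, and pass `opts` in one unconditional call. That also leaves room for a comment on the guard stating that the option is skipped only because the headers do not declare it.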

--- a/contrib/lib/libc/asr/asr_debug.c        2013-07-15 21:14:05.000000000
+0600
+++ b/contrib/lib/libc/asr/asr_debug.c        2013-07-17 00:26:40.000000000
+0600
@@ -286,8 +286,12 @@
     PRINTOPT(RES_STAYOPEN, "STAYOPEN");
     PRINTOPT(RES_DNSRCH, "DNSRCH");
     PRINTOPT(RES_NOALIASES, "NOALIASES");
+#ifdef RES_USE_EDNS0
     PRINTOPT(RES_USE_EDNS0, "USE_EDNS0");
+#endif
+#ifdef RES_USE_DNSSEC
     PRINTOPT(RES_USE_DNSSEC, "USE_DNSSEC");
+#endif
     if (o)
         fprintf(f, " 0x%08x", o);
     fprintf(f, "\n");
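
Review bot: the new guards around `PRINTOPT(RES_USE_EDNS0, "USE_EDNS0");` and `PRINTOPT(RES_USE_DNSSEC, "USE_DNSSEC");` cover only this debug dump. If the asr code references either flag anywhere else, the build still fails there on headers that lack them, so those sites need the same guard before this can be called complete. A one-line comment above each `#ifdef` naming why the flag may be absent would tell a later reader that the condition is a portability fallback and not a feature switch.
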
--- a/regress/bin/ssl.c        2013-07-15 21:14:05.000000000 +0600
+++ b/regress/bin/ssl.c        2013-07-17 00:24:16.000000000 +0600
@@ -126,7 +126,11 @@
     SSL_CTX_set_session_cache_mode(ctx, SSL_SESS_CACHE_OFF);
     SSL_CTX_set_timeout(ctx, 30);
     SSL_CTX_set_options(ctx,
+#ifdef SSL_OP_NO_TICKET
         SSL_OP_ALL | SSL_OP_NO_SSLv2 | SSL_OP_NO_TICKET);
+#else
+        SSL_OP_ALL | SSL_OP_NO_SSLv2);
+#endif
     SSL_CTX_set_options(ctx,
         SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION);
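
Review bot: this is the same `#ifdef SSL_OP_NO_TICKET` block as in smtpd/ssl.c, copied into the regress helper, so the two now have to be kept in sync by hand. A single fallback in a shared compat header, `#ifndef SSL_OP_NO_TICKET` / `#define SSL_OP_NO_TICKET 0` / `#endif`, would leave both `SSL_CTX_set_options` calls unchanged and keep the conditional in one documented place.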

-------------- < cut here > --------------

1) There are only presence checks for the SSL_OP_NO_TICKET, RES_USE_EDNS0
and RES_USE_DNSSEC options. If they are declared (in modern OSes, by default)
they are used, otherwise they are omitted.

2) SSL_OP_NO_TICKET was introduced in openssl-0.9.9, and thus isn't
supported on RHEL5 and such platforms. I've tested TLS and SSL local
connections on RHEL5, and they work fine. Although I haven't tested
outgoing TLS connections yet, I doubt they would fail.

3) RES_USE_EDNS0 and RES_USE_DNSSEC options are missing in old GLIBC. They
prescribe the use of DNSSEC for security reasons, but using or omitting them
won't break the program's core functionality.

---
wbr, Denis.
