On 17/03/2014 14:29, Gert Doering wrote:
Hi,
On Sun, Mar 16, 2014 at 06:49:36PM -0600, James Yonan wrote:
However, even with the above code, stateless session resumption
is still possible unless explicitly disabled with the
SSL_OP_NO_TICKET flag. This patch does this.
This actually raises an interesting question. My OpenSolaris buildslave
fails compilation with
gcc -DHAVE_CONFIG_H -I. -I../.. -I../../include -I../../src/compat -g -O2 -MT ssl_openssl.o -MD -MP -MF .deps/ssl_openssl.Tpo -c -o ssl_openssl.o ssl_openssl.c
ssl_openssl.c: In function `tls_ctx_set_options':
ssl_openssl.c:183: error: `SSL_OP_NO_TICKET' undeclared (first use in this function)
... while "configure" doesn't flag an error about the OpenSSL version
installed (0.9.8a-fips). This is not ideal, if we know we're going to
fail at compile time due to missing functionality, we should tell the
user earlier.
Right now, if I read configure.ac correctly, we require 0.9.6 or later (and
check this only if pkg-config is available) - but obviously, SSL_OP_NO_TICKET
was added later on.
Fix 1: only use SSL_OP_NO_TICKET if available
Fix 2: require a more recent OpenSSL version
I would think an #ifdef should be fine.
James
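
The #ifdef guard from "Fix 1", as an added example that is not taken from the patch or from the OpenVPN source. The helper names `ticket_flag_available` and `tls_option_mask` are hypothetical; the returned mask is what would be handed to SSL_CTX_set_options().

```c
#include <stdio.h>

/* Pull in the real header when it is installed. Without it the macro is
 * simply absent, which is the same situation as headers that predate
 * SSL_OP_NO_TICKET (the 0.9.8a build failure quoted in the thread). */
#if defined(__has_include)
# if __has_include(<openssl/ssl.h>)
#  include <openssl/ssl.h>
# endif
#endif

/* Hypothetical helper: 1 if this build is able to disable session tickets. */
int ticket_flag_available(void)
{
#ifdef SSL_OP_NO_TICKET
    return 1;
#else
    return 0;
#endif
}

/* Hypothetical helper: add SSL_OP_NO_TICKET to an option mask only when the
 * headers declare it, so a build against older OpenSSL still compiles. */
unsigned long long tls_option_mask(unsigned long long base)
{
#ifdef SSL_OP_NO_TICKET
    base |= (unsigned long long)SSL_OP_NO_TICKET;
#endif
    return base;
}

int main(void)
{
    /* Report the compile-time decision so a build without the flag is
     * visible to the operator instead of being silently accepted. */
    printf("SSL_OP_NO_TICKET %s; option mask = 0x%llx\n",
           ticket_flag_available() ? "applied"
                                   : "not declared by these headers",
           tls_option_mask(0));
    return 0;
}
```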