On Sunday, 10 January 2016, 15:15:49 CET, Arne Schwabe wrote: > On 10.01.2016 14:44, Niels Ole Salscheider wrote: > > Signed-off-by: Niels Ole Salscheider <niels_...@salscheider-online.de> > > --- > > > > src/openvpn/ssl_openssl.c | 4 ++-- > > 1 file changed, 2 insertions(+), 2 deletions(-) > > > > diff --git a/src/openvpn/ssl_openssl.c b/src/openvpn/ssl_openssl.c > > index d2f40e7..e390f4d 100644 > > --- a/src/openvpn/ssl_openssl.c > > +++ b/src/openvpn/ssl_openssl.c > > @@ -358,7 +358,7 @@ tls_ctx_check_cert_time (const struct tls_root_ctx > > *ctx)> > > ASSERT (ctx); > > > > -#if OPENSSL_VERSION_NUMBER >= 0x10002000L > > +#if OPENSSL_VERSION_NUMBER >= 0x10002000L && > > !defined(LIBRESSL_VERSION_NUMBER)> > > /* OpenSSL 1.0.2 and up */ > > cert = SSL_CTX_get0_certificate (ctx->ctx); > > > > #else > > > > @@ -393,7 +393,7 @@ tls_ctx_check_cert_time (const struct tls_root_ctx > > *ctx)> > > } > > > > cleanup: > > -#if OPENSSL_VERSION_NUMBER < 0x10002000L > > +#if OPENSSL_VERSION_NUMBER < 0x10002000L || > > defined(LIBRESSL_VERSION_NUMBER)> > > SSL_free (ssl); > > > > #endif > > > > return; > > LibreSSL is like: We are OpenSSL 1.0.2 but have a different API?! That > sounds like a LibreSSL bug.
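Review bot: in the first hunk of tls_ctx_check_cert_time, the comment "/* OpenSSL 1.0.2 and up */" under the changed #if no longer describes the condition, because the branch now also excludes any build where LIBRESSL_VERSION_NUMBER is defined. Please extend the comment to say that LibreSSL takes the #else path even though it satisfies the version comparison. The message as posted carries only the Signed-off-by line, so a sentence explaining why the version check alone is not enough would help later readers.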
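Review bot: in the second hunk, the guard on "SSL_free (ssl);" under cleanup: has to remain the exact negation of the condition on the SSL_CTX_get0_certificate branch, and the patch spells both out by hand (">= 0x10002000L && !defined(LIBRESSL_VERSION_NUMBER)" versus "< 0x10002000L || defined(LIBRESSL_VERSION_NUMBER)"). Consider defining a single feature macro once near the top of ssl_openssl.c and testing it in both places, so the free cannot drift out of step with the #else branch the next time the condition changes.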
LibreSSL just returns its version number in OPENSSL_VERSION_NUMBER (which is currently higher than OpenSSL's one). Since they removed some old stuff they cannot offer a superset of OpenSSL's API anyway and thus it is not clear how to choose the "right" value (according to your reasoning) for OPENSSL_VERSION_NUMBER. I guess we have no choice but to handle this ourselves (or to leave it broken for LibreSSL).

Ole

> Arne