
ruby-changes:69392

From: Kazuki <ko1@a...>
Date: Mon, 25 Oct 2021 00:43:46 +0900 (JST)
Subject: [ruby-changes:69392] d5aa3fcae6 (master): [ruby/openssl] ssl: use SSL_CTX_load_verify_{file, dir}() if available

https://git.ruby-lang.org/ruby.git/commit/?id=d5aa3fcae6

From d5aa3fcae68483b0458fbe9f1b64bd0256f9673c Mon Sep 17 00:00:00 2001
From: Kazuki Yamaguchi <k@r...>
Date: Sat, 22 Feb 2020 05:47:58 +0900
Subject: [ruby/openssl] ssl: use SSL_CTX_load_verify_{file,dir}() if available

SSL_CTX_load_verify_locations() is deprecated in OpenSSL 3.0 and
replaced with those two separate functions. Use them if they exist.

https://github.com/ruby/openssl/commit/5375a55ffc
---
 ext/openssl/extconf.rb | 1 +
 ext/openssl/ossl_ssl.c | 7 +++++++
 2 files changed, 8 insertions(+)

diff --git a/ext/openssl/extconf.rb b/ext/openssl/extconf.rb
index e64fe32f21..e6066d6945 100644
--- a/ext/openssl/extconf.rb
+++ b/ext/openssl/extconf.rb
@@ -174,6 +174,7 @@ have_func("EVP_PKEY_check") https://github.com/ruby/ruby/blob/trunk/ext/openssl/extconf.rb#L174
 have_func("SSL_set0_tmp_dh_pkey")
 have_func("ERR_get_error_all")
 have_func("TS_VERIFY_CTX_set_certs(NULL, NULL)", "openssl/ts.h")
+have_func("SSL_CTX_load_verify_file")
 
 Logging::message "=== Checking done. ===\n"
 
diff --git a/ext/openssl/ossl_ssl.c b/ext/openssl/ossl_ssl.c
index 1de0f98922..5d6c400c2a 100644
--- a/ext/openssl/ossl_ssl.c
+++ b/ext/openssl/ossl_ssl.c
@@ -828,10 +828,17 @@ ossl_sslctx_setup(VALUE self) https://github.com/ruby/ruby/blob/trunk/ext/openssl/ossl_ssl.c#L828
     ca_file = NIL_P(val) ? NULL : StringValueCStr(val);
     val = rb_attr_get(self, id_i_ca_path);
     ca_path = NIL_P(val) ? NULL : StringValueCStr(val);
+#ifdef HAVE_SSL_CTX_LOAD_VERIFY_FILE
+    if (ca_file && !SSL_CTX_load_verify_file(ctx, ca_file))
+        ossl_raise(eSSLError, "SSL_CTX_load_verify_file");
+    if (ca_path && !SSL_CTX_load_verify_dir(ctx, ca_path))
+        ossl_raise(eSSLError, "SSL_CTX_load_verify_dir");
+#else
     if(ca_file || ca_path){
 	if (!SSL_CTX_load_verify_locations(ctx, ca_file, ca_path))
 	    rb_warning("can't set verify locations");
     }
+#endif
 
     val = rb_attr_get(self, id_i_verify_mode);
     verify_mode = NIL_P(val) ? SSL_VERIFY_NONE : NUM2INT(val);
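Review bot: The `#else` branch still only calls `rb_warning("can't set verify locations")` when loading fails, while the new `#ifdef HAVE_SSL_CTX_LOAD_VERIFY_FILE` branch raises `eSSLError`. Whether an unreadable `ca_file` or `ca_path` aborts setup therefore depends on which OpenSSL the extension was built against. On the legacy path the failure is easy to miss, because `rb_warning` prints only in verbose mode and the context is then used without the trust anchors the caller configured. Consider failing the same way on both paths, e.g. `ossl_raise(eSSLError, "SSL_CTX_load_verify_locations");` in the `#else` branch, and noting the warn-to-raise change in the commit message. `SSL_CTX_load_verify_dir` is also called under a macro that only probes for `SSL_CTX_load_verify_file`, so a comment such as `/* SSL_CTX_load_verify_{file,dir}() were added together in OpenSSL 3.0 */` would document that coupling; ossl_sslctx_setup begins and ends outside the hunk.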
-- 
cgit v1.2.1

