ref: 496817c742f8bc9a625c3fb77dd7332e75f89be6
parent: bd1b52eea09d6ae1077bdee09005822cefc16330
author: Jacob Moody <[email protected]>
date: Tue Dec 20 04:19:12 EST 2022
workaround for lack of RFC 5746 support This is required for openSSL 3.0 clients
--- a/cpu.c
+++ b/cpu.c
@@ -49,7 +49,8 @@
sysfatal("can't authenticate");
memset(pass, 0, strlen(pass));
- SSL_set_fd(ssl_conn, fd);
+ if(SSL_set_fd(ssl_conn, fd) == 0)
+ sysfatal("set fd failed");
if(SSL_connect(ssl_conn) < 0)
sysfatal("ssl could not connect");
@@ -130,9 +131,17 @@
SSL_load_error_strings();
ssl_ctx = SSL_CTX_new(TLSv1_2_client_method());
SSL_CTX_set_psk_client_callback(ssl_ctx, psk_client_cb);
+
+#if OPENSSL_VERSION_MAJOR==3
+ /* 9front support for RFC 5746 is not guranteed but we never do renegotiation anyway... */
+ SSL_CTX_set_options(ssl_ctx, SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION);
+#endif
+
if(ssl_ctx == nil)
sysfatal("could not init openssl");
ssl_conn = SSL_new(ssl_ctx);
+ if(ssl_conn == nil)
+ sysfatal("could not init openssl");
if(*argv && !Rflag){
pipe(pin);