

ref: 496817c742f8bc9a625c3fb77dd7332e75f89be6
parent: bd1b52eea09d6ae1077bdee09005822cefc16330
author: Jacob Moody <moody@posixcafe.org>
date: Tue Dec 20 04:19:12 EST 2022

workaround for lack of RFC 5746 support

This is required for OpenSSL 3.0 clients

--- a/cpu.c
+++ b/cpu.c
@@ -49,7 +49,8 @@
 		sysfatal("can't authenticate");
 	memset(pass, 0, strlen(pass));
 
-	SSL_set_fd(ssl_conn, fd);
+	if(SSL_set_fd(ssl_conn, fd) == 0)
+		sysfatal("set fd failed");
 	if(SSL_connect(ssl_conn) < 0)
 		sysfatal("ssl could not connect");
 
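Review bot: The SSL_connect() check on the line after the new SSL_set_fd() guard still treats a return of 0 as success, but SSL_connect() returns 1 on success and 0 when the handshake was shut down cleanly without completing, so a connection that never finished the handshake would fall through to the write path; `if(SSL_connect(ssl_conn) != 1)` matches the API's contract. Both sysfatal() messages would also be more useful to an operator if they carried the library's reason, e.g. `sysfatal("ssl could not connect: %s", ERR_reason_error_string(ERR_get_error()));`, which SSL_load_error_strings() in the second hunk already makes available. The enclosing function starts and ends outside this hunk.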
@@ -130,9 +131,17 @@
 	SSL_load_error_strings();
 	ssl_ctx = SSL_CTX_new(TLSv1_2_client_method());
 	SSL_CTX_set_psk_client_callback(ssl_ctx, psk_client_cb);
+
+#if OPENSSL_VERSION_MAJOR==3
+	/* 9front support for RFC 5746 is not guranteed but we never do renegotiation anyway... */
+	SSL_CTX_set_options(ssl_ctx, SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION);
+#endif
+
 	if(ssl_ctx == nil)
 		sysfatal("could not init openssl");
 	ssl_conn = SSL_new(ssl_ctx);
+	if(ssl_conn == nil)
+		sysfatal("could not init openssl");
 
 	if(*argv && !Rflag){
 		pipe(pin);
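Review bot: The new SSL_CTX_set_options() call inside the OPENSSL_VERSION_MAJOR==3 block runs before the `if(ssl_ctx == nil)` check two lines below it, so on an SSL_CTX_new() failure the option is set on a null context before the code reaches sysfatal(); the nil check and its sysfatal() should move up to directly follow the SSL_CTX_new() line, ahead of the #if block. Since the comment's justification is that this client never renegotiates, the weakened-RFC 5746 posture could be made to match the stated intent by also setting SSL_OP_NO_RENEGOTIATION in the same call, `SSL_CTX_set_options(ssl_ctx, SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION | SSL_OP_NO_RENEGOTIATION);`, so that a peer accepted without the secure-renegotiation extension cannot later trigger a renegotiation. The comment also misspells "guaranteed", and the new `ssl_conn == nil` check reuses the exact "could not init openssl" message of the context check, which makes the two failures indistinguishable in logs; `sysfatal("could not create ssl connection");` would separate them. The enclosing function starts and ends outside this hunk.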