
tls: updated tls version selection for libssl 1.1.0 api

- fixes compile warnings for deprecated TLSXY_method() functions
Daniel-Constantin Mierla 8 жил өмнө
parent
commit
76efc9b7a1

+ 27 - 0
src/modules/tls/tls_domain.c

@@ -987,6 +987,9 @@ static int fix_domain(tls_domain_t* d, tls_domain_t* def)
 	}
 	memset(d->ctx, 0, sizeof(SSL_CTX*) * procs_no);
 	for(i = 0; i < procs_no; i++) {
+
+#if OPENSSL_VERSION_NUMBER < 0x10100000L
+		/* libssl < 1.1.0 */
 		if(d->method>TLS_USE_TLSvRANGE) {
 			d->ctx[i] = SSL_CTX_new(SSLv23_method());
 		} else {
@@ -999,6 +1002,30 @@ static int fix_domain(tls_domain_t* d, tls_domain_t* def)
 		if(d->method>TLS_USE_TLSvRANGE) {
 			SSL_CTX_set_options(d->ctx[i], (long)ssl_methods[d->method - 1]);
 		}
+#else
+		/* libssl >= 1.1.0 */
+		d->ctx[i] = SSL_CTX_new(sr_tls_methods[d->method - 1].TLSMethod);
+		if (d->ctx[i] == NULL) {
+			ERR("%s: Cannot create SSL context\n", tls_domain_str(d));
+			return -1;
+		}
+		if(d->method>TLS_USE_TLSvRANGE) {
+			if(sr_tls_methods[d->method - 1].TLSMethodMin) {
+				SSL_CTX_set_min_proto_version(d->ctx[i],
+						sr_tls_methods[d->method - 1].TLSMethodMin);
+			}
+		} else {
+			if(sr_tls_methods[d->method - 1].TLSMethodMin) {
+				SSL_CTX_set_min_proto_version(d->ctx[i],
+						sr_tls_methods[d->method - 1].TLSMethodMin);
+			}
+			if(sr_tls_methods[d->method - 1].TLSMethodMax) {
+				SSL_CTX_set_max_proto_version(d->ctx[i],
+						sr_tls_methods[d->method - 1].TLSMethodMax);
+			}
+		}
+#endif
+
 #ifndef OPENSSL_NO_TLSEXT
 		/*
 		* check server domains for server_name extension and register
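Review bot: The return values of SSL_CTX_set_min_proto_version() and SSL_CTX_set_max_proto_version() are discarded at the three new call sites in the libssl >= 1.1.0 branch; both return 1 on success and 0 on failure, and a failed call leaves the library's default bound in place, so a domain configured for e.g. TLSv1.2+ would silently keep the weaker default minimum with no log line. The NULL check on SSL_CTX_new() right above already treats context setup as fatal, so the version bounds should follow the same pattern and return -1 through ERR(). The two branches of `if(d->method>TLS_USE_TLSvRANGE)` also repeat the TLSMethodMin block verbatim; only the max bound differs, which the rewrite below folds into one condition. The enclosing for-loop begins in the previous hunk and fix_domain() itself starts and ends outside this section, so the -1 return path is assumed to match the one the pre-1.1.0 branch already uses.
```c
		/* libssl >= 1.1.0 */
		/* … unchanged: SSL_CTX_new() and the NULL check … */
		/* a failed set_*_proto_version() leaves the library default bound in
		 * place (a weaker minimum than configured), so treat it as fatal */
		if(sr_tls_methods[d->method - 1].TLSMethodMin) {
			if(SSL_CTX_set_min_proto_version(d->ctx[i],
						sr_tls_methods[d->method - 1].TLSMethodMin) != 1) {
				ERR("%s: Cannot set minimum TLS protocol version\n",
						tls_domain_str(d));
				return -1;
			}
		}
		/* ranges (method > TLS_USE_TLSvRANGE) have no upper bound */
		if(d->method<=TLS_USE_TLSvRANGE
				&& sr_tls_methods[d->method - 1].TLSMethodMax) {
			if(SSL_CTX_set_max_proto_version(d->ctx[i],
						sr_tls_methods[d->method - 1].TLSMethodMax) != 1) {
				ERR("%s: Cannot set maximum TLS protocol version\n",
						tls_domain_str(d));
				return -1;
			}
		}
```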

+ 1 - 1
src/modules/tls/tls_domain.h

@@ -73,7 +73,7 @@ enum tls_method {
 	TLS_USE_TLSvRANGE,    /* placeholder - TLSvX ranges must be after it */
 	TLS_USE_TLSv1_PLUS,   /* TLSv1.0 or greater */
 	TLS_USE_TLSv1_1_PLUS, /* TLSv1.1 or greater */
-	TLS_USE_TLSv1_2_PLUS, /* TLSv1.1 or greater */
+	TLS_USE_TLSv1_2_PLUS, /* TLSv1.2 or greater */
 	TLS_METHOD_MAX
 };
 

+ 69 - 0
src/modules/tls/tls_init.c

@@ -119,7 +119,11 @@ to compile on the  _target_ system)"
 int openssl_kssl_malloc_bug=0; /* is openssl bug #1467 present ? */
 #endif
 
+#if OPENSSL_VERSION_NUMBER < 0x10100000L
 const SSL_METHOD* ssl_methods[TLS_METHOD_MAX];
+#else
+sr_tls_methods_t sr_tls_methods[TLS_METHOD_MAX];
+#endif
 
 #ifdef NO_TLS_MALLOC_DBG
 #undef TLS_MALLOC_DBG /* extra malloc debug info from openssl */
@@ -352,6 +356,8 @@ error:
  */
 static void init_ssl_methods(void)
 {
+#if OPENSSL_VERSION_NUMBER < 0x10100000L
+	/* libssl < 1.1.0 */
 	memset(ssl_methods, 0, sizeof(ssl_methods));
 
 	/* any SSL/TLS version */
@@ -400,6 +406,69 @@ static void init_ssl_methods(void)
 #if OPENSSL_VERSION_NUMBER >= 0x1000105fL
 	ssl_methods[TLS_USE_TLSv1_2_PLUS - 1] = (void*)TLS_OP_TLSv1_2_PLUS;
 #endif
+
+#else
+	/* openssl 1.1.0+ */
+	memset(sr_tls_methods, 0, sizeof(sr_tls_methods));
+
+	/* any SSL/TLS version */
+	sr_tls_methods[TLS_USE_SSLv23_cli - 1].TLSMethod = TLS_client_method();
+	sr_tls_methods[TLS_USE_SSLv23_srv - 1].TLSMethod = TLS_server_method();
+	sr_tls_methods[TLS_USE_SSLv23 - 1].TLSMethod = TLS_method();
+
+#ifndef OPENSSL_NO_SSL3_METHOD
+	sr_tls_methods[TLS_USE_SSLv3_cli - 1].TLSMethod = TLS_client_method();
+	sr_tls_methods[TLS_USE_SSLv3_cli - 1].TLSMethodMin = SSL3_VERSION;
+	sr_tls_methods[TLS_USE_SSLv3_cli - 1].TLSMethodMax = SSL3_VERSION;
+	sr_tls_methods[TLS_USE_SSLv3_srv - 1].TLSMethod = TLS_server_method();
+	sr_tls_methods[TLS_USE_SSLv3_srv - 1].TLSMethodMin = SSL3_VERSION;
+	sr_tls_methods[TLS_USE_SSLv3_srv - 1].TLSMethodMax = SSL3_VERSION;
+	sr_tls_methods[TLS_USE_SSLv3 - 1].TLSMethod = TLS_method();
+	sr_tls_methods[TLS_USE_SSLv3 - 1].TLSMethodMin = SSL3_VERSION;
+	sr_tls_methods[TLS_USE_SSLv3 - 1].TLSMethodMax = SSL3_VERSION;
+#endif
+
+	sr_tls_methods[TLS_USE_TLSv1_cli - 1].TLSMethod = TLS_client_method();
+	sr_tls_methods[TLS_USE_TLSv1_cli - 1].TLSMethodMin = TLS1_VERSION;
+	sr_tls_methods[TLS_USE_TLSv1_cli - 1].TLSMethodMax = TLS1_VERSION;
+	sr_tls_methods[TLS_USE_TLSv1_srv - 1].TLSMethod = TLS_server_method();
+	sr_tls_methods[TLS_USE_TLSv1_srv - 1].TLSMethodMin = TLS1_VERSION;
+	sr_tls_methods[TLS_USE_TLSv1_srv - 1].TLSMethodMax = TLS1_VERSION;
+	sr_tls_methods[TLS_USE_TLSv1 - 1].TLSMethod = TLS_method();
+	sr_tls_methods[TLS_USE_TLSv1 - 1].TLSMethodMin = TLS1_VERSION;
+	sr_tls_methods[TLS_USE_TLSv1 - 1].TLSMethodMax = TLS1_VERSION;
+
+	sr_tls_methods[TLS_USE_TLSv1_1_cli - 1].TLSMethod = TLS_client_method();
+	sr_tls_methods[TLS_USE_TLSv1_1_cli - 1].TLSMethodMin = TLS1_1_VERSION;
+	sr_tls_methods[TLS_USE_TLSv1_1_cli - 1].TLSMethodMax = TLS1_1_VERSION;
+	sr_tls_methods[TLS_USE_TLSv1_1_srv - 1].TLSMethod = TLS_server_method();
+	sr_tls_methods[TLS_USE_TLSv1_1_srv - 1].TLSMethodMin = TLS1_1_VERSION;
+	sr_tls_methods[TLS_USE_TLSv1_1_srv - 1].TLSMethodMax = TLS1_1_VERSION;
+	sr_tls_methods[TLS_USE_TLSv1_1 - 1].TLSMethod = TLS_method();
+	sr_tls_methods[TLS_USE_TLSv1_1 - 1].TLSMethodMin = TLS1_1_VERSION;
+	sr_tls_methods[TLS_USE_TLSv1_1 - 1].TLSMethodMax = TLS1_1_VERSION;
+
+	sr_tls_methods[TLS_USE_TLSv1_2_cli - 1].TLSMethod = TLS_client_method();
+	sr_tls_methods[TLS_USE_TLSv1_2_cli - 1].TLSMethodMin = TLS1_2_VERSION;
+	sr_tls_methods[TLS_USE_TLSv1_2_cli - 1].TLSMethodMax = TLS1_2_VERSION;
+	sr_tls_methods[TLS_USE_TLSv1_2_srv - 1].TLSMethod = TLS_server_method();
+	sr_tls_methods[TLS_USE_TLSv1_2_srv - 1].TLSMethodMin = TLS1_2_VERSION;
+	sr_tls_methods[TLS_USE_TLSv1_2_srv - 1].TLSMethodMax = TLS1_2_VERSION;
+	sr_tls_methods[TLS_USE_TLSv1_2 - 1].TLSMethod = TLS_method();
+	sr_tls_methods[TLS_USE_TLSv1_2 - 1].TLSMethodMin = TLS1_2_VERSION;
+	sr_tls_methods[TLS_USE_TLSv1_2 - 1].TLSMethodMax = TLS1_2_VERSION;
+
+	/* ranges of TLS versions (require a minimum TLS version) */
+	sr_tls_methods[TLS_USE_TLSv1_PLUS - 1].TLSMethod = TLS_method();
+	sr_tls_methods[TLS_USE_TLSv1_PLUS - 1].TLSMethodMin = TLS1_VERSION;
+
+	sr_tls_methods[TLS_USE_TLSv1_1_PLUS - 1].TLSMethod = TLS_method();
+	sr_tls_methods[TLS_USE_TLSv1_1_PLUS - 1].TLSMethodMin = TLS1_1_VERSION;
+
+	sr_tls_methods[TLS_USE_TLSv1_2_PLUS - 1].TLSMethod = TLS_method();
+	sr_tls_methods[TLS_USE_TLSv1_2_PLUS - 1].TLSMethodMin = TLS1_2_VERSION;
+
+#endif
 }
 
 
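Review bot: The 1.1.0+ branch of init_ssl_methods() is 27 near-identical triples of `sr_tls_methods[X - 1].TLSMethod/TLSMethodMin/TLSMethodMax = ...`, which makes the one entry that differs (a range entry with no max, or an SSLv3 entry pinned to min == max) hard to spot on review; a small static helper taking the enum value, the method and the two bounds would reduce each entry to one line and make the "0 means leave the library default" convention explicit in one place. The helper has to live under the same `OPENSSL_VERSION_NUMBER >= 0x10100000L` guard as the sr_tls_methods[] definition in the first hunk of this file. The comment at the top of the branch says `/* openssl 1.1.0+ */` while the matching branch in tls_domain.c says `/* libssl >= 1.1.0 */`; picking one wording helps grepping. init_ssl_methods() begins in the previous hunk, and the `#if` whose `#else` this hunk contains is opened there.
```c
#if OPENSSL_VERSION_NUMBER >= 0x10100000L
/* fill one sr_tls_methods[] slot; vmin/vmax of 0 leave the library default */
static void set_tls_method(enum tls_method m, const SSL_METHOD *meth,
		int vmin, int vmax)
{
	sr_tls_methods[m - 1].TLSMethod = meth;
	sr_tls_methods[m - 1].TLSMethodMin = vmin;
	sr_tls_methods[m - 1].TLSMethodMax = vmax;
}
#endif
/* … unchanged: init_ssl_methods() up to the #else of the version check … */
	/* libssl >= 1.1.0 */
	memset(sr_tls_methods, 0, sizeof(sr_tls_methods));

	/* any SSL/TLS version */
	set_tls_method(TLS_USE_SSLv23_cli, TLS_client_method(), 0, 0);
	set_tls_method(TLS_USE_SSLv23_srv, TLS_server_method(), 0, 0);
	set_tls_method(TLS_USE_SSLv23, TLS_method(), 0, 0);

#ifndef OPENSSL_NO_SSL3_METHOD
	set_tls_method(TLS_USE_SSLv3_cli, TLS_client_method(),
			SSL3_VERSION, SSL3_VERSION);
	/* … same for TLS_USE_SSLv3_srv / TLS_USE_SSLv3 … */
#endif
	/* … TLSv1, TLSv1.1, TLSv1.2 single-version entries follow the same
	 * pattern with TLS1_VERSION, TLS1_1_VERSION, TLS1_2_VERSION … */

	/* ranges of TLS versions (require a minimum TLS version) */
	set_tls_method(TLS_USE_TLSv1_PLUS, TLS_method(), TLS1_VERSION, 0);
	set_tls_method(TLS_USE_TLSv1_1_PLUS, TLS_method(), TLS1_1_VERSION, 0);
	set_tls_method(TLS_USE_TLSv1_2_PLUS, TLS_method(), TLS1_2_VERSION, 0);
```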

+ 10 - 2
src/modules/tls/tls_init.h

@@ -38,15 +38,23 @@
 #endif /* OPENSSL_VERION < 1.0 */
 #ifndef OPENSSL_NO_KRB5
 /* enable workarround for openssl kerberos wrong malloc bug
- * (kssl code uses libc malloc/free/calloc instead of OPENSSL_malloc & 
+ * (kssl code uses libc malloc/free/calloc instead of OPENSSL_malloc &
  * friends)*/
 #define TLS_KSSL_WORKARROUND
 extern int openssl_kssl_malloc_bug; /* is openssl bug #1467 present ? */
 #endif
 
 
+#if OPENSSL_VERSION_NUMBER < 0x10100000L
 extern const SSL_METHOD* ssl_methods[];
-
+#else
+typedef struct sr_tls_methods_s {
+	const SSL_METHOD* TLSMethod;
+	int TLSMethodMin;
+	int TLSMethodMax;
+} sr_tls_methods_t;
+extern sr_tls_methods_t sr_tls_methods[];
+#endif
 
 /*
  * just once, pre-initialize the tls subsystem
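Review bot: The new sr_tls_methods_s fields carry no comments, and the meaning of a zero TLSMethodMin/TLSMethodMax (the consumer in tls_domain.c only calls SSL_CTX_set_min/max_proto_version() when the field is non-zero, i.e. zero means the library default stays) is only discoverable by reading that file. I would document the contract on the struct itself: `const SSL_METHOD* TLSMethod; /* TLS_method(), TLS_client_method() or TLS_server_method() */`, `int TLSMethodMin; /* value for SSL_CTX_set_min_proto_version(); 0 = library default */`, `int TLSMethodMax; /* value for SSL_CTX_set_max_proto_version(); 0 = library default */`. A one-line comment above the typedef saying the array is indexed by `enum tls_method` minus one, as the ssl_methods[] array in the other branch is, would also save the next reader a trip to tls_init.c.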