Fix const-correctness warnings in OpenSSL's SSLi_init().

[umurmur.git] / src / ssli_openssl.c

diff --git a/src/ssli_openssl.c b/src/ssli_openssl.c
index 2dd55ef8839bfe334c717c896305416543b4608f..c35e1f82b4ef64338c7e4b6267d8b08a3463635c 100644 (file)
--- a/src/ssli_openssl.c
+++ b/src/ssli_openssl.c
@@ -49,7 +49,7 @@ static RSA *rsa;
 static SSL_CTX *context;
 static EVP_PKEY *pkey;
 
-static char const * ciphers = "EECDH+AESGCM:AES256-SHA:AES128-SHA";
+static char const * ciphers = "EECDH+CHACHA20:EECDH+AESGCM:EECDH+AES+TLSv1.2:EECDH+AES:AESGCM:AES:!aNULL:!DHE:!kECDH";
 
 static int verify_callback(int preverify_ok, X509_STORE_CTX *ctx);
 
@@ -67,32 +67,6 @@ static int SSL_add_ext(X509 * crt, int nid, char *value) {
        return 1;
 }
 
-static X509 *SSL_readcert(char *certfile)
-{
-       FILE *fp;
-       X509 *x509;
-
-       /* open the certificate file */
-       fp = fopen(certfile, "r");
-       if (fp == NULL) {
-               Log_warn("Unable to open the X509 file %s for reading.", certfile);
-               return NULL;
-       }
-
-       /* allocate memory for the cert structure */
-       x509 = X509_new();
-
-       if (PEM_read_X509(fp, &x509, NULL, NULL) == 0) {
-               /* error reading the x509 information - check the error stack */
-               Log_warn("Error trying to read X509 info.");
-               fclose(fp);
-               X509_free(x509);
-               return NULL;
-       }
-       fclose(fp);
-       return x509;
-}
-
 static RSA *SSL_readprivatekey(char *keyfile)
 {
        FILE *fp;
@@ -214,15 +188,18 @@ void SSLi_init(void)
        SSL *ssl;
        int i, offset = 0, cipherstringlen = 0;
        STACK_OF(SSL_CIPHER) *cipherlist = NULL, *cipherlist_new = NULL;
-       SSL_CIPHER *cipher;
-       char *cipherstring;
+       const SSL_CIPHER *cipher;
+       char *cipherstring = NULL;
 
        SSL_library_init();
        OpenSSL_add_all_algorithms();
        SSL_load_error_strings();
        ERR_load_crypto_strings();
 
-       context = SSL_CTX_new(TLSv1_2_server_method());
+       context = SSL_CTX_new(SSLv23_server_method());
+       SSL_CTX_set_options(context, SSL_OP_NO_SSLv2);
+       SSL_CTX_set_options(context, SSL_OP_NO_SSLv3);
+       SSL_CTX_set_options(context, SSL_OP_CIPHER_SERVER_PREFERENCE);
        if (context == NULL)
        {
                ERR_print_errors_fp(stderr);
@@ -268,7 +245,7 @@ void SSLi_init(void)
        if (cipherlist_new)
                sk_SSL_CIPHER_free(cipherlist_new);
 
-       if (strlen(cipherstring) == 0)
+       if (!cipherstring || !*cipherstring)
                Log_fatal("No suitable ciphers found!");
 
        if (SSL_CTX_set_cipher_list(context, cipherstring) == 0)
@@ -408,7 +385,7 @@ static int verify_callback(int preverify_ok, X509_STORE_CTX *ctx)
      * it for something special
      */
     if (!preverify_ok && (err == X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT)) {
-           X509_NAME_oneline(X509_get_issuer_name(ctx->current_cert), buf, 256);
+           X509_NAME_oneline(X509_get_issuer_name(err_cert), buf, 256);
            Log_warn("issuer= %s", buf);
     }
     return 1;