Merge pull request #1768 from csoler/v0.6-SSL111Fix

fixed OpenSSL 1.1.1 bug on debian due to security level being set to …
This commit is contained in:
csoler 2020-01-24 23:08:06 +01:00 committed by GitHub
commit 9c65836503
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23

View File

@ -422,6 +422,7 @@ int AuthSSLimpl::InitAuth(
// get xPGP certificate.
X509 *x509 = PEM_read_X509(ownfp, NULL, NULL, NULL);
fclose(ownfp);
if (x509 == NULL)
@ -430,8 +431,38 @@ int AuthSSLimpl::InitAuth(
std::cerr << std::endl;
return -1;
}
SSL_CTX_use_certificate(sslctx, x509);
mOwnPublicKey = X509_get_pubkey(x509);
int result = SSL_CTX_use_certificate(sslctx, x509);
#if OPENSSL_VERSION_NUMBER >= 0x10101000L
if(result != 1)
{
// In debian Buster, openssl security level is set to 2 which preclude the use of SHA1, originally used to sign RS certificates.
// As a consequence, on these systems, locations created with RS previously to Jan.2020 will not start unless we revert the
// security level to a value of 1.
int save_sec = SSL_CTX_get_security_level(sslctx);
SSL_CTX_set_security_level(sslctx,1);
result = SSL_CTX_use_certificate(sslctx, x509);
if(result == 1)
{
std::cerr << std::endl;
std::cerr << " Your Retroshare certificate uses low security settings that are incompatible " << std::endl;
std::cerr << "(WW) with current security level " << save_sec << " of the OpenSSL library. Retroshare will still start " << std::endl;
std::cerr << " (with security level set to 1), but you should probably create a new location." << std::endl;
std::cerr << std::endl;
}
}
#endif
if(result != 1)
{
std::cerr << "(EE) Cannot use your Retroshare certificate. Some error occured in SSL_CTX_use_certificate()" << std::endl;
return -1;
}
mOwnPublicKey = X509_get_pubkey(x509);
// get private key
FILE *pkfp = RsDirUtil::rs_fopen(priv_key_file, "rb");