From dde86e585fe6882c1e61ab04a19d536512d6b6b2 Mon Sep 17 00:00:00 2001 From: "Todd C. Miller" Date: Tue, 21 Jan 2020 13:27:40 -0700 Subject: [PATCH] Add support for building on OpenSSL 1.0.2. This adds compatibility defines for some OpenSSL 1.1.x functions. --- aclocal.m4 | 9 +- autogen.sh | 2 +- config.h.in | 15 +++ configure | 231 +++++++++++++++++++++++++++++++-- configure.ac | 17 ++- include/sudo_compat.h | 18 +++ logsrvd/logsrvd.c | 5 + logsrvd/sendlog.c | 11 ++ plugins/sudoers/iolog_client.c | 12 ++ 9 files changed, 303 insertions(+), 17 deletions(-) diff --git a/aclocal.m4 b/aclocal.m4 index c7d1f87ca..0d7d16551 100644 --- a/aclocal.m4 +++ b/aclocal.m4 @@ -1,6 +1,6 @@ -# generated automatically by aclocal 1.15.1 -*- Autoconf -*- +# generated automatically by aclocal 1.16.1 -*- Autoconf -*- -# Copyright (C) 1996-2017 Free Software Foundation, Inc. +# Copyright (C) 1996-2018 Free Software Foundation, Inc. # This file is free software; the Free Software Foundation # gives unlimited permission to copy and/or distribute it, @@ -12,7 +12,7 @@ # PARTICULAR PURPOSE. m4_ifndef([AC_CONFIG_MACRO_DIRS], [m4_defun([_AM_CONFIG_MACRO_DIRS], [])m4_defun([AC_CONFIG_MACRO_DIRS], [_AM_CONFIG_MACRO_DIRS($@)])]) -# Copyright (C) 1999-2017 Free Software Foundation, Inc. +# Copyright (C) 1999-2018 Free Software Foundation, Inc. # # This file is free software; the Free Software Foundation # gives unlimited permission to copy and/or distribute it, @@ -45,7 +45,6 @@ AC_DEFUN([AM_PATH_PYTHON], [ dnl Find a Python interpreter. Python versions prior to 2.0 are not dnl supported. (2.0 was released on October 16, 2000). - dnl FIXME: Remove the need to hard-code Python versions here. m4_define_default([_AM_PYTHON_INTERPRETER_LIST], [python python2 python3 dnl python3.9 python3.8 python3.7 python3.6 python3.5 python3.4 python3.3 dnl 
@@ -251,7 +250,7 @@ for i in list(range(0, 4)): minverhex = (minverhex << 8) + minver[[i]] sys.exit(sys.hexversion < minverhex)" AS_IF([AM_RUN_LOG([$1 -c "$prog"])], [$3], [$4])]) -# Copyright (C) 2001-2017 Free Software Foundation, Inc. +# Copyright (C) 2001-2018 Free Software Foundation, Inc. # # This file is free software; the Free Software Foundation # gives unlimited permission to copy and/or distribute it, diff --git a/autogen.sh b/autogen.sh index 890eac764..0037c6005 100755 --- a/autogen.sh +++ b/autogen.sh @@ -4,7 +4,7 @@ # If the user hasn't chosen one themselves, we do here. if [ "`/usr/bin/uname 2>&1`" = "OpenBSD" ]; then if [ X"$AUTOMAKE_VERSION" = X"" ]; then - AUTOMAKE_VERSION=1.15; export AUTOMAKE_VERSION + AUTOMAKE_VERSION=1.16; export AUTOMAKE_VERSION fi if [ X"$AUTOCONF_VERSION" = X"" ]; then AUTOCONF_VERSION=2.69; export AUTOCONF_VERSION diff --git a/config.h.in b/config.h.in index 412f9b8bd..0d3b74183 100644 --- a/config.h.in +++ b/config.h.in @@ -57,6 +57,9 @@ /* Define to 1 if you have the `arc4random_uniform' function. */ #undef HAVE_ARC4RANDOM_UNIFORM +/* Define to 1 if you have the `ASN1_STRING_get0_data' function. */ +#undef HAVE_ASN1_STRING_GET0_DATA + /* Define to 1 if you have the `asprintf' function. */ #undef HAVE_ASPRINTF @@ -724,6 +727,9 @@ /* Define to 1 if you have the `SSL_CTX_set_ciphersuites' function. */ #undef HAVE_SSL_CTX_SET_CIPHERSUITES +/* Define to 1 if you have the `SSL_CTX_set_min_proto_version' function. */ +#undef HAVE_SSL_CTX_SET_MIN_PROTO_VERSION + /* Define to 1 to enable SSSD support. */ #undef HAVE_SSSD @@ -873,6 +879,12 @@ /* Define to 1 if you have the header file. */ #undef HAVE_SYS_TYPES_H +/* Define to 1 if you have the `TLS_client_method' function. */ +#undef HAVE_TLS_CLIENT_METHOD + +/* Define to 1 if you have the `TLS_server_method' function. */ +#undef HAVE_TLS_SERVER_METHOD + /* Define to 1 if you have the `ttyslot' function. */ #undef HAVE_TTYSLOT 
@@ -918,6 +930,9 @@ /* Define to 1 if you have the header file. */ #undef HAVE_WORDEXP_H +/* Define to 1 if you have the `X509_STORE_CTX_get0_cert' function. */ +#undef HAVE_X509_STORE_CTX_GET0_CERT + /* Define to 1 if you have the header file. */ #undef HAVE_ZLIB_H diff --git a/configure b/configure index 5d6e0f579..212d7eaa3 100755 --- a/configure +++ b/configure 
@@ -21985,13 +21985,96 @@ _ACEOF fi -{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for SSL_CTX_set_ciphersuites in -lssl" >&5 -$as_echo_n "checking for SSL_CTX_set_ciphersuites in -lssl... " >&6; } -if ${ac_cv_lib_ssl_SSL_CTX_set_ciphersuitescrypto+:} false; then : +if test "${enable_openssl-no}" != no; then + { $as_echo "$as_me:${as_lineno-$LINENO}: checking for X509_STORE_CTX_get0_cert in -lcrypto" >&5 +$as_echo_n "checking for X509_STORE_CTX_get0_cert in -lcrypto... " >&6; } +if ${ac_cv_lib_crypto_X509_STORE_CTX_get0_cert+:} false; then : $as_echo_n "(cached) " >&6 else ac_check_lib_save_LIBS=$LIBS -LIBS="-lssl crypto $LIBS" +LIBS="-lcrypto $LIBS" +cat confdefs.h - <<_ACEOF >conftest.$ac_ext +/* end confdefs.h. */ + +/* Override any GCC internal prototype to avoid an error. + Use char because int might match the return type of a GCC + builtin and then its argument prototype would still apply. */ +#ifdef __cplusplus +extern "C" +#endif +char X509_STORE_CTX_get0_cert (); +int +main () +{ +return X509_STORE_CTX_get0_cert (); + ; + return 0; +} +_ACEOF +if ac_fn_c_try_link "$LINENO"; then : + ac_cv_lib_crypto_X509_STORE_CTX_get0_cert=yes +else + ac_cv_lib_crypto_X509_STORE_CTX_get0_cert=no +fi +rm -f core conftest.err conftest.$ac_objext \ + conftest$ac_exeext conftest.$ac_ext +LIBS=$ac_check_lib_save_LIBS +fi +{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_lib_crypto_X509_STORE_CTX_get0_cert" >&5 +$as_echo "$ac_cv_lib_crypto_X509_STORE_CTX_get0_cert" >&6; } +if test "x$ac_cv_lib_crypto_X509_STORE_CTX_get0_cert" = xyes; then : + $as_echo "#define HAVE_X509_STORE_CTX_GET0_CERT 1" >>confdefs.h + +fi + + { $as_echo "$as_me:${as_lineno-$LINENO}: checking for ASN1_STRING_get0_data in -lcrypto" >&5 +$as_echo_n "checking for ASN1_STRING_get0_data in -lcrypto... 
" >&6; } +if ${ac_cv_lib_crypto_ASN1_STRING_get0_data+:} false; then : + $as_echo_n "(cached) " >&6 +else + ac_check_lib_save_LIBS=$LIBS +LIBS="-lcrypto $LIBS" +cat confdefs.h - <<_ACEOF >conftest.$ac_ext +/* end confdefs.h. */ + +/* Override any GCC internal prototype to avoid an error. + Use char because int might match the return type of a GCC + builtin and then its argument prototype would still apply. */ +#ifdef __cplusplus +extern "C" +#endif +char ASN1_STRING_get0_data (); +int +main () +{ +return ASN1_STRING_get0_data (); + ; + return 0; +} +_ACEOF +if ac_fn_c_try_link "$LINENO"; then : + ac_cv_lib_crypto_ASN1_STRING_get0_data=yes +else + ac_cv_lib_crypto_ASN1_STRING_get0_data=no +fi +rm -f core conftest.err conftest.$ac_objext \ + conftest$ac_exeext conftest.$ac_ext +LIBS=$ac_check_lib_save_LIBS +fi +{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_lib_crypto_ASN1_STRING_get0_data" >&5 +$as_echo "$ac_cv_lib_crypto_ASN1_STRING_get0_data" >&6; } +if test "x$ac_cv_lib_crypto_ASN1_STRING_get0_data" = xyes; then : + $as_echo "#define HAVE_ASN1_STRING_GET0_DATA 1" >>confdefs.h + +fi + + { $as_echo "$as_me:${as_lineno-$LINENO}: checking for SSL_CTX_set_ciphersuites in -lssl" >&5 +$as_echo_n "checking for SSL_CTX_set_ciphersuites in -lssl... " >&6; } +if ${ac_cv_lib_ssl_SSL_CTX_set_ciphersuites_lcrypto+:} false; then : + $as_echo_n "(cached) " >&6 +else + ac_check_lib_save_LIBS=$LIBS +LIBS="-lssl -lcrypto $LIBS" cat confdefs.h - <<_ACEOF >conftest.$ac_ext /* end confdefs.h. */ 
@@ -22011,21 +22094,145 @@ return SSL_CTX_set_ciphersuites (); } _ACEOF if ac_fn_c_try_link "$LINENO"; then : - ac_cv_lib_ssl_SSL_CTX_set_ciphersuitescrypto=yes + ac_cv_lib_ssl_SSL_CTX_set_ciphersuites_lcrypto=yes else - ac_cv_lib_ssl_SSL_CTX_set_ciphersuitescrypto=no + ac_cv_lib_ssl_SSL_CTX_set_ciphersuites_lcrypto=no fi rm -f core conftest.err conftest.$ac_objext \ conftest$ac_exeext conftest.$ac_ext LIBS=$ac_check_lib_save_LIBS fi -{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_lib_ssl_SSL_CTX_set_ciphersuitescrypto" >&5 -$as_echo "$ac_cv_lib_ssl_SSL_CTX_set_ciphersuitescrypto" >&6; } -if test "x$ac_cv_lib_ssl_SSL_CTX_set_ciphersuitescrypto" = xyes; then : +{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_lib_ssl_SSL_CTX_set_ciphersuites_lcrypto" >&5 +$as_echo "$ac_cv_lib_ssl_SSL_CTX_set_ciphersuites_lcrypto" >&6; } +if test "x$ac_cv_lib_ssl_SSL_CTX_set_ciphersuites_lcrypto" = xyes; then : $as_echo "#define HAVE_SSL_CTX_SET_CIPHERSUITES 1" >>confdefs.h fi + { $as_echo "$as_me:${as_lineno-$LINENO}: checking for SSL_CTX_set_min_proto_version in -lssl" >&5 +$as_echo_n "checking for SSL_CTX_set_min_proto_version in -lssl... " >&6; } +if ${ac_cv_lib_ssl_SSL_CTX_set_min_proto_version_lcrypto+:} false; then : + $as_echo_n "(cached) " >&6 +else + ac_check_lib_save_LIBS=$LIBS +LIBS="-lssl -lcrypto $LIBS" +cat confdefs.h - <<_ACEOF >conftest.$ac_ext +/* end confdefs.h. */ + +/* Override any GCC internal prototype to avoid an error. + Use char because int might match the return type of a GCC + builtin and then its argument prototype would still apply. 
*/ +#ifdef __cplusplus +extern "C" +#endif +char SSL_CTX_set_min_proto_version (); +int +main () +{ +return SSL_CTX_set_min_proto_version (); + ; + return 0; +} +_ACEOF +if ac_fn_c_try_link "$LINENO"; then : + ac_cv_lib_ssl_SSL_CTX_set_min_proto_version_lcrypto=yes +else + ac_cv_lib_ssl_SSL_CTX_set_min_proto_version_lcrypto=no +fi +rm -f core conftest.err conftest.$ac_objext \ + conftest$ac_exeext conftest.$ac_ext +LIBS=$ac_check_lib_save_LIBS +fi +{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_lib_ssl_SSL_CTX_set_min_proto_version_lcrypto" >&5 +$as_echo "$ac_cv_lib_ssl_SSL_CTX_set_min_proto_version_lcrypto" >&6; } +if test "x$ac_cv_lib_ssl_SSL_CTX_set_min_proto_version_lcrypto" = xyes; then : + $as_echo "#define HAVE_SSL_CTX_SET_MIN_PROTO_VERSION 1" >>confdefs.h + +fi + + { $as_echo "$as_me:${as_lineno-$LINENO}: checking for TLS_client_method in -lssl" >&5 +$as_echo_n "checking for TLS_client_method in -lssl... " >&6; } +if ${ac_cv_lib_ssl_TLS_client_method_lcrypto+:} false; then : + $as_echo_n "(cached) " >&6 +else + ac_check_lib_save_LIBS=$LIBS +LIBS="-lssl -lcrypto $LIBS" +cat confdefs.h - <<_ACEOF >conftest.$ac_ext +/* end confdefs.h. */ + +/* Override any GCC internal prototype to avoid an error. + Use char because int might match the return type of a GCC + builtin and then its argument prototype would still apply. 
*/ +#ifdef __cplusplus +extern "C" +#endif +char TLS_client_method (); +int +main () +{ +return TLS_client_method (); + ; + return 0; +} +_ACEOF +if ac_fn_c_try_link "$LINENO"; then : + ac_cv_lib_ssl_TLS_client_method_lcrypto=yes +else + ac_cv_lib_ssl_TLS_client_method_lcrypto=no +fi +rm -f core conftest.err conftest.$ac_objext \ + conftest$ac_exeext conftest.$ac_ext +LIBS=$ac_check_lib_save_LIBS +fi +{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_lib_ssl_TLS_client_method_lcrypto" >&5 +$as_echo "$ac_cv_lib_ssl_TLS_client_method_lcrypto" >&6; } +if test "x$ac_cv_lib_ssl_TLS_client_method_lcrypto" = xyes; then : + $as_echo "#define HAVE_TLS_CLIENT_METHOD 1" >>confdefs.h + +fi + + { $as_echo "$as_me:${as_lineno-$LINENO}: checking for TLS_server_method in -lssl" >&5 +$as_echo_n "checking for TLS_server_method in -lssl... " >&6; } +if ${ac_cv_lib_ssl_TLS_server_method_lcrypto+:} false; then : + $as_echo_n "(cached) " >&6 +else + ac_check_lib_save_LIBS=$LIBS +LIBS="-lssl -lcrypto $LIBS" +cat confdefs.h - <<_ACEOF >conftest.$ac_ext +/* end confdefs.h. */ + +/* Override any GCC internal prototype to avoid an error. + Use char because int might match the return type of a GCC + builtin and then its argument prototype would still apply. 
*/ +#ifdef __cplusplus +extern "C" +#endif +char TLS_server_method (); +int +main () +{ +return TLS_server_method (); + ; + return 0; +} +_ACEOF +if ac_fn_c_try_link "$LINENO"; then : + ac_cv_lib_ssl_TLS_server_method_lcrypto=yes +else + ac_cv_lib_ssl_TLS_server_method_lcrypto=no +fi +rm -f core conftest.err conftest.$ac_objext \ + conftest$ac_exeext conftest.$ac_ext +LIBS=$ac_check_lib_save_LIBS +fi +{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_lib_ssl_TLS_server_method_lcrypto" >&5 +$as_echo "$ac_cv_lib_ssl_TLS_server_method_lcrypto" >&6; } +if test "x$ac_cv_lib_ssl_TLS_server_method_lcrypto" = xyes; then : + $as_echo "#define HAVE_TLS_SERVER_METHOD 1" >>confdefs.h + +fi + +fi OLIBS="$LIBS" LIBS="${LIBS} ${NET_LIBS}" ac_fn_c_check_func "$LINENO" "socket" "ac_cv_func_socket" @@ -29995,6 +30202,12 @@ fi + + + + + + diff --git a/configure.ac b/configure.ac index 7f85b5cc5..a2bd1eb66 100644 --- a/configure.ac +++ b/configure.ac 
@@ -2955,9 +2955,16 @@ AC_INCLUDES_DEFAULT #include <$ac_header_dirent> ]) dnl -dnl Check for SSL_CTX_set_ciphersuites supported by OpenSSL 1.1 and higher +dnl Check for functions only present in OpenSSL 1.1 and above dnl -AC_CHECK_LIB(ssl, SSL_CTX_set_ciphersuites, [AC_DEFINE(HAVE_SSL_CTX_SET_CIPHERSUITES)], [], [crypto]) +if test "${enable_openssl-no}" != no; then + AC_CHECK_LIB(crypto, X509_STORE_CTX_get0_cert, [AC_DEFINE(HAVE_X509_STORE_CTX_GET0_CERT)]) + AC_CHECK_LIB(crypto, ASN1_STRING_get0_data, [AC_DEFINE(HAVE_ASN1_STRING_GET0_DATA)]) + AC_CHECK_LIB(ssl, SSL_CTX_set_ciphersuites, [AC_DEFINE(HAVE_SSL_CTX_SET_CIPHERSUITES)], [], [-lcrypto]) + AC_CHECK_LIB(ssl, SSL_CTX_set_min_proto_version, [AC_DEFINE(HAVE_SSL_CTX_SET_MIN_PROTO_VERSION)], [], [-lcrypto]) + AC_CHECK_LIB(ssl, TLS_client_method, [AC_DEFINE(HAVE_TLS_CLIENT_METHOD)], [], [-lcrypto]) + AC_CHECK_LIB(ssl, TLS_server_method, [AC_DEFINE(HAVE_TLS_SERVER_METHOD)], [], [-lcrypto]) +fi dnl dnl If socket(2) not in libc, check -lsocket and -linet dnl May need to link with *both* -lnsl and -lsocket due to unresolved symbols 
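Review bot: `AC_CHECK_LIB(ssl, SSL_CTX_set_min_proto_version, ...)` is a link test, but in the OpenSSL 1.1.x headers `SSL_CTX_set_min_proto_version` is a macro over `SSL_CTX_ctrl()` with no exported symbol, so on those builds HAVE_SSL_CTX_SET_MIN_PROTO_VERSION would stay undefined, the `SSL_CTX_set_options()` fallback added to logsrvd.c, sendlog.c and iolog_client.c is what actually runs, and the branch calling the native API is dead code. The negotiated floor is still TLS 1.2 either way, so nothing is weakened today, but a later change that relies on the native API (e.g. raising the minimum to TLS 1.3) would silently not take effect. A declaration test sees macros as well as functions: `AC_CHECK_DECLS([SSL_CTX_set_min_proto_version], [AC_DEFINE(HAVE_SSL_CTX_SET_MIN_PROTO_VERSION)], [], [#include <openssl/ssl.h>])`. This is from memory of the 1.1.x ssl.h, so confirm with `nm -D libssl.so | grep set_min_proto` on a 1.1.x install before switching the check.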
@@ -4736,7 +4743,13 @@ AH_TEMPLATE(HAVE_KINFO_PROC2_NETBSD, [Define to 1 if your system has a NetBSD-st AH_TEMPLATE(HAVE_KINFO_PROC_OPENBSD, [Define to 1 if your system has an OpenBSD-style kinfo_proc struct.]) AH_TEMPLATE(HAVE_OPENSSL, [Define to 1 if you are using OpenSSL's TLS and sha2 functions.]) AH_TEMPLATE(HAVE_GCRYPT, [Define to 1 if you are using gcrypt's sha2 functions.]) +AH_TEMPLATE(HAVE_X509_STORE_CTX_GET0_CERT, [Define to 1 if you have the `X509_STORE_CTX_get0_cert' function.]) +AH_TEMPLATE(HAVE_ASN1_STRING_GET0_DATA, [Define to 1 if you have the `ASN1_STRING_get0_data' function.]) AH_TEMPLATE(HAVE_SSL_CTX_SET_CIPHERSUITES, [Define to 1 if you have the `SSL_CTX_set_ciphersuites' function.]) +AH_TEMPLATE(HAVE_SSL_CTX_SET_MIN_PROTO_VERSION, [Define to 1 if you have the `SSL_CTX_set_min_proto_version' function.]) +AH_TEMPLATE(HAVE_TLS_CLIENT_METHOD, [Define to 1 if you have the `TLS_client_method' function.]) +AH_TEMPLATE(HAVE_TLS_SERVER_METHOD, [Define to 1 if you have the `TLS_server_method' function.]) + dnl dnl Bits to copy verbatim into config.h.in dnl diff --git a/include/sudo_compat.h b/include/sudo_compat.h index 70a1aa5fd..db90640df 100644 --- a/include/sudo_compat.h +++ b/include/sudo_compat.h @@ -390,6 +390,24 @@ int getdomainname(char *, size_t); # endif #endif /* __hpux && !__LP64__ */ +/* + * Compatibility defines for OpenSSL 1.0.2 (not needed for 1.1.x) + */ +#if defined(HAVE_OPENSSL) +# ifndef HAVE_X509_STORE_CTX_GET0_CERT +# define X509_STORE_CTX_get0_cert(x) ((x)->cert) +# endif +# ifndef HAVE_ASN1_STRING_GET0_DATA +# define ASN1_STRING_get0_data(x) ASN1_STRING_data(x) +# endif +# ifndef HAVE_TLS_CLIENT_METHOD +# define TLS_client_method() SSLv23_client_method() +# endif +# ifndef HAVE_TLS_SERVER_METHOD +# define TLS_server_method() SSLv23_server_method() +# endif +#endif /* HAVE_OPENSSL */ + /* * Functions "missing" from libc. * All libc replacements are prefixed with "sudo_" to avoid namespace issues. 
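Review bot: The `TLS_client_method()`/`TLS_server_method()` fallbacks expand to `SSLv23_*_method()`, which on OpenSSL 1.0.2 negotiates any version from SSLv3 upward, and this block provides no substitute for `SSL_CTX_set_min_proto_version()`, so the TLS 1.2 floor depends entirely on every caller also passing `SSL_OP_NO_SSLv2|SSL_OP_NO_SSLv3|SSL_OP_NO_TLSv1|SSL_OP_NO_TLSv1_1` to `SSL_CTX_set_options()`; that contract belongs in the header so a future caller does not pick up a version-flexible context by accident. Suggested comment above the two method defines: `/* SSLv23_*_method() accept any protocol version; callers must also disable SSLv3/TLS 1.0/1.1 via SSL_CTX_set_options(). */`. The `X509_STORE_CTX_get0_cert(x)` fallback dereferences `(x)->cert`, which only works because the struct is public in 1.0.2 and is opaque from 1.1.0 on; a one-line comment saying so would explain why the macro must never be reached on newer libraries.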
diff --git a/logsrvd/logsrvd.c b/logsrvd/logsrvd.c index 06d4a13e7..d88f3c9b1 100644 --- a/logsrvd/logsrvd.c +++ b/logsrvd/logsrvd.c @@ -1205,12 +1205,17 @@ init_tls_server_context(void) } /* audit server supports TLS ver1.2 or higher */ +#ifdef HAVE_SSL_CTX_SET_MIN_PROTO_VERSION if (!SSL_CTX_set_min_proto_version(ctx, TLS1_2_VERSION)) { sudo_debug_printf(SUDO_DEBUG_ERROR|SUDO_DEBUG_LINENO, "unable to restrict min. protocol version: %s", ERR_error_string(ERR_get_error(), NULL)); goto bad; } +#else + SSL_CTX_set_options(ctx, + SSL_OP_NO_SSLv2|SSL_OP_NO_SSLv3|SSL_OP_NO_TLSv1|SSL_OP_NO_TLSv1_1); +#endif goto good; diff --git a/logsrvd/sendlog.c b/logsrvd/sendlog.c index afbf6ad84..d9d5111bb 100644 --- a/logsrvd/sendlog.c +++ b/logsrvd/sendlog.c @@ -145,6 +145,17 @@ init_tls_client_context(const char *ca_bundle_file, const char *cert_file, const ERR_error_string(ERR_get_error(), NULL)); goto bad; } +#ifdef HAVE_SSL_CTX_SET_MIN_PROTO_VERSION + if (!SSL_CTX_set_min_proto_version(ctx, TLS1_2_VERSION)) { + sudo_debug_printf(SUDO_DEBUG_ERROR|SUDO_DEBUG_LINENO, + "unable to restrict min. protocol version: %s", + ERR_error_string(ERR_get_error(), NULL)); + goto bad; + } +#else + SSL_CTX_set_options(ctx, + SSL_OP_NO_SSLv2|SSL_OP_NO_SSLv3|SSL_OP_NO_TLSv1|SSL_OP_NO_TLSv1_1); +#endif if (cert_file) { if (!SSL_CTX_use_certificate_chain_file(ctx, cert_file)) { diff --git a/plugins/sudoers/iolog_client.c b/plugins/sudoers/iolog_client.c index 5cd341f08..e1b77d447 100644 --- a/plugins/sudoers/iolog_client.c +++ b/plugins/sudoers/iolog_client.c 
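Review bot: The `#else` branch in init_tls_server_context() applies the TLS 1.2 floor with `SSL_CTX_set_options()` and never inspects the result, so it falls straight through to `goto good`, whereas the 1.1.x branch directly above treats a failure to restrict the version as fatal. `SSL_CTX_set_options()` returns the resulting option mask, so the fallback can fail closed the same way for a server that must not accept SSLv3/TLS 1.0/1.1: `long mask = SSL_OP_NO_SSLv2|SSL_OP_NO_SSLv3|SSL_OP_NO_TLSv1|SSL_OP_NO_TLSv1_1;` then `if ((SSL_CTX_set_options(ctx, mask) & mask) != mask) goto bad;`. In practice the call does not fail, but a verified result keeps the two paths' guarantees symmetric and makes the intent visible. The body of init_tls_server_context() begins and ends outside this hunk.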
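Review bot: The eleven-line `#ifdef HAVE_SSL_CTX_SET_MIN_PROTO_VERSION` / `#else` block added to init_tls_client_context() is copied verbatim into logsrvd.c and iolog_client.c, so the protocol floor is now enforced by three independent copies of the same option mask, and a later edit that drops a flag in one copy would weaken that one component without any build-time signal. A single helper in a shared header (next to the other OpenSSL compatibility defines, for example) that wraps both branches and returns true on success would reduce each call site to `if (!sudo_tls_set_min_tls12(ctx)) { sudo_debug_printf(...); goto bad; }` and keep the mask in one place. The helper needs nothing beyond `SSL_CTX_set_min_proto_version()` on 1.1.x and `SSL_CTX_set_options()` plus the four `SSL_OP_NO_*` flags on 1.0.2, which are the same names this hunk already uses. The function init_tls_client_context() starts outside this hunk.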
@@ -286,6 +286,18 @@ tls_init(struct client_closure *closure, bool peer_auth) ERR_error_string(ERR_get_error(), NULL)); goto bad; } +#ifdef HAVE_SSL_CTX_SET_MIN_PROTO_VERSION + if (!SSL_CTX_set_min_proto_version(closure->ssl_ctx, TLS1_2_VERSION)) { + sudo_debug_printf(SUDO_DEBUG_ERROR|SUDO_DEBUG_LINENO, + "unable to restrict min. protocol version: %s", + ERR_error_string(ERR_get_error(), NULL)); + goto bad; + } +#else + SSL_CTX_set_options(closure->ssl_ctx, + SSL_OP_NO_SSLv2|SSL_OP_NO_SSLv3|SSL_OP_NO_TLSv1|SSL_OP_NO_TLSv1_1); +#endif + /* sets the location of the CA bundle file for verification purposes */ if (SSL_CTX_load_verify_locations(closure->ssl_ctx, closure->log_details->ca_bundle, NULL) <= 0) {
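Review bot: The `#else` fallback in tls_init() has no comment explaining why it exists or what it assumes, and it quietly requires `SSL_OP_NO_TLSv1_1`, which only exists from OpenSSL 1.0.1 on, so a reader cannot tell from the code that this path is the pre-1.1 substitute for `SSL_CTX_set_min_proto_version()` rather than an alternative policy. Suggested comment on the `#else` line: `/* OpenSSL < 1.1: no SSL_CTX_set_min_proto_version(); deny everything below TLS 1.2 (SSL_OP_NO_TLSv1_1 needs >= 1.0.1). */`. It is also worth stating that this is a deny-list, so any newer version a later library adds stays enabled, which is the intended floor semantics but not obvious from four negative flags. The body of tls_init() begins and ends outside this hunk.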