Check-in [4aedc3e201]
Overview
Comment:Fixed check for SSL_set_tlsext_host_name and added support for forcing options that were manually specified
SHA1: 4aedc3e20115c4287c0496bd527872218b1eb010
User & Date: rkeene on 2016-12-07 16:20:16
Context
2016-12-07
16:20
Updated from latest remote tcl.m4 check-in: 7231dd89c8 user: rkeene tags: tls-1-7
16:20
Fixed check for SSL_set_tlsext_host_name and added support for forcing options that were manually specified check-in: 4aedc3e201 user: rkeene tags: tls-1-7
15:34
More specific check for non-BIO failures check-in: e10ce6579d user: rkeene tags: tls-1-7
Changes

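--- a/aclocal/tcltls_openssl.m4
+++ b/aclocal/tcltls_openssl.m4
@@ -1,7 +1,29 @@
+dnl $1 = Name of variable
+dnl $2 = Name of function to check for
+dnl $3 = Name of protocol
+dnl $4 = Name of CPP macro to define
+AC_DEFUN([TCLTLS_SSL_OPENSSL_CHECK_PROTO_VER], [
+	dnl Determine if particular SSL version is enabled
+	if test "[$]$1" = "true" -o "[$]$1" = "force"; then
+		AC_CHECK_FUNC($2,, [
+			if test "[$]$1" = "force"; then
+				AC_MSG_ERROR([Unable to enable $3])
+			fi
+
+			$1='false'
+		])
+	fi
+
+	if test "[$]$1" = "false" -o "[$]$1" = "force_off"; then
+		AC_DEFINE($4, [1], [Define this to disable $3 in OpenSSL support])
+	fi
+
+])
+
 AC_DEFUN([TCLTLS_SSL_OPENSSL], [
 	openssldir=''
 	AC_ARG_WITH([ssl-dir],
 		AS_HELP_STRING(
 			[--with-ssl-dir=<dir>],
 			[deprecated, use --with-openssl-dir -- currently has the same meaning]
 		), [
@@ -68,79 +90,46 @@
 		AC_MSG_RESULT([yes])
 	], [
 		AC_MSG_RESULT([no])
 		AC_MSG_ERROR([Unable to compile a basic program using OpenSSL])
 	])
 	AC_LANG_POP([C])
 
-	dnl Determine if SSLv2 is supported
-	if test "$tcltls_ssl_ssl2" = "true"; then
+	TCLTLS_SSL_OPENSSL_CHECK_PROTO_VER([tcltls_ssl_ssl2], [SSLv2_method], [sslv2], [NO_SSL2])
-		AC_CHECK_FUNC(SSLv2_method,, [
-			tcltls_ssl_ssl2='false'
+	TCLTLS_SSL_OPENSSL_CHECK_PROTO_VER([tcltls_ssl_ssl3], [SSLv3_method], [sslv3], [NO_SSL3])
-		])
-	fi
-
+	TCLTLS_SSL_OPENSSL_CHECK_PROTO_VER([tcltls_ssl_tls1_0], [TLSv1_method], [tlsv1.0], [NO_TLS1])
-	if test "$tcltls_ssl_ssl2" = "false"; then
-		AC_DEFINE(NO_SSL2, [1], [Define this to disable SSLv2 in OpenSSL support])
-	fi
-
+	TCLTLS_SSL_OPENSSL_CHECK_PROTO_VER([tcltls_ssl_tls1_1], [TLSv1_1_method], [tlsv1.1], [NO_TLS1_1])
-	dnl Determine if SSLv3 is supported
-	if test "$tcltls_ssl_ssl3" = "true"; then
-		AC_CHECK_FUNC(SSLv3_method,, [
-			tcltls_ssl_ssl3='false'
+	TCLTLS_SSL_OPENSSL_CHECK_PROTO_VER([tcltls_ssl_tls1_2], [TLSv1_2_method], [tlsv1.2], [NO_TLS1_2])
-		])
-	fi
 
-	if test "$tcltls_ssl_ssl3" = "false"; then
+	AC_CACHE_VAL([tcltls_cv_func_tlsext_hostname], [
-		AC_DEFINE(NO_SSL3, [1], [Define this to disable SSLv3 in OpenSSL support])
-	fi
-
+		AC_LANG_PUSH(C)
-	dnl Determine if TLSv1.0 is supported
-	if test "$tcltls_ssl_tls1_0" = "true"; then
-		AC_CHECK_FUNC(TLSv1_method,, [
-			tcltls_ssl_tls1_0='false'
-		])
-	fi
-
+		AC_MSG_CHECKING([for SSL_set_tlsext_host_name])
-	if test "$tcltls_ssl_tls1_0" = "false"; then
-		AC_DEFINE(NO_TLS1, [1], [Define this to disable TLSv1.0 in OpenSSL support])
-	fi
-
+		AC_LINK_IFELSE([AC_LANG_PROGRAM([
-	dnl Determine if TLSv1.1 is supported
-	if test "$tcltls_ssl_tls1_1" = "true"; then
-		AC_CHECK_FUNC(TLSv1_1_method,, [
-			tcltls_ssl_tls1_1='false'
-		])
-	fi
-
+#include <openssl/ssl.h>
-	if test "$tcltls_ssl_tls1_1" = "false"; then
-		AC_DEFINE(NO_TLS1_1, [1], [Define this to disable TLSv1.1 in OpenSSL support])
-	fi
-
+#if (SSLEAY_VERSION_NUMBER >= 0x0907000L)
-	dnl Determine if TLSv1.2 is supported
-	if test "$tcltls_ssl_tls1_2" = "true"; then
-		AC_CHECK_FUNC(TLSv1_2_method,, [
-			tcltls_ssl_tls1_2='false'
-		])
-	fi
-
+# include <openssl/conf.h>
-	if test "$tcltls_ssl_tls1_2" = "false"; then
-		AC_DEFINE(NO_TLS1_2, [1], [Define this to disable TLSv1.2 in OpenSSL support])
-	fi
-
+#endif
+			], [
-	AC_CACHE_VAL([tcltls_cv_func_tlsext_hostname], [
-		AC_CHECK_FUNC(SSL_set_tlsext_host_name, [
+  (void)SSL_set_tlsext_host_name((void *) 0, (void *) 0);
+			])], [
+			AC_MSG_RESULT([yes])
 			tcltls_cv_func_tlsext_hostname='yes'
-		], [
 			tcltls_cv_func_tlsext_hostname='no'
+		], [
+			AC_MSG_RESULT([no])
 		])
+		AC_LANG_POP([C])
+
+dnl		AC_CHECK_FUNC(SSL_set_tlsext_host_name, [
+dnl		], [
+dnl		])
 	])
 
 	if test "$tcltls_cv_func_tlsext_hostname" = 'no'; then
 		AC_DEFINE([OPENSSL_NO_TLSEXT], [1], [Define this if your OpenSSL does not support the TLS Extension for SNI])
 	fi
 
 	dnl Restore compile-altering variables
 	LIBS="${SAVE_LIBS}"
 	CFLAGS="${SAVE_CFLAGS}"
 	CPPFLAGS="${SAVE_CPPFLAGS}"
 ])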
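Review bot: In the rewritten `SSL_set_tlsext_host_name` probe, the success branch of `AC_LINK_IFELSE` now holds both `tcltls_cv_func_tlsext_hostname='yes'` and `tcltls_cv_func_tlsext_hostname='no'` (new lines 115-116), because the `], [` separator was re-added below the `='no'` assignment instead of above it. As shown, a successful link leaves the cache variable at `no`, so `OPENSSL_NO_TLSEXT` gets defined (presumably compiling out SNI) even when OpenSSL supports it, while a failed link leaves the variable unset and the macro undefined. The tail of the check should read `], [` then `AC_MSG_RESULT([no])` then `tcltls_cv_func_tlsext_hostname='no'`, with no `='no'` line in the success branch. Separately, `AC_MSG_CHECKING` sits inside `AC_CACHE_VAL`, so a run with a cached value prints neither the check nor its result; `AC_CACHE_CHECK` would print both.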

Modified configure.in from [ae6ebb71ab] to [03168d0f5d].

59
60
61
62
63
64
65
66

67
68
69
70
71
72
73
74

75
76
77
78
79
80
81
82

83
84
85
86
87
88
89
90

91
92
93
94
95
96
97
98

99
100
101
102
103
104
105
59
60
61
62
63
64
65

66
67
68
69
70
71
72
73

74
75
76
77
78
79
80
81

82
83
84
85
86
87
88
89

90
91
92
93
94
95
96
97

98
99
100
101
102
103
104
105







-
+







-
+







-
+







-
+







-
+







AC_SUBST(GEN_DH_PARAMS_ARGS)

dnl Allow the user to manually disable protocols
dnl ## SSLv2: Disabled by default
tcltls_ssl_ssl2='false'
AC_ARG_ENABLE([sslv2], AS_HELP_STRING([--enable-sslv2], [enable SSLv2 protocol]), [
	if test "$enableval" = "yes"; then
		tcltls_ssl_ssl2='true'
		tcltls_ssl_ssl2='force'
	fi
])

dnl ## SSLv3: Disabled by default
tcltls_ssl_ssl3='false'
AC_ARG_ENABLE([sslv3], AS_HELP_STRING([--enable-sslv3], [enable SSLv3 protocol]), [
	if test "$enableval" = "yes"; then
		tcltls_ssl_ssl3='true'
		tcltls_ssl_ssl3='force'
	fi
])

dnl ## TLSv1.0: Enabled by default
tcltls_ssl_tls1_0='true'
AC_ARG_ENABLE([tlsv1.0], AS_HELP_STRING([--disable-tlsv1.0], [disable TLSv1.0 protocol]), [
	if test "$enableval" = "no"; then
		tcltls_ssl_tls1_0='false'
		tcltls_ssl_tls1_0='force_off'
	fi
])

dnl ## TLSv1.1: Enabled by default
tcltls_ssl_tls1_1='true'
AC_ARG_ENABLE([tlsv1.1], AS_HELP_STRING([--disable-tlsv1.1], [disable TLSv1.1 protocol]), [
	if test "$enableval" = "no"; then
		tcltls_ssl_tls1_1='false'
		tcltls_ssl_tls1_1='force_off'
	fi
])

dnl ## TLSv1.1: Enabled by default
tcltls_ssl_tls1_2='true'
AC_ARG_ENABLE([tlsv1.2], AS_HELP_STRING([--disable-tlsv1.2], [disable TLSv1.2 protocol]), [
	if test "$enableval" = "no"; then
		tcltls_ssl_tls1_2='false'
		tcltls_ssl_tls1_2='force_off'
	fi
])

dnl Enable support for a debugging build
tcltls_debug='false'
AC_ARG_ENABLE([debug], AS_HELP_STRING([--enable-debug], [enable debugging parameters]), [
	if test "$enableval" = "yes"; then