[ruby/openssl] ssl: use SSL_CTX_load_verify_{file,dir}() if available

SSL_CTX_load_verify_locations() is deprecated in OpenSSL 3.0 and replaced with those two separate functions. Use them if they exist. https://github.com/ruby/openssl/commit/5375a55ffc
2020-02-22 05:47:58 +09:00 · 2020-02-22 05:47:58 +09:00 · d5aa3fcae6
commit d5aa3fcae6
parent 19ef7082ba
2 changed files with 8 additions and 0 deletions
--- a/ext/openssl/extconf.rb
+++ b/ext/openssl/extconf.rb
@ -174,6 +174,7 @@ have_func("EVP_PKEY_check")
 have_func("SSL_set0_tmp_dh_pkey")
 have_func("ERR_get_error_all")
 have_func("TS_VERIFY_CTX_set_certs(NULL, NULL)", "openssl/ts.h")
+have_func("SSL_CTX_load_verify_file")

 Logging::message "=== Checking done. ===\n"

--- a/ext/openssl/ossl_ssl.c
+++ b/ext/openssl/ossl_ssl.c
@ -828,10 +828,17 @@ ossl_sslctx_setup(VALUE self)
    ca_file = NIL_P(val) ? NULL : StringValueCStr(val);
    val = rb_attr_get(self, id_i_ca_path);
    ca_path = NIL_P(val) ? NULL : StringValueCStr(val);
+#ifdef HAVE_SSL_CTX_LOAD_VERIFY_FILE
+    if (ca_file && !SSL_CTX_load_verify_file(ctx, ca_file))
+        ossl_raise(eSSLError, "SSL_CTX_load_verify_file");
+    if (ca_path && !SSL_CTX_load_verify_dir(ctx, ca_path))
+        ossl_raise(eSSLError, "SSL_CTX_load_verify_dir");
+#else
    if(ca_file || ca_path){
 	if (!SSL_CTX_load_verify_locations(ctx, ca_file, ca_path))
 	    rb_warning("can't set verify locations");
    }
+#endif

    val = rb_attr_get(self, id_i_verify_mode);
    verify_mode = NIL_P(val) ? SSL_VERIFY_NONE : NUM2INT(val);