Don't use deprecated openssl functions.

lib/net_mosq.c

@@ -458,27 +458,33 @@ static int net__init_ssl_ctx(struct mosquitto *mosq)
  }
 
  if(mosq->tls_cafile || mosq->tls_capath || mosq->tls_psk){
+#if OPENSSL_VERSION_NUMBER < 0x10100000L
+ mosq->ssl_ctx = SSL_CTX_new(SSLv23_client_method());
+#else
+ mosq->ssl_ctx = SSL_CTX_new(TLS_client_method());
+#endif
+
+ if(!mosq->ssl_ctx){
+ log__printf(mosq, MOSQ_LOG_ERR, "Error: Unable to create TLS context.");
+ COMPAT_CLOSE(mosq->sock);
+ net__print_ssl_error(mosq);
+ return MOSQ_ERR_TLS;
+ }
+
  if(!mosq->tls_version){
- mosq->ssl_ctx = SSL_CTX_new(SSLv23_client_method());
+ SSL_CTX_set_options(mosq->ssl_ctx, SSL_OP_NO_SSLv3);
  }else if(!strcmp(mosq->tls_version, "tlsv1.2")){
- mosq->ssl_ctx = SSL_CTX_new(TLSv1_2_client_method());
+ SSL_CTX_set_options(mosq->ssl_ctx, SSL_OP_NO_SSLv3 | SSL_OP_NO_TLSv1_1 | SSL_OP_NO_TLSv1);
  }else if(!strcmp(mosq->tls_version, "tlsv1.1")){
- mosq->ssl_ctx = SSL_CTX_new(TLSv1_1_client_method());
+ SSL_CTX_set_options(mosq->ssl_ctx, SSL_OP_NO_SSLv3 | SSL_OP_NO_TLSv1_2 | SSL_OP_NO_TLSv1);
  }else if(!strcmp(mosq->tls_version, "tlsv1")){
- mosq->ssl_ctx = SSL_CTX_new(TLSv1_client_method());
+ SSL_CTX_set_options(mosq->ssl_ctx, SSL_OP_NO_SSLv3 | SSL_OP_NO_TLSv1_2 | SSL_OP_NO_TLSv1_1);
  }else{
  log__printf(mosq, MOSQ_LOG_ERR, "Error: Protocol %s not supported.", mosq->tls_version);
  COMPAT_CLOSE(mosq->sock);
  return MOSQ_ERR_INVAL;
  }
 
- if(!mosq->ssl_ctx){
- log__printf(mosq, MOSQ_LOG_ERR, "Error: Unable to create TLS context.");
- COMPAT_CLOSE(mosq->sock);
- net__print_ssl_error(mosq);
- return MOSQ_ERR_TLS;
- }
-
  /* Disable compression */
  SSL_CTX_set_options(mosq->ssl_ctx, SSL_OP_NO_COMPRESSION);
 

lib/tls_mosq.c

@@ -135,14 +135,22 @@ int mosquitto__verify_certificate_hostname(X509 *cert, const char *hostname)
  for(i=0; i<sk_GENERAL_NAME_num(san); i++){
  nval = sk_GENERAL_NAME_value(san, i);
  if(nval->type == GEN_DNS){
+#if OPENSSL_VERSION_NUMBER < 0x10100000L
  data = ASN1_STRING_data(nval->d.dNSName);
+#else
+ data = ASN1_STRING_get0_data(nval->d.dNSName);
+#endif
  if(data && !mosquitto__cmp_hostname_wildcard((char *)data, hostname)){
  sk_GENERAL_NAME_pop_free(san, GENERAL_NAME_free);
  return 1;
  }
  have_san_dns = true;
  }else if(nval->type == GEN_IPADD){
+#if OPENSSL_VERSION_NUMBER < 0x10100000L
  data = ASN1_STRING_data(nval->d.iPAddress);
+#else
+ data = ASN1_STRING_get0_data(nval->d.iPAddress);
+#endif
  if(nval->d.iPAddress->length == 4 && ipv4_ok){
  if(!memcmp(ipv4_addr, data, 4)){
  sk_GENERAL_NAME_pop_free(san, GENERAL_NAME_free);

src/mosquitto.c

@@ -18,7 +18,7 @@ and the Eclipse Distribution License is available at
 
 #ifndef WIN32
 /* For initgroups() */
-# define _BSD_SOURCE
+# define _DEFAULT_SOURCE
 # include <unistd.h>
 # include <grp.h>
 # include <assert.h>

src/mosquitto_passwd.c

@@ -15,7 +15,7 @@ and the Eclipse Distribution License is available at
 */
 
 #define _POSIX_C_SOURCE 200809L
-#define _BSD_SOURCE
+#define _DEFAULT_SOURCE
 
 #include <errno.h>
 #include <openssl/evp.h>

src/net.c

@@ -263,35 +263,39 @@ static unsigned int psk_server_callback(SSL *ssl, const char *identity, unsigned
 #ifdef WITH_TLS
 static int mosquitto__tls_server_ctx(struct mosquitto__listener *listener)
 {
- int ssl_options = 0;
  char buf[256];
  int rc;
 
+
+#if OPENSSL_VERSION_NUMBER < 0x10100000L
+ listener->ssl_ctx = SSL_CTX_new(SSLv23_client_method());
+#else
+ listener->ssl_ctx = SSL_CTX_new(TLS_client_method());
+#endif
+
+ if(!listener->ssl_ctx){
+ log__printf(NULL, MOSQ_LOG_ERR, "Error: Unable to create TLS context.");
+ return 1;
+ }
+
  if(listener->tls_version == NULL){
- listener->ssl_ctx = SSL_CTX_new(SSLv23_server_method());
+ SSL_CTX_set_options(listener->ssl_ctx, SSL_OP_NO_SSLv3);
  }else if(!strcmp(listener->tls_version, "tlsv1.2")){
- listener->ssl_ctx = SSL_CTX_new(TLSv1_2_server_method());
+ SSL_CTX_set_options(listener->ssl_ctx, SSL_OP_NO_SSLv3 | SSL_OP_NO_TLSv1_1 | SSL_OP_NO_TLSv1);
  }else if(!strcmp(listener->tls_version, "tlsv1.1")){
- listener->ssl_ctx = SSL_CTX_new(TLSv1_1_server_method());
+ SSL_CTX_set_options(listener->ssl_ctx, SSL_OP_NO_SSLv3 | SSL_OP_NO_TLSv1_2 | SSL_OP_NO_TLSv1);
  }else if(!strcmp(listener->tls_version, "tlsv1")){
- listener->ssl_ctx = SSL_CTX_new(TLSv1_server_method());
- }
- if(!listener->ssl_ctx){
- log__printf(NULL, MOSQ_LOG_ERR, "Error: Unable to create TLS context.");
- return 1;
+ SSL_CTX_set_options(listener->ssl_ctx, SSL_OP_NO_SSLv3 | SSL_OP_NO_TLSv1_2 | SSL_OP_NO_TLSv1_1);
  }
 
- /* Don't accept SSLv2 or SSLv3 */
- ssl_options = SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3;
 #ifdef SSL_OP_NO_COMPRESSION
  /* Disable compression */
- ssl_options |= SSL_OP_NO_COMPRESSION;
+ SSL_CTX_set_options(listener->ssl_ctx, SSL_OP_NO_COMPRESSION);
 #endif
 #ifdef SSL_OP_CIPHER_SERVER_PREFERENCE
  /* Server chooses cipher */
- ssl_options |= SSL_OP_CIPHER_SERVER_PREFERENCE;
+ SSL_CTX_set_options(listener->ssl_ctx, SSL_OP_CIPHER_SERVER_PREFERENCE);
 #endif
- SSL_CTX_set_options(listener->ssl_ctx, ssl_options);
 
 #ifdef SSL_MODE_RELEASE_BUFFERS
  /* Use even less memory per SSL connection. */

src/signals.c

@@ -18,8 +18,6 @@ and the Eclipse Distribution License is available at
 #include "config.h"
 
 #ifndef WIN32
-/* For initgroups() */
-# define _BSD_SOURCE
 # include <unistd.h>
 # include <grp.h>
 # include <assert.h>