MINOR: ssl: cleanup old openssl API call

For generate-certificates, X509V3_EXT_conf is used but it's an old API call: X509V3_EXT_nconf must be preferred. Openssl compatibility is ok because it's inside #ifdef SSL_CTRL_SET_TLSEXT_HOSTNAME, introduce 5 years after X509V3_EXT_nconf.
2025-01-20 20:50:44 +00:00 · 2018-10-01 18:41:36 +02:00 · 2018-10-01 18:41:36 +02:00 · a9b84028e6
commit a9b84028e6
parent d3ff20f0ae
1 changed files with 4 additions and 1 deletions
--- a/src/ssl_sock.c
+++ b/src/ssl_sock.c
@ -1670,6 +1670,7 @@ ssl_sock_do_create_cert(const char *servername, struct bind_conf *bind_conf, SSL
 	X509         *newcrt  = NULL;
 	EVP_PKEY     *pkey    = NULL;
 	SSL          *tmp_ssl = NULL;
+	CONF         *ctmp    = NULL;
 	X509_NAME    *name;
 	const EVP_MD *digest;
 	X509V3_CTX    ctx;
@ -1727,11 +1728,12 @@ ssl_sock_do_create_cert(const char *servername, struct bind_conf *bind_conf, SSL
 	X509_NAME_free(name);

 	/* Add x509v3 extensions as specified */
+	ctmp = NCONF_new(NULL);
 	X509V3_set_ctx(&ctx, cacert, newcrt, NULL, NULL, 0);
 	for (i = 0; i < X509V3_EXT_SIZE; i++) {
 		X509_EXTENSION *ext;

-		if (!(ext = X509V3_EXT_conf(NULL, &ctx, x509v3_ext_names[i], x509v3_ext_values[i])))
+		if (!(ext = X509V3_EXT_nconf(ctmp, &ctx, x509v3_ext_names[i], x509v3_ext_values[i])))
 			goto mkcert_error;
 		if (!X509_add_ext(newcrt, ext, -1)) {
 			X509_EXTENSION_free(ext);
@ -1799,6 +1801,7 @@ ssl_sock_do_create_cert(const char *servername, struct bind_conf *bind_conf, SSL
 	return ssl_ctx;

 mkcert_error:
+	if (ctmp) NCONF_free(ctmp);
 	if (tmp_ssl) SSL_free(tmp_ssl);
 	if (ssl_ctx) SSL_CTX_free(ssl_ctx);
 	if (newcrt)  X509_free(newcrt);