OpenSSL 1.1 doesn't have ssl-v23-method any more. Closes cl-plus-ssl#34.

In cooperation with Philipp Marek, https://github.com/phmarek.
svspire · Dec 5, 2019 · 20559ac · 20559ac
1 parent 48dbf82
commit 20559ac
Show file tree

Hide file tree

Showing 4 changed files with 17 additions and 9 deletions.
diff --git a/index.html b/index.html
@@ -100,7 +100,7 @@ <h3>Download</h3>
 
     <h3>API</h3>
     <p>
-      <div class="def">Function CL+SSL:ENSURE-INITIALIZED (&amp;key (method 'ssl-v23-method) (rand-seed nil))</div>
+      <div class="def">Function CL+SSL:ENSURE-INITIALIZED (&amp;key method (rand-seed nil))</div>
       In most cases you <strong>do not</strong> need to call this function, because it is called
       automatically. The only reason to call it explicitly is to supply the <tt>rand-seed</tt> parameter.
       In this case do it before calling any other functions.
@@ -124,7 +124,7 @@ <h3>API</h3>
       usually returns predictable values.
     </p>
     <p>
-      <pre class="def" style="font-family:normal;">Function CL+SSL:MAKE-CONTEXT (&amp;key (method (ssl-v23-method))
+      <pre class="def" style="font-family:normal;">Function CL+SSL:MAKE-CONTEXT (&amp;key method)
                                                                                (disabled-protocols)
                                                                                (options (list +SSL-OP-ALL+))
                                                                                (session-cache-mode +ssl-sess-cache-server+)
@@ -150,7 +150,7 @@ <h3>API</h3>
       Keyword arguments:
     </p>
     <p>
-      <tt>method</tt>. Specifies which supported SSL/TLS to use. Defaults to ssl-v23-method
+      <tt>method</tt>. Specifies which supported SSL/TLS to use. If not specified then TLS_method is used on OpenSSL versions supporing it (on legacy versions SSLv23_method is used).
     </p>
     <p>
       <tt>disabled-protocols</tt>. List of +SSL-OP-NO-* constants. Denotes disabled SSL/TLS versions.

diff --git a/src/context.lisp b/src/context.lisp
@@ -96,7 +96,7 @@
                                 (unless disabled-protocols
                                   (setf disabled-protocols
                                         (list +SSL-OP-NO-SSLv2+ +SSL-OP-NO-SSLv3+)))
-                                (ssl-v23-method))))))
+                                (funcall (default-ssl-method)))))))
     (when (cffi:null-pointer-p ctx)
       (error 'ssl-error-initialize :reason "Can't create new SSL CTX" :queue (read-ssl-error-queue)))
     (handler-bind ((error (lambda (_)

diff --git a/src/ffi.lisp b/src/ffi.lisp
@@ -218,6 +218,9 @@ Note: the _really_ old formats (<= 0.9.4) are not supported."
     ssl-method)
 (define-ssl-function ("TLSv1_2_method" ssl-TLSv1-2-method)
     ssl-method)
+;; @since 1.1.0
+(define-ssl-function ("TLS_method" tls-method)
+    ssl-method)
 
 (define-ssl-function ("SSL_CTX_new" ssl-ctx-new)
     ssl-ctx
@@ -787,7 +790,12 @@ will use this value.")
 Use the (MAKE-SSL-CLIENT-STREAM .. :VERIFY ?) to enable/disable verification.
 MAKE-CONTEXT also allows to enab/disable verification.")
 
-(defun initialize (&key (method 'ssl-v23-method) rand-seed)
+(defun default-ssl-method ()
+  (if (openssl-is-at-least 1 1)
+      'tls-method
+      'ssl-v23-method))
+
+(defun initialize (&key method rand-seed)
   (setf *locks* (loop
        repeat (crypto-num-locks)
        collect (bt:make-lock)))
@@ -799,7 +807,7 @@ MAKE-CONTEXT also allows to enab/disable verification.")
   (when rand-seed
     (init-prng rand-seed))
   (setf *ssl-check-verify-p* :unspecified)
-  (setf *ssl-global-method* (funcall method))
+  (setf *ssl-global-method* (funcall (or method (default-ssl-method))))
   (setf *ssl-global-context* (ssl-ctx-new *ssl-global-method*))
   (unless (eql 1 (ssl-ctx-set-default-verify-paths *ssl-global-context*))
     (error "ssl-ctx-set-default-verify-paths failed."))
@@ -809,7 +817,7 @@ MAKE-CONTEXT also allows to enab/disable verification.")
   (ssl-ctx-set-tmp-rsa-callback *ssl-global-context*
                                 (cffi:callback tmp-rsa-callback)))
 
-(defun ensure-initialized (&key (method 'ssl-v23-method) (rand-seed nil))
+(defun ensure-initialized (&key method (rand-seed nil))
   "In most cases you do *not* need to call this function, because it
 is called automatically by all other functions. The only reason to
 call it explicitly is to supply the RAND-SEED parameter. In this case

diff --git a/src/streams.lisp b/src/streams.lisp
@@ -382,7 +382,7 @@ Change this variable if you want the previous behaviour.")
 
 ;; fixme: free the context when errors happen in this function
 (defun make-ssl-client-stream
-    (socket &key certificate key password (method 'ssl-v23-method) external-format
+    (socket &key certificate key password method external-format
               close-callback (unwrap-stream-p t)
               (cipher-list *default-cipher-list*)
               (verify (if (ssl-check-verify-p)
@@ -424,7 +424,7 @@ hostname verification if verification is enabled by VERIFY."
 
 ;; fixme: free the context when errors happen in this function
 (defun make-ssl-server-stream
-    (socket &key certificate key password (method 'ssl-v23-method) external-format
+    (socket &key certificate key password method external-format
                  close-callback (unwrap-stream-p t)
                  (cipher-list *default-cipher-list*))
   "Returns an SSL stream for the server socket descriptor SOCKET.