@@ -744,7 +744,7 @@ PKG_CHECK_MODULES(

 PKG_CHECK_MODULES(

 	[OPENSSL_CRYPTO],

-	[libcrypto >= 0.9.6],

+	[libcrypto >= 0.9.8],

 	[have_openssl_crypto="yes"],

 	[AC_CHECK_LIB(

 		[crypto],

@@ -758,7 +758,7 @@ PKG_CHECK_MODULES(

 PKG_CHECK_MODULES(

 	[OPENSSL_SSL],

-	[libssl >= 0.9.6],

+	[libssl >= 0.9.8],

 	[have_openssl_ssl="yes"],

 	[AC_CHECK_LIB(

 		[ssl],

@@ -57,33 +57,6 @@

 #warning Some OpenSSL HMAC message digests now support key lengths greater than MAX_HMAC_KEY_LENGTH -- consider increasing MAX_HMAC_KEY_LENGTH

 #endif

-/*

- *

- * Workarounds for incompatibilites between OpenSSL libraries.

- * Right now we accept OpenSSL libraries from 0.9.5 to 0.9.7.

- *

- */

-

-#if SSLEAY_VERSION_NUMBER < 0x00907000L

-

-/* Workaround: EVP_CIPHER_mode is defined wrong in OpenSSL 0.9.6 but is fixed in 0.9.7 */

-#undef EVP_CIPHER_mode

-#define EVP_CIPHER_mode(e)                (((e)->flags) & EVP_CIPH_MODE)

-

-#define DES_cblock                        des_cblock

-#define DES_is_weak_key                   des_is_weak_key

-#define DES_check_key_parity              des_check_key_parity

-#define DES_set_odd_parity                des_set_odd_parity

-

-#define HMAC_CTX_init(ctx)                CLEAR (*ctx)

-#define HMAC_Init_ex(ctx,sec,len,md,impl) HMAC_Init(ctx, sec, len, md)

-#define HMAC_CTX_cleanup(ctx)             HMAC_cleanup(ctx)

-#define EVP_MD_CTX_cleanup(md)            CLEAR (*md)

-

-#define INFO_CALLBACK_SSL_CONST

-

-#endif

-

 static inline int

 EVP_CipherInit_ov (EVP_CIPHER_CTX *ctx, const EVP_CIPHER *type, uint8_t *key, uint8_t *iv, int enc)

 {

@@ -567,12 +567,7 @@ static const char usage_message[] =

   "                  root certificate.\n"

 #ifndef ENABLE_CRYPTO_POLARSSL

   "--capath dir    : A directory of trusted certificates (CAs"

-#if OPENSSL_VERSION_NUMBER >= 0x00907000L

   " and CRLs).\n"

-#else /* OPENSSL_VERSION_NUMBER >= 0x00907000L */

-  ").\n"

-  "                  WARNING: no support of CRL available with this version.\n"

-#endif /* OPENSSL_VERSION_NUMBER >= 0x00907000L */

 #endif /* ENABLE_CRYPTO_POLARSSL */

   "--dh file       : File containing Diffie Hellman parameters\n"

   "                  in .pem format (for --tls-server only).\n"

@@ -635,7 +630,6 @@ static const char usage_message[] =

   "--x509-track x  : Save peer X509 attribute x in environment for use by\n"

   "                  plugins and management interface.\n"

 #endif

-#if OPENSSL_VERSION_NUMBER >= 0x00907000L || ENABLE_CRYPTO_POLARSSL

   "--remote-cert-ku v ... : Require that the peer certificate was signed with\n"

   "                  explicit key usage, you can specify more than one value.\n"

   "                  value should be given in hex format.\n"

@@ -645,7 +639,6 @@ static const char usage_message[] =

   "--remote-cert-tls t: Require that peer certificate was signed with explicit\n"

   "                  key usage and extended key usage based on RFC3280 TLS rules.\n"

   "                  t = 'client' | 'server'.\n"

-#endif				/* OPENSSL_VERSION_NUMBER || ENABLE_CRYPTO_POLARSSL */

 #endif				/* ENABLE_SSL */

 #ifdef ENABLE_PKCS11

   "\n"

@@ -6780,7 +6773,6 @@ add_option (struct options *options,

 	  goto err;

 	}

     }

-#if OPENSSL_VERSION_NUMBER >= 0x00907000L || ENABLE_CRYPTO_POLARSSL

   else if (streq (p[0], "remote-cert-ku"))

     {

       int j;

@@ -6818,7 +6810,6 @@ add_option (struct options *options,

 	  goto err;

 	}

     }

-#endif	/* OPENSSL_VERSION_NUMBER */

   else if (streq (p[0], "tls-timeout") && p[1])

     {

       VERIFY_PERMISSION (OPT_P_TLS_PARMS);

@@ -848,11 +848,7 @@ tls_ctx_load_ca (struct tls_root_ctx *ctx, const char *ca_file,

         msg(M_WARN, "WARNING: experimental option --capath %s", ca_path);

       else

         msg(M_SSLERR, "Cannot add lookup at --capath %s", ca_path);

-#if OPENSSL_VERSION_NUMBER >= 0x00907000L

       X509_STORE_set_flags (store, X509_V_FLAG_CRL_CHECK | X509_V_FLAG_CRL_CHECK_ALL);

-#else

-      msg(M_WARN, "WARNING: this version of OpenSSL cannot handle CRL files in capath");

-#endif

     }

 }

@@ -337,8 +337,6 @@ verify_peer_cert(const struct tls_options *opt, openvpn_x509_cert_t *peer_cert,

 	}

     }

-#if OPENSSL_VERSION_NUMBER >= 0x00907000L || ENABLE_CRYPTO_POLARSSL

-

   /* verify certificate ku */

   if (opt->remote_cert_ku[0] != 0)

     {

@@ -367,8 +365,6 @@ verify_peer_cert(const struct tls_options *opt, openvpn_x509_cert_t *peer_cert,

 	}

     }

-#endif /* OPENSSL_VERSION_NUMBER */

-

   /* verify X509 name or username against --verify-x509-[user]name */

   if (opt->verify_x509_type != VERIFY_X509_NONE)

     {

@@ -189,8 +189,6 @@ void x509_setenv_track (const struct x509_track *xt, struct env_set *es,

  */

 result_t x509_verify_ns_cert_type(const openvpn_x509_cert_t *cert, const int usage);

-#if OPENSSL_VERSION_NUMBER >= 0x00907000L || ENABLE_CRYPTO_POLARSSL

-

 /*

  * Verify X.509 key usage extension field.

  *

@@ -219,8 +217,6 @@ result_t x509_verify_cert_ku (openvpn_x509_cert_t *x509, const unsigned * const

  */

 result_t x509_verify_cert_eku (openvpn_x509_cert_t *x509, const char * const expected_oid);

-#endif

-

 /*

  * Store the given certificate in pem format in a temporary file in tmp_dir

  *

@@ -459,8 +459,6 @@ x509_verify_ns_cert_type(const openvpn_x509_cert_t *peer_cert, const int usage)

   return FAILURE;

 }

-#if OPENSSL_VERSION_NUMBER >= 0x00907000L

-

 result_t

 x509_verify_cert_ku (X509 *x509, const unsigned * const expected_ku,

     int expected_len)

@@ -566,8 +564,6 @@ x509_write_pem(FILE *peercert_file, X509 *peercert)

   return SUCCESS;

 }

-#endif /* OPENSSL_VERSION_NUMBER */

-

 /*

  * check peer cert against CRL

  */