Browse code
OpenSSL: check for the SSL reason, not the full error
OpenSSL 1.1 changed the SSLv3 API and removed many SSL_L_SSL3_*
constants. Moreover, new code might use different function
code for the same error.
Thus, we extract the error reason from the error code before
we compare it instead of trying to rebuild an error code
that might not be correct.
The new version is compatible with OpenSSL 1.0.x as well as
with older versions (starting at 0.9.8).
Signed-off-by: Emmanuel Deloget <logout@free.fr>
Acked-by: Steffan Karger <steffan.karger@fox-it.com>
Message-Id: <0e0d4a67192b563cd07d3f06685f85e34c304142.1487368114.git.logout@free.fr>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg14087.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
Emmanuel Deloget authored on 2017/02/18 07:00:53Showing 1 changed files
| ... | ... |
@@ -193,8 +193,7 @@ crypto_print_openssl_errors(const unsigned int flags) |
| 193 | 193 |
while ((err = ERR_get_error())) |
| 194 | 194 |
{
|
| 195 | 195 |
/* Be more clear about frequently occurring "no shared cipher" error */ |
| 196 |
- if (err == ERR_PACK(ERR_LIB_SSL,SSL_F_SSL3_GET_CLIENT_HELLO, |
|
| 197 |
- SSL_R_NO_SHARED_CIPHER)) |
|
| 196 |
+ if (ERR_GET_REASON(err) == SSL_R_NO_SHARED_CIPHER) |
|
| 198 | 197 |
{
|
| 199 | 198 |
msg(D_CRYPT_ERRORS, "TLS error: The server has no TLS ciphersuites " |
| 200 | 199 |
"in common with the client. Your --tls-cipher setting might be " |