rel 4

[packages/cherokee.git] / openssl.patch

commit 219b03891818f015317d60135e46307974794a82
Author: Stefan de Konink <stefan@konink.de>
Date:   Fri Oct 17 19:20:36 2014 +0200

    Disable SSLv3 by default.
    
    http://googleonlinesecurity.blogspot.nl/2014/10/this-poodle-bites-exploiting-ssl-30.html

diff --git a/admin/PageAdvanced.py b/admin/PageAdvanced.py
index 9d6a1420..21a9d0c9 100644
--- a/admin/PageAdvanced.py
+++ b/admin/PageAdvanced.py
@@ -96,7 +96,7 @@ NOTE_DH2048       = N_('Path to a Diffie Hellman (DH) parameters PEM file: 2048
 NOTE_DH4096       = N_('Path to a Diffie Hellman (DH) parameters PEM file: 4096 bits.')
 NOTE_TLS_TIMEOUT  = N_('Timeout for the TLS/SSL handshake. Default: 15 seconds.')
 NOTE_TLS_SSLv2    = N_('Allow clients to use SSL version 2 - Beware: it is vulnerable. (Default: No)')
-NOTE_TLS_SSLv3    = N_('Allow clients to use SSL version 3 (Default: Yes)')
+NOTE_TLS_SSLv3    = N_('Allow clients to use SSL version 3 - Beware: it is vulnerable. (Default: No)')
 NOTE_TLS_TLSv1    = N_('Allow clients to use TLS version 1 (Default: Yes)')
 NOTE_TLS_TLSv1_1  = N_('Allow clients to use TLS version 1.1 (Default: Yes)')
 NOTE_TLS_TLSv1_2  = N_('Allow clients to use TLS version 1.2 (Default: Yes)')
@@ -181,7 +181,7 @@ class TLSWidget (CTK.Container):
 
         table = CTK.PropsAuto(URL_APPLY)
         table.Add (_('SSL version 2'),            CTK.CheckCfgText('server!tls!protocol!SSLv2',  False, _("Allow")), _(NOTE_TLS_SSLv2))
-        table.Add (_('SSL version 3'),            CTK.CheckCfgText('server!tls!protocol!SSLv3',   True, _("Allow")), _(NOTE_TLS_SSLv3))
+        table.Add (_('SSL version 3'),            CTK.CheckCfgText('server!tls!protocol!SSLv3',  False, _("Allow")), _(NOTE_TLS_SSLv3))
         table.Add (_('TLS version 1'),            CTK.CheckCfgText('server!tls!protocol!TLSv1',   True, _("Allow")), _(NOTE_TLS_TLSv1))
         table.Add (_('TLS version 1.1'),          CTK.CheckCfgText('server!tls!protocol!TLSv1_1', True, _("Allow")), _(NOTE_TLS_TLSv1_1))
         table.Add (_('TLS version 1.2'),          CTK.CheckCfgText('server!tls!protocol!TLSv1_2', True, _("Allow")), _(NOTE_TLS_TLSv1_2))
diff --git a/cherokee/cryptor.c b/cherokee/cryptor.c
index 640b5379..4ae92fdd 100644
--- a/cherokee/cryptor.c
+++ b/cherokee/cryptor.c
@@ -49,7 +49,7 @@ cherokee_cryptor_init_base (cherokee_cryptor_t      *cryp,
         */
        cryp->timeout_handshake = TIMEOUT_DEFAULT;
        cryp->allow_SSLv2       = false;
-       cryp->allow_SSLv3       = true;
+       cryp->allow_SSLv3       = false;
        cryp->allow_TLSv1       = true;
        cryp->allow_TLSv1_1     = true;
        cryp->allow_TLSv1_2     = true;

commit 5bdd6dd6a5fa41ee11474e4f722a7a03806d1be6
Author: Ilya <ilya.veselov@gmail.com>
Date:   Wed Dec 10 12:59:19 2014 +0500

    Update ciphers configuration
    
    In accordance to Mozilla's [Forward Secrecy recommendation](https://wiki.mozilla.org/Security/Server_Side_TLS#Forward_Secrecy)  (Intermediate compatibility).
    
    This will also disable RC4 ciphers to mitigate POODLE in TLS attack.

diff --git a/cherokee/cryptor.h b/cherokee/cryptor.h
index ed1f8ee0..1adfa97e 100644
--- a/cherokee/cryptor.h
+++ b/cherokee/cryptor.h
@@ -35,7 +35,7 @@
 
 CHEROKEE_BEGIN_DECLS
 
-#define CHEROKEE_CIPHERS_DEFAULT "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-RC4-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:RC4-SHA:AES256-GCM-SHA384:AES256-SHA256:CAMELLIA256-SHA:ECDHE-RSA-AES128-SHA:AES128-GCM-SHA256:AES128-SHA256:AES128-SHA:CAMELLIA128-SHA"
+#define CHEROKEE_CIPHERS_DEFAULT "ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA"
 
 /* Callback function prototipes
  */

commit c6ac753005a2857c4af2f489b674c7449e04e64c
Merge: 219b0389 5bdd6dd6
Author: Stefan de Konink <stefan@konink.de>
Date:   Wed Dec 10 12:01:16 2014 +0100

    Merge pull request #1168 from 13xforever/patch-1
    
    Update ciphers configuration

commit 4600b2e70df54044d301b77354979409e9413294
Author: Stefan de Konink <stefan@konink.de>
Date:   Wed Dec 10 12:10:24 2014 +0100

    Revert "Update ciphers configuration"

diff --git a/cherokee/cryptor.h b/cherokee/cryptor.h
index 1adfa97e..ed1f8ee0 100644
--- a/cherokee/cryptor.h
+++ b/cherokee/cryptor.h
@@ -35,7 +35,7 @@
 
 CHEROKEE_BEGIN_DECLS
 
-#define CHEROKEE_CIPHERS_DEFAULT "ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA"
+#define CHEROKEE_CIPHERS_DEFAULT "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-RC4-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:RC4-SHA:AES256-GCM-SHA384:AES256-SHA256:CAMELLIA256-SHA:ECDHE-RSA-AES128-SHA:AES128-GCM-SHA256:AES128-SHA256:AES128-SHA:CAMELLIA128-SHA"
 
 /* Callback function prototipes
  */

commit a02d96fe5960c5e906ad4952dfc36d5dc6eb4849
Merge: c6ac7530 4600b2e7
Author: Stefan de Konink <stefan@konink.de>
Date:   Wed Dec 10 12:10:49 2014 +0100

    Merge pull request #1169 from cherokee/revert-1168-patch-1
    
    Revert "Update ciphers configuration"

commit a917d76ed9b4272478ca973084ec1037a950c443
Author: Stefan de Konink <stefan@konink.de>
Date:   Wed Dec 10 13:35:45 2014 +0100

    Reapply previous patch from commit 5bdd6dd6a5fa41ee11474e4f722a7a03806d1be6 by @13xforever
    
    In accordance to Mozilla's [Forward Secrecy
    recommendation](https://wiki.mozilla.org/Security/Server_Side_TLS#Forward_Secrecy)
    (Intermediate compatibility).
    
    This will also disable RC4 ciphers to mitigate POODLE in TLS attack.
    
    In addition: we loose the ability to do server side BEAST mitigation.
    See the discussion at: https://github.com/cherokee/webserver/pull/1168

diff --git a/cherokee/cryptor.h b/cherokee/cryptor.h
index ed1f8ee0..1adfa97e 100644
--- a/cherokee/cryptor.h
+++ b/cherokee/cryptor.h
@@ -35,7 +35,7 @@
 
 CHEROKEE_BEGIN_DECLS
 
-#define CHEROKEE_CIPHERS_DEFAULT "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-RC4-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:RC4-SHA:AES256-GCM-SHA384:AES256-SHA256:CAMELLIA256-SHA:ECDHE-RSA-AES128-SHA:AES128-GCM-SHA256:AES128-SHA256:AES128-SHA:CAMELLIA128-SHA"
+#define CHEROKEE_CIPHERS_DEFAULT "ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA"
 
 /* Callback function prototipes
  */

commit 57b04ec506cde04794775e769d5485800427373e
Author: Stefan de Konink <stefan@konink.de>
Date:   Mon May 8 13:20:32 2017 +0200

    OpenSSL 1.1 uses the Secure Renegotiation Extension

diff --git a/cherokee/cryptor_libssl.c b/cherokee/cryptor_libssl.c
index 74af1cb5..5f430b73 100644
--- a/cherokee/cryptor_libssl.c
+++ b/cherokee/cryptor_libssl.c
@@ -790,11 +790,13 @@ _socket_init_tls (cherokee_cryptor_socket_libssl_t *cryp,
        }
 #endif
 
+#if OPENSSL_VERSION_NUMBER < 0x10100000L
        /* Disable Ciphers renegotiation (CVE-2009-3555)
         */
        if (cryp->session->s3) {
                cryp->session->s3->flags |= SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS;
        }
+#endif
 
        return ret_ok;
 }

commit 07ab26e6683f5166f7cd7785fe714338e3ad369f
Author: Stefan de Konink <stefan@konink.de>
Date:   Mon May 8 13:49:56 2017 +0200

    Second attempt to update to OpenSSL 1.1.
    
    To test if Cherokee now is able to compile on both installations.

diff --git a/cherokee/cryptor_libssl.c b/cherokee/cryptor_libssl.c
index 5f430b73..1a4c452a 100644
--- a/cherokee/cryptor_libssl.c
+++ b/cherokee/cryptor_libssl.c
@@ -238,13 +238,13 @@ cherokee_cryptor_libssl_find_vserver (SSL *ssl,
        /* SSL_set_SSL_CTX() only change certificates. We need to
         * changes more options by hand.
         */
-       SSL_set_options(ssl, SSL_CTX_get_options(ssl->ctx));
+       SSL_set_options(ssl, SSL_CTX_get_options(ctx));
 
        if ((SSL_get_verify_mode(ssl) == SSL_VERIFY_NONE) ||
            (SSL_num_renegotiations(ssl) == 0)) {
 
-               SSL_set_verify(ssl, SSL_CTX_get_verify_mode(ssl->ctx),
-                              SSL_CTX_get_verify_callback(ssl->ctx));
+               SSL_set_verify(ssl, SSL_CTX_get_verify_mode(ctx),
+                              SSL_CTX_get_verify_callback(ctx));
        }
 
        return ret_ok;
@@ -1332,10 +1332,15 @@ PLUGIN_INIT_NAME(libssl) (cherokee_plugin_loader_t *loader)
 
        /* Init OpenSSL
         */
-       OPENSSL_config (NULL);
+#if OPENSSL_VERSION_NUMBER < 0x10100000L
+       OPENSSL_config(NULL);
        SSL_library_init();
        SSL_load_error_strings();
        OpenSSL_add_all_algorithms();
+#else
+       OPENSSL_init_crypto(OPENSSL_INIT_LOAD_CRYPTO_STRINGS | OPENSSL_INIT_ADD_ALL_CIPHERS | OPENSSL_INIT_ADD_ALL_DIGESTS, NULL);
+       OPENSSL_init_ssl(OPENSSL_INIT_LOAD_SSL_STRINGS, NULL);
+#endif
 
        /* Ensure PRNG has been seeded with enough data
         */
diff --git a/cherokee/cryptor_libssl_dh_1024.c b/cherokee/cryptor_libssl_dh_1024.c
index 7f7702d5..0512baf5 100644
--- a/cherokee/cryptor_libssl_dh_1024.c
+++ b/cherokee/cryptor_libssl_dh_1024.c
@@ -4,7 +4,7 @@
 #endif
 static DH *get_dh1024()
 {
-       static unsigned char dh1024_p[]={
+       static unsigned char dhp_1024[]={
                0x85,0x08,0xFF,0x6C,0xC1,0x0C,0x23,0x55,0xC5,0xF8,0x3D,0x47,
                0x6F,0x23,0x36,0xDA,0x98,0xF3,0xE4,0x56,0xCD,0xA0,0xF3,0x02,
                0x18,0xB0,0xCB,0xD2,0x92,0x4B,0xDC,0x76,0x2B,0x24,0x2B,0x20,
@@ -17,16 +17,21 @@ static DH *get_dh1024()
                0xF4,0xB8,0xB7,0x5B,0xEF,0x7E,0x06,0x43,0x2A,0x8E,0x33,0x69,
                0x71,0x65,0x35,0xBF,0xCB,0xCD,0xB0,0x5B,
        };
-       static unsigned char dh1024_g[]={
+       static unsigned char dhg_1024[]={
                0x02,
        };
        DH *dh;
+       BIGNUM *dhp_bn, *dhg_bn;
 
        if ((dh=DH_new()) == NULL) return(NULL);
-       dh->p=BN_bin2bn(dh1024_p,sizeof(dh1024_p),NULL);
-       dh->g=BN_bin2bn(dh1024_g,sizeof(dh1024_g),NULL);
-       if ((dh->p == NULL) || (dh->g == NULL)) {
-               DH_free(dh); return(NULL);
+       dhp_bn = BN_bin2bn(dhp_1024, sizeof (dhp_1024), NULL);
+       dhg_bn = BN_bin2bn(dhg_1024, sizeof (dhg_1024), NULL);
+       if (dhp_bn == NULL || dhg_bn == NULL ||
+               !DH_set0_pqg(dh, dhp_bn, NULL, dhg_bn)) {
+               DH_free(dh);
+               BN_free(dhp_bn);
+               BN_free(dhg_bn);
+               return(NULL);
        }
        return(dh);
 }
diff --git a/cherokee/cryptor_libssl_dh_2048.c b/cherokee/cryptor_libssl_dh_2048.c
index 392361ec..463ba35a 100644
--- a/cherokee/cryptor_libssl_dh_2048.c
+++ b/cherokee/cryptor_libssl_dh_2048.c
@@ -4,7 +4,7 @@
 #endif
 static DH *get_dh2048()
 {
-       static unsigned char dh2048_p[]={
+       static unsigned char dhp_2048[]={
                0xC8,0xF1,0xD4,0x48,0xB6,0x11,0x5B,0x2B,0x9E,0x3D,0xE4,0x49,
                0x0A,0xC4,0x8A,0x0B,0xFF,0xAC,0x09,0x4F,0x88,0x91,0x08,0xB8,
                0x7D,0x71,0xB7,0x7D,0x87,0x44,0x09,0x70,0x15,0xFF,0x0C,0xAF,
@@ -28,16 +28,21 @@ static DH *get_dh2048()
                0x7C,0x83,0xB9,0x40,0x7A,0x2E,0xA4,0x1D,0x85,0x68,0x69,0x66,
                0xF8,0xAA,0x70,0x6B,
        };
-       static unsigned char dh2048_g[]={
+       static unsigned char dhg_2048[]={
                0x02,
        };
        DH *dh;
+       BIGNUM *dhp_bn, *dhg_bn;
 
        if ((dh=DH_new()) == NULL) return(NULL);
-       dh->p=BN_bin2bn(dh2048_p,sizeof(dh2048_p),NULL);
-       dh->g=BN_bin2bn(dh2048_g,sizeof(dh2048_g),NULL);
-       if ((dh->p == NULL) || (dh->g == NULL)) {
-               DH_free(dh); return(NULL);
+       dhp_bn = BN_bin2bn(dhp_2048, sizeof (dhp_2048), NULL);
+       dhg_bn = BN_bin2bn(dhg_2048, sizeof (dhg_2048), NULL);
+       if (dhp_bn == NULL || dhg_bn == NULL ||
+               !DH_set0_pqg(dh, dhp_bn, NULL, dhg_bn)) {
+               DH_free(dh);
+               BN_free(dhp_bn);
+               BN_free(dhg_bn);
+               return(NULL);
        }
        return(dh);
 }
diff --git a/cherokee/cryptor_libssl_dh_4096.c b/cherokee/cryptor_libssl_dh_4096.c
index 94845775..1c329a00 100644
--- a/cherokee/cryptor_libssl_dh_4096.c
+++ b/cherokee/cryptor_libssl_dh_4096.c
@@ -4,7 +4,7 @@
 #endif
 static DH *get_dh4096()
 {
-       static unsigned char dh4096_p[]={
+       static unsigned char dhp_4096[]={
                0xD2,0xB2,0x5E,0x24,0x83,0x8E,0x04,0x17,0x39,0xAB,0x99,0x5A,
                0xAB,0x0C,0x15,0x3C,0x95,0xE0,0xE4,0x48,0x3F,0xE4,0x22,0x48,
                0xCA,0x19,0xCA,0xD0,0x9E,0xA7,0x09,0xD0,0x97,0x0F,0x31,0x49,
@@ -49,16 +49,21 @@ static DH *get_dh4096()
                0xE9,0xD3,0x8C,0x4A,0x7C,0x49,0x36,0x84,0xBF,0xD0,0xE0,0x45,
                0x2C,0x74,0xC9,0x6D,0x09,0xDE,0xA1,0x33,
        };
-       static unsigned char dh4096_g[]={
+       static unsigned char dhg_4096[]={
                0x02,
        };
        DH *dh;
+       BIGNUM *dhp_bn, *dhg_bn;
 
        if ((dh=DH_new()) == NULL) return(NULL);
-       dh->p=BN_bin2bn(dh4096_p,sizeof(dh4096_p),NULL);
-       dh->g=BN_bin2bn(dh4096_g,sizeof(dh4096_g),NULL);
-       if ((dh->p == NULL) || (dh->g == NULL)) {
-               DH_free(dh); return(NULL);
+       dhp_bn = BN_bin2bn(dhp_4096, sizeof (dhp_4096), NULL);
+       dhg_bn = BN_bin2bn(dhg_4096, sizeof (dhg_4096), NULL);
+       if (dhp_bn == NULL || dhg_bn == NULL ||
+               !DH_set0_pqg(dh, dhp_bn, NULL, dhg_bn)) {
+               DH_free(dh);
+               BN_free(dhp_bn);
+               BN_free(dhg_bn);
+               return(NULL);
        }
        return(dh);
 }
diff --git a/cherokee/cryptor_libssl_dh_512.c b/cherokee/cryptor_libssl_dh_512.c
index bc1d8778..e7f64ed4 100644
--- a/cherokee/cryptor_libssl_dh_512.c
+++ b/cherokee/cryptor_libssl_dh_512.c
@@ -4,7 +4,7 @@
 #endif
 static DH *get_dh512()
 {
-       static unsigned char dh512_p[]={
+       static unsigned char dhp_512[]={
                0xED,0x78,0x7E,0x95,0xB9,0x05,0xD5,0x00,0x38,0xC6,0x6B,0x49,
                0x78,0x22,0x78,0x43,0x8D,0xCC,0xF9,0x83,0x18,0xBB,0x6E,0xFE,
                0xCD,0x90,0xC3,0x84,0xA8,0x5C,0x04,0x84,0xEB,0x85,0x1D,0x5B,
@@ -12,16 +12,21 @@ static DH *get_dh512()
                0xA5,0xA7,0x10,0x7D,0x43,0x1B,0x6F,0xAD,0xA8,0xA1,0xB0,0xD3,
                0xD9,0x23,0xD1,0x83,
        };
-       static unsigned char dh512_g[]={
+       static unsigned char dhg_512[]={
                0x02,
        };
        DH *dh;
+       BIGNUM *dhp_bn, *dhg_bn;
 
        if ((dh=DH_new()) == NULL) return(NULL);
-       dh->p=BN_bin2bn(dh512_p,sizeof(dh512_p),NULL);
-       dh->g=BN_bin2bn(dh512_g,sizeof(dh512_g),NULL);
-       if ((dh->p == NULL) || (dh->g == NULL)) {
-               DH_free(dh); return(NULL);
+       dhp_bn = BN_bin2bn(dhp_512, sizeof (dhp_512), NULL);
+       dhg_bn = BN_bin2bn(dhg_512, sizeof (dhg_512), NULL);
+       if (dhp_bn == NULL || dhg_bn == NULL ||
+               !DH_set0_pqg(dh, dhp_bn, NULL, dhg_bn)) {
+               DH_free(dh);
+               BN_free(dhp_bn);
+               BN_free(dhg_bn);
+               return(NULL);
        }
        return(dh);
 }

commit d20bf585c0d5f62e39c237575ba89ef0fed10d89
Author: Stefan de Konink <stefan@konink.de>
Date:   Tue May 9 10:55:34 2017 +0200

    Create more compatibility with openssl 1.1.
    
    Remove the NULL checks, as they are already happening in the function below.

diff --git a/cherokee/cryptor_libssl_compat.h b/cherokee/cryptor_libssl_compat.h
new file mode 100644
index 00000000..832a122a
--- /dev/null
+++ b/cherokee/cryptor_libssl_compat.h
@@ -0,0 +1,36 @@
+#if OPENSSL_VERSION_NUMBER < 0x10100000L
+#include <string.h>
+#include <openssl/engine.h>
+
+int DH_set0_pqg(DH *dh, BIGNUM *p, BIGNUM *q, BIGNUM *g)
+{
+       /* If the fields p and g in d are NULL, the corresponding input
+        * parameters MUST be non-NULL.  q may remain NULL.
+        */
+
+       if ((dh->p == NULL && p == NULL)
+           || (dh->g == NULL && g == NULL))
+               return 0;
+
+       if (p != NULL) {
+               BN_free(dh->p);
+               dh->p = p;
+       }
+
+       if (q != NULL) {
+               BN_free(dh->q);
+               dh->q = q;
+       }
+
+       if (g != NULL) {
+               BN_free(dh->g);
+               dh->g = g;
+       }
+
+       if (q != NULL) {
+               dh->length = BN_num_bits(q);
+       }
+
+       return 1;
+}
+#endif
diff --git a/cherokee/cryptor_libssl_dh_1024.c b/cherokee/cryptor_libssl_dh_1024.c
index 0512baf5..2a863f4c 100644
--- a/cherokee/cryptor_libssl_dh_1024.c
+++ b/cherokee/cryptor_libssl_dh_1024.c
@@ -2,6 +2,9 @@
 #ifndef HEADER_DH_H
 #include <openssl/dh.h>
 #endif
+
+#include "cryptor_libssl_compat.h"
+
 static DH *get_dh1024()
 {
        static unsigned char dhp_1024[]={
@@ -26,8 +29,7 @@ static DH *get_dh1024()
        if ((dh=DH_new()) == NULL) return(NULL);
        dhp_bn = BN_bin2bn(dhp_1024, sizeof (dhp_1024), NULL);
        dhg_bn = BN_bin2bn(dhg_1024, sizeof (dhg_1024), NULL);
-       if (dhp_bn == NULL || dhg_bn == NULL ||
-               !DH_set0_pqg(dh, dhp_bn, NULL, dhg_bn)) {
+       if (!DH_set0_pqg(dh, dhp_bn, NULL, dhg_bn)) {
                DH_free(dh);
                BN_free(dhp_bn);
                BN_free(dhg_bn);
diff --git a/cherokee/cryptor_libssl_dh_2048.c b/cherokee/cryptor_libssl_dh_2048.c
index 463ba35a..e81e6e3f 100644
--- a/cherokee/cryptor_libssl_dh_2048.c
+++ b/cherokee/cryptor_libssl_dh_2048.c
@@ -2,6 +2,9 @@
 #ifndef HEADER_DH_H
 #include <openssl/dh.h>
 #endif
+
+#include "cryptor_libssl_compat.h"
+
 static DH *get_dh2048()
 {
        static unsigned char dhp_2048[]={
@@ -37,8 +40,7 @@ static DH *get_dh2048()
        if ((dh=DH_new()) == NULL) return(NULL);
        dhp_bn = BN_bin2bn(dhp_2048, sizeof (dhp_2048), NULL);
        dhg_bn = BN_bin2bn(dhg_2048, sizeof (dhg_2048), NULL);
-       if (dhp_bn == NULL || dhg_bn == NULL ||
-               !DH_set0_pqg(dh, dhp_bn, NULL, dhg_bn)) {
+       if (!DH_set0_pqg(dh, dhp_bn, NULL, dhg_bn)) {
                DH_free(dh);
                BN_free(dhp_bn);
                BN_free(dhg_bn);
diff --git a/cherokee/cryptor_libssl_dh_4096.c b/cherokee/cryptor_libssl_dh_4096.c
index 1c329a00..b90c599f 100644
--- a/cherokee/cryptor_libssl_dh_4096.c
+++ b/cherokee/cryptor_libssl_dh_4096.c
@@ -2,6 +2,9 @@
 #ifndef HEADER_DH_H
 #include <openssl/dh.h>
 #endif
+
+#include "cryptor_libssl_compat.h"
+
 static DH *get_dh4096()
 {
        static unsigned char dhp_4096[]={
@@ -58,8 +61,7 @@ static DH *get_dh4096()
        if ((dh=DH_new()) == NULL) return(NULL);
        dhp_bn = BN_bin2bn(dhp_4096, sizeof (dhp_4096), NULL);
        dhg_bn = BN_bin2bn(dhg_4096, sizeof (dhg_4096), NULL);
-       if (dhp_bn == NULL || dhg_bn == NULL ||
-               !DH_set0_pqg(dh, dhp_bn, NULL, dhg_bn)) {
+       if (!DH_set0_pqg(dh, dhp_bn, NULL, dhg_bn)) {
                DH_free(dh);
                BN_free(dhp_bn);
                BN_free(dhg_bn);
diff --git a/cherokee/cryptor_libssl_dh_512.c b/cherokee/cryptor_libssl_dh_512.c
index e7f64ed4..93d63d48 100644
--- a/cherokee/cryptor_libssl_dh_512.c
+++ b/cherokee/cryptor_libssl_dh_512.c
@@ -2,6 +2,9 @@
 #ifndef HEADER_DH_H
 #include <openssl/dh.h>
 #endif
+
+#include "cryptor_libssl_compat.h"
+
 static DH *get_dh512()
 {
        static unsigned char dhp_512[]={
@@ -21,8 +24,7 @@ static DH *get_dh512()
        if ((dh=DH_new()) == NULL) return(NULL);
        dhp_bn = BN_bin2bn(dhp_512, sizeof (dhp_512), NULL);
        dhg_bn = BN_bin2bn(dhg_512, sizeof (dhg_512), NULL);
-       if (dhp_bn == NULL || dhg_bn == NULL ||
-               !DH_set0_pqg(dh, dhp_bn, NULL, dhg_bn)) {
+       if (!DH_set0_pqg(dh, dhp_bn, NULL, dhg_bn)) {
                DH_free(dh);
                BN_free(dhp_bn);
                BN_free(dhg_bn);

commit 43e5d17b3bd5fbb926f526f6ee84cf4ae299b8c8
Author: Stefan de Konink <stefan@konink.de>
Date:   Tue May 9 11:41:45 2017 +0200

    Fix for compilation.

diff --git a/cherokee/cryptor_libssl.c b/cherokee/cryptor_libssl.c
index 1a4c452a..fabf9912 100644
--- a/cherokee/cryptor_libssl.c
+++ b/cherokee/cryptor_libssl.c
@@ -53,6 +53,8 @@ static DH *dh_param_1024 = NULL;
 static DH *dh_param_2048 = NULL;
 static DH *dh_param_4096 = NULL;
 
+#include "cryptor_libssl_compat.h"
+
 #include "cryptor_libssl_dh_512.c"
 #include "cryptor_libssl_dh_1024.c"
 #include "cryptor_libssl_dh_2048.c"
diff --git a/cherokee/cryptor_libssl_dh_1024.c b/cherokee/cryptor_libssl_dh_1024.c
index 2a863f4c..74a56c38 100644
--- a/cherokee/cryptor_libssl_dh_1024.c
+++ b/cherokee/cryptor_libssl_dh_1024.c
@@ -3,8 +3,6 @@
 #include <openssl/dh.h>
 #endif
 
-#include "cryptor_libssl_compat.h"
-
 static DH *get_dh1024()
 {
        static unsigned char dhp_1024[]={
diff --git a/cherokee/cryptor_libssl_dh_2048.c b/cherokee/cryptor_libssl_dh_2048.c
index e81e6e3f..dbb481aa 100644
--- a/cherokee/cryptor_libssl_dh_2048.c
+++ b/cherokee/cryptor_libssl_dh_2048.c
@@ -3,8 +3,6 @@
 #include <openssl/dh.h>
 #endif
 
-#include "cryptor_libssl_compat.h"
-
 static DH *get_dh2048()
 {
        static unsigned char dhp_2048[]={
diff --git a/cherokee/cryptor_libssl_dh_4096.c b/cherokee/cryptor_libssl_dh_4096.c
index b90c599f..aeaf3abc 100644
--- a/cherokee/cryptor_libssl_dh_4096.c
+++ b/cherokee/cryptor_libssl_dh_4096.c
@@ -3,8 +3,6 @@
 #include <openssl/dh.h>
 #endif
 
-#include "cryptor_libssl_compat.h"
-
 static DH *get_dh4096()
 {
        static unsigned char dhp_4096[]={
diff --git a/cherokee/cryptor_libssl_dh_512.c b/cherokee/cryptor_libssl_dh_512.c
index 93d63d48..ed776636 100644
--- a/cherokee/cryptor_libssl_dh_512.c
+++ b/cherokee/cryptor_libssl_dh_512.c
@@ -3,8 +3,6 @@
 #include <openssl/dh.h>
 #endif
 
-#include "cryptor_libssl_compat.h"
-
 static DH *get_dh512()
 {
        static unsigned char dhp_512[]={

commit 75f041e2255e6dd0692db2f14611c2647dbe8425
Merge: dad221a9 43e5d17b
Author: Stefan de Konink <stefan@konink.de>
Date:   Mon May 29 07:03:22 2017 +0200

    Merge pull request #1196 from cherokee/openssl-1.1
    
    OpenSSL 1.1 support