Merge remote-tracking branch 'origin/patches-2.0'

test/regress_ssl.c

@@ -129,6 +129,7 @@ end:
 	return NULL;
 }
 
+static int disable_tls_11_and_12 = 0;
 static SSL_CTX *the_ssl_ctx = NULL;
 
 static SSL_CTX *
@@ -136,7 +137,18 @@ get_ssl_ctx(void)
 {
 	if (the_ssl_ctx)
 		return the_ssl_ctx;
-	return (the_ssl_ctx = SSL_CTX_new(SSLv23_method()));
+	the_ssl_ctx = SSL_CTX_new(SSLv23_method());
+	if (!the_ssl_ctx)
+		return NULL;
+	if (disable_tls_11_and_12) {
+#ifdef SSL_OP_NO_TLSv1_2
+		SSL_CTX_set_options(the_ssl_ctx, SSL_OP_NO_TLSv1_2);
+#endif
+#ifdef SSL_OP_NO_TLSv1_1
+		SSL_CTX_set_options(the_ssl_ctx, SSL_OP_NO_TLSv1_1);
+#endif
+	}
+	return the_ssl_ctx;
 }
 
 static void
@@ -146,6 +158,9 @@ init_ssl(void)
 	ERR_load_crypto_strings();
 	SSL_load_error_strings();
 	OpenSSL_add_all_algorithms();
+	if (SSLeay() != OPENSSL_VERSION_NUMBER) {
+		TT_DECLARE("WARN", ("Version mismatch for openssl: compiled with %lx but running with %lx", OPENSSL_VERSION_NUMBER, SSLeay()));
+	}
 }
 
 /* ====================
@@ -280,6 +295,16 @@ regress_bufferevent_openssl(void *arg)
 
 	init_ssl();
 
+	if (strstr((char*)data->setup_data, "renegotiate")) {
+		if (SSLeay() >= 0x10001000 &&
+		    SSLeay() <  0x1000104f) {
+			/* 1.0.1 up to 1.0.1c has a bug where TLS1.1 and 1.2
+			 * can't renegotiate with themselves. Disable. */
+			disable_tls_11_and_12 = 1;
+		}
+		renegotiate_at = 600;
+	}
+
 	ssl1 = SSL_new(get_ssl_ctx());
 	ssl2 = SSL_new(get_ssl_ctx());
 
@@ -289,9 +314,6 @@ regress_bufferevent_openssl(void *arg)
 	if (! start_open)
 		flags |= BEV_OPT_CLOSE_ON_FREE;
 
-	if (strstr((char*)data->setup_data, "renegotiate"))
-		renegotiate_at = 600;
-
 	if (!filter) {
 		tt_assert(strstr((char*)data->setup_data, "socketpair"));
 		fd_pair = data->pair;