
Merge pull request #276 from dougnazar/ssl

SSL cleanups (with a few BSD odds & ends)
dylan-at-nagios 1 年間 前
d3b7228d44
13 ファイル変更893 行追加716 行削除
  1. 2 0
      .gitignore
  2. 149 89
      configure
  3. 1 4
      include/common.h.in
  4. 3 0
      include/config.h.in
  5. 47 0
      include/ssl.h
  6. 85 40
      macros/ax_nagios_get_ssl
  7. 18 7
      src/Makefile.in
  8. 8 5
      src/acl.c
  9. 69 279
      src/check_nrpe.c
  10. 162 0
      src/generate_dh_params.c
  11. 62 285
      src/nrpe.c
  12. 0 7
      src/print_c_code.c
  13. 287 0
      src/ssl.c

+ 2 - 0
.gitignore

@@ -15,7 +15,9 @@ package/solaris/Makefile
 sample-config/nrpe.cfg
 src/Makefile
 src/check_nrpe
+src/generate_dh_params
 src/nrpe
+src/*.o
 autom4te.cache/
 nbproject/
 .settings/

+ 149 - 89
configure

@@ -624,12 +624,14 @@ ac_includes_default="\
 #endif"
 
 ac_subst_vars='PERL
+SSL_DH_HEADER_MAKE
 sslbin
 PKG_CONFIG
+SSL_OBJS
+SSL_DH_HEADER
 SSL_LIB_DIR
 SSL_INC_PREFIX
 SSL_HDR
-SSL_INC_DIR
 SSL_TYPE
 HAVE_SSL
 EGREP
@@ -763,6 +765,7 @@ with_need_dh
 with_ssl
 with_ssl_inc
 with_ssl_lib
+enable_auto_dh
 with_kerberos_inc
 with_log_facility
 with_nrpe_user
@@ -1404,6 +1407,8 @@ Optional Features:
                           'make install' process.
   --disable-tcpd          disables support for tcpd even if present
   --disable-ssl           disables native SSL support [default=check]
+  --disable-auto-dh       disables using builtin DH parameters (if available)
+                          and generates custom parameters
   --enable-command-args   allows clients to specify command arguments. ***
                           THIS IS A SECURITY RISK! *** Read the SECURITY file
                           before using this option!
@@ -1799,7 +1804,7 @@ else
 /* end confdefs.h.  */
 $4
 int
-main ()
+main (void)
 {
 if (sizeof ($2))
 	 return 0;
@@ -1812,7 +1817,7 @@ if ac_fn_c_try_compile "$LINENO"; then :
 /* end confdefs.h.  */
 $4
 int
-main ()
+main (void)
 {
 if (sizeof (($2)))
 	    return 0;
@@ -1850,7 +1855,7 @@ cat confdefs.h - <<_ACEOF >conftest.$ac_ext
 /* end confdefs.h.  */
 $4
 int
-main ()
+main (void)
 {
 static int test_array [1 - 2 * !(($2) >= 0)];
 test_array [0] = 0;
@@ -1867,7 +1872,7 @@ if ac_fn_c_try_compile "$LINENO"; then :
 /* end confdefs.h.  */
 $4
 int
-main ()
+main (void)
 {
 static int test_array [1 - 2 * !(($2) <= $ac_mid)];
 test_array [0] = 0;
@@ -1894,7 +1899,7 @@ else
 /* end confdefs.h.  */
 $4
 int
-main ()
+main (void)
 {
 static int test_array [1 - 2 * !(($2) < 0)];
 test_array [0] = 0;
@@ -1911,7 +1916,7 @@ if ac_fn_c_try_compile "$LINENO"; then :
 /* end confdefs.h.  */
 $4
 int
-main ()
+main (void)
 {
 static int test_array [1 - 2 * !(($2) >= $ac_mid)];
 test_array [0] = 0;
@@ -1946,7 +1951,7 @@ while test "x$ac_lo" != "x$ac_hi"; do
 /* end confdefs.h.  */
 $4
 int
-main ()
+main (void)
 {
 static int test_array [1 - 2 * !(($2) <= $ac_mid)];
 test_array [0] = 0;
@@ -1971,12 +1976,12 @@ esac
     cat confdefs.h - <<_ACEOF >conftest.$ac_ext
 /* end confdefs.h.  */
 $4
-static long int longval () { return $2; }
-static unsigned long int ulongval () { return $2; }
+static long int longval (void) { return $2; }
+static unsigned long int ulongval (void) { return $2; }
 #include <stdio.h>
 #include <stdlib.h>
 int
-main ()
+main (void)
 {
 
   FILE *f = fopen ("conftest.val", "w");
@@ -2083,7 +2088,7 @@ else
 #define $2 innocuous_$2
 
 /* System header to define __stub macros and hopefully few prototypes,
-    which can conflict with char $2 (); below.
+    which can conflict with char $2 (void); below.
     Prefer <limits.h> to <assert.h> if __STDC__ is defined, since
     <limits.h> exists even on freestanding compilers.  */
 
@@ -2101,7 +2106,7 @@ else
 #ifdef __cplusplus
 extern "C"
 #endif
-char $2 ();
+char $2 (void);
 /* The GNU C library defines this for functions which it implements
     to always fail with ENOSYS.  Some functions are actually named
     something starting with __ and the normal name is an alias.  */
@@ -2110,7 +2115,7 @@ choke me
 #endif
 
 int
-main ()
+main (void)
 {
 return $2 ();
   ;
@@ -5324,7 +5329,7 @@ cat confdefs.h - <<_ACEOF >conftest.$ac_ext
 /* end confdefs.h.  */
 
 int
-main ()
+main (void)
 {
 
   ;
@@ -5464,7 +5469,7 @@ cat confdefs.h - <<_ACEOF >conftest.$ac_ext
 /* end confdefs.h.  */
 #include <stdio.h>
 int
-main ()
+main (void)
 {
 FILE *f = fopen ("conftest.out", "w");
  return ferror (f) || fclose (f) != 0;
@@ -5528,7 +5533,7 @@ else
 /* end confdefs.h.  */
 
 int
-main ()
+main (void)
 {
 
   ;
@@ -5579,7 +5584,7 @@ else
 /* end confdefs.h.  */
 
 int
-main ()
+main (void)
 {
 #ifndef __GNUC__
        choke me
@@ -5620,7 +5625,7 @@ else
 /* end confdefs.h.  */
 
 int
-main ()
+main (void)
 {
 
   ;
@@ -5635,7 +5640,7 @@ else
 /* end confdefs.h.  */
 
 int
-main ()
+main (void)
 {
 
   ;
@@ -5651,7 +5656,7 @@ else
 /* end confdefs.h.  */
 
 int
-main ()
+main (void)
 {
 
   ;
@@ -5700,9 +5705,7 @@ struct stat;
 /* Most of the following tests are stolen from RCS 5.7's src/conf.sh.  */
 struct buf { int x; };
 FILE * (*rcsopen) (struct buf *, struct stat *, int);
-static char *e (p, i)
-     char **p;
-     int i;
+static char *e (char **p, int i)
 {
   return p[i];
 }
@@ -5737,7 +5740,7 @@ int pairnames (int, char **, FILE *(*)(struct buf *, struct stat *, int), int, i
 int argc;
 char **argv;
 int
-main ()
+main (void)
 {
 return f (e, argv, 0) != argv[0]  ||  f (e, argv, 1) != argv[1];
   ;
@@ -6095,7 +6098,7 @@ else
 #include <float.h>
 
 int
-main ()
+main (void)
 {
 
   ;
@@ -6165,7 +6168,7 @@ else
 
 #define XOR(e, f) (((e) && !(f)) || (!(e) && (f)))
 int
-main ()
+main (void)
 {
   int i;
   for (i = 0; i < 256; i++)
@@ -6206,7 +6209,7 @@ else
 #include <time.h>
 
 int
-main ()
+main (void)
 {
 if ((struct tm *) 0)
 return 0;
@@ -6246,7 +6249,7 @@ else
 #endif
 
 int
-main ()
+main (void)
 {
   int s;
   wait (&s);
@@ -6361,7 +6364,7 @@ else
 /* end confdefs.h.  */
 
 int
-main ()
+main (void)
 {
 
 #ifndef __cplusplus
@@ -6444,7 +6447,7 @@ else
 #include <time.h>
 
 int
-main ()
+main (void)
 {
 struct tm tm;
 				     int *p = &tm.tm_sec;
@@ -6512,7 +6515,7 @@ else
 #include <signal.h>
 
 int
-main ()
+main (void)
 {
 return *(signal (0, 0)) (0) == 1;
   ;
@@ -6581,7 +6584,7 @@ $ac_includes_default
 #define MAX(x, y) ((x) > (y) ? (x) : (y))
 
 int
-main ()
+main (void)
 {
   gid_t gidset[NGID];
   int i, n;
@@ -6845,7 +6848,7 @@ cat confdefs.h - <<_ACEOF >conftest.$ac_ext
 #include <stdarg.h>
 va_list ap1,ap2;
 int
-main ()
+main (void)
 {
 va_copy(ap1,ap2);
   ;
@@ -6878,7 +6881,7 @@ else
 #include <stdarg.h>
 	va_list ap1,ap2;
 int
-main ()
+main (void)
 {
 __va_copy(ap1,ap2);
   ;
@@ -7011,9 +7014,9 @@ cat confdefs.h - <<_ACEOF >conftest.$ac_ext
 #ifdef __cplusplus
 extern "C"
 #endif
-char getopt_long ();
+char getopt_long (void);
 int
-main ()
+main (void)
 {
 return getopt_long ();
   ;
@@ -7051,7 +7054,7 @@ cat confdefs.h - <<_ACEOF >conftest.$ac_ext
 
 
 int
-main ()
+main (void)
 {
 return main ();
   ;
@@ -7089,9 +7092,9 @@ cat confdefs.h - <<_ACEOF >conftest.$ac_ext
 #ifdef __cplusplus
 extern "C"
 #endif
-char socket ();
+char socket (void);
 int
-main ()
+main (void)
 {
 return socket ();
   ;
@@ -7143,7 +7146,7 @@ cat confdefs.h - <<_ACEOF >conftest.$ac_ext
 
 
 int
-main ()
+main (void)
 {
 return main ();
   ;
@@ -7172,7 +7175,7 @@ $as_echo "#define HAVE_LIBWRAP 1" >>confdefs.h
 #include <tcpd.h>
 
 int
-main ()
+main (void)
 {
 int a = rfc931_timeout;
   ;
@@ -7240,7 +7243,7 @@ else
 					int getpeername (int, $arg2 *, $t *);
 
 int
-main ()
+main (void)
 {
 
 					$t len;
@@ -7286,7 +7289,7 @@ cat confdefs.h - <<_ACEOF >conftest.$ac_ext
 #include <sys/socket.h>
 
 int
-main ()
+main (void)
 {
 int a = send(1, (const void *)0, (size_t *) 0, (int *) 0);
   ;
@@ -7344,7 +7347,6 @@ try_pkg_config=1
 ssl_dir=
 ssl_inc_dir=
 ssl_lib_dir=
-SSL_INC_DIR=
 SSL_INC_PREFIX=
 SSL_HDR=
 SSL_LIB_DIR=
@@ -7357,6 +7359,15 @@ SSL_LIB_DIR=
 
 
 
+SSL_DH_HEADER_MAKE_OLD="../include/dh.h:
+	\$(SSLBIN) dhparam -C 2048 | awk '/^-----/ {exit} {print}' > \$@"
+SSL_DH_HEADER_MAKE_NEW="../include/dh.h: generate_dh_params
+	./generate_dh_params > \$@
+
+generate_dh_params: \$(srcdir)/generate_dh_params.c
+	\$(CC) \$(CFLAGS) -o \$@ \$(srcdir)/generate_dh_params.c \$(LDFLAGS)"
+
+
 # gnutls/openssl.h
 # nss_compat_ossl/nss_compat_ossl.h
 
@@ -7380,6 +7391,14 @@ if test "${with_ssl_lib+set}" = set; then :
 fi
 
 
+# Check whether --enable-auto_dh was given.
+if test "${enable_auto_dh+set}" = set; then :
+  enableval=$enable_auto_dh; auto_dh=no
+else
+  auto_dh=yes
+fi
+
+
 if test x$ssl_inc_dir != x -o x$ssl_lib_dir != x; then
 	try_pkg_config=0
 fi
@@ -7475,7 +7494,8 @@ $as_echo "found Kerberos include files in $kerbdir" >&6; }
 	fi
 
 	# First, try using pkg_config
-	if test -n "$ac_tool_prefix"; then
+	if test $try_pkg_config -ne 0 ; then
+		if test -n "$ac_tool_prefix"; then
   # Extract the first word of "${ac_tool_prefix}pkg-config", so it can be a program name with args.
 set dummy ${ac_tool_prefix}pkg-config; ac_word=$2
 { $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5
@@ -7567,6 +7587,7 @@ else
   PKG_CONFIG="$ac_cv_prog_PKG_CONFIG"
 fi
 
+	fi
 	if test x"$PKG_CONFIG" != x -a $try_pkg_config -ne 0 ; then
 		cflags=`$PKG_CONFIG $SSL_TYPE --cflags-only-I 2>/dev/null`
 		if test $? -eq 0; then
@@ -7592,10 +7613,17 @@ $as_echo_n "checking for SSL headers... " >&6; }
 				continue
 			fi
 			ssldir="$dir"
+			sslincdir="$dir"
+			if test -f "$dir/$SSL_INC_PREFIX/$SSL_HDR"; then
+				found_ssl=yes
+				CFLAGS="$CFLAGS -I$dir"
+				ssldir="$dir/.."
+				break
+			fi
 			if test -f "$dir/include/$SSL_INC_PREFIX/$SSL_HDR"; then
 				found_ssl=yes
-				CFLAGS="$CFLAGS -I$dir/include/$SSL_INC_PREFIX -I$ssldir/include"
-				SSL_INC_DIR="$dir/include/$SSL_INC_PREFIX"
+				CFLAGS="$CFLAGS -I$dir/include"
+				sslincdir="$dir/include"
 				break
 			fi
 			if test -f "$dir/include/$SSL_HDR"; then
@@ -7604,21 +7632,13 @@ $as_echo_n "checking for SSL headers... " >&6; }
 					SSL_INC_PREFIX=""
 				fi
 				CFLAGS="$CFLAGS -I$dir/include"
-				SSL_INC_DIR="$dir/include"
+				sslincdir="$dir/include"
 				break
 			fi
 			if test -f "$dir/$SSL_HDR"; then
 				found_ssl=yes
 				SSL_INC_PREFIX=""
 				CFLAGS="$CFLAGS -I$dir"
-				SSL_INC_DIR="$dir"
-				break
-			fi
-			if test -f "$dir/$SSL_INC_PREFIX/$SSL_HDR"; then
-				found_ssl=yes
-				CFLAGS="$CFLAGS -I$dir/$SSL_INC_PREFIX"
-				SSL_INC_DIR="$dir/$SSL_INC_PREFIX"
-				ssldir="$dir/.."
 				break
 			fi
 		done
@@ -7626,8 +7646,8 @@ $as_echo_n "checking for SSL headers... " >&6; }
 		if test x_$found_ssl != x_yes; then
 			as_fn_error $? "Cannot find ssl headers" "$LINENO" 5
 		else
-			{ $as_echo "$as_me:${as_lineno-$LINENO}: result: found in $ssldir" >&5
-$as_echo "found in $ssldir" >&6; }
+			{ $as_echo "$as_me:${as_lineno-$LINENO}: result: found in $sslincdir" >&5
+$as_echo "found in $sslincdir" >&6; }
 
 			# Now try and find SSL libraries
 
@@ -7647,13 +7667,18 @@ $as_echo_n "checking for SSL libraries... " >&6; }
 			elif test "`uname -s`" = "AIX" ; then
 				soext="a"
 			else
-				soext="so"
+				soext="so a"
 			fi
 
 			for dir in $ssl_lib_dirs; do
-				if test -f "$dir/$ssl_lib.$soext"; then
-					found_ssl=yes
-					SSL_LIB_DIR="$dir"
+				for ext in $soext; do
+					if test -f "$dir/$ssl_lib.$ext"; then
+						found_ssl=yes
+						SSL_LIB_DIR="$dir"
+						break
+					fi
+				done
+				if test x_$found_ssl == x_yes; then
 					break
 				fi
 			done
@@ -7664,7 +7689,7 @@ $as_echo_n "checking for SSL libraries... " >&6; }
 				{ $as_echo "$as_me:${as_lineno-$LINENO}: result: found in $SSL_LIB_DIR" >&5
 $as_echo "found in $SSL_LIB_DIR" >&6; }
 
-				LDFLAGS="$LDFLAGS -L$SSL_LIB_DIR";
+				LDFLAGS="$LDFLAGS -L$SSL_LIB_DIR -Wl,-rpath,$SSL_LIB_DIR";
 				LIBS="$LIBS -l`echo $ssl_lib | sed -e 's/^lib//'` -lcrypto";
 
 cat >>confdefs.h <<_ACEOF
@@ -7688,7 +7713,7 @@ $as_echo_n "checking whether compiling and linking against SSL works... " >&6; }
 /* end confdefs.h.  */
 #include <${SSL_INC_PREFIX}${SSL_HDR}>
 int
-main ()
+main (void)
 {
 SSL_new(NULL)
   ;
@@ -7699,6 +7724,7 @@ if ac_fn_c_try_link "$LINENO"; then :
 
 				{ $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5
 $as_echo "yes" >&6; }
+				SSL_OBJS="ssl.o"
 
 
 else
@@ -7713,10 +7739,56 @@ rm -f core conftest.err conftest.$ac_objext \
 
 	if test x$found_ssl = xyes -a x$need_dh = xyes; then
 
-		# Find the openssl program
+		cat confdefs.h - <<_ACEOF >conftest.$ac_ext
+/* end confdefs.h.  */
+
+				#include <stdio.h>
+				#include <${SSL_INC_PREFIX}${SSL_HDR}>
 
-		if test x$need_dh = xyes; then
-			# Extract the first word of "openssl", so it can be a program name with args.
+int
+main (void)
+{
+
+				#ifdef OPENSSL_VERSION_MAJOR
+					printf("%i %i", OPENSSL_VERSION_MAJOR, OPENSSL_VERSION_MINOR);
+				#else
+					printf("%i %i", (int)((OPENSSL_VERSION_NUMBER >> 28) & 0x0f), (int)((OPENSSL_VERSION_NUMBER >> 20) & 0xff));
+				#endif
+
+  ;
+  return 0;
+}
+_ACEOF
+if ac_fn_c_try_link "$LINENO"; then :
+
+				nagios_ssl_version=$(./conftest$EXEEXT)
+				SSL_MAJOR=$(echo $nagios_ssl_version | cut -d' ' -f1)
+				SSL_MINOR=$(echo $nagios_ssl_version | cut -d' ' -f2)
+
+else
+  as_fn_error $? "Failed to detect OpenSSL version!" "$LINENO" 5
+fi
+rm -f core conftest.err conftest.$ac_objext \
+    conftest$ac_exeext conftest.$ac_ext
+
+		if test x$auto_dh = xyes -a $SSL_MAJOR -lt 1 -o \( $SSL_MAJOR -eq 1 -a $SSL_MINOR -lt 1 \); then
+			# auto_dh not available before v1.1.0
+			auto_dh=no
+		fi
+
+		if test x$auto_dh = xyes; then
+			$as_echo "#define AUTO_SSL_DH 1" >>confdefs.h
+
+		fi
+
+
+
+		if test x$need_dh = xyes ; then
+			if test x$auto_dh = xno ; then
+				if test $SSL_MAJOR -lt 3 ; then
+					# Find the openssl program
+					# Only need openssl binary if we're not using auto or using version less than 3.0
+					# Extract the first word of "openssl", so it can be a program name with args.
 set dummy openssl; ac_word=$2
 { $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5
 $as_echo_n "checking for $ac_word... " >&6; }
@@ -7729,7 +7801,7 @@ else
   ;;
   *)
   as_save_IFS=$IFS; IFS=$PATH_SEPARATOR
-for as_dir in $ssl_dir/sbin$PATH_SEPARATOR$ssl_dir/bin$PATH_SEPARATOR$PATH
+for as_dir in ${ssldir}/sbin${PATH_SEPARATOR}${ssldir}/bin${PATH_SEPARATOR}${PATH}
 do
   IFS=$as_save_IFS
   test -z "$as_dir" && as_dir=.
@@ -7757,31 +7829,19 @@ $as_echo "no" >&6; }
 fi
 
 
-			$as_echo "#define USE_SSL_DH 1" >>confdefs.h
-
-			# Generate DH parameters
-			if test -f "$sslbin"; then
-				echo ""
-				echo "*** Generating DH Parameters for SSL/TLS ***"
-				# OpenSSL 3 removes dhparam -C
-				# check version and use our own parser if needed
-				nagios_ssl_major_version=`$sslbin version | cut -d' ' -f2 | cut -d. -f1`
-
-				test -d include || mkdir include
-				if test "x$nagios_ssl_major_version" = "x3"; then
 
-cat >>confdefs.h <<_ACEOF
-#define OPENSSL_V3 1
-_ACEOF
+					SSL_DH_HEADER_MAKE=${SSL_DH_HEADER_MAKE_OLD}
 
-					test -d src || mkdir src
-					$CC ${srcdir}/src/print_c_code.c -o src/print_c_code
-					$sslbin dhparam -text 2048 | ./src/print_c_code > include/dh.h
 				else
-					# awk to strip off meta data at bottom of dhparam output
-					$sslbin dhparam -C 2048 | awk '/^-----/ {exit} {print}' > include/dh.h
+					SSL_DH_HEADER_MAKE=${SSL_DH_HEADER_MAKE_NEW}
+
 				fi
+
+				SSL_DH_HEADER=../include/dh.h
+
 			fi
+			$as_echo "#define USE_SSL_DH 1" >>confdefs.h
+
 		fi
 	fi
 fi

+ 1 - 4
include/common.h.in

@@ -29,15 +29,12 @@
 #define SSL_TYPE_@SSL_TYPE@
 
 #ifdef HAVE_SSL
-#ifdef OPENSSL_V3
-# define OPENSSL_API_COMPAT 10002
-# define OPENSSL_NO_DEPRECATED
-#endif
 #include <@SSL_INC_PREFIX@@SSL_HDR@>
 # ifdef SSL_TYPE_openssl
 #  include <@SSL_INC_PREFIX@err.h>
 #  include <@SSL_INC_PREFIX@rand.h>
 #  include <@SSL_INC_PREFIX@engine.h>
+#  include <@SSL_INC_PREFIX@evp.h>
 # endif
 #endif
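Review bot: Removing the `OPENSSL_API_COMPAT` / `OPENSSL_NO_DEPRECATED` block while keeping `#  include <@SSL_INC_PREFIX@engine.h>` means that on OpenSSL 3, where the ENGINE API is deprecated, any remaining `ENGINE_*` call now compiles with deprecation warnings instead of being rejected; check_nrpe.c's setup_ssl drops its own ENGINE calls in this PR, but the new ssl.c is not in view. If ssl.c no longer uses the ENGINE API, drop the engine.h include here as well; otherwise keep the compat guard so the deprecated usage stays visible.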
 

+ 3 - 0
include/config.h.in

@@ -97,6 +97,9 @@
 /* Set to 1 to use SSL DH */
 #undef USE_SSL_DH
 
+/* Define to auto configure SSL DH parameters */
+#undef AUTO_SSL_DH
+
 /* stupid stuff for u_int32_t */
 #undef U_INT32_T_IS_USHORT
 #undef U_INT32_T_IS_UINT

+ 47 - 0
include/ssl.h

@@ -0,0 +1,47 @@
+/* SSL/TLS parameters */
+typedef enum _SSL_VER {
+	SSL_Ver_Invalid = 0, SSLv2 = 1, SSLv2_plus, SSLv3, SSLv3_plus,
+	TLSv1, TLSv1_plus, TLSv1_1, TLSv1_1_plus, TLSv1_2, TLSv1_2_plus, TLSv1_3, TLSv1_3_plus
+} SslVer;
+
+typedef enum _CLNT_CERTS {
+	ClntCerts_Unknown = 0, Ask_For_Cert = 1, Require_Cert = 2
+} ClntCerts;
+
+typedef enum _SSL_LOGGING {
+	SSL_NoLogging = 0, SSL_LogStartup = 1, SSL_LogIpAddr = 2,
+	SSL_LogVersion = 4, SSL_LogCipher = 8, SSL_LogIfClientCert = 16,
+	SSL_LogCertDetails = 32
+} SslLogging;
+
+typedef struct _SSL_PARMS {
+	char     *cert_file;
+	char     *cacert_file;
+	char     *privatekey_file;
+	char      cipher_list[MAX_FILENAME_LENGTH];
+	SslVer    ssl_proto_ver;
+	int       allowDH;
+	ClntCerts client_certs;
+	SslLogging log_opts;
+} SslParms;
+
+
+#ifdef HAVE_SSL
+# if (defined(__sun) && defined(SOLARIS_10)) || defined(_AIX) || defined(__hpux)
+extern SSL_METHOD *meth;
+# else
+extern const SSL_METHOD *meth;
+# endif
+extern SSL_CTX  *ctx;
+extern SslParms sslprm;
+#endif
+
+extern int       use_ssl;
+
+
+void ssl_initialize(void);
+void ssl_set_protocol_version(SslVer ssl_proto_ver, unsigned long *ssl_opts);
+void ssl_log_startup(int server);
+int ssl_load_certificates(void);
+int ssl_set_ciphers(void);
+int ssl_verify_callback_common(int preverify_ok, X509_STORE_CTX * ctx, int is_invalid);
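Review bot: The prototype `int ssl_verify_callback_common(int preverify_ok, X509_STORE_CTX * ctx, int is_invalid);` is outside the `#ifdef HAVE_SSL` block, yet `X509_STORE_CTX` only exists once common.h has pulled in the OpenSSL headers under that same macro, and check_nrpe.c now includes ssl.h unconditionally; a build configured without SSL will presumably fail on this line, so move it inside the `#ifdef HAVE_SSL` block (the other prototypes use only plain types and can stay). Its parameter is named `ctx`, the same name as the `extern SSL_CTX *ctx` declared a few lines above; `X509_STORE_CTX *store_ctx` avoids confusing the two. The header also has no include guard and relies on `MAX_FILENAME_LENGTH` from common.h without including it, so wrap the file in an include guard and either include common.h first or document that it must precede ssl.h.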

+ 85 - 40
macros/ax_nagios_get_ssl

@@ -53,17 +53,27 @@ try_pkg_config=1
 ssl_dir=
 ssl_inc_dir=
 ssl_lib_dir=
-SSL_INC_DIR=
 SSL_INC_PREFIX=
 SSL_HDR=
 SSL_LIB_DIR=
 
 AC_SUBST(HAVE_SSL)
 AC_SUBST(SSL_TYPE)
-AC_SUBST(SSL_INC_DIR)
 AC_SUBST(SSL_HDR)
 AC_SUBST(SSL_INC_PREFIX)
 AC_SUBST(SSL_LIB_DIR)
+AC_SUBST(SSL_DH_HEADER)
+AC_SUBST(SSL_OBJS)
+
+
+dnl Makefile for generating DH parameters, pre 3.0 and post 3.0
+SSL_DH_HEADER_MAKE_OLD="../include/dh.h:
+	\$(SSLBIN) dhparam -C 2048 | awk '/^-----/ {exit} {print}' > \@S|@@"
+SSL_DH_HEADER_MAKE_NEW="../include/dh.h: generate_dh_params
+	./generate_dh_params > \@S|@@
+
+generate_dh_params: \$(srcdir)/generate_dh_params.c
+	\$(CC) \$(CFLAGS) -o \@S|@@ \$(srcdir)/generate_dh_params.c \$(LDFLAGS)"
 
 
 # gnutls/openssl.h
@@ -86,6 +96,11 @@ AC_ARG_WITH([ssl-lib],
 	AS_HELP_STRING([--with-ssl-lib=DIR],[sets location of the SSL libraries]),
 	[ssl_lib_dir=$withval])
 
+AC_ARG_ENABLE([auto_dh],
+	AS_HELP_STRING([--disable-auto-dh],[disables using builtin DH parameters (if available) and generates custom parameters]),
+	auto_dh=no,
+	auto_dh=yes)
+
 if test x$ssl_inc_dir != x -o x$ssl_lib_dir != x; then
 	try_pkg_config=0
 fi
@@ -167,7 +182,9 @@ if test x$SSL_TYPE != xNONE; then
 	fi
 
 	# First, try using pkg_config
-	AC_CHECK_TOOL([PKG_CONFIG], [pkg-config])
+	if test $try_pkg_config -ne 0 ; then
+		AC_CHECK_TOOL([PKG_CONFIG], [pkg-config])
+	fi
 	if test x"$PKG_CONFIG" != x -a $try_pkg_config -ne 0 ; then
 		cflags=`$PKG_CONFIG $SSL_TYPE --cflags-only-I 2>/dev/null`
 		if test $? -eq 0; then
@@ -188,10 +205,17 @@ if test x$SSL_TYPE != xNONE; then
 				continue
 			fi
 			ssldir="$dir"
+			sslincdir="$dir"
+			if test -f "$dir/$SSL_INC_PREFIX/$SSL_HDR"; then
+				found_ssl=yes
+				CFLAGS="$CFLAGS -I$dir"
+				ssldir="$dir/.."
+				break
+			fi
 			if test -f "$dir/include/$SSL_INC_PREFIX/$SSL_HDR"; then
 				found_ssl=yes
-				CFLAGS="$CFLAGS -I$dir/include/$SSL_INC_PREFIX -I$ssldir/include"
-				SSL_INC_DIR="$dir/include/$SSL_INC_PREFIX"
+				CFLAGS="$CFLAGS -I$dir/include"
+				sslincdir="$dir/include"
 				break
 			fi
 			if test -f "$dir/include/$SSL_HDR"; then
@@ -200,21 +224,13 @@ if test x$SSL_TYPE != xNONE; then
 					SSL_INC_PREFIX=""
 				fi
 				CFLAGS="$CFLAGS -I$dir/include"
-				SSL_INC_DIR="$dir/include"
+				sslincdir="$dir/include"
 				break
 			fi
 			if test -f "$dir/$SSL_HDR"; then
 				found_ssl=yes
 				SSL_INC_PREFIX=""
 				CFLAGS="$CFLAGS -I$dir"
-				SSL_INC_DIR="$dir"
-				break
-			fi
-			if test -f "$dir/$SSL_INC_PREFIX/$SSL_HDR"; then
-				found_ssl=yes
-				CFLAGS="$CFLAGS -I$dir/$SSL_INC_PREFIX"
-				SSL_INC_DIR="$dir/$SSL_INC_PREFIX"
-				ssldir="$dir/.."
 				break
 			fi
 		done
@@ -222,7 +238,7 @@ if test x$SSL_TYPE != xNONE; then
 		if test x_$found_ssl != x_yes; then
 			AC_MSG_ERROR(Cannot find ssl headers)
 		else
-			AC_MSG_RESULT(found in $ssldir)
+			AC_MSG_RESULT(found in $sslincdir)
 
 			# Now try and find SSL libraries
 
@@ -241,13 +257,18 @@ if test x$SSL_TYPE != xNONE; then
 			elif test "`uname -s`" = "AIX" ; then
 				soext="a"
 			else
-				soext="so"
+				soext="so a"
 			fi
 
 			for dir in $ssl_lib_dirs; do
-				if test -f "$dir/$ssl_lib.$soext"; then
-					found_ssl=yes
-					SSL_LIB_DIR="$dir"
+				for ext in $soext; do
+					if test -f "$dir/$ssl_lib.$ext"; then
+						found_ssl=yes
+						SSL_LIB_DIR="$dir"
+						break
+					fi
+				done
+				if test x_$found_ssl == x_yes; then
 					break
 				fi
 			done
@@ -257,7 +278,7 @@ if test x$SSL_TYPE != xNONE; then
 			else
 				AC_MSG_RESULT(found in $SSL_LIB_DIR)
 
-				LDFLAGS="$LDFLAGS -L$SSL_LIB_DIR";
+				LDFLAGS="$LDFLAGS -L$SSL_LIB_DIR -Wl,-rpath,$SSL_LIB_DIR";
 				LIBS="$LIBS -l`echo $ssl_lib | sed -e 's/^lib//'` -lcrypto";
 				AC_DEFINE_UNQUOTED(HAVE_SSL,[1],[Have SSL support])
 			fi
@@ -276,6 +297,7 @@ if test x$SSL_TYPE != xNONE; then
 			[AC_LANG_PROGRAM([#include <${SSL_INC_PREFIX}${SSL_HDR}>], [SSL_new(NULL)])],
 			[
 				AC_MSG_RESULT([yes])
+				SSL_OBJS="ssl.o"
 				$1
 			], [
 				AC_MSG_ERROR([no])
@@ -285,30 +307,53 @@ if test x$SSL_TYPE != xNONE; then
 
 	if test x$found_ssl = xyes -a x$need_dh = xyes; then
 
-		# Find the openssl program
+		AC_LINK_IFELSE([dnl
+			AC_LANG_PROGRAM(
+			[
+				#include <stdio.h>
+				#include <${SSL_INC_PREFIX}${SSL_HDR}>
+			],
+			[
+				#ifdef OPENSSL_VERSION_MAJOR
+					printf("%i %i", OPENSSL_VERSION_MAJOR, OPENSSL_VERSION_MINOR);
+				#else
+					printf("%i %i", (int)((OPENSSL_VERSION_NUMBER >> 28) & 0x0f), (int)((OPENSSL_VERSION_NUMBER >> 20) & 0xff));
+				#endif
+				])],
+			[
+				nagios_ssl_version=$(./conftest$EXEEXT)
+				SSL_MAJOR=$(echo $nagios_ssl_version | cut -d' ' -f1)
+				SSL_MINOR=$(echo $nagios_ssl_version | cut -d' ' -f2)
+			],
+			AC_MSG_ERROR(Failed to detect OpenSSL version!))
+
+		if test x$auto_dh = xyes -a $SSL_MAJOR -lt 1 -o \( $SSL_MAJOR -eq 1 -a $SSL_MINOR -lt 1 \); then
+			# auto_dh not available before v1.1.0
+			auto_dh=no
+		fi
 
-		if test x$need_dh = xyes; then
-			AC_PATH_PROG(sslbin,openssl,value-if-not-found,$ssl_dir/sbin$PATH_SEPARATOR$ssl_dir/bin$PATH_SEPARATOR$PATH)
-			AC_DEFINE(USE_SSL_DH)
-			# Generate DH parameters
-			if test -f "$sslbin"; then
-				echo ""
-				echo "*** Generating DH Parameters for SSL/TLS ***"
-				# OpenSSL 3 removes dhparam -C
-				# check version and use our own parser if needed
-				nagios_ssl_major_version=`$sslbin version | cut -d' ' -f2 | cut -d. -f1`
-
-				test -d include || mkdir include
-				if test "x$nagios_ssl_major_version" = "x3"; then
-					AC_DEFINE_UNQUOTED(OPENSSL_V3,[1],[Have OpenSSL v3])
-					test -d src || mkdir src
-					$CC ${srcdir}/src/print_c_code.c -o src/print_c_code
-					$sslbin dhparam -text 2048 | ./src/print_c_code > include/dh.h
+		if test x$auto_dh = xyes; then
+			AC_DEFINE(AUTO_SSL_DH)
+		fi
+
+
+		dnl Do the Makefile rules here to maintain compatibility and not rely on GNU Make
+
+		if test x$need_dh = xyes ; then
+			if test x$auto_dh = xno ; then
+				if test $SSL_MAJOR -lt 3 ; then
+					# Find the openssl program
+					# Only need openssl binary if we're not using auto or using version less than 3.0
+					AC_PATH_PROG(sslbin,openssl,value-if-not-found,${ssldir}/sbin${PATH_SEPARATOR}${ssldir}/bin${PATH_SEPARATOR}${PATH})
+
+					AC_SUBST(SSL_DH_HEADER_MAKE, ${SSL_DH_HEADER_MAKE_OLD})
 				else
-					# awk to strip off meta data at bottom of dhparam output
-					$sslbin dhparam -C 2048 | awk '/^-----/ {exit} {print}' > include/dh.h
+					AC_SUBST(SSL_DH_HEADER_MAKE, ${SSL_DH_HEADER_MAKE_NEW})
 				fi
+
+				AC_SUBST(SSL_DH_HEADER,../include/dh.h)
 			fi
+			AC_DEFINE(USE_SSL_DH)
 		fi
 	fi
 fi
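Review bot: `if test x_$found_ssl == x_yes; then` in the new library-search loop uses `==`, which POSIX `test` does not define; on a plain /bin/sh (dash, Solaris sh, the BSD shells this PR mentions) it is an error, the break is skipped, and SSL_LIB_DIR may end up as the last matching directory instead of the first, so write `if test x_$found_ssl = x_yes; then` — the generated configure carries the same line. The version probe uses AC_LINK_IFELSE and then runs `./conftest$EXEEXT` by hand, which breaks cross-compilation and, when the binary cannot run, leaves SSL_MAJOR empty so the later `test $SSL_MAJOR -lt 1` is a syntax error rather than a clean failure; AC_RUN_IFELSE with a cross-compiling fallback, or computing the version from OPENSSL_VERSION_NUMBER at compile time, would be safer. In `test x$auto_dh = xyes -a $SSL_MAJOR -lt 1 -o \( $SSL_MAJOR -eq 1 -a $SSL_MINOR -lt 1 \)`, `-a` binds tighter than `-o`, so the `auto_dh = yes` guard covers only the first disjunct; grouping both version terms in one parenthesised expression states the intent and avoids relying on the assignment being a harmless no-op.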

+ 18 - 7
src/Makefile.in

@@ -20,8 +20,6 @@ SOCKETLIBS=@SOCKETLIBS@
 LIBWRAPLIBS=@LIBWRAPLIBS@
 OTHERLIBS=@OTHERLIBS@
 
-CP=@CP@
-
 prefix=$(DESTDIR)@prefix@
 exec_prefix=$(DESTDIR)@exec_prefix@
 CFGDIR=$(DESTDIR)@pkgsysconfdir@
@@ -41,14 +39,27 @@ SRC_TMPFILE=@src_tmpfile@
 # Generated automatically from configure script
 SNPRINTF_O=@SNPRINTF_O@
 
+SSLBIN=@sslbin@
+SSL_DH_HEADER=@SSL_DH_HEADER@
+SSL_OBJS=@SSL_OBJS@
+
 
 all: nrpe check_nrpe
 
-nrpe: $(srcdir)/nrpe.c $(srcdir)/utils.c $(srcdir)/acl.c $(SRC_INCLUDE)/nrpe.h $(SRC_INCLUDE)/utils.h $(CFG_INCLUDE)/common.h $(CFG_INCLUDE)/config.h $(SRC_INCLUDE)/acl.h $(SNPRINTF_O)
-	$(CC) $(CFLAGS) -o $@ $(srcdir)/nrpe.c $(srcdir)/utils.c $(srcdir)/acl.c $(LDFLAGS) $(SOCKETLIBS) $(LIBWRAPLIBS) $(SNPRINTF_O) $(OTHERLIBS)
+nrpe: $(srcdir)/nrpe.c utils.o $(srcdir)/acl.c $(SRC_INCLUDE)/nrpe.h $(SRC_INCLUDE)/utils.h $(CFG_INCLUDE)/common.h $(CFG_INCLUDE)/config.h $(SRC_INCLUDE)/acl.h $(SNPRINTF_O) $(SSL_DH_HEADER) $(SSL_OBJS)
+	$(CC) $(CFLAGS) -o $@ $(srcdir)/nrpe.c utils.o $(SSL_OBJS) $(srcdir)/acl.c $(LDFLAGS) $(SOCKETLIBS) $(LIBWRAPLIBS) $(SNPRINTF_O) $(OTHERLIBS)
+
+check_nrpe: $(srcdir)/check_nrpe.c utils.o $(SRC_INCLUDE)/utils.h $(CFG_INCLUDE)/common.h $(CFG_INCLUDE)/config.h $(SSL_OBJS)
+	$(CC) $(CFLAGS) -o $@ $(srcdir)/check_nrpe.c utils.o $(SSL_OBJS) $(LDFLAGS) $(SOCKETLIBS) $(SNPRINTF_O) $(OTHERLIBS)
+
+utils.o: $(srcdir)/utils.c $(SRC_INCLUDE)/utils.h $(CFG_INCLUDE)/common.h $(CFG_INCLUDE)/config.h
+	$(CC) $(CFLAGS) -c -o $@ $(srcdir)/utils.c
+
+ssl.o: $(srcdir)/ssl.c $(SRC_INCLUDE)/ssl.h $(CFG_INCLUDE)/common.h $(CFG_INCLUDE)/config.h
+	$(CC) $(CFLAGS) -c -o $@ $(srcdir)/ssl.c
+
+@SSL_DH_HEADER_MAKE@
 
-check_nrpe: $(srcdir)/check_nrpe.c $(srcdir)/utils.c $(SRC_INCLUDE)/utils.h $(CFG_INCLUDE)/common.h $(CFG_INCLUDE)/config.h
-	$(CC) $(CFLAGS) -o $@ $(srcdir)/check_nrpe.c $(srcdir)/utils.c $(LDFLAGS) $(SOCKETLIBS) $(SNPRINTF_O) $(OTHERLIBS)
 
 install:
 	$(MAKE) install-plugin
@@ -77,7 +88,7 @@ install-uninstall:
 	$(INSTALL) -m 755 ../uninstall $(SBINDIR)/nrpe-uninstall
 
 clean:
-	rm -f core nrpe check_nrpe $(SNPRINTF_O)
+	rm -f core nrpe check_nrpe generate_dh_params utils.o ssl.o $(SNPRINTF_O) $(SSL_DH_HEADER)
 	rm -f *~ */*~
 	rm -rf nrpe.dSYM check_nrpe.dSYM
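Review bot: Neither the new `nrpe:` nor the `check_nrpe:` prerequisite list names `$(SRC_INCLUDE)/ssl.h`, although check_nrpe.c now includes it (and nrpe.c presumably does too), so a change to the new header rebuilds ssl.o but does not recompile the two programs that embed its struct layout; add `$(SRC_INCLUDE)/ssl.h` next to `$(SRC_INCLUDE)/utils.h` in both rules. The rule substituted via `@SSL_DH_HEADER_MAKE@` links generate_dh_params with `$(LDFLAGS)` alone; if that program calls libcrypto (its source is not in view) it needs the SSL libraries too, so confirm LDFLAGS carries them in this Makefile.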
 

+ 8 - 5
src/acl.c

@@ -32,9 +32,12 @@
  *
  ****************************************************************************/
 
-#include "../include/config.h"
-#include "../include/common.h"
-#include "../include/utils.h"
+#ifdef HAVE_CONFIG_H
+# include "config.h"
+#endif
+#include "common.h"
+#include "utils.h"
+#include "acl.h"
 
 #include <sys/types.h>
 #include <sys/socket.h>
@@ -49,7 +52,6 @@
 #include <netdb.h>
 #include <stdarg.h>
 
-#include "../include/acl.h"
 
 extern int debug;
 
@@ -464,7 +466,8 @@ int add_domain_to_acl(char *domain) {
                         logit(LOG_ERR,"Can't allocate memory for ACL, malloc error\n");
                         return 0;
                 }
-                strcpy(dns_acl_curr->domain, domain);
+                strncpy(dns_acl_curr->domain, domain, sizeof(dns_acl_curr->domain));
+				dns_acl_curr->domain[sizeof(dns_acl_curr->domain) - 1] = '\0';
                 dns_acl_curr->next = NULL;
 
                 if (dns_acl_head == NULL)
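Review bot: Replacing strcpy with `strncpy` plus the forced terminator stops the overflow but silently truncates an over-long domain, and a truncated ACL entry then matches a different, shorter name than the one the administrator configured; an ACL entry that cannot be stored exactly should be rejected. Since the allocation precedes this hunk, check the length before malloc: `if (strlen(domain) >= sizeof(dns_acl_curr->domain)) { logit(LOG_ERR, "ACL domain too long: %s\n", domain); return 0; }`, after which the copy can stay as written. The new terminator line is indented with tabs while the surrounding lines use spaces. add_domain_to_acl begins outside the hunk.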

+ 69 - 279
src/check_nrpe.c

@@ -36,9 +36,12 @@
  *
  ****************************************************************************/
 
-#include "config.h"
+#ifdef HAVE_CONFIG_H
+# include "config.h"
+#endif
 #include "common.h"
 #include "utils.h"
+#include "ssl.h"
 
 #define DEFAULT_NRPE_COMMAND "_NRPE_CHECK"	/* check version of NRPE daemon */
 
@@ -71,46 +74,15 @@ int force_v3_packet = 0;
 int payload_size = 0;
 extern char *log_file;
 
+
 #ifdef HAVE_SSL
-# if (defined(__sun) && defined(SOLARIS_10)) || defined(_AIX) || defined(__hpux)
-SSL_METHOD *meth;
-# else
-const SSL_METHOD *meth;
-# endif
-SSL_CTX *ctx;
 SSL *ssl;
-int use_ssl = TRUE;
 unsigned long ssl_opts = SSL_OP_ALL;
-#else
-int use_ssl = FALSE;
 #endif
-
-/* SSL/TLS parameters */
-typedef enum _SSL_VER {
-	SSL_Ver_Invalid = 0, SSLv2 = 1, SSLv2_plus, SSLv3, SSLv3_plus,
-	TLSv1, TLSv1_plus, TLSv1_1, TLSv1_1_plus, TLSv1_2, TLSv1_2_plus, TLSv1_3, TLSv1_3_plus
-} SslVer;
-
-typedef enum _CLNT_CERTS { Ask_For_Cert = 1, Require_Cert = 2 } ClntCerts;
-
-typedef enum _SSL_LOGGING {
-	SSL_NoLogging = 0, SSL_LogStartup = 1, SSL_LogIpAddr = 2,
-	SSL_LogVersion = 4, SSL_LogCipher = 8, SSL_LogIfClientCert = 16,
-	SSL_LogCertDetails = 32,
-} SslLogging;
-
-struct _SSL_PARMS {
-	char *cert_file;
-	char *cacert_file;
-	char *privatekey_file;
-	char cipher_list[MAX_FILENAME_LENGTH];
-	SslVer ssl_proto_ver;
-	int allowDH;
-	ClntCerts client_certs;
-	SslLogging log_opts;
-} sslprm = {
-NULL, NULL, NULL, "", SSL_Ver_Invalid, -1, 0, SSL_NoLogging};
 int have_log_opts = FALSE;
+SslParms sslprm = {
+	NULL, NULL, NULL, "", SSL_Ver_Invalid, -1, 0, SSL_NoLogging
+};
 
 int process_arguments(int, char **, int);
 int read_config_file(char *);
@@ -527,7 +499,7 @@ int process_arguments(int argc, char **argv, int from_config_file)
 			if (i <= 0)
 				break;
 
-			strcat(query, "!");
+			strncat(query, "!", i);
 			strncat(query, argv[c], i);
 			query[sizeof(query) - 1] = '\x0';
 		}
@@ -742,8 +714,10 @@ void usage(int result)
 		printf("                              SSLv2     SSL v2 only\n");
 		printf("                              SSLv2+    SSL v2 or above\n");
 #endif
+#if OPENSSL_VERSION_NUMBER < 0x30000000
 		printf("                              SSLv3     SSL v3 only\n");
 		printf("                              SSLv3+    SSL v3 or above \n");
+#endif
 		printf("                              TLSv1     TLS v1 only\n");
 		printf("                              TLSv1+    TLS v1 or above (DEFAULT)\n");
 		printf("                              TLSv1.1   TLS v1.1 only\n");
@@ -797,236 +771,67 @@ void usage(int result)
 void setup_ssl()
 {
 #ifdef HAVE_SSL
-	int vrfy, x;
-
-	if (sslprm.log_opts & SSL_LogStartup) {
-		char *val;
+	int vrfy;
 
-		logit(LOG_INFO, "SSL Certificate File: %s", sslprm.cert_file ? sslprm.cert_file : "None");
-		logit(LOG_INFO, "SSL Private Key File: %s", sslprm.privatekey_file ? sslprm.privatekey_file : "None");
-		logit(LOG_INFO, "SSL CA Certificate File: %s", sslprm.cacert_file ? sslprm.cacert_file : "None");
-		logit(LOG_INFO, "SSL Cipher List: %s", sslprm.cipher_list);
-		logit(LOG_INFO, "SSL Allow ADH: %d", sslprm.allowDH);
-		logit(LOG_INFO, "SSL Log Options: 0x%02x", sslprm.log_opts);
-
-		switch (sslprm.ssl_proto_ver) {
-		case SSLv2:
-			val = "SSLv2";
-			break;
-		case SSLv2_plus:
-			val = "SSLv2 And Above";
-			break;
-		case SSLv3:
-			val = "SSLv3";
-			break;
-		case SSLv3_plus:
-			val = "SSLv3_plus And Above";
-			break;
-		case TLSv1:
-			val = "TLSv1";
-			break;
-		case TLSv1_plus:
-			val = "TLSv1_plus And Above";
-			break;
-		case TLSv1_1:
-			val = "TLSv1_1";
-			break;
-		case TLSv1_1_plus:
-			val = "TLSv1_1_plus And Above";
-			break;
-		case TLSv1_2:
-			val = "TLSv1_2";
-			break;
-		case TLSv1_2_plus:
-			val = "TLSv1_2_plus And Above";
-			break;
-		case TLSv1_3:
-			val = "TLSv1_3";
-			break;
-		case TLSv1_3_plus:
-			val = "TLSv1_3_plus And Above";
-			break;
-		default:
-			val = "INVALID VALUE!";
-			break;
-		}
-		logit(LOG_INFO, "SSL Version: %s", val);
-	}
+	if (sslprm.log_opts & SSL_LogStartup)
+		ssl_log_startup(FALSE);
 
 	/* initialize SSL */
-	if (use_ssl == TRUE) {
-		SSL_load_error_strings();
-		SSL_library_init();
-		ENGINE_load_builtin_engines();
-		RAND_set_rand_engine(NULL);
- 		ENGINE_register_all_complete();
-
-#if OPENSSL_VERSION_NUMBER >= 0x10100000
+	if (use_ssl == FALSE)
+		return;
 
-		meth = TLS_method();
+	ssl_initialize();
 
+#if OPENSSL_VERSION_NUMBER >= 0x10100000
+	meth = TLS_client_method();
 #else		/* OPENSSL_VERSION_NUMBER >= 0x10100000 */
-
-		meth = SSLv23_client_method();
-
+	meth = SSLv23_client_method();
 # ifndef OPENSSL_NO_SSL2
-		if (sslprm.ssl_proto_ver == SSLv2)
-			meth = SSLv2_client_method();
+	if (sslprm.ssl_proto_ver == SSLv2)
+		meth = SSLv2_client_method();
 # endif
 # ifndef OPENSSL_NO_SSL3
-		if (sslprm.ssl_proto_ver == SSLv3)
-			meth = SSLv3_client_method();
+	if (sslprm.ssl_proto_ver == SSLv3)
+		meth = SSLv3_client_method();
 # endif
-		if (sslprm.ssl_proto_ver == TLSv1)
-			meth = TLSv1_client_method();
+	if (sslprm.ssl_proto_ver == TLSv1)
+		meth = TLSv1_client_method();
 # ifdef SSL_TXT_TLSV1_1
-		if (sslprm.ssl_proto_ver == TLSv1_1)
-			meth = TLSv1_1_client_method();
+	if (sslprm.ssl_proto_ver == TLSv1_1)
+		meth = TLSv1_1_client_method();
 #  ifdef SSL_TXT_TLSV1_2
-		if (sslprm.ssl_proto_ver == TLSv1_2)
-			meth = TLSv1_2_client_method();
-#  ifdef SSL_TXT_TLSV1_3
-		if (sslprm.ssl_proto_ver == TLSv1_3)
-			meth = TLSv1_3_client_method();
-#  endif	/* ifdef SSL_TXT_TLSV1_3 */
+	if (sslprm.ssl_proto_ver == TLSv1_2)
+		meth = TLSv1_2_client_method();
+#   ifdef SSL_TXT_TLSV1_3
+	if (sslprm.ssl_proto_ver == TLSv1_3)
+		meth = TLSv1_3_client_method();
+#   endif	/* ifdef SSL_TXT_TLSV1_3 */
 #  endif	/* ifdef SSL_TXT_TLSV1_2 */
 # endif	/* ifdef SSL_TXT_TLSV1_1 */
 
 #endif		/* OPENSSL_VERSION_NUMBER >= 0x10100000 */
 
-		if ((ctx = SSL_CTX_new(meth)) == NULL) {
-			printf("CHECK_NRPE: Error - could not create SSL context.\n");
-			exit(timeout_return_code);
-		}
-
-#if OPENSSL_VERSION_NUMBER >= 0x10100000
-
-	SSL_CTX_set_max_proto_version(ctx, 0);
-
-	switch(sslprm.ssl_proto_ver) {
-		case TLSv1_3:
-#if OPENSSL_VERSION_NUMBER >= 0x10101000
-			SSL_CTX_set_max_proto_version(ctx, TLS1_3_VERSION);
-#endif
-		case TLSv1_3_plus:
-#if OPENSSL_VERSION_NUMBER >= 0x10101000
-			SSL_CTX_set_min_proto_version(ctx, TLS1_3_VERSION);
-			break;
-#endif
-
-		case TLSv1_2:
-			SSL_CTX_set_max_proto_version(ctx, TLS1_2_VERSION);
-		case TLSv1_2_plus:
-			SSL_CTX_set_min_proto_version(ctx, TLS1_2_VERSION);
-			break;
-
-		case TLSv1_1:
-			SSL_CTX_set_max_proto_version(ctx, TLS1_1_VERSION);
-		case TLSv1_1_plus:
-			SSL_CTX_set_min_proto_version(ctx, TLS1_1_VERSION);
-			break;
-
-		case TLSv1:
-			SSL_CTX_set_max_proto_version(ctx, TLS1_VERSION);
-		case TLSv1_plus:
-			SSL_CTX_set_min_proto_version(ctx, TLS1_VERSION);
-			break;
-
-		case SSLv3:
-			SSL_CTX_set_max_proto_version(ctx, SSL3_VERSION);
-		case SSLv3_plus:
-			SSL_CTX_set_min_proto_version(ctx, SSL3_VERSION);
-			break;
+	if ((ctx = SSL_CTX_new(meth)) == NULL) {
+		printf("CHECK_NRPE: Error - could not create SSL context.\n");
+		exit(timeout_return_code);
 	}
 
-#else		/* OPENSSL_VERSION_NUMBER >= 0x10100000 */
-
-		switch(sslprm.ssl_proto_ver) {
-			case SSLv2:
-			case SSLv2_plus:
-				break;
-			case TLSv1_3:
-			case TLSv1_3_plus:
-#ifdef SSL_OP_NO_TLSv1_2
-				ssl_opts |= SSL_OP_NO_TLSv1_2;
-#endif
-			case TLSv1_2:
-			case TLSv1_2_plus:
-				ssl_opts |= SSL_OP_NO_TLSv1_1;
-			case TLSv1_1:
-			case TLSv1_1_plus:
-				ssl_opts |= SSL_OP_NO_TLSv1;
-			case TLSv1:
-			case TLSv1_plus:
-				ssl_opts |= SSL_OP_NO_SSLv3;
-			case SSLv3:
-			case SSLv3_plus:
-				ssl_opts |= SSL_OP_NO_SSLv2;
-				break;
-		}
-
-#endif		/* OPENSSL_VERSION_NUMBER >= 0x10100000 */
-
-		SSL_CTX_set_options(ctx, ssl_opts);
-
-		if (sslprm.cert_file != NULL && sslprm.privatekey_file != NULL) {
-			if (!SSL_CTX_use_certificate_chain_file(ctx, sslprm.cert_file)) {
-				printf("Error: could not use certificate file '%s'.\n", sslprm.cert_file);
-				while ((x = ERR_get_error_line_data(NULL, NULL, NULL, NULL)) != 0) {
-					printf("Error: could not use certificate file '%s': %s\n", sslprm.cert_file, ERR_reason_error_string(x));
-				}
-				SSL_CTX_free(ctx);
-				exit(timeout_return_code);
-			}
-			if (!SSL_CTX_use_PrivateKey_file(ctx, sslprm.privatekey_file, SSL_FILETYPE_PEM)) {
-				SSL_CTX_free(ctx);
-				printf("Error: could not use private key file '%s'.\n", sslprm.privatekey_file);
-				while ((x = ERR_get_error_line_data(NULL, NULL, NULL, NULL)) != 0) {
-					printf("Error: could not use private key file '%s': %s\n", sslprm.privatekey_file, ERR_reason_error_string(x));
-				}
-				SSL_CTX_free(ctx);
-				exit(timeout_return_code);
-			}
-		}
+	ssl_set_protocol_version(sslprm.ssl_proto_ver, &ssl_opts);
+	SSL_CTX_set_options(ctx, ssl_opts);
 
-		if (sslprm.cacert_file != NULL) {
-			vrfy = SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT;
-			SSL_CTX_set_verify(ctx, vrfy, verify_callback);
-			if (!SSL_CTX_load_verify_locations(ctx, sslprm.cacert_file, NULL)) {
-				printf("Error: could not use CA certificate '%s'.\n", sslprm.cacert_file);
-				while ((x = ERR_get_error_line_data(NULL, NULL, NULL, NULL)) != 0) {
-					printf("Error: could not use CA certificate '%s': %s\n", sslprm.privatekey_file, ERR_reason_error_string(x));
-				}
-				SSL_CTX_free(ctx);
-				exit(timeout_return_code);
-			}
-		}
+	if (!ssl_load_certificates()) {
+		SSL_CTX_free(ctx);
+		exit(timeout_return_code);
+	}
 
-		if (!sslprm.allowDH) {
-			if (strlen(sslprm.cipher_list) < sizeof(sslprm.cipher_list) - 6) {
-				strcat(sslprm.cipher_list, ":!ADH");
-				if (sslprm.log_opts & SSL_LogStartup)
-					logit(LOG_INFO, "New SSL Cipher List: %s", sslprm.cipher_list);
-			}
-		} else {
-			/* use anonymous DH ciphers */
-			if (sslprm.allowDH == 2) {
-#if OPENSSL_VERSION_NUMBER >= 0x10100000
-				strncpy(sslprm.cipher_list, "ADH@SECLEVEL=0", MAX_FILENAME_LENGTH - 1);
-#else
-				strncpy(sslprm.cipher_list, "ADH", MAX_FILENAME_LENGTH - 1);
-#endif
-			}
-		}
+	if (sslprm.cacert_file != NULL) {
+		vrfy = SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT;
+		SSL_CTX_set_verify(ctx, vrfy, verify_callback);
+	}
 
-		if (SSL_CTX_set_cipher_list(ctx, sslprm.cipher_list) == 0) {
-			printf("Error: Could not set SSL/TLS cipher list: %s\n", sslprm.cipher_list);
-			while ((x = ERR_get_error_line_data(NULL, NULL, NULL, NULL)) != 0) {
-				printf("Could not set SSL/TLS cipher list '%s': %s\n", sslprm.cipher_list, ERR_reason_error_string(x));
-			}
-			SSL_CTX_free(ctx);
-			exit(timeout_return_code);
-		}
+	if (!ssl_set_ciphers()) {
+		SSL_CTX_free(ctx);
+		exit(timeout_return_code);
 	}
 #endif
 }
@@ -1053,10 +858,13 @@ void set_sig_handlers()
 
 int connect_to_remote()
 {
+#ifdef HAVE_SSL
+	int rc, ssl_err, ern, x, nerrs = 0;
+#endif
 	struct sockaddr_storage addr;
 	struct in_addr *inaddr;
 	socklen_t addrlen;
-	int result, rc, ssl_err, ern, x, nerrs = 0;
+	int result;
 
 	/* try to connect to the host at the given port number */
 	if ((sd = my_connect(server_name, &hostaddr, server_port, address_family, bind_address, stderr_to_stdout)) < 0)
@@ -1064,7 +872,7 @@ int connect_to_remote()
 
 	result = STATE_OK;
 	addrlen = sizeof(addr);
-	rc = getpeername(sd, (struct sockaddr *)&addr, &addrlen);
+	getpeername(sd, (struct sockaddr *)&addr, &addrlen);
 	if (addr.ss_family == AF_INET) {
 		struct sockaddr_in *addrin = (struct sockaddr_in *)&addr;
 		inaddr = &addrin->sin_addr;
@@ -1095,15 +903,15 @@ int connect_to_remote()
 
 		if (sslprm.log_opts & (SSL_LogCertDetails | SSL_LogIfClientCert)) {
 			rc = 0;
-			while ((x = ERR_get_error_line_data(NULL, NULL, NULL, NULL)) != 0) {
-				logit(LOG_ERR, "Error: (ERR_get_error_line_data = %d), Could not complete SSL handshake with %s: %s", x, rem_host, ERR_reason_error_string(x));
+			while ((x = ERR_get_error()) != 0) {
+				logit(LOG_ERR, "Error: (ERR_get_error = 0x%08x), Could not complete SSL handshake with %s: %s", x, rem_host, ERR_reason_error_string(x));
 				++nerrs;
 			}
 			if (nerrs == 0) {
 				logit(LOG_ERR, "Error: (nerrs = 0) Could not complete SSL handshake with %s: rc=%d SSL-error=%d", rem_host, rc, ssl_err);
 			}
 		} else {
-			while ((x = ERR_get_error_line_data(NULL, NULL, NULL, NULL)) != 0) {
+			while ((x = ERR_get_error()) != 0) {
 				logit(LOG_ERR, "Error: (!log_opts) Could not complete SSL handshake with %s: %s", rem_host, ERR_reason_error_string(x));
 				++nerrs;
 			}
@@ -1215,10 +1023,10 @@ int send_request()
 		v2_send_packet->crc32_value = htonl(calculated_crc32);
 
 	} else {
-
-		pkt_size = (sizeof(v3_packet) - NRPE_V4_PACKET_SIZE_OFFSET) + strlen(query) + 1;
+		int query_len = strlen(query);
+		pkt_size = (sizeof(v3_packet) - NRPE_V4_PACKET_SIZE_OFFSET) + query_len + 1;
 		if (packet_ver == NRPE_PACKET_VERSION_3) {
-			pkt_size = (sizeof(v3_packet) - NRPE_V3_PACKET_SIZE_OFFSET) + strlen(query) + 1;
+			pkt_size = (sizeof(v3_packet) - NRPE_V3_PACKET_SIZE_OFFSET) + query_len + 1;
 		}
 		if (pkt_size < sizeof(v2_packet)) {
 			pkt_size = sizeof(v2_packet);
@@ -1233,7 +1041,7 @@ int send_request()
 		v3_send_packet->buffer_length = pkt_size - sizeof(v3_packet);
 		v3_send_packet->buffer_length += (packet_ver == NRPE_PACKET_VERSION_4 ? NRPE_V4_PACKET_SIZE_OFFSET : NRPE_V3_PACKET_SIZE_OFFSET);
 		v3_send_packet->buffer_length = htonl(v3_send_packet->buffer_length);
-		strcpy(&v3_send_packet->buffer[0], query);
+		memcpy(&v3_send_packet->buffer[0], query, query_len + 1);
 
 		/* calculate the crc 32 value of the packet */
 		v3_send_packet->crc32_value = 0;
@@ -1244,7 +1052,9 @@ int send_request()
 	/* send the request to the remote */
 	bytes_to_send = pkt_size;
 
+#ifdef HAVE_SSL
 	if (use_ssl == FALSE)
+#endif
 		rc = sendall(sd, (char *)send_pkt, &bytes_to_send);
 #ifdef HAVE_SSL
 	else {
@@ -1411,8 +1221,11 @@ int read_response()
 
 int read_packet(int sock, void *ssl_ptr, v2_packet ** v2_pkt, v3_packet ** v3_pkt)
 {
+#ifdef HAVE_SSL
+	int32_t bytes_read = 0;
+#endif
 	v2_packet	packet;
-	int32_t pkt_size, common_size, tot_bytes, bytes_to_recv, buffer_size, bytes_read = 0;
+	int32_t pkt_size, common_size, tot_bytes, bytes_to_recv, buffer_size;
 	int rc;
 	char *buff_ptr;
 
@@ -1625,30 +1438,7 @@ int read_packet(int sock, void *ssl_ptr, v2_packet ** v2_pkt, v3_packet ** v3_pk
 #ifdef HAVE_SSL
 int verify_callback(int preverify_ok, X509_STORE_CTX * ctx)
 {
-	char name[256], issuer[256];
-	X509 *err_cert;
-	int err;
-	SSL *ssl;
-
-	if (preverify_ok || ((sslprm.log_opts & SSL_LogCertDetails) == 0))
-		return preverify_ok;
-
-	err_cert = X509_STORE_CTX_get_current_cert(ctx);
-	err = X509_STORE_CTX_get_error(ctx);
-
-	/* Get the pointer to the SSL of the current connection */
-	ssl = X509_STORE_CTX_get_ex_data(ctx, SSL_get_ex_data_X509_STORE_CTX_idx());
-
-	X509_NAME_oneline(X509_get_subject_name(err_cert), name, 256);
-	X509_NAME_oneline(X509_get_issuer_name(err_cert), issuer, 256);
-
-	if (!preverify_ok && sslprm.client_certs >= Ask_For_Cert
-		&& (sslprm.log_opts & SSL_LogCertDetails)) {
-		
-		logit(LOG_ERR, "SSL Client has an invalid certificate: %s (issuer=%s) err=%d:%s", name, issuer, err, X509_verify_cert_error_string(err));
-	}
-
-	return preverify_ok;
+	return ssl_verify_callback_common(preverify_ok, ctx, !preverify_ok && sslprm.client_certs >= Ask_For_Cert);
 }
 #endif
 

+ 162 - 0
src/generate_dh_params.c

@@ -0,0 +1,162 @@
+/* generate_dh_params.c - Generate DH parameters using OpenSSL 3+ API */
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+
+#include <openssl/ssl.h>
+
+static int gendh_cb(EVP_PKEY_CTX *ctx);
+static EVP_PKEY *generate_key(void);
+static int print_bn(EVP_PKEY *res, const char *name);
+
+int main(void)
+{
+	EVP_PKEY *key;
+
+	key = generate_key();
+	if (!key)
+		return 1;
+
+	printf("EVP_PKEY *get_dh2048_key(void)\n{\n");
+
+	if (!print_bn(key, "p"))
+		return 1;
+	if (!print_bn(key, "g"))
+		return 1;
+#if 0
+	printf(
+		"#ifndef OPENSSL_CORE_H\n"
+		"# include <openssl/core.h>\n"
+		"#endif\n"
+		"#ifndef OPENSSL_EVP_H\n"
+		"# include <openssl/evp.h>\n"
+		"#endif\n"
+	);
+#endif
+	printf(
+		"\tEVP_PKEY_CTX *ctx = NULL;\n"
+		"\tEVP_PKEY *key = NULL;\n"
+		"\tOSSL_PARAM params[] = {\n"
+		"\t\tOSSL_PARAM_BN(\"p\", dh2048_p, sizeof(dh2048_p)),\n"
+		"\t\tOSSL_PARAM_BN(\"g\", dh2048_g, sizeof(dh2048_g)),\n"
+		"\t\tOSSL_PARAM_END\n"
+		"\t};\n\n"
+		"\tctx = EVP_PKEY_CTX_new_id(EVP_PKEY_DH, NULL);\n"
+		"\tif (ctx == NULL)\n"
+		"\t\treturn NULL;\n"
+		"\tif (EVP_PKEY_fromdata_init(ctx))\n"
+		"\t\tEVP_PKEY_fromdata(ctx, &key, EVP_PKEY_KEY_PARAMETERS, params);\n"
+		"\t\n"
+		"\tEVP_PKEY_CTX_free(ctx);\n"
+		"\treturn key;\n"
+		"}\n"
+	);
+
+	return 0;
+}
+
+static EVP_PKEY *generate_key(void)
+{
+	int rc;
+	EVP_PKEY_CTX *ctx;
+	EVP_PKEY *res = NULL;
+
+	ctx = EVP_PKEY_CTX_new_from_name(NULL, "DH", NULL);
+	if (ctx == NULL)
+	{
+		fprintf(stderr, "Failed EVP_PKEY_CTX_new_from_name\n");
+		return NULL;
+	}
+
+	EVP_PKEY_CTX_set_cb(ctx, gendh_cb);
+
+	rc = EVP_PKEY_paramgen_init(ctx);
+	if (rc == 0)
+	{
+		fprintf(stderr, "Failed EVP_PKEY_paramgen_init\n");
+		return NULL;
+	}
+	rc = EVP_PKEY_CTX_set_dh_paramgen_prime_len(ctx, 2048);
+	if (rc == 0)
+	{
+		fprintf(stderr, "Failed EVP_PKEY_CTX_set_dh_paramgen_prime_len\n");
+		return NULL;
+	}
+	rc = EVP_PKEY_CTX_set_dh_paramgen_generator(ctx, 2);
+	if (rc == 0)
+	{
+		fprintf(stderr, "Failed EVP_PKEY_CTX_set_dh_paramgen_generator\n");
+		return NULL;
+	}
+
+	fprintf(stderr, "*** Generating DH Parameters for SSL/TLS (may take some time) ***:\n");
+	rc = EVP_PKEY_paramgen(ctx, &res);
+	fprintf(stderr, "\n");
+	if (rc == 0)
+	{
+		fprintf(stderr, "Failed EVP_PKEY_paramgen\n");
+		return NULL;
+	}
+
+	EVP_PKEY_CTX_free(ctx);
+	return res;
+}
+
+static int print_bn(EVP_PKEY *res, const char *name)
+{
+	int rc;
+	int i;
+	int size;
+	BIGNUM *bn = NULL;
+	unsigned char buffer[512];
+
+	rc = EVP_PKEY_get_bn_param(res, name, &bn);
+	if (rc == 0)
+	{
+		fprintf(stderr, "Failed EVP_PKEY_get_bn_param\n");
+		return 0;
+	}
+
+	rc = BN_bn2nativepad(bn, buffer, sizeof(buffer));
+	if (rc < 0)
+	{
+		fprintf(stderr, "Failed BN_bn2nativepad\n");
+		return 0;
+	}
+
+	size = BN_num_bytes(bn);
+
+	printf("\tstatic unsigned char dh2048_%s[]={\n\t\t", name);
+
+	for (i = 0; i < size; i += 16)
+	{
+		int j;
+		for (j = 0; j < 16 && i+j < size; j++)
+		{
+			printf("0x%02x", buffer[i+j]);
+			if (i+j < size - 1)
+				putchar(',');
+		}
+
+		if (i+j < size)
+			printf("\n\t\t");
+	}
+	printf("\n\t};\n");
+
+	BN_free(bn);
+	return 1;
+}
+
+static int gendh_cb(EVP_PKEY_CTX *ctx)
+{
+	static const char symbols[] = ".+*\n";
+	int p = EVP_PKEY_CTX_get_keygen_info(ctx, 0);
+	if (p)
+	{
+		char c = (p >= 0 && (size_t)p < sizeof(symbols) - 1) ? symbols[p] : '?';
+		fputc(c, stderr);
+		fflush(stderr);
+	}
+	return 1;
+}
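Review bot: print_bn pads the BIGNUM to the whole 512-byte buffer with `BN_bn2nativepad(bn, buffer, sizeof(buffer))` and then prints only the first `BN_num_bytes(bn)` bytes, which yields the significant bytes on little-endian hosts only; on a big-endian host the native form is the left-zero-padded BN_bn2binpad layout, so a 256-byte p would be emitted as 256 zero bytes (if I read the padding rules correctly). Computing `size` before the conversion and passing `tolen == size` makes the output exact on both byte orders and also lets the function reject a BIGNUM larger than the buffer instead of truncating it silently. The bn is also leaked on the `BN_bn2nativepad` failure path. Separately, every error return in generate_key after `EVP_PKEY_CTX_new_from_name` succeeds (paramgen_init, prime_len, generator, paramgen) leaves ctx unfreed; a single `goto out` cleanup label covering `EVP_PKEY_CTX_free(ctx)` would fix all four.
```c
static int print_bn(EVP_PKEY *res, const char *name)
{
	/* … unchanged: declarations and EVP_PKEY_get_bn_param … */

	size = BN_num_bytes(bn);
	if ((size_t)size > sizeof(buffer))
	{
		fprintf(stderr, "BIGNUM %s is larger than %zu bytes\n", name, sizeof(buffer));
		BN_free(bn);
		return 0;
	}

	/* tolen == size: no padding, so the first size bytes are the value in native order on any host */
	rc = BN_bn2nativepad(bn, buffer, size);
	if (rc < 0)
	{
		fprintf(stderr, "Failed BN_bn2nativepad\n");
		BN_free(bn);
		return 0;
	}

	/* … unchanged: hex output loop and BN_free … */
```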

+ 62 - 285
src/nrpe.c

@@ -34,15 +34,18 @@
  *
  ****************************************************************************/
 
-#include "config.h"
+#ifdef HAVE_CONFIG_H
+# include "config.h"
+#endif
 #include "common.h"
 #include "nrpe.h"
 #include "utils.h"
 #include "acl.h"
+#include "ssl.h"
 
 #ifdef HAVE_SSL
-# ifdef USE_SSL_DH
-#  include "../include/dh.h"
+# if defined(USE_SSL_DH) && !defined(AUTO_SSL_DH)
+#  include "dh.h"
 # endif
 #endif
 
@@ -58,17 +61,6 @@ int       rfc931_timeout=15;
 # endif
 #endif
 
-#ifdef HAVE_SSL
-# if (defined(__sun) && defined(SOLARIS_10)) || defined(_AIX) || defined(__hpux)
-SSL_METHOD *meth;
-# else
-const SSL_METHOD *meth;
-# endif
-SSL_CTX  *ctx;
-int       use_ssl = TRUE;
-#else
-int       use_ssl = FALSE;
-#endif
 
 #define DEFAULT_COMMAND_TIMEOUT			60	/* default timeout for execution of plugins */
 #define MAXFD							64
@@ -122,32 +114,8 @@ int       listen_queue_size = DEFAULT_LISTEN_QUEUE_SIZE;
 char     *nasty_metachars = NULL;
 extern char *log_file;
 
-/* SSL/TLS parameters */
-typedef enum _SSL_VER {
-	SSLv2 = 1, SSLv2_plus, SSLv3, SSLv3_plus, TLSv1,
-	TLSv1_plus, TLSv1_1, TLSv1_1_plus, TLSv1_2, TLSv1_2_plus, TLSv1_3, TLSv1_3_plus
-} SslVer;
-
-typedef enum _CLNT_CERTS {
-	ClntCerts_Unknown = 0, Ask_For_Cert = 1, Require_Cert = 2
-} ClntCerts;
-
-typedef enum _SSL_LOGGING {
-	SSL_NoLogging = 0, SSL_LogStartup = 1, SSL_LogIpAddr = 2,
-	SSL_LogVersion = 4, SSL_LogCipher = 8, SSL_LogIfClientCert = 16,
-	SSL_LogCertDetails = 32
-} SslLogging;
-
-struct _SSL_PARMS {
-	char     *cert_file;
-	char     *cacert_file;
-	char     *privatekey_file;
-	char      cipher_list[MAX_FILENAME_LENGTH];
-	SslVer    ssl_proto_ver;
-	int       allowDH;
-	ClntCerts client_certs;
-	SslLogging log_opts;
-} sslprm = {
+
+SslParms sslprm = {
 #if OPENSSL_VERSION_NUMBER >= 0x10100000
 NULL, NULL, NULL, "ALL:!MD5:@STRENGTH:@SECLEVEL=0", TLSv1_plus, TRUE, 0, SSL_NoLogging
 #else
@@ -185,7 +153,7 @@ int main(int argc, char **argv)
 		buffer[sizeof(buffer) - 1] = '\x0';
 
 		/* get absolute path of current working directory */
-		strcpy(config_file, "");
+		config_file[0] = '\0';
 		if (getcwd(config_file, sizeof(config_file)) == NULL) {
 			printf("ERROR: getcwd(): %s, bailing out...\n", strerror(errno));
 			exit(STATE_CRITICAL);
@@ -262,9 +230,8 @@ int init(void)
 void init_ssl(void)
 {
 #ifdef HAVE_SSL
-	DH            *dh;
 	char          seedfile[FILENAME_MAX];
-	char          errstr[120] = { "" };
+	char          errstr[256] = { "" };
 	int           i, c, x, vrfy;
 	unsigned long ssl_opts = SSL_OP_ALL | SSL_OP_SINGLE_DH_USE;
 
@@ -286,16 +253,9 @@ void init_ssl(void)
 #endif
 
 	if (sslprm.log_opts & SSL_LogStartup)
-		log_ssl_startup();
-
-	/* initialize SSL */
-	SSL_load_error_strings();
-	SSL_library_init();
-	ENGINE_load_builtin_engines();
-	RAND_set_rand_engine(NULL);
- 	ENGINE_register_all_complete();
+		ssl_log_startup(TRUE);
 
-	meth = SSLv23_server_method();
+	ssl_initialize();
 
 	/* use week random seed if necessary */
 	if (allow_weak_random_seed && (RAND_status() == 0)) {
@@ -317,11 +277,9 @@ void init_ssl(void)
 	}
 
 #if OPENSSL_VERSION_NUMBER >= 0x10100000
-
-	meth = TLS_method();
-
+	meth = TLS_server_method();
 #else		/* OPENSSL_VERSION_NUMBER >= 0x10100000 */
-
+	meth = SSLv23_server_method();
 # ifndef OPENSSL_NO_SSL2
 	if (sslprm.ssl_proto_ver == SSLv2)
 		meth = SSLv2_server_method();
@@ -353,120 +311,15 @@ void init_ssl(void)
 			ERR_error_string(x, errstr);
 			logit(LOG_ERR, "Error: could not create SSL context : %s", errstr);
 		}
-		SSL_CTX_free(ctx);
 		exit(STATE_CRITICAL);
 	}
 
-#if OPENSSL_VERSION_NUMBER >= 0x10100000
-
-	SSL_CTX_set_max_proto_version(ctx, 0);
-
-	switch(sslprm.ssl_proto_ver) {
-		case TLSv1_3:
-#if OPENSSL_VERSION_NUMBER >= 0x10101000
-			SSL_CTX_set_max_proto_version(ctx, TLS1_3_VERSION);
-#endif
-		case TLSv1_3_plus:
-#if OPENSSL_VERSION_NUMBER >= 0x10101000
-			SSL_CTX_set_min_proto_version(ctx, TLS1_3_VERSION);
-			break;
-#endif
-
-		case TLSv1_2:
-			SSL_CTX_set_max_proto_version(ctx, TLS1_2_VERSION);
-		case TLSv1_2_plus:
-			SSL_CTX_set_min_proto_version(ctx, TLS1_2_VERSION);
-			break;
-
-		case TLSv1_1:
-			SSL_CTX_set_max_proto_version(ctx, TLS1_1_VERSION);
-		case TLSv1_1_plus:
-			SSL_CTX_set_min_proto_version(ctx, TLS1_1_VERSION);
-			break;
-
-		case TLSv1:
-			SSL_CTX_set_max_proto_version(ctx, TLS1_VERSION);
-		case TLSv1_plus:
-			SSL_CTX_set_min_proto_version(ctx, TLS1_VERSION);
-			break;
-
-		case SSLv3:
-			SSL_CTX_set_max_proto_version(ctx, SSL3_VERSION);
-		case SSLv3_plus:
-			SSL_CTX_set_min_proto_version(ctx, SSL3_VERSION);
-			break;
-	}
-
-#else		/* OPENSSL_VERSION_NUMBER >= 0x10100000 */
-
-	switch(sslprm.ssl_proto_ver) {
-		case SSLv2:
-		case SSLv2_plus:
-			break;
-		case TLSv1_3:
-		case TLSv1_3_plus:
-#ifdef SSL_OP_NO_TLSv1_2
-			ssl_opts |= SSL_OP_NO_TLSv1_2;
-#endif
-		case TLSv1_2:
-		case TLSv1_2_plus:
-			ssl_opts |= SSL_OP_NO_TLSv1_1;
-		case TLSv1_1:
-		case TLSv1_1_plus:
-			ssl_opts |= SSL_OP_NO_TLSv1;
-		case TLSv1:
-		case TLSv1_plus:
-			ssl_opts |= SSL_OP_NO_SSLv3;
-		case SSLv3:
-		case SSLv3_plus:
-			ssl_opts |= SSL_OP_NO_SSLv2;
-			break;
-	}
-
-#endif		/* OPENSSL_VERSION_NUMBER >= 0x10100000 */
-
+	ssl_set_protocol_version(sslprm.ssl_proto_ver, &ssl_opts);
 	SSL_CTX_set_options(ctx, ssl_opts);
 
-	if (sslprm.cacert_file != NULL) {
-		if (!SSL_CTX_load_verify_locations(ctx, sslprm.cacert_file, NULL)) {
-			while ((x = ERR_get_error_line_data(NULL, NULL, NULL, NULL)) != 0) {
-				logit(LOG_ERR, "Error: could not use CA certificate file '%s': %s\n",
-					   sslprm.cacert_file, ERR_reason_error_string(x));
-			}
-			SSL_CTX_free(ctx);
-			logit(LOG_ERR, "Error: could not use CA certificate '%s'", sslprm.cacert_file);
-			exit(STATE_CRITICAL);
-		}
-	}
-
-	if (sslprm.cert_file != NULL) {
-		if (!SSL_CTX_use_certificate_chain_file(ctx, sslprm.cert_file)) {
-			SSL_CTX_free(ctx);
-			while ((x = ERR_get_error()) != 0) {
-				ERR_error_string(x, errstr);
-				logit(LOG_ERR, "Error: could not use certificate file %s : %s",
-					   sslprm.cert_file, errstr);
-			}
-			exit(STATE_CRITICAL);
-		}
-		if (!SSL_CTX_use_PrivateKey_file(ctx, sslprm.privatekey_file, SSL_FILETYPE_PEM)) {
-			while ((x = ERR_get_error()) != 0) {
-				ERR_error_string(x, errstr);
-				logit(LOG_ERR, "Error: could not use private key file '%s' : %s",
-					 sslprm.privatekey_file, errstr);
-			}
-			SSL_CTX_free(ctx);
-			exit(STATE_CRITICAL);
-		}
-		if (!SSL_CTX_check_private_key(ctx)) {
-			while ((x = ERR_get_error()) != 0) {
-				ERR_error_string(x, errstr);
-				logit(LOG_ERR, "Error: could not use certificate/private key pair: %s",
-					 errstr);
-			}
-			SSL_CTX_free(ctx);
-			exit(STATE_CRITICAL);
-		}
+	if (!ssl_load_certificates()) {
+		SSL_CTX_free(ctx);
+		exit(STATE_CRITICAL);
 	}
 
 	if (sslprm.client_certs != 0) {
@@ -483,29 +336,28 @@ void init_ssl(void)
 		SSL_CTX_set_verify(ctx, vrfy, verify_callback);
 	}
 
-	if (!sslprm.allowDH) {
-		if (strlen(sslprm.cipher_list) < sizeof(sslprm.cipher_list) - 6)
-			strcat(sslprm.cipher_list, ":!ADH");
-	} else {
-		/* use anonymous DH ciphers */
-		if (sslprm.allowDH == 2) {
-#if OPENSSL_VERSION_NUMBER >= 0x10100000
-			strncpy(sslprm.cipher_list, "ADH@SECLEVEL=0", MAX_FILENAME_LENGTH - 1);
+#ifdef AUTO_SSL_DH
+	SSL_CTX_set_dh_auto(ctx, 1);
 #else
-			strncpy(sslprm.cipher_list, "ADH", MAX_FILENAME_LENGTH - 1);
-#endif
+# ifdef USE_SSL_DH
+	{
+#  if OPENSSL_VERSION_NUMBER >= 0x30000000
+		EVP_PKEY *pkey = get_dh2048_key();
+		if (pkey) {
+				if (!SSL_CTX_set0_tmp_dh_pkey(ctx, pkey))
+					EVP_PKEY_free(pkey);
 		}
-
-#ifdef USE_SSL_DH
-		dh = get_dh2048();
+#  else
+		DH *dh = get_dh2048();
 		SSL_CTX_set_tmp_dh(ctx, dh);
 		DH_free(dh);
-#endif
+#  endif
 	}
+# endif
+#endif
 
-	if (SSL_CTX_set_cipher_list(ctx, sslprm.cipher_list) == 0) {
+	if (!ssl_set_ciphers()) {
 		SSL_CTX_free(ctx);
-		logit(LOG_ERR, "Error: Could not set SSL/TLS cipher list");
 		exit(STATE_CRITICAL);
 	}
 
@@ -514,67 +366,6 @@ void init_ssl(void)
 #endif
 }
 
-void log_ssl_startup(void)
-{
-#ifdef HAVE_SSL
-	char     *vers;
-
-	logit(LOG_INFO, "SSL Certificate File: %s", sslprm.cert_file ? sslprm.cert_file : "None");
-	logit(LOG_INFO, "SSL Private Key File: %s",
-		   sslprm.privatekey_file ? sslprm.privatekey_file : "None");
-	logit(LOG_INFO, "SSL CA Certificate File: %s",
-		   sslprm.cacert_file ? sslprm.cacert_file : "None");
-	logit(LOG_INFO, "SSL Cipher List: %s", sslprm.cipher_list);
-	logit(LOG_INFO, "SSL Allow ADH: %d", sslprm.allowDH == 0);
-	logit(LOG_INFO, "SSL Client Certs: %s",
-		   sslprm.client_certs == 0 ? "Don't Ask" : (sslprm.client_certs ==
-													 1 ? "Accept" : "Require"));
-	logit(LOG_INFO, "SSL Log Options: 0x%02x", sslprm.log_opts);
-	switch (sslprm.ssl_proto_ver) {
-	case SSLv2:
-		vers = "SSLv2";
-		break;
-	case SSLv2_plus:
-		vers = "SSLv2 And Above";
-		break;
-	case SSLv3:
-		vers = "SSLv3";
-		break;
-	case SSLv3_plus:
-		vers = "SSLv3 And Above";
-		break;
-	case TLSv1:
-		vers = "TLSv1";
-		break;
-	case TLSv1_plus:
-		vers = "TLSv1 And Above";
-		break;
-	case TLSv1_1:
-		vers = "TLSv1_1";
-		break;
-	case TLSv1_1_plus:
-		vers = "TLSv1_1 And Above";
-		break;
-	case TLSv1_2:
-		vers = "TLSv1_2";
-		break;
-	case TLSv1_2_plus:
-		vers = "TLSv1_2 And Above";
-		break;
-	case TLSv1_3:
-		vers = "TLSv1_3";
-		break;
-	case TLSv1_3_plus:
-		vers = "TLSv1_3 And Above";
-		break;
-	default:
-		vers = "INVALID VALUE!";
-		break;
-	}
-	logit(LOG_INFO, "SSL Version: %s", vers);
-#endif
-}
-
 void usage(int result)
 {
 	if (result != OK) {
@@ -769,29 +560,7 @@ void cleanup(void)
 #ifdef HAVE_SSL
 int verify_callback(int preverify_ok, X509_STORE_CTX * ctx)
 {
-	char      name[256], issuer[256];
-	X509     *err_cert;
-	int       err;
-	SSL      *ssl;
-
-	if (preverify_ok || ((sslprm.log_opts & SSL_LogCertDetails) == 0))
-		return preverify_ok;
-
-	err_cert = X509_STORE_CTX_get_current_cert(ctx);
-	err = X509_STORE_CTX_get_error(ctx);
-
-	/* Get the pointer to the SSL of the current connection */
-	ssl = X509_STORE_CTX_get_ex_data(ctx, SSL_get_ex_data_X509_STORE_CTX_idx());
-
-	X509_NAME_oneline(X509_get_subject_name(err_cert), name, 256);
-	X509_NAME_oneline(X509_get_issuer_name(err_cert), issuer, 256);
-
-	if (!preverify_ok && (sslprm.log_opts & SSL_LogCertDetails)) {
-		logit(LOG_ERR, "SSL Client has an invalid certificate: %s (issuer=%s) err=%d:%s",
-			   name, issuer, err, X509_verify_cert_error_string(err));
-	}
-
-	return preverify_ok;
+	return ssl_verify_callback_common(preverify_ok, ctx, !preverify_ok);
 }
 #endif
 
@@ -1693,7 +1462,8 @@ void conn_check_peer(int sock)
 
 		case AF_INET6:
 			/* log info */
-			strcpy(remote_host, ipstr);
+			strncpy(remote_host, ipstr, sizeof(remote_host));
+			remote_host[sizeof(remote_host) - 1] = '\0';
 			if (debug == TRUE || (sslprm.log_opts & SSL_LogIpAddr)) {
 				logit(LOG_DEBUG, "Connection from %s port %d", ipstr, nptr6->sin6_port);
 			}
@@ -1771,8 +1541,11 @@ void handle_connection(int sock)
     		return;
         }
 
-		if (handle_conn_ssl(sock, ssl) != OK)
+		if (handle_conn_ssl(sock, ssl) != OK) {
+			complete_SSL_shutdown(ssl);
+			SSL_free(ssl);
 			return;
+		}
 	}
 #endif
 
@@ -1840,8 +1613,9 @@ void handle_connection(int sock)
 		if (v3_receive_packet)
 			send_buff = strdup(buffer);
 		else {
-			send_buff = calloc(1, sizeof(buffer));
-			strcpy(send_buff, buffer);
+			int size = sizeof(buffer);
+			send_buff = calloc(1, size);
+			strncpy(send_buff, buffer, size);
 		}
 		result = STATE_OK;
 
@@ -1857,8 +1631,9 @@ void handle_connection(int sock)
 			if (v3_receive_packet)
 				send_buff = strdup(buffer);
 			else {
-				send_buff = calloc(1, sizeof(buffer));
-				strcpy(send_buff, buffer);
+				int size = sizeof(buffer);
+				send_buff = calloc(1, size);
+				strncpy(send_buff, buffer, size);
 			}
 			result = STATE_UNKNOWN;
 
@@ -1877,7 +1652,7 @@ void handle_connection(int sock)
 				logit(LOG_DEBUG, "Running command: %s", processed_command);
 
 			/* run the command */
-			strcpy(buffer, "");
+			buffer[0] = '\0';
 			result = my_system(processed_command, command_timeout, &early_timeout, &send_buff);
 
 			if (debug == TRUE)	/* log debug info */
@@ -1886,11 +1661,13 @@ void handle_connection(int sock)
 
 			/* see if the command timed out */
 			if (early_timeout == TRUE) {
-				sprintf(send_buff, "NRPE: Command timed out after %d seconds\n",
+				free(send_buff);
+				asprintf(&send_buff, "NRPE: Command timed out after %d seconds\n",
 						command_timeout);
 				result = STATE_UNKNOWN;
 			} else if (!strcmp(send_buff, "")) {
-				sprintf(send_buff, "NRPE: Unable to read output\n");
+				free(send_buff);
+				asprintf(&send_buff, "NRPE: Unable to read output\n");
 				result = STATE_UNKNOWN;
 			}
 
@@ -1939,10 +1716,10 @@ void handle_connection(int sock)
 		send_packet.crc32_value = htonl(calculated_crc32);
 
 	} else {
-
-		pkt_size = (sizeof(v3_packet) - NRPE_V4_PACKET_SIZE_OFFSET) + strlen(send_buff) + 1;
+		int send_buff_len = strlen(send_buff);
+		pkt_size = (sizeof(v3_packet) - NRPE_V4_PACKET_SIZE_OFFSET) + send_buff_len + 1;
 		if (packet_ver == NRPE_PACKET_VERSION_3) {
-			pkt_size = (sizeof(v3_packet) - NRPE_V3_PACKET_SIZE_OFFSET) + strlen(send_buff) + 1;
+			pkt_size = (sizeof(v3_packet) - NRPE_V3_PACKET_SIZE_OFFSET) + send_buff_len + 1;
 		}
 		v3_send_packet = calloc(1, pkt_size);
 		send_pkt = (char *)v3_send_packet;
@@ -1951,8 +1728,8 @@ void handle_connection(int sock)
 		v3_send_packet->packet_type = htons(RESPONSE_PACKET);
 		v3_send_packet->result_code = htons(result);
 		v3_send_packet->alignment = 0;
-		v3_send_packet->buffer_length = htonl(strlen(send_buff) + 1);
-		strcpy(&v3_send_packet->buffer[0], send_buff);
+		v3_send_packet->buffer_length = htonl(send_buff_len + 1);
+		memcpy(&v3_send_packet->buffer[0], send_buff, send_buff_len + 1);
 
 		/* calculate the crc 32 value of the packet */
 		v3_send_packet->crc32_value = 0;
@@ -2054,9 +1831,9 @@ int handle_conn_ssl(int sock, void *ssl_ptr)
 		if (sslprm.log_opts & (SSL_LogCertDetails | SSL_LogIfClientCert)) {
 			int nerrs = 0;
 			rc = 0;
-			while ((x = ERR_get_error_line_data(NULL, NULL, NULL, NULL)) != 0) {
+			while ((x = ERR_get_error()) != 0) {
 				errmsg = ERR_reason_error_string(x);
-				logit(LOG_ERR, "Error: (ERR_get_error_line_data = %d), Could not complete SSL handshake with %s: %s", x, remote_host, errmsg);
+				logit(LOG_ERR, "Error: (ERR_get_error = 0x%08x), Could not complete SSL handshake with %s: %s", x, remote_host, errmsg);
 				
 				if (errmsg && !strcmp(errmsg, "no shared cipher") && (sslprm.cert_file == NULL || sslprm.cacert_file == NULL))
 					logit(LOG_ERR, "Error: This could be because you have not specified certificate or ca-certificate files");
@@ -2065,10 +1842,10 @@ int handle_conn_ssl(int sock, void *ssl_ptr)
 			}
 
 			if (nerrs == 0) {
-				logit(LOG_ERR, "Error: (nerrs = 0) Could not complete SSL handshake with %s: %d", remote_host, SSL_get_error(ssl, rc));
+				logit(LOG_ERR, "Error: (nerrs = 0) Could not complete SSL handshake with %s: 0x%08x", remote_host, SSL_get_error(ssl, rc));
 			}
 		} else {
-			logit(LOG_ERR, "Error: (!log_opts) Could not complete SSL handshake with %s: %d", remote_host, SSL_get_error(ssl, rc));
+			logit(LOG_ERR, "Error: (!log_opts) Could not complete SSL handshake with %s: 0x%08x", remote_host, SSL_get_error(ssl, rc));
 		}
 # ifdef DEBUG
 		errfp = fopen("/tmp/err.log", "a");
@@ -2633,7 +2410,7 @@ int write_pid_file(void)
 
 	/* write new pid file */
 	if ((fd = open(pid_file, O_WRONLY | O_CREAT, 0644)) >= 0) {
-		sprintf(pbuf, "%d\n", (int)getpid());
+		snprintf(pbuf, sizeof(pbuf), "%d\n", (int)getpid());
 
 		if (write(fd, pbuf, strlen(pbuf)) == -1)
 			logit(LOG_ERR, "ERROR: write_pid_file() write(fd, pbuf) failed...");
@@ -2909,7 +2686,7 @@ int process_macros(char *input_buffer, char *output_buffer, int buffer_length)
 	int       arg_index = 0;
 	char     *selected_macro = NULL;
 
-	strcpy(output_buffer, "");
+	output_buffer[0] = '\0';
 
 	in_macro = FALSE;
 

+ 0 - 7
src/print_c_code.c


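--- a/src/ssl.c
+++ b/src/ssl.c
@@ -0,0 +1,287 @@
+#ifdef HAVE_CONFIG_H
+# include "config.h"
+#endif
+#include "common.h"
+#include "ssl.h"
+#include "utils.h"
+
+#ifdef HAVE_SSL
+# if (defined(__sun) && defined(SOLARIS_10)) || defined(_AIX) || defined(__hpux)
+SSL_METHOD *meth;
+# else
+const SSL_METHOD *meth;
+# endif
+SSL_CTX  *ctx;
+int       use_ssl = TRUE;
+#else
+int       use_ssl = FALSE;
+#endif
+
+
+
+void ssl_initialize(void)
+{
+#if OPENSSL_VERSION_NUMBER < 0x10100000
+	/* initialize SSL */
+	SSL_load_error_strings();
+	SSL_library_init();
+	ENGINE_load_builtin_engines();
+	RAND_set_rand_engine(NULL);
+ 	ENGINE_register_all_complete();
+#endif
+}
+
+void ssl_set_protocol_version(SslVer ssl_proto_ver, unsigned long *ssl_opts)
+{
+#if OPENSSL_VERSION_NUMBER >= 0x10100000
+
+	SSL_CTX_set_max_proto_version(ctx, 0);
+
+	switch(ssl_proto_ver) {
+		case TLSv1_3:
+#if OPENSSL_VERSION_NUMBER >= 0x10101000
+			SSL_CTX_set_max_proto_version(ctx, TLS1_3_VERSION);
+#endif
+		case TLSv1_3_plus:
+#if OPENSSL_VERSION_NUMBER >= 0x10101000
+			SSL_CTX_set_min_proto_version(ctx, TLS1_3_VERSION);
+			break;
+#endif
+
+		case TLSv1_2:
+			SSL_CTX_set_max_proto_version(ctx, TLS1_2_VERSION);
+		case TLSv1_2_plus:
+			SSL_CTX_set_min_proto_version(ctx, TLS1_2_VERSION);
+			break;
+
+		case TLSv1_1:
+			SSL_CTX_set_max_proto_version(ctx, TLS1_1_VERSION);
+		case TLSv1_1_plus:
+			SSL_CTX_set_min_proto_version(ctx, TLS1_1_VERSION);
+			break;
+
+		case TLSv1:
+			SSL_CTX_set_max_proto_version(ctx, TLS1_VERSION);
+		case TLSv1_plus:
+			SSL_CTX_set_min_proto_version(ctx, TLS1_VERSION);
+			break;
+
+		case SSLv3:
+			SSL_CTX_set_max_proto_version(ctx, SSL3_VERSION);
+		case SSLv3_plus:
+			SSL_CTX_set_min_proto_version(ctx, SSL3_VERSION);
+			break;
+
+		case SSLv2:
+		case SSLv2_plus:
+			/* SSLv2 support dropped */
+			break;
+		case SSL_Ver_Invalid:
+			/* Should never be seen, silence warning */
+			break;
+	}
+
+#else		/* OPENSSL_VERSION_NUMBER >= 0x10100000 */
+
+	switch(sslprm.ssl_proto_ver) {
+		case SSLv2:
+		case SSLv2_plus:
+			break;
+		case TLSv1_3:
+		case TLSv1_3_plus:
+#ifdef SSL_OP_NO_TLSv1_2
+			*ssl_opts |= SSL_OP_NO_TLSv1_2;
+#endif
+		case TLSv1_2:
+		case TLSv1_2_plus:
+#ifdef SSL_OP_NO_TLSv1_1
+			*ssl_opts |= SSL_OP_NO_TLSv1_1;
+#endif
+		case TLSv1_1:
+		case TLSv1_1_plus:
+			*ssl_opts |= SSL_OP_NO_TLSv1;
+		case TLSv1:
+		case TLSv1_plus:
+			*ssl_opts |= SSL_OP_NO_SSLv3;
+		case SSLv3:
+		case SSLv3_plus:
+			*ssl_opts |= SSL_OP_NO_SSLv2;
+			break;
+        case SSL_Ver_Invalid:
+            /* Should never be seen, silence warning */
+            break;
+	}
+#endif		/* OPENSSL_VERSION_NUMBER >= 0x10100000 */
+}
+
+void ssl_log_startup(int server)
+{
+	char     *vers;
+
+	logit(LOG_INFO, "SSL Certificate File: %s", sslprm.cert_file ? sslprm.cert_file : "None");
+	logit(LOG_INFO, "SSL Private Key File: %s", sslprm.privatekey_file ? sslprm.privatekey_file : "None");
+	logit(LOG_INFO, "SSL CA Certificate File: %s", sslprm.cacert_file ? sslprm.cacert_file : "None");
+	logit(LOG_INFO, "SSL Cipher List: %s", sslprm.cipher_list);
+	logit(LOG_INFO, "SSL Allow ADH: %d", sslprm.allowDH);
+    if (server)
+    {
+        logit(LOG_INFO, "SSL Client Certs: %s",
+            sslprm.client_certs == 0 ? "Don't Ask" : 
+                (sslprm.client_certs == 1 ? "Accept" : "Require"));
+    }
+	logit(LOG_INFO, "SSL Log Options: 0x%02x", sslprm.log_opts);
+
+	switch (sslprm.ssl_proto_ver) {
+	case SSLv2:
+		vers = "SSLv2";
+		break;
+	case SSLv2_plus:
+		vers = "SSLv2 And Above";
+		break;
+	case SSLv3:
+		vers = "SSLv3";
+		break;
+	case SSLv3_plus:
+		vers = "SSLv3 And Above";
+		break;
+	case TLSv1:
+		vers = "TLSv1";
+		break;
+	case TLSv1_plus:
+		vers = "TLSv1 And Above";
+		break;
+	case TLSv1_1:
+		vers = "TLSv1_1";
+		break;
+	case TLSv1_1_plus:
+		vers = "TLSv1_1 And Above";
+		break;
+	case TLSv1_2:
+		vers = "TLSv1_2";
+		break;
+	case TLSv1_2_plus:
+		vers = "TLSv1_2 And Above";
+		break;
+	case TLSv1_3:
+		vers = "TLSv1_3";
+		break;
+	case TLSv1_3_plus:
+		vers = "TLSv1_3 And Above";
+		break;
+	default:
+		vers = "INVALID VALUE!";
+		break;
+	}
+	logit(LOG_INFO, "SSL Version: %s", vers);
+}
+
+int ssl_load_certificates(void)
+{
+    int x;
+	char errstr[256] = { "" };
+
+	if (sslprm.cacert_file != NULL) {
+		if (!SSL_CTX_load_verify_locations(ctx, sslprm.cacert_file, NULL)) {
+			logit(LOG_ERR, "Error: Could not use CA certificate '%s'", sslprm.cacert_file);
+			while ((x = ERR_get_error()) != 0) {
+				ERR_error_string(x, errstr);
+				logit(LOG_ERR, "     : %s\n", errstr);
+			}
+            return FALSE;
+		}
+	}
+
+	if (sslprm.cert_file != NULL && sslprm.privatekey_file != NULL) {
+		if (!SSL_CTX_use_certificate_chain_file(ctx, sslprm.cert_file)) {
+			logit(LOG_ERR, "Error: Could not use certificate '%s'", sslprm.cert_file);
+			while ((x = ERR_get_error()) != 0) {
+				ERR_error_string(x, errstr);
+				logit(LOG_ERR, "     : %s\n", errstr);
+			}
+            return FALSE;
+		}
+		if (!SSL_CTX_use_PrivateKey_file(ctx, sslprm.privatekey_file, SSL_FILETYPE_PEM)) {
+            logit(LOG_ERR, "Error: Could not use private key file '%s'", sslprm.privatekey_file);
+			while ((x = ERR_get_error()) != 0) {
+				ERR_error_string(x, errstr);
+				logit(LOG_ERR, "     : %s\n", errstr);
+			}
+            return FALSE;
+		}
+		if (!SSL_CTX_check_private_key(ctx)) {
+            logit(LOG_ERR, "Error: Could not use certificate/private key pair");
+			while ((x = ERR_get_error()) != 0) {
+				ERR_error_string(x, errstr);
+				logit(LOG_ERR, "     : %s\n", errstr);
+			}
+            return FALSE;
+		}
+	}
+
+    return TRUE;
+}
+
+int ssl_set_ciphers(void)
+{
+    int x;
+    int changed = FALSE;
+	char errstr[256] = { "" };
+
+    if (!sslprm.allowDH) {
+        x = strlen(sslprm.cipher_list);
+        if (x < sizeof(sslprm.cipher_list) - 6) {
+            changed = TRUE;
+            strncpy(sslprm.cipher_list + x, ":!ADH", sizeof(sslprm.cipher_list) - x);
+        }
+    } else {
+        /* use anonymous DH ciphers */
+        if (sslprm.allowDH == 2) {
+            changed = TRUE;
+#if OPENSSL_VERSION_NUMBER >= 0x10100000
+            strncpy(sslprm.cipher_list, "ADH:@SECLEVEL=0", MAX_FILENAME_LENGTH - 1);
+#else
+            strncpy(sslprm.cipher_list, "ADH", MAX_FILENAME_LENGTH - 1);
+#endif
+        }
+    }
+
+    if (changed && sslprm.log_opts & SSL_LogStartup)
+        logit(LOG_INFO, "New SSL Cipher List: %s", sslprm.cipher_list);
+
+    if (SSL_CTX_set_cipher_list(ctx, sslprm.cipher_list) == 0) {
+        logit(LOG_ERR, "Error: Could not set SSL/TLS cipher list: %s\n", sslprm.cipher_list);
+        while ((x = ERR_get_error()) != 0) {
+            ERR_error_string(x, errstr);
+            logit(LOG_ERR, "     : %s\n", errstr);
+        }
+        return FALSE;
+    }
+
+    return TRUE;
+}
+
+int ssl_verify_callback_common(int preverify_ok, X509_STORE_CTX * ctx, int is_invalid)
+{
+	char name[256], issuer[256];
+	X509 *err_cert;
+	int err;
+
+	if (preverify_ok || ((sslprm.log_opts & SSL_LogCertDetails) == 0))
+		return preverify_ok;
+
+	if (is_invalid || sslprm.log_opts & SSL_LogCertDetails) {
+		err_cert = X509_STORE_CTX_get_current_cert(ctx);
+		err = X509_STORE_CTX_get_error(ctx);
+
+		X509_NAME_oneline(X509_get_subject_name(err_cert), name, 256);
+		X509_NAME_oneline(X509_get_issuer_name(err_cert), issuer, 256);
+
+		if (is_invalid) {
+			logit(LOG_ERR, "SSL Client has an invalid certificate: %s (issuer=%s) err=%d:%s", name, issuer, err, X509_verify_cert_error_string(err));
+		} else {
+			logit(LOG_INFO, "SSL Client certificate: %s (issuer=%s)", name, issuer);
+		}
+	}
+
+	return preverify_ok;
+}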
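Review bot: In ssl_set_protocol_version the pre-1.1.0 `#else` branch switches on `sslprm.ssl_proto_ver` rather than on the `ssl_proto_ver` parameter, so on older OpenSSL the caller's argument is ignored (harmless only if every caller passes sslprm.ssl_proto_ver, and inconsistent with the 1.1.0 branch above it); it should read `switch(ssl_proto_ver) {`. In ssl_load_certificates and ssl_set_ciphers the value of `ERR_get_error()`, an `unsigned long`, is stored in `int x` and then handed back to `ERR_error_string()`, so those locals should be `unsigned long x;` (the same value is formatted with `0x%08x` in handle_conn_ssl in src/nrpe.c above, which wants `0x%08lx`). Both protocol-version switches rely on deliberate case fall-through to set the matching minimum version but carry no `/* fallthrough */` marker, which a `-Wimplicit-fallthrough` build will flag and a reader may mistake for a missing `break`. In ssl_verify_callback_common the inner test `is_invalid || sslprm.log_opts & SSL_LogCertDetails` is always true once the guard above it has passed, so it can be dropped, and since this helper is shared the "SSL Client" wording in its two log messages presumably also appears when check_nrpe verifies a server certificate.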
