The branch main has been updated by des:

URL: 
https://cgit.FreeBSD.org/src/commit/?id=4e160c6197f75fda3d5d5997ce893087058cf718

commit 4e160c6197f75fda3d5d5997ce893087058cf718
Author:     Dag-Erling Smørgrav <[email protected]>
AuthorDate: 2026-02-07 14:24:40 +0000
Commit:     Dag-Erling Smørgrav <[email protected]>
CommitDate: 2026-02-07 14:24:40 +0000

    libfetch: Check for failure to create SSL context
    
    * Drop the ssl_meth member, there is no reason to hang on to it.
    
    * Replace deprecated SSLv23_client_method() with TLS_client_method().
    
    * Check the return value from SSL_CTX_new().
    
    MFC after:      1 week
    PR:             292903
    Reviewed by:    markj
    Differential Revision:  https://reviews.freebsd.org/D55098
---
 lib/libfetch/common.c | 10 +++++++---
 lib/libfetch/common.h |  1 -
 2 files changed, 7 insertions(+), 4 deletions(-)

diff --git a/lib/libfetch/common.c b/lib/libfetch/common.c
index 9b36a9e61a75..ec010909218b 100644
--- a/lib/libfetch/common.c
+++ b/lib/libfetch/common.c
@@ -1182,8 +1182,11 @@ fetch_ssl(conn_t *conn, const struct url *URL, int 
verbose)
        X509_NAME *name;
        char *str;
 
-       conn->ssl_meth = SSLv23_client_method();
-       conn->ssl_ctx = SSL_CTX_new(conn->ssl_meth);
+       if ((conn->ssl_ctx = SSL_CTX_new(TLS_client_method())) == NULL) {
+               fprintf(stderr, "SSL context creation failed\n");
+               ERR_print_errors_fp(stderr);
+               return (-1);
+       }
        SSL_CTX_set_mode(conn->ssl_ctx, SSL_MODE_AUTO_RETRY);
 
        fetch_ssl_setup_transport_layer(conn->ssl_ctx, verbose);
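Review bot: Once `SSL_CTX_new()` succeeds, every later `return (-1)` in fetch_ssl(), including the `SSL_new()` failure path in the second hunk, leaves `conn->ssl_ctx` allocated and still attached to the connection. Whether the caller's connection teardown frees it cannot be seen from this hunk, because the function body and its callers lie outside it. If teardown does own the context, a short comment above the new check would record that, for example `/* conn->ssl_ctx is owned by conn; error returns leave cleanup to the caller */`. If it does not, the later error paths should call `SSL_CTX_free(conn->ssl_ctx)` and set the pointer to NULL before returning.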
@@ -1194,7 +1197,8 @@ fetch_ssl(conn_t *conn, const struct url *URL, int 
verbose)
 
        conn->ssl = SSL_new(conn->ssl_ctx);
        if (conn->ssl == NULL) {
-               fprintf(stderr, "SSL context creation failed\n");
+               fprintf(stderr, "SSL connection creation failed\n");
+               ERR_print_errors_fp(stderr);
                return (-1);
        }
        SSL_set_fd(conn->ssl, conn->sd);
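Review bot: The `SSL_set_fd(conn->ssl, conn->sd)` call on the last line of this hunk still ignores its return value, although the commit adds failure checks around the two allocations just before it. `SSL_set_fd()` returns 0 on failure, so the handshake that presumably follows outside this hunk would run on a handle with no socket attached. Handling it the same way as the neighbouring checks would close the gap: `if (SSL_set_fd(conn->ssl, conn->sd) != 1) { ERR_print_errors_fp(stderr); return (-1); }`.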
diff --git a/lib/libfetch/common.h b/lib/libfetch/common.h
index 7396c8a68ab6..06089aae5451 100644
--- a/lib/libfetch/common.h
+++ b/lib/libfetch/common.h
@@ -56,7 +56,6 @@ struct fetchconn {
        SSL             *ssl;           /* SSL handle */
        SSL_CTX         *ssl_ctx;       /* SSL context */
        X509            *ssl_cert;      /* server certificate */
-       const SSL_METHOD *ssl_meth;     /* SSL method */
 #endif
        int              ref;           /* reference count */
 };
