I ran into this as well, but fixed it. The issue for me was my build environment was for a cross compilation. It had some extra compiler/linker options that caused the compiler to search the sysroot path header files before the ones specified by -I<path> statements. The result was the compiler was using the OpenSSL header files from my tool chain instead of the ones in the (latest) source. The tool chain had the previous version installed, so was missing the TLS_MAX_VERSION definition.

Normally, -I<path> include directives will get searched first, before any normal system search paths. This will get the correct header files from the source tree. If you do something like '-nostdinc -I${SYSROOT}/usr/include -I<path>', then the reverse will happen. Ref https://gcc.gnu.org/onlinedocs/cpp/Search-Path.html.

Jay
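
One way to check which copy of a header the compiler actually opens under a given set of flags, as an added example that is not part of this thread. The directory layout and header contents are constructed, `resolve_header`, `header_from_tree` and `demo` are hypothetical helper names, and a GCC- or Clang-compatible compiler reachable as `cc` or `$CC` is assumed.

```shell
#!/bin/sh
# Added example, not from the thread; directories and headers are constructed.

# resolve_header CC HEADER [FLAGS...]
# Print the file the preprocessor actually opens for <HEADER> under FLAGS.
resolve_header() {
    rh_cc=$1; rh_hdr=$2; shift 2
    # -E -H: preprocess only and list each opened header on stderr as
    # ". /path" (one dot per nesting level); keep the depth-1 line for HEADER.
    printf '#include <%s>\n' "$rh_hdr" |
        "$rh_cc" "$@" -E -H -x c - 2>&1 >/dev/null |
        awk -v h="/$rh_hdr" '$1 == "." && !seen {
            p = substr($0, 3)
            if (substr(p, length(p) - length(h) + 1) == h) { print p; seen = 1 }
        }'
}

# header_from_tree CC HEADER TREE [FLAGS...]
# Succeed only if HEADER resolves to a file under TREE.
header_from_tree() {
    ht_cc=$1; ht_hdr=$2; ht_tree=$3; shift 3
    ht_got=$(resolve_header "$ht_cc" "$ht_hdr" "$@")
    case $ht_got in
        "$ht_tree"/*) echo "ok: $ht_hdr -> $ht_got" ;;
        *) echo "WRONG HEADER: $ht_hdr -> ${ht_got:-not found}" >&2; return 1 ;;
    esac
}

# Constructed demo: a "source tree" header that defines TLS_MAX_VERSION and an
# older "sysroot" copy that does not, checked under both flag orders.
demo() {
    d=$(mktemp -d) || return 1
    src=$d/src/include; sys=$d/sysroot/usr/include
    mkdir -p "$src/openssl" "$sys/openssl"
    echo '#define TLS_MAX_VERSION TLS1_2_VERSION' > "$src/openssl/tls1.h"
    echo '/* previous release: no TLS_MAX_VERSION */' > "$sys/openssl/tls1.h"
    rc=0
    # Usual case: -I is searched before system directories (-isystem here).
    header_from_tree "${CC:-cc}" openssl/tls1.h "$src" -isystem "$sys" -I"$src" || rc=1
    # Cross-build flags from the reply: the sysroot -I precedes the source -I.
    header_from_tree "${CC:-cc}" openssl/tls1.h "$src" \
        -nostdinc -I"$sys" -I"$src" && rc=1   # must be reported as wrong
    rm -rf "$d"
    return $rc
}

demo || echo "unexpected result (is a C compiler installed?)" >&2
```

Running `header_from_tree` with the real `$CC` and `$CFLAGS` of a cross build, against the include directory of the source being compiled, shows the mismatch before `make depend` does.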
On 10/30/2014 12:40 PM, Philip Bellino wrote:

Hello,

I am running into the following issue when I do a "make depend" (after the "./config shared no-ssl3"):

    making depend in ssl...
    make[3]: Entering directory '......./openssl-1.0.1j/ssl'
    s3_lib.c:3370:4: #error Code needs update for SSLv23_method() support beyond TLS1_2_VERSION.
    d1_lib.c:274:4: #error Code needs update for DTLS_method() support beyond DTLS1_VERSION.
    make[3]: *** [depend] Error 1

In  ssl/s3_lib.c, there is a new case statement in openssl-1.0.1j:

        case SSL_CTRL_CHECK_PROTO_VERSION:
                /* For library-internal use; checks that the current protocol
                 * is the highest enabled version (according to s->ctx->method,
                 * as version negotiation may have changed s->method). */
                if (s->version == s->ctx->method->version)
                        return 1;
                /* Apparently we're using a version-flexible SSL_METHOD
                 * (not at its highest protocol version). */
                if (s->ctx->method->version == SSLv23_method()->version)
                        {
#if TLS_MAX_VERSION != TLS1_2_VERSION
# error Code needs update for SSLv23_method() support beyond TLS1_2_VERSION.
#endif
                        if (!(s->options & SSL_OP_NO_TLSv1_2))
                                return s->version == TLS1_2_VERSION;
                        if (!(s->options & SSL_OP_NO_TLSv1_1))
                                return s->version == TLS1_1_VERSION;
                        if (!(s->options & SSL_OP_NO_TLSv1))
                                return s->version == TLS1_VERSION;
                        if (!(s->options & SSL_OP_NO_SSLv3))
                                return s->version == SSL3_VERSION;
                        if (!(s->options & SSL_OP_NO_SSLv2))
                                return s->version == SSL2_VERSION;
                        }
                return 0; /* Unexpected state; fail closed */

------------------------------------------------------------------------------------------------------

A grep -ri TLS_MAX_VERSION *

    include/openssl/tls1.h:#define TLS_MAX_VERSION            TLS1_2_VERSION
    ssl/s23_clnt.c:        /* ensure that TLS_MAX_VERSION is up-to-date */
    ssl/s23_clnt.c: OPENSSL_assert(s->version <= TLS_MAX_VERSION);
    ssl/s3_lib.c:#if TLS_MAX_VERSION != TLS1_2_VERSION
    ssl/tls1.h:#define TLS_MAX_VERSION            TLS1_2_VERSION

and a  grep -ri  DTLS_MAX_VERSION  *

    include/openssl/dtls1.h:#define DTLS_MAX_VERSION        DTLS1_VERSION
    ssl/dtls1.h:#define DTLS_MAX_VERSION        DTLS1_VERSION
    ssl/d1_lib.c:#if DTLS_MAX_VERSION != DTLS1_VERSION
    ssl/d1_lib.c:        return s->version == DTLS_MAX_VERSION;

This leads me to believe that the code should never have the above error conditions occur, but in fact it does.

Any help would be most appreciated and I apologize if I am missing something in my analysis.

Thanks,

Phil

Phil Bellino
Principal Software Engineer | MRV Communications Inc.
300 Apollo Drive | Chelmsford, MA 01824
Phone: 978-674-6870 | Fax: 978-674-6799
www.mrv.com
