> The 16 branch doesn't have the call to ASN1_UTCTIME_cmp_time_t() and compiles
> cleanly. This looks like it is in code related to 3270 communication.

No, it has nothing to do with 3270. This is for the ssl_check_exp
capability of TN5250. I added that capability in order to allow me to
check for an SSL certificate that's going to expire in the future. For
example, I can specify a number of seconds that corresponds to 1 week if I
want to know that my iSeries server's certificate will expire 1 week from
now.
I use that so that I won't forget to renew the iSeries certificate before
everyone gets locked out of the system :)

> Scott, do you know what I can do to get this to compile? Is
> ASN1_UTCTIME_cmp_time_t() a function in newer versions of openssl? Can we
> test for this in configure?

What version of OpenSSL do you have?
You should be able to comment out both "if" blocks. There's one for
checking the client certificate, and one for checking the server
certificate. They look like this:

    if (ASN1_UTCTIME_cmp_time_t(X509_get_notAfter(server_cert), tnow)
            == -1) {
        if (extra_time > 1) {
            printf("SSL error: server certificate will be expired\n");
            TN5250_LOG(("SSL: server certificate will be expired\n"));
        } else {
            printf("SSL error: server certificate has expired\n");
            TN5250_LOG(("SSL: server certificate has expired\n"));
        }
        return -1;
    }

Just put an "#if 0" before the block, and an "#endif" after it, and you
should be able to make it compile without any problems. (Please verify
that.) It won't check to make sure the certificates haven't expired
anymore, but I guess it's better that it works :)
Once you've verified that this solves your problem, add a configure check
for that function, and use a real #ifdef so that configure will disable
that code if needed.

> btw - I tried compiling with --without-ssl and it compiles the ssl code
> anyway. Shouldn't this turn off any ssl code?

Hmmm.. I know that if you don't specify anything, it tries to figure out
if OpenSSL is available or not and tries to use it based on whether it
exists.
But, theoretically, specifying --without-ssl should force it to turn SSL
off. Maybe that functionality is broken, though.
I don't really have time to .... well, I don't really have time to breathe
-- but I also don't have time to look at this now. Maybe you can figure it
out?
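
Added example, not part of the original message and not TN5250's own code: one way to keep the expiry check on a build where ASN1_UTCTIME_cmp_time_t() is missing, instead of disabling it with "#if 0", is to compare the certificate's notAfter string directly. The function names are hypothetical, it assumes notAfter is in the 13-character UTCTime form "YYMMDDHHMMSSZ" and that the look-ahead is added to the current time, and it goes a little further than the block above by telling "already expired" apart from "will expire".

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Days since 1970-01-01 for a Gregorian date; valid for years >= 0. */
static long long days_from_civil(int y, int m, int d) {
    y -= m <= 2;                      /* treat Jan/Feb as end of previous year */
    long long era = y / 400;
    int yoe = (int)(y - era * 400);
    int doy = (153 * (m + (m > 2 ? -3 : 9)) + 2) / 5 + d - 1;
    int doe = yoe * 365 + yoe / 4 - yoe / 100 + doy;
    return era * 146097 + doe - 719468;
}

/* Parse "YYMMDDHHMMSSZ" into seconds since the epoch. Returns 0 on success. */
int utctime_to_epoch(const char *s, long long *out) {
    int v[6];
    if (strlen(s) != 13 || s[12] != 'Z') return -1;
    for (int i = 0; i < 6; i++) {
        if (!isdigit((unsigned char)s[2 * i]) || !isdigit((unsigned char)s[2 * i + 1]))
            return -1;
        v[i] = (s[2 * i] - '0') * 10 + (s[2 * i + 1] - '0');
    }
    if (v[1] < 1 || v[1] > 12 || v[2] < 1 || v[2] > 31 ||
        v[3] > 23 || v[4] > 59 || v[5] > 59) return -1;   /* coarse range check */
    int year = v[0] + (v[0] >= 50 ? 1900 : 2000);         /* RFC 5280 two-digit year rule */
    *out = days_from_civil(year, v[1], v[2]) * 86400LL
         + v[3] * 3600 + v[4] * 60 + v[5];
    return 0;
}

/* 0 = valid past the look-ahead window, 1 = will expire within extra_time
 * seconds, 2 = already expired, -1 = unparseable (caller should fail closed). */
int check_not_after(const char *not_after, long long now, long long extra_time) {
    long long expiry;
    if (utctime_to_epoch(not_after, &expiry) != 0) return -1;
    if (expiry < now) return 2;
    if (expiry < now + extra_time) return 1;
    return 0;
}

int main(void) {
    /* Constructed sample: certificate expires 2025-01-01, "now" is 3 days before. */
    long long now = 1735689600LL - 3 * 86400LL;
    printf("%d\n", check_not_after("250101000000Z", now, 7 * 86400LL));
    return 0;
}
```

Any non-zero result should be handled like the "return -1" in the original block, so a date the parser cannot read blocks the connection rather than passing silently.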