Support older openssl.

BonnyAD9 · BonnyAD9 · commit 06a90a773fc1 · 2025-05-29T10:54:06.000+02:00
diff --git a/src/plugins/input/tcp/README.rst b/src/plugins/input/tcp/README.rst
@@ -93,7 +93,8 @@ certificates (certificate authority) is relevant only if the option ``verifyPeer
 
 :``caStore``:
     Path to certificate store with trusted certificates (certificate authorities). Default uses
-    system defaults.
+    system defaults. This is available only when using OpenSSL 3 and newer. When used with older
+    OpenSSL, the plugin will return error.
 
 Notes
 -----
diff --git a/src/plugins/input/tcp/src/Config.cpp b/src/plugins/input/tcp/src/Config.cpp
@@ -18,6 +18,7 @@
 #include <cstring>
 
 #include <libfds.h> // fds_*, FDS_*
+#include <openssl/opensslv.h>
 
 #include <ipfixcol2.h> // ipx_ctx, IPX_CTX_WARNING
 
@@ -199,6 +200,13 @@ void Config::parse_tls(ipx_ctx *ctx, fds_xml_ctx_t *params) {
     use_default_ca = !default_ca_file && ca_file.empty()
         && !default_ca_dir && ca_dir.empty()
         && !default_ca_store && ca_store.empty();
+
+// Supported only from OpenSSL 3.0.0-0 release
+#if OPENSSL_VERSION_NUMBER < 0x03000000f
+    if (default_ca_store || !ca_store.empty()) {
+        throw std::invalid_argument("Certificate store is not supported before openssl 3.");
+    }
+#endif // OPENSSL_VERSION_MAJOR < 0x03000000f
 }
 
 } // namespace tcp_in
diff --git a/src/plugins/input/tcp/src/tls/DecoderFactory.cpp b/src/plugins/input/tcp/src/tls/DecoderFactory.cpp
@@ -73,23 +73,33 @@ static void load_ca(const Config &conf, SslCtx &ctx) {
         return;
     }
 
+    const char *ca_file = nullptr;
+    const char *ca_dir = nullptr;
+
     if (conf.default_ca_file) {
         ctx.set_default_verify_file();
     } else if (!conf.ca_file.empty()) {
-        ctx.load_verify_file(conf.ca_file.c_str());
+        ca_file = conf.ca_file.c_str();
     }
 
     if (conf.default_ca_dir) {
         ctx.set_default_verify_dir();
     } else if (!conf.ca_dir.empty()) {
-        ctx.load_verify_dir(conf.ca_dir.c_str());
+        ca_dir = conf.ca_dir.c_str();
+    }
+
+    if (ca_file != nullptr || ca_dir != nullptr) {
+        ctx.load_verify_locations(ca_file, ca_dir);
     }
 
+// Supported only from OpenSSL  3.0.0-0 release
+#if OPENSSL_VERSION_NUMBER >= 0x03000000f
     if (conf.default_ca_store) {
         ctx.set_default_verify_store();
     } else if (!conf.ca_store.empty()) {
         ctx.load_verify_store(conf.ca_store.c_str());
     }
+#endif // OPENSSL_VERSION_NUMBER >= 0x03000000f
 }
 
 } // namespace tls
diff --git a/src/plugins/input/tcp/src/tls/SslCtx.hpp b/src/plugins/input/tcp/src/tls/SslCtx.hpp
@@ -74,16 +74,6 @@ class SslCtx {
         }
     }
 
-    /**
-     * @brief Sets the path to trusted certificate file.
-     * @throws `std::runtime_error` on failure.
-     */
-    void load_verify_file(const char *path) {
-        if (!SSL_CTX_load_verify_file(m_ctx.get(), path)) {
-            throw_ssl_err("Failed to set default trusted certificate file `", path, "`.");
-        }
-    }
-
     /**
      * @brief Sets the path to trusted certificates directory.
      *
@@ -98,35 +88,50 @@ class SslCtx {
     }
 
     /**
-     * @brief Sets the path to trusted certificates directory.
-     * @throws `std::runtime_error` on failure.
+     * @brief Sets the path for trusted certificate file and directory.
+     * @param file Path to trusted certificate file.
+     * @param dir Path to trusted certificate directory.
      */
-    void load_verify_dir(const char *path) {
-        if (!SSL_CTX_load_verify_dir(m_ctx.get(), path)) {
-            throw_ssl_err("Failed to set default trusted certificate directory `", path, "`.");
+    void load_verify_locations(const char *file, const char *dir) {
+        if (!SSL_CTX_load_verify_locations(m_ctx.get(), file, dir)) {
+            throw_ssl_err("Failed to set default trusted certificate locations.");
         }
     }
 
     /**
      * @brief Sets the path to trusted certificates store.
      *
      * It will use the OS defaults.
+     *
+     * This is not available before openssl 3.
      * @throws `std::runtime_error` on failure.
      */
     void set_default_verify_store() {
+// Available only from OpenSSL  3.0.0-0 release
+#if OPENSSL_VERSION_NUMBER >= 0x03000000f
         if (!SSL_CTX_set_default_verify_store(m_ctx.get())) {
             throw_ssl_err("Failed to set default trusted certificate store.");
         }
+#else // OPENSSL_VERSION_NUMBER >= 0x03000000f
+        throw std::runtime_error("`set_default_verify_store` is not available before OpenSSL 3.");
+#endif // OPENSSL_VERSION_NUMBER >= 0x03000000f
     }
 
     /**
      * @brief Sets the path to trusted certificates store.
+     *
+     * This is not available before openssl 3.
      * @throws `std::runtime_error` on failure.
      */
     void load_verify_store(const char *path) {
+// Available only from OpenSSL  3.0.0-0 release
+#if OPENSSL_VERSION_NUMBER >= 0x03000000f
         if (!SSL_CTX_load_verify_store(m_ctx.get(), path)) {
             throw_ssl_err("Failed to set default trusted certificate store `", path, "`.");
         }
+#else // OPENSSL_VERSION_NUMBER >= 0x03000000f
+        throw std::runtime_error("`load_verify_store` is not available before OpenSSL 3.");
+#endif // OPENSSL_VERSION_NUMBER >= 0x03000000f
     }
 
     /**
