--- loncom/lonssl.pm 2018/08/07 17:12:08 1.17 +++ loncom/lonssl.pm 2018/08/09 13:27:55 1.18 @@ -1,5 +1,5 @@ # -# $Id: lonssl.pm,v 1.17 2018/08/07 17:12:08 raeburn Exp $ +# $Id: lonssl.pm,v 1.18 2018/08/09 13:27:55 raeburn Exp $ # # Copyright Michigan State University Board of Trustees # @@ -134,9 +134,8 @@ sub PromoteClientSocket { $MyCert, $KeyFile, $peer, - $CRLFile) = @_; - - + $CRLFile) = @_; + Debug("Client promotion using key: $KeyFile, Cert: $MyCert, CA: $CACert, CRL: $CRLFile, Remote Host: $peer\n"); # To create the ssl socket we need to duplicate the existing @@ -196,6 +195,8 @@ sub PromoteClientSocket { # CRLFile Full path name to the certificate # revocation list file for the cluster # to which server belongs (optional) +# clientversion LON-CAPA version running on remote +# client # Returns # - Reference to an SSL socket on success # - undef on failure. Reason for failure can be interrogated from @@ -209,9 +210,8 @@ sub PromoteServerSocket { $MyCert, $KeyFile, $peer, - $CRLFile) = @_; - - + $CRLFile, + $clientversion) = @_; # To create the ssl socket we need to duplicate the existing # socket. Otherwise closing the ssl socket will close the plaintext socket 
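Review bot: The header entry added for `clientversion` (hunk `@@ -196,6 +195,8 @@`, consumed by the new seventh positional argument in `@@ -209,9 +210,8 @@`) omits the expected format and the fact that this value decides whether the peer certificate is checked. I would expand it to something like `# clientversion   "major.minor" LON-CAPA version of the remote client; versions below 2.12 are accepted without peer certificate verification`, and note that the argument is effectively required. The call sites are outside this diff, so whether every caller passes the new argument cannot be confirmed from here. The body of PromoteServerSocket starts and ends outside both hunks.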
@@ -229,12 +229,17 @@ sub PromoteServerSocket {
 SSL_use_cert => 1,
 SSL_key_file => $KeyFile,
 SSL_cert_file => $MyCert,
- SSL_ca_file => $CACert,
- SSL_verifycn_name => $peer,
- SSL_verify_mode => Net::SSLeay::VERIFY_PEER());
- if (($CRLFile ne '') && (-e $CRLFile)) {
- $sslargs{SSL_check_crl} = 1;
- $sslargs{SSL_crl_file} = $CRLFile;
+ SSL_ca_file => $CACert);
+ my ($major,$minor) = split(/\./,$clientversion);
+ if (($major < 2) || ($major == 2 && $minor < 12)) {
+ $sslargs{SSL_verify_mode} = Net::SSLeay::VERIFY_NONE();
+ } else {
+ $sslargs{SSL_verifycn_name} = $peer;
+ $sslargs{SSL_verify_mode} = Net::SSLeay::VERIFY_PEER();
+ if (($CRLFile ne '') && (-e $CRLFile)) {
+ $sslargs{SSL_check_crl} = 1;
+ $sslargs{SSL_crl_file} = $CRLFile;
+ }
 }
 my $client = IO::Socket::SSL->new_from_fd($dupfno,%sslargs);
 if(!$client) {
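Review bot: A missing, empty or non-numeric `$clientversion` lands in the `VERIFY_NONE` branch, because `$major` then numifies to 0 and `$major < 2` is true; any caller still passing six arguments gets a socket with peer verification and the CRL check switched off. Relaxing verification should require a well-formed old version and fall through to `VERIFY_PEER` otherwise: `my ($major,$minor) = (defined($clientversion) ? ($clientversion =~ /^(\d+)\.(\d+)/) : ());` followed by `if (defined($major) && (($major < 2) || ($major == 2 && $minor < 12))) {`. If the version string is supplied by the peer before the handshake (not visible in this hunk), it is an unauthenticated claim, so the `VERIFY_NONE` path should emit a log line (for example through `Debug`) and later code should not treat such a connection as certificate-authenticated. The body of PromoteServerSocket begins and ends outside the hunk.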