--- loncom/lonssl.pm 2018/12/11 15:15:26 1.23
+++ loncom/lonssl.pm 2018/12/14 02:05:38 1.24
@@ -1,5 +1,5 @@
 #
-# $Id: lonssl.pm,v 1.23 2018/12/11 15:15:26 raeburn Exp $
+# $Id: lonssl.pm,v 1.24 2018/12/14 02:05:38 raeburn Exp $
 #
 # Copyright Michigan State University Board of Trustees
 #
@@ -121,6 +121,8 @@ sub SetFdBlocking {
 # CRLFile Full path name to the certificate
 # revocation list file for the cluster
 # to which server belongs (optional)
+# serverversion LON-CAPA version running on remote
+# server.
 # Returns
 # - Reference to an SSL socket on success
@@ -136,9 +138,10 @@ sub PromoteClientSocket {
 $KeyFile,
 $peer,
 $peerdef,
- $CRLFile) = @_;
+ $CRLFile,
+ $serverversion) = @_;
- Debug("Client promotion using key: $KeyFile, Cert: $MyCert, CA: $CACert, CRL: $CRLFile, Remote Host: $peer, RemoteDefHost: $peerdef\n");
+ Debug("Client promotion using key: $KeyFile, Cert: $MyCert, CA: $CACert, CRL: $CRLFile, Remote Host: $peer, RemoteDefHost: $peerdef, RemoteLCVersion: $serverversion\n");
 # To create the ssl socket we need to duplicate the existing
 # socket. Otherwise closing the ssl socket will close the plaintext socket
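Review bot: The new `$serverversion` parameter is documented only as "LON-CAPA version running on remote server"; nothing states the expected format or what happens when a caller still passes the old argument list, in which case `$serverversion` is undef and the new Debug call interpolates it with a "Use of uninitialized value" warning. I would extend the header comment to say the value is expected as `major.minor[.patch]` and that it selects the certificate-verification mode later in this sub, so callers know an omitted value is not neutral. PromoteClientSocket's parameter list begins before this hunk and its body continues after it.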
@@ -169,14 +172,24 @@ sub PromoteClientSocket {
 my %sslargs = (SSL_use_cert => 1,
 SSL_key_file => $KeyFile,
 SSL_cert_file => $MyCert,
- SSL_ca_file => $CACert,
- SSL_verifycn_name => $verify_cn,
- SSL_verify_mode => Net::SSLeay::VERIFY_PEER());
- if (($CRLFile ne '') && (-e $CRLFile)) {
- $sslargs{SSL_check_crl} = 1;
- $sslargs{SSL_crl_file} = $CRLFile;
+ SSL_ca_file => $CACert);
+ my ($major,$minor) = split(/\./,$serverversion);
+ if (($major < 2) || ($major == 2 && $minor < 12)) {
+ $sslargs{SSL_verify_mode} = Net::SSLeay::VERIFY_NONE();
+ } else {
+ $sslargs{SSL_verifycn_scheme} = 'http',
+ $sslargs{SSL_verifycn_name} = $verify_cn,
+ $sslargs{SSL_verify_mode} = Net::SSLeay::VERIFY_PEER();
+ if (($CRLFile ne '') && (-e $CRLFile)) {
+ $sslargs{SSL_check_crl} = 1;
+ $sslargs{SSL_crl_file} = $CRLFile;
+ }
 }
+# Uncomment next two $IO::Socket::SSL::DEBUG lines, for debugging
+# $IO::Socket::SSL::DEBUG = 0; # Set to integer >0 and <4
+# # to write debugging to lonc_errors
 my $client = IO::Socket::SSL->new_from_fd($dupfno,%sslargs);
+# $IO::Socket::SSL::DEBUG = 0; # Do not change
 if(!$client) {
 if ($IO::Socket::SSL::SSL_ERROR == -1) {
 $lasterror = -1;
@@ -241,6 +254,7 @@ sub PromoteServerSocket {
 if (($major < 2) || ($major == 2 && $minor < 12)) {
 $sslargs{SSL_verify_mode} = Net::SSLeay::VERIFY_NONE();
 } else {
+ $sslargs{SSL_verifycn_scheme} = 'http';
 $sslargs{SSL_verifycn_name} = $peer;
 $sslargs{SSL_verify_mode} = Net::SSLeay::VERIFY_PEER();
 if (($CRLFile ne '') && (-e $CRLFile)) {
@@ -248,7 +262,11 @@ sub PromoteServerSocket {
 $sslargs{SSL_crl_file} = $CRLFile;
 }
 }
+# Uncomment next two $IO::Socket::SSL::DEBUG lines, for debugging
+# $IO::Socket::SSL::DEBUG = 0; # Set to integer >0 and <4
+# # to write debugging to lond_errors
 my $client = IO::Socket::SSL->new_from_fd($dupfno,%sslargs);
+# $IO::Socket::SSL::DEBUG = 0; # Do not change
 if(!$client) {
 if ($IO::Socket::SSL::SSL_ERROR == -1) {
 $lasterror = -1;
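Review bot: The new version check keys the downgrade to `VERIFY_NONE` on `$major`, which is undef whenever `$serverversion` is missing or not of the form `major.minor`; undef compares numerically as 0, so an absent or malformed version silently disables peer-certificate verification instead of failing closed. Parsing with an anchored pattern and requiring a parsed value before taking the lenient branch keeps the default at `VERIFY_PEER`: `my ($major,$minor) = (defined($serverversion) ? $serverversion : '') =~ /^(\d+)\.(\d+)/;` followed by `if (defined($major) && (($major < 2) || ($major == 2 && $minor < 12))) {`. Since the header comment describes this value as the version reported by the remote server, it is also worth confirming that the peer cannot choose it, because that would let it select the unverified path. Separately, the three assignments in the `else` branch are joined with commas rather than semicolons (`$sslargs{SSL_verifycn_scheme} = 'http',`); they still execute as a comma-operator expression, but the matching PromoteServerSocket hunk uses semicolons and this one should too. PromoteClientSocket continues outside the hunk.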
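Review bot: The commented-out `$IO::Socket::SSL::DEBUG` lines around `new_from_fd` are configuration by editing source, and the trailing `# $IO::Socket::SSL::DEBUG = 0; # Do not change` is inert as written, so its instruction is easy to misread. A `local $IO::Socket::SSL::DEBUG = 3;` (or whichever level is wanted) placed before the `new_from_fd` call is scoped to the enclosing block and restores the previous value on exit, which removes the need for the reset line; the same pattern appears in the PromoteClientSocket hunk above. PromoteServerSocket continues outside the hunk.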