ssl: use SSL_CTX_load_verify_{file,dir}() if available

rhenium · rhenium · commit cd3971b15bd4 · 2021-10-23T17:48:05.000+09:00
SSL_CTX_load_verify_locations() is deprecated in OpenSSL 3.0 and
replaced with those two separate functions. Use them if they exist.
diff --git a/ext/openssl/extconf.rb b/ext/openssl/extconf.rb
@@ -174,6 +174,7 @@ def find_openssl_library
 have_func("SSL_set0_tmp_dh_pkey")
 have_func("ERR_get_error_all")
 have_func("TS_VERIFY_CTX_set_certs(NULL, NULL)", "openssl/ts.h")
+have_func("SSL_CTX_load_verify_file")
 
 Logging::message "=== Checking done. ===\n"
 
diff --git a/ext/openssl/ossl_ssl.c b/ext/openssl/ossl_ssl.c
@@ -828,10 +828,17 @@ ossl_sslctx_setup(VALUE self)
     ca_file = NIL_P(val) ? NULL : StringValueCStr(val);
     val = rb_attr_get(self, id_i_ca_path);
     ca_path = NIL_P(val) ? NULL : StringValueCStr(val);
+#ifdef HAVE_SSL_CTX_LOAD_VERIFY_FILE
+    if (ca_file && !SSL_CTX_load_verify_file(ctx, ca_file))
+        ossl_raise(eSSLError, "SSL_CTX_load_verify_file");
+    if (ca_path && !SSL_CTX_load_verify_dir(ctx, ca_path))
+        ossl_raise(eSSLError, "SSL_CTX_load_verify_dir");
+#else
     if(ca_file || ca_path){
 	if (!SSL_CTX_load_verify_locations(ctx, ca_file, ca_path))
 	    rb_warning("can't set verify locations");
     }
+#endif
 
     val = rb_attr_get(self, id_i_verify_mode);
     verify_mode = NIL_P(val) ? SSL_VERIFY_NONE : NUM2INT(val);
