The 16 branch doesn't have the call to ASN1_UTCTIME_cmp_time_t() and compiles cleanly. This looks like it is in code related to 3270 communication.

No, it has nothing to do with 3270. This is for the ssl_check_exp capability of TN5250. I added that capability in order to allow me to check for an SSL certificate that's going to expire in the future. For example, I can specify a number of seconds that corresponds to 1 week if I want to know that my iSeries server's certificate will expire 1 week from now.


I use that so that I won't forget to renew the iSeries certificate before everyone gets locked out of the system :)


Scott, do you know what I can do to get this to compile? Is ASN1_UTCTIME_cmp_time_t() a function in newer versions of openssl? Can we test for this in configure?

What version of OpenSSL do you have?

You should be able to comment out both "if" blocks. There's one for checking the client certificate, and one for checking the server certificate. They look like this:

    if (ASN1_UTCTIME_cmp_time_t(X509_get_notAfter(server_cert), tnow)
            == -1) {
        if (extra_time > 1) {
            printf("SSL error: server certificate will be expired\n");
            TN5250_LOG(("SSL: server certificate will be expired\n"));
        } else {
            printf("SSL error: server certificate has expired\n");
            TN5250_LOG(("SSL: server certificate has expired\n"));
        }
        return -1;
    }


Just put an "#if 0" before the block, and an "#endif" after it, and you should be able to make it compile without any problems. (Please verify that.) It won't check to make sure the certificates haven't expired anymore, but I guess it's better that it works :)

Once you've verified that this solves your problem, add a configure check for that function, and use a real #ifdef so that configure will disable that code if needed.


btw - I tried compiling with --without-ssl and it compiles the ssl code anyway. Shouldn't this turn off any ssl code?

Hmmm.. I know that if you don't specify anything, it tries to figure out if OpenSSL is available or not and tries to use it based on whether it exists.


But, theoretically, specifying --without-ssl should force it to turn SSL off. Maybe that functionality is broken, though.

I don't really have time to .... well, I don't really have time to breathe -- but I also don't have time to look at this now. Maybe you can figure it out?
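
A fallback for the lookahead check discussed in this thread, for builds where ASN1_UTCTIME_cmp_time_t() is missing, so the expiry test does not have to be compiled out. This is an added example, not tn5250 source: the function names and return codes are hypothetical, and it assumes the notAfter value is available as UTCTime text ("YYMMDDHHMMSSZ") with extra_time given in seconds. Dates encoded as GeneralizedTime are rejected rather than guessed at.

```c
/* Added example, not tn5250 source. Assumes notAfter is available as the
 * 13-byte UTCTime text "YYMMDDHHMMSSZ" and that extra_time is in seconds. */
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Days from 1970-01-01 to y-m-d (Gregorian), so timegm() is not needed. */
static long long days_from_civil(int y, int m, int d)
{
    y -= (m <= 2);                       /* treat Jan/Feb as end of prior year */
    long long era = y / 400, yoe = y - era * 400;   /* y >= 1949 here */
    long long doy = (153 * (m + (m > 2 ? -3 : 9)) + 2) / 5 + d - 1;
    return era * 146097 + yoe * 365 + yoe / 4 - yoe / 100 + doy - 719468;
}

/* Parse UTCTime to seconds since the epoch; 0 on success, -1 if malformed. */
static int utctime_to_epoch(const char *s, long long *out)
{
    int v[6], i;
    if (strlen(s) != 13 || s[12] != 'Z') return -1;
    for (i = 0; i < 12; i++)
        if (!isdigit((unsigned char)s[i])) return -1;
    for (i = 0; i < 6; i++)
        v[i] = (s[2 * i] - '0') * 10 + (s[2 * i + 1] - '0');
    if (v[1] < 1 || v[1] > 12 || v[2] < 1 || v[2] > 31 ||
        v[3] > 23 || v[4] > 59 || v[5] > 59) return -1;
    int year = v[0] + (v[0] < 50 ? 2000 : 1900);  /* RFC 5280 two-digit year rule */
    *out = days_from_civil(year, v[1], v[2]) * 86400LL
         + v[3] * 3600LL + v[4] * 60LL + v[5];
    return 0;
}

enum { CERT_BAD_TIME = -1, CERT_OK = 0, CERT_EXPIRING = 1, CERT_EXPIRED = 2 };
/* Unparseable dates fail closed; strict "earlier than", as in the thread's check. */
int check_not_after(const char *not_after, long long now, long long extra_time)
{
    long long end;
    if (utctime_to_epoch(not_after, &end) != 0) return CERT_BAD_TIME;
    if (end < now) return CERT_EXPIRED;
    if (end < now + extra_time) return CERT_EXPIRING;
    return CERT_OK;
}

int main(void)
{
    /* Constructed sample: cert ends 2025-01-01, "now" is 3 days earlier, 1-week window. */
    printf("%d\n", check_not_after("250101000000Z", 1735430400LL, 604800LL));
    return 0;
}
```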



This mailing list archive is Copyright 1997-2020 by midrange.com and David Gibbs as a compilation work. Use of the archive is restricted to research of a business or technical nature. Any other uses are prohibited. Full details are available on our policy page.