From 2648ef578fde5a02f66a434689c5cd16fc837667 Mon Sep 17 00:00:00 2001
From: Oswald Buddenhagen
Date: Sat, 21 May 2016 13:08:09 +0200
Subject: [PATCH 1/3] fix server certificate validation error reporting
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

use the right function to decode the error code.

found by Andrés Ramírez .
---
 src/socket.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/socket.c b/src/socket.c
index 9fd6eca..5221cd6 100644
--- a/src/socket.c
+++ b/src/socket.c
@@ -178,7 +178,7 @@ verify_cert_host( const server_conf_t *conf, conn_t *sock )
 err = SSL_get_verify_result( sock->ssl );
 if (err != X509_V_OK) {
- error( "SSL error connecting %s: %s\n", sock->name, ERR_error_string( err, NULL ) );
+ error( "SSL error connecting %s: %s\n", sock->name, X509_verify_cert_error_string( err ) );
 return -1;
 }

From 719d4a2437d36c09e20a0ceca26891446cd5a1c8 Mon Sep 17 00:00:00 2001
From: Oswald Buddenhagen
Date: Sun, 24 Jul 2016 11:58:09 +0200
Subject: [PATCH 2/3] prune obsolete #include

hmac.h was needed only for the cram-md5 implementation.
---
 src/socket.c | 1 -
 1 file changed, 1 deletion(-)

diff --git a/src/socket.c b/src/socket.c
index 5221cd6..94d0e7f 100644
--- a/src/socket.c
+++ b/src/socket.c
@@ -39,7 +39,6 @@
 #ifdef HAVE_LIBSSL
 # include
 # include
-# include
 # include
 #endif

From 41308e481466b91813f6765a0c92ad83fd9d1ab2 Mon Sep 17 00:00:00 2001
From: Oswald Buddenhagen
Date: Sun, 24 Jul 2016 11:58:57 +0200
Subject: [PATCH 3/3] fix build with openssl 1.1

they finally made their structs opaque, and provided proper getters.
---
 src/socket.c | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)

diff --git a/src/socket.c b/src/socket.c
index 94d0e7f..3736fd5 100644
--- a/src/socket.c
+++ b/src/socket.c
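Review bot: The corrected message is right, but the `err != X509_V_OK` test it reports on still does not prove a chain was validated: SSL_get_verify_result() also returns X509_V_OK when the peer presented no certificate at all. Whether verify_cert_host already rejects a missing peer certificate before this point cannot be seen here, since the function starts outside the hunk; if it does not, a NULL check on `SSL_get_peer_certificate( sock->ssl )` belongs ahead of this test. Worth confirming as well, because the declaration is outside the hunk, that `err` is declared `long` — both SSL_get_verify_result() and the new X509_verify_cert_error_string() use long, and an `int` would truncate the code. A one-line comment above the test, `/* X509_V_OK is also returned when the peer sent no certificate */`, would make the first point visible to the next reader.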
@@ -40,6 +40,10 @@
 # include
 # include
 # include
+# if OPENSSL_VERSION_NUMBER < 0x10100000L
+# define X509_OBJECT_get0_X509(o) ((o)->data.x509)
+# define X509_STORE_get0_objects(o) ((o)->objs)
+# endif
 #endif
 enum {
@@ -171,7 +175,7 @@ verify_cert_host( const server_conf_t *conf, conn_t *sock )
 trusted = (STACK_OF(X509_OBJECT) *)sock->conf->trusted_certs;
 for (i = 0; i < sk_X509_OBJECT_num( trusted ); i++) {
- if (!X509_cmp( cert, sk_X509_OBJECT_value( trusted, i )->data.x509 ))
+ if (!X509_cmp( cert, X509_OBJECT_get0_X509( sk_X509_OBJECT_value( trusted, i ) ) ))
 return 0;
 }
@@ -222,7 +226,7 @@ init_ssl_ctx( const server_conf_t *conf )
 conf->cert_file, ERR_error_string( ERR_get_error(), 0 ) );
 return 0;
 }
- mconf->trusted_certs = (_STACK *)sk_X509_OBJECT_dup( SSL_CTX_get_cert_store( mconf->SSLContext )->objs );
+ mconf->trusted_certs = (_STACK *)sk_X509_OBJECT_dup( X509_STORE_get0_objects( SSL_CTX_get_cert_store( mconf->SSLContext ) ) );
 if (mconf->system_certs && !SSL_CTX_set_default_verify_paths( mconf->SSLContext ))
 warn( "Warning: Unable to load default certificate files: %s\n", ERR_error_string( ERR_get_error(), 0 ) );
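Review bot: The X509_OBJECT_get0_X509 compatibility macro in the first hunk reads `(o)->data.x509` without checking the object's type, and the loop in the second hunk (inside verify_cert_host, whose body starts outside the hunk) applies it to every entry of the store's object stack. An X509_STORE can hold CRLs as well as certificates; for a CRL entry the union member is really an X509_CRL pointer, so on OpenSSL < 1.1 X509_cmp() is handed the wrong object type, while on 1.1 the real X509_OBJECT_get0_X509() returns NULL for such entries, which X509_cmp() does not tolerate. Whether CRLs can actually end up in this store depends on how trusted_certs is populated in init_ssl_ctx (third hunk and surrounding code, not fully visible here), so this may be latent today, but it is cheap to close. Guarding the comparison on `X509_OBJECT_get_type( obj ) == X509_LU_X509`, with a matching compatibility macro next to the two already added, covers both OpenSSL generations.
```c
# if OPENSSL_VERSION_NUMBER < 0x10100000L
# define X509_OBJECT_get0_X509(o) ((o)->data.x509)
# define X509_OBJECT_get_type(o) ((o)->type)
# define X509_STORE_get0_objects(o) ((o)->objs)
# endif
/* … unchanged: remainder of the include block and verify_cert_host up to the loop … */
	for (i = 0; i < sk_X509_OBJECT_num( trusted ); i++) {
		X509_OBJECT *obj = sk_X509_OBJECT_value( trusted, i );
		/* the store may also carry CRLs; only certificate entries are comparable */
		if (X509_OBJECT_get_type( obj ) != X509_LU_X509)
			continue;
		if (!X509_cmp( cert, X509_OBJECT_get0_X509( obj ) ))
			return 0;
	}
```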