From 18140082d6bccd58bbab1b5510ee29d60b76d90b Mon Sep 17 00:00:00 2001
From: MSP-Greg
Date: Mon, 8 Jul 2019 14:49:45 -0500
Subject: [PATCH] Use OpenSSL DTLS_method & TLS_server_method when available (#1832)

* Add extconf test for DTLS_method & use in mini_ssl.c
* Rakefile - use require_relative for 'lib/puma/detect'
* Add Trusty OpenSSL 1.0.1 job to Travis
* Add extconf test for TLS_server_method & use in mini_ssl.c
---
 .travis.yml | 3 +++
 History.md | 4 +++-
 Rakefile | 2 +-
 ext/puma_http11/extconf.rb | 8 ++++++++
 ext/puma_http11/mini_ssl.c | 10 ++++++++--
 5 files changed, 23 insertions(+), 4 deletions(-)

diff --git a/.travis.yml b/.travis.yml
index 53302eab..776dab16 100644
--- a/.travis.yml
+++ b/.travis.yml
@@ -35,6 +35,9 @@ rvm:
 matrix:
 fast_finish: true
 include:
+ - rvm: 2.2
+ dist: trusty
+ env: NOTES="Trusty OpenSSL 1.0.1"
 - rvm: ruby-head
 env: RUBYOPT="--jit"
 - rvm: 2.4.6
diff --git a/History.md b/History.md
index a397c0be..cbdf90b1 100644
--- a/History.md
+++ b/History.md
@@ -1,7 +1,9 @@
 ## Master
 x features
-x bugfixes
+
+* ? bugfixes
+ * Add extconf tests for DTLS_method & TLS_server_method, use in minissl.rb. (#1832)
 ## 4.0.0 / 2019-06-25
diff --git a/Rakefile b/Rakefile
index 58873a65..f56dce4a 100644
--- a/Rakefile
+++ b/Rakefile
@@ -3,7 +3,7 @@ require "rake/testtask"
 require "rake/extensiontask"
 require "rake/javaextensiontask"
 require "rubocop/rake_task"
-require 'puma/detect'
+require_relative 'lib/puma/detect'
 require 'rubygems/package_task'
 require 'bundler/gem_tasks'
diff --git a/ext/puma_http11/extconf.rb b/ext/puma_http11/extconf.rb
index 59c54f9c..ee672306 100644
--- a/ext/puma_http11/extconf.rb
+++ b/ext/puma_http11/extconf.rb
@@ -9,6 +9,14 @@ unless ENV["DISABLE_SSL"]
 %w'ssl ssleay32'.find {|ssl| have_library(ssl, 'SSL_CTX_new')}
 have_header "openssl/bio.h"
+
+ # below is yes for 1.0.2 & later
+ have_func "DTLS_method" , "openssl/ssl.h"
+
+ # below are yes for 1.1.0 & later, may need to check func rather than macro
+ # with versions after 1.1.1
+ have_func "TLS_server_method" , "openssl/ssl.h"
+ have_macro "SSL_CTX_set_min_proto_version", "openssl/ssl.h"
 end
 end
diff --git a/ext/puma_http11/mini_ssl.c b/ext/puma_http11/mini_ssl.c
index 120ab227..607f6ea8 100644
--- a/ext/puma_http11/mini_ssl.c
+++ b/ext/puma_http11/mini_ssl.c
@@ -168,8 +168,11 @@ VALUE engine_init_server(VALUE self, VALUE mini_ssl_ctx) {
 ID sym_no_tlsv1 = rb_intern("no_tlsv1");
 VALUE no_tlsv1 = rb_funcall(mini_ssl_ctx, sym_no_tlsv1, 0);
-
+#ifdef HAVE_TLS_SERVER_METHOD
+ ctx = SSL_CTX_new(TLS_server_method());
+#else
 ctx = SSL_CTX_new(SSLv23_server_method());
+#endif
 conn->ctx = ctx;
 SSL_CTX_use_certificate_chain_file(ctx, RSTRING_PTR(cert));
@@ -232,8 +235,11 @@ VALUE engine_init_server(VALUE self, VALUE mini_ssl_ctx) {
 VALUE engine_init_client(VALUE klass) {
 VALUE obj;
 ms_conn* conn = engine_alloc(klass, &obj);
-
+#ifdef HAVE_DTLS_METHOD
 conn->ctx = SSL_CTX_new(DTLS_method());
+#else
+ conn->ctx = SSL_CTX_new(DTLSv1_method());
+#endif
 conn->ssl = SSL_new(conn->ctx);
 SSL_set_app_data(conn->ssl, NULL);
 SSL_set_verify(conn->ssl, SSL_VERIFY_NONE, NULL);
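Review bot: The new `have_macro "SSL_CTX_set_min_proto_version", "openssl/ssl.h"` line defines HAVE_SSL_CTX_SET_MIN_PROTO_VERSION, but nothing in this commit consults it — the mini_ssl.c hunks only test HAVE_TLS_SERVER_METHOD and HAVE_DTLS_METHOD — so the probe is dead weight until a follow-up uses it, and the comment above it already concedes it may have to become a have_func on builds where the symbol is a real function rather than a macro. Either drop the line for now or mark it: `# result currently unused; mini_ssl.c does not consult HAVE_SSL_CTX_SET_MIN_PROTO_VERSION yet`. The space before the comma in `have_func "DTLS_method" , "openssl/ssl.h"` and the matching TLS_server_method line would be flagged by RuboCop (Layout/SpaceBeforeComma); `have_func "DTLS_method", "openssl/ssl.h"` reads cleaner. The enclosing `unless ENV["DISABLE_SSL"]` block begins before the hunk, and the `%w'ssl ssleay32'.find` line at the top looks like the tail of a condition that also starts outside it, so this note cannot confirm the new probes only run once the SSL library was actually found.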
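Review bot: The `#ifdef HAVE_TLS_SERVER_METHOD` switch is a pure rename — OpenSSL 1.1.0 introduced `TLS_server_method()` as the replacement for `SSLv23_server_method()` and both negotiate the highest mutually supported protocol version — but nothing in the hunk says so, and a reader could mistake the fallback branch for a downgrade to SSLv3. A comment on the `#ifdef` would prevent that reading: `/* TLS_server_method() is the 1.1.0+ name for SSLv23_server_method(); both negotiate the highest mutually supported version */`. The `no_tlsv1` value read just above is presumably applied through SSL_CTX_set_options further down; that code is outside the hunk, so confirm it still runs on both branches, since the protocol floor does not come from the method choice. Dropping the blank line before the `#ifdef` glues the preprocessor block to the option reads; keeping it would preserve the grouping. engine_init_server starts and ends outside the hunk.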
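Review bot: The new `#else` branch falls back to `DTLSv1_method()`, which pins the client engine to DTLS 1.0 on OpenSSL builds that lack the version-flexible `DTLS_method()` (pre-1.0.2 per the extconf comment), and the hunk does not record that this is an intentional, reduced capability rather than an equivalent. A comment on the `#else` would make that explicit: `/* OpenSSL < 1.0.2 has no DTLS_method(); DTLSv1_method() pins DTLS 1.0 */`. It is also worth stating in the same comment why a server-side HTTP extension builds a datagram (DTLS) client context at all — if this engine only serves the test suite, say so, because the unchanged `SSL_set_verify(conn->ssl, SSL_VERIFY_NONE, NULL)` two lines below disables peer verification and must not be mistaken for a production client. engine_init_client's body continues past the hunk.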