git: 4e160c6197f7 - main - libfetch: Check for failure to create SSL context

From: Dag-Erling Smørgrav <des_at_FreeBSD.org>
Date: Sat, 07 Feb 2026 14:24:56 UTC
The branch main has been updated by des:

URL: https://cgit.FreeBSD.org/src/commit/?id=4e160c6197f75fda3d5d5997ce893087058cf718

commit 4e160c6197f75fda3d5d5997ce893087058cf718
Author:     Dag-Erling Smørgrav <des@FreeBSD.org>
AuthorDate: 2026-02-07 14:24:40 +0000
Commit:     Dag-Erling Smørgrav <des@FreeBSD.org>
CommitDate: 2026-02-07 14:24:40 +0000

    libfetch: Check for failure to create SSL context
    
    * Drop the ssl_meth member, there is no reason to hang on to it.
    
    * Replace deprecated SSLv23_client_method() with TLS_client_method().
    
    * Check the return value from SSL_CTX_new().
    
    MFC after:      1 week
    PR:             292903
    Reviewed by:    markj
    Differential Revision:  https://reviews.freebsd.org/D55098
---
 lib/libfetch/common.c | 10 +++++++---
 lib/libfetch/common.h |  1 -
 2 files changed, 7 insertions(+), 4 deletions(-)

diff --git a/lib/libfetch/common.c b/lib/libfetch/common.c
index 9b36a9e61a75..ec010909218b 100644
--- a/lib/libfetch/common.c
+++ b/lib/libfetch/common.c
@@ -1182,8 +1182,11 @@ fetch_ssl(conn_t *conn, const struct url *URL, int verbose)
 	X509_NAME *name;
 	char *str;
 
-	conn->ssl_meth = SSLv23_client_method();
-	conn->ssl_ctx = SSL_CTX_new(conn->ssl_meth);
+	if ((conn->ssl_ctx = SSL_CTX_new(TLS_client_method())) == NULL) {
+		fprintf(stderr, "SSL context creation failed\n");
+		ERR_print_errors_fp(stderr);
+		return (-1);
+	}
 	SSL_CTX_set_mode(conn->ssl_ctx, SSL_MODE_AUTO_RETRY);
 
 	fetch_ssl_setup_transport_layer(conn->ssl_ctx, verbose);
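Review bot: Every `return (-1)` taken after the SSL_CTX_new() call on line 42 succeeds, including the SSL_new() failure path in the second hunk, leaves conn->ssl_ctx allocated, so the ownership of that context on a failed fetch_ssl() should be stated where it is created. If fetch_close() (outside this diff) unconditionally calls SSL_CTX_free(conn->ssl_ctx), a comment such as `/* ssl_ctx is owned by conn and released by fetch_close(), also on error */` above the new check would document that; if it does not, the SSL_new() branch needs an explicit SSL_CTX_free() before returning. The switch to TLS_client_method() also moves the protocol floor decision entirely to fetch_ssl_setup_transport_layer(), which is outside the hunk; it is worth confirming that it still sets a minimum version (SSL_CTX_set_min_proto_version() or the SSL_OP_NO_* options), since TLS_client_method() alone negotiates whatever libssl's build default allows. fetch_ssl() starts and ends outside this hunk.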
@@ -1194,7 +1197,8 @@ fetch_ssl(conn_t *conn, const struct url *URL, int verbose)
 
 	conn->ssl = SSL_new(conn->ssl_ctx);
 	if (conn->ssl == NULL) {
-		fprintf(stderr, "SSL context creation failed\n");
+		fprintf(stderr, "SSL connection creation failed\n");
+		ERR_print_errors_fp(stderr);
 		return (-1);
 	}
 	SSL_set_fd(conn->ssl, conn->sd);
diff --git a/lib/libfetch/common.h b/lib/libfetch/common.h
index 7396c8a68ab6..06089aae5451 100644
--- a/lib/libfetch/common.h
+++ b/lib/libfetch/common.h
@@ -56,7 +56,6 @@ struct fetchconn {
 	SSL		*ssl;		/* SSL handle */
 	SSL_CTX		*ssl_ctx;	/* SSL context */
 	X509		*ssl_cert;	/* server certificate */
-	const SSL_METHOD *ssl_meth;	/* SSL method */
 #endif
 	int		 ref;		/* reference count */
 };