$OpenBSD: patch-src_main_tls_c,v 1.9 2020/03/26 09:47:30 sthen Exp $

Index: src/main/tls.c
--- src/main/tls.c.orig
+++ src/main/tls.c
@@ -2122,7 +2122,8 @@ int cbtls_verify(int ok, X509_STORE_CTX *ctx)
 	char		cn_str[1024];
 	char		buf[64];
 	X509		*client_cert;
-#if OPENSSL_VERSION_NUMBER >= 0x10100000L && !defined(LIBRESSL_VERSION_NUMBER)
+#if OPENSSL_VERSION_NUMBER >= 0x10100000L && \
+    (!defined(LIBRESSL_VERSION_NUMBER) || LIBRESSL_VERSION_NUMBER >= 0x2080000fL)
 	const STACK_OF(X509_EXTENSION) *ext_list;
 #else
 	STACK_OF(X509_EXTENSION) *ext_list;
@@ -2334,7 +2335,8 @@ int cbtls_verify(int ok, X509_STORE_CTX *ctx)
 	}
 
 	if (lookup == 0) {
-#if OPENSSL_VERSION_NUMBER >= 0x10100000L && !defined(LIBRESSL_VERSION_NUMBER)
+#if OPENSSL_VERSION_NUMBER >= 0x10100000L && \
+    (!defined(LIBRESSL_VERSION_NUMBER) || LIBRESSL_VERSION_NUMBER >= 0x2070000fL)
 		ext_list = X509_get0_extensions(client_cert);
 #else
 		X509_CINF	*client_inf;
@@ -3222,7 +3224,7 @@ post_ca:
 #ifdef SSL_OP_NO_TLSv1
 	if (conf->disable_tlsv1) {
 		ctx_options |= SSL_OP_NO_TLSv1;
-#if OPENSSL_VERSION_NUMBER >= 0x10100000L
+#if OPENSSL_VERSION_NUMBER >= 0x10100000L /* ok for libressl */
 		WARN("Please use tls_min_version and tls_max_version instead of disable_tlsv1");
 #endif
 	}
@@ -3232,7 +3234,7 @@ post_ca:
 #ifdef SSL_OP_NO_TLSv1_1
 	if (conf->disable_tlsv1_1) {
 		ctx_options |= SSL_OP_NO_TLSv1_1;
-#if OPENSSL_VERSION_NUMBER >= 0x10100000L
+#if OPENSSL_VERSION_NUMBER >= 0x10100000L /* ok for libressl */
 		WARN("Please use tls_min_version and tls_max_version instead of disable_tlsv1_2");
 #endif
 	}
@@ -3243,7 +3245,7 @@ post_ca:
 
 	if (conf->disable_tlsv1_2) {
 		ctx_options |= SSL_OP_NO_TLSv1_2;
-#if OPENSSL_VERSION_NUMBER >= 0x10100000L
+#if OPENSSL_VERSION_NUMBER >= 0x10100000L /* ok for libressl */
 		WARN("Please use tls_min_version and tls_max_version instead of disable_tlsv1_2");
 #endif
 	}
