From 1d27391c291fa5f00f1e41c2e7853e9a27aa5184 Mon Sep 17 00:00:00 2001
From: Glenn Strauss
Date: Wed, 28 Oct 2020 13:06:58 -0400
Subject: [PATCH] [mod_mbedtls] wrap addtl code in preproc defines

wrap additional code in preprocessor defines to check if enabled in lib
---
 src/mod_mbedtls.c | 16 +++++++++++++---
 1 file changed, 13 insertions(+), 3 deletions(-)

diff --git a/src/mod_mbedtls.c b/src/mod_mbedtls.c
index e18e59be..1450f47a 100644
--- a/src/mod_mbedtls.c
+++ b/src/mod_mbedtls.c
@@ -401,8 +401,10 @@ static void
 mod_mbedtls_free_mbedtls (void)
 {
 if (!ssl_is_init) return;
+ #ifdef MBEDTLS_SSL_SESSION_TICKETS
 mbedtls_platform_zeroize(session_ticket_keys, sizeof(session_ticket_keys));
 stek_rotate_ts = 0;
+ #endif
 
 plugin_data * const p = plugin_data_singleton;
 mbedtls_ctr_drbg_free(&p->ctr_drbg);
@@ -1395,8 +1397,14 @@ mod_mbedtls_set_defaults_sockets(server *srv, plugin_data *p)
 "ssl.openssl.ssl-conf-cmd = (\"MinProtocol\" => \"SSLv3\")");
 break;
 case 10:/* ssl.stek-file */
+ #ifdef MBEDTLS_SSL_SESSION_TICKETS
 if (!buffer_is_empty(cpv->v.b))
 p->ssl_stek_file = cpv->v.b->ptr;
+ #else
+ log_error(srv->errh, __FILE__, __LINE__, "MTLS: "
+ "ssl.stek-file ignored; mbedtls library not built with "
+ "support for SSL session tickets");
+ #endif
 break;
 default:/* should not happen */
 break;
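Review bot: In the new `#else` branch of `case 10:/* ssl.stek-file */` the "ssl.stek-file ignored" message is emitted whenever the option is present in the config, whereas the `#ifdef` branch only acts when `cpv->v.b` is non-empty, so an empty `ssl.stek-file` value produces a misleading warning on a library built without ticket support. Guarding the call the same way, `if (!buffer_is_empty(cpv->v.b))` before the `log_error(...)`, keeps the two branches symmetric. Logging instead of rejecting the configuration looks acceptable here, since without MBEDTLS_SSL_SESSION_TICKETS the library presumably issues no tickets at all and the absent key file weakens nothing; the matching `#ifdef` around the key zeroization in `mod_mbedtls_free_mbedtls` in the first hunk is consistent with that. mod_mbedtls_set_defaults_sockets begins and ends outside this hunk.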
@@ -2039,11 +2047,13 @@ CONNECTION_FUNC(mod_mbedtls_handle_con_accept)
 * overlap, and so renegotiation setting is not reset upon connection close.
 * Once enabled, renegotiation will remain so for this mbedtls_ssl_config.
 * mbedtls defaults to disable client renegotiation
- * (MBEDTLS_SSL_RENEGOTIATION_DISABLED)
+ * (MBEDTLS_LEGACY_SSL_RENEGOTIATION_DISABLED)
 * and it is recommended to leave it disabled (lighttpd mbedtls default) */
+ #ifdef MBEDTLS_LEGACY_SSL_RENEGOTIATION_ENABLED
 if (!hctx->conf.ssl_disable_client_renegotiation)
- mbedtls_ssl_conf_renegotiation(s->ssl_ctx,
- MBEDTLS_SSL_RENEGOTIATION_ENABLED);
+ mbedtls_legacy_ssl_conf_renegotiation(s->ssl_ctx,
+ MBEDTLS_LEGACY_SSL_RENEGOTIATION_ENABLED);
+ #endif
 
 return HANDLER_GO_ON;
 }
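Review bot: The new guard tests `MBEDTLS_LEGACY_SSL_RENEGOTIATION_ENABLED` and calls `mbedtls_legacy_ssl_conf_renegotiation`, but I cannot find either name in the mbedtls API; the compile-time option that gates renegotiation support in the library is `MBEDTLS_SSL_RENEGOTIATION`, and the setter is the one the removed lines used. Since an identifier the library never defines makes the `#ifdef` false, the block is compiled out on every mbedtls build, so renegotiation stays disabled (the safe default) but an operator who clears `ssl_disable_client_renegotiation` gets neither the requested behaviour nor a diagnostic. Suggested change: `#ifdef MBEDTLS_SSL_RENEGOTIATION` around `mbedtls_ssl_conf_renegotiation(s->ssl_ctx, MBEDTLS_SSL_RENEGOTIATION_ENABLED);`, and the comment's `(MBEDTLS_LEGACY_SSL_RENEGOTIATION_DISABLED)` reverted to `(MBEDTLS_SSL_RENEGOTIATION_DISABLED)` to match. The enclosing connection-accept handler starts outside the hunk.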