From 7fbe1b6c7769dc474b78c250382e0251fc88974e Mon Sep 17 00:00:00 2001
From: Robert Scheck
Date: May 04 2015 23:20:50 +0000
Subject: Added patch to handle the old OpenSSL 0.9.8e in RHEL 5 (and derivates) as good as possible
---
diff --git a/prosody-0.9.8-rhel5.patch b/prosody-0.9.8-rhel5.patch
new file mode 100644
index 0000000..6a4a1a8
--- /dev/null
+++ b/prosody-0.9.8-rhel5.patch
@@ -0,0 +1,35 @@
+Patch by Robert Scheck for prosody >= 0.9.8 which removes all
+options that OpenSSL 0.9.8e (as shipped by Red Hat Enterprise Linux 5 and derivates such
+as CentOS) does not support: SSL_OP_NO_TICKET (added by upstream with OpenSSL 0.9.8f) and
+the support for secp384r1 (added by Red Hat for RHEL 6.5 with openssl-1.0.1e-15). LuaSec
+0.5 does not offer any option to detect which OpenSSL features are (not) available, thus
+Prosody upstream tries to determine them by the LuaSec version - risky, because EPEL 5 is
+shipping LuaSec 0.4.1 since ever, but still had no support for the "no_ticket" option.
+
+--- prosody-0.9.8/core/certmanager.lua 2015-03-24 20:18:04.000000000 +0100
++++ prosody-0.9.8/core/certmanager.lua.rhel5 2015-05-05 00:47:21.000000000 +0200
+@@ -33,7 +33,7 @@
+ local default_ssl_config = configmanager.get("*", "ssl");
+ local default_capath = "/etc/ssl/certs";
+ local default_verify = (ssl and ssl.x509 and { "peer", "client_once", }) or "none";
+-local default_options = { "no_sslv2", "no_sslv3", "cipher_server_preference", luasec_has_noticket and "no_ticket" or nil };
++local default_options = { "no_sslv2", "no_sslv3", "cipher_server_preference" };
+ local default_verifyext = { "lsec_continue", "lsec_ignore_purpose" };
+ 
+ if ssl and not luasec_has_verifyext and ssl.x509 then
+@@ -56,6 +56,7 @@
+ 
+ if not ssl then return nil, "LuaSec (required for encryption) was not found"; end
+ if not user_ssl_config then return nil, "No SSL/TLS configuration present for "..host; end
++ if user_ssl_config.options then user_ssl_config.options.no_ticket = nil; end
+ 
+ local ssl_config = {
+ mode = mode;
+@@ -69,7 +70,6 @@
+ verifyext = user_ssl_config.verifyext or default_verifyext;
+ options = user_ssl_config.options or default_options;
+ depth = user_ssl_config.depth;
+- curve = user_ssl_config.curve or "secp384r1";
+ ciphers = user_ssl_config.ciphers or "HIGH+kEDH:HIGH+kEECDH:HIGH:!PSK:!SRP:!3DES:!aNULL";
+ dhparam = user_ssl_config.dhparam;
+ };
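Review bot: The added `if user_ssl_config.options then user_ssl_config.options.no_ticket = nil; end` in the inner `@@ -56` hunk clears a key named `no_ticket`, but the `default_options` table changed in the `@@ -33` hunk shows `options` as an array of strings (`{ "no_sslv2", "no_sslv3", ... }`), so a user-supplied `options = { ..., "no_ticket" }` would be left intact and the unsupported option would still reach LuaSec 0.4.1. If user configurations use the same array form — worth confirming against the config documentation — the value has to be removed by scanning the array, as below. The enclosing function of that hunk starts and ends outside the hunk, and the unconditional `curve` removal in the `@@ -69` hunk also discards a user-configured `curve`, which the header comment should state explicitly if that is intended.
```lua
if user_ssl_config.options then
	-- options is an array of option names; drop the one OpenSSL 0.9.8e does not know
	for i = #user_ssl_config.options, 1, -1 do
		if user_ssl_config.options[i] == "no_ticket" then table.remove(user_ssl_config.options, i); end
	end
end
-- … unchanged: ssl_config construction …
```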
diff --git a/prosody.spec b/prosody.spec
index 3905160..382bf71 100644
--- a/prosody.spec
+++ b/prosody.spec
@@ -18,6 +18,7 @@ Source5: prosody.tmpfilesd
 Source6: prosody-localhost.cfg.lua
 Source7: prosody-example.com.cfg.lua
 Patch0: prosody-0.9.8-config.patch
+Patch1: prosody-0.9.8-rhel5.patch
 BuildRequires: libidn-devel, openssl-devel
 Requires(pre): shadow-utils
 %if 0%{?rhel} > 6 || 0%{?fedora} > 17
@@ -56,6 +57,9 @@ added functionality, or prototype new protocols.
 %prep
 %setup -q
 %patch0 -p1 -b .config
+%if 0%{?rhel} == 5
+%patch1 -p1
+%endif
 
 %build
 # CFLAG -D_GNU_SOURCE requires fallocate() which requires GLIBC >= 2.10
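Review bot: `%patch1 -p1` in the `%prep` hunk is applied without a backup suffix while the neighbouring `%patch0 -p1 -b .config` keeps one; for consistency, and so the pre-patch `certmanager.lua` stays next to the patched copy in the build tree, use `%patch1 -p1 -b .rhel5`. The `%if 0%{?rhel} == 5` guard only covers RHEL 5, yet the header of prosody-0.9.8-rhel5.patch states that secp384r1 support arrived in RHEL 6.5, so a build on a RHEL 6 system older than 6.5 would still receive the unconditional `curve` default — if such builds are expected, the guard or a separate curve-only patch should account for it. On Fedora `%{?rhel}` is empty and the condition reads `0 == 5`, so the patch is correctly skipped there.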