authorDag-Erling Smørgrav <des@FreeBSD.org>2026-02-07 14:24:40 +0000
committerDag-Erling Smørgrav <des@FreeBSD.org>2026-02-07 14:24:40 +0000
commit4e160c6197f75fda3d5d5997ce893087058cf718 (patch)
tree10cf874757752406eff3f8c1de04e8498595bfe0
parent4548149a81026ad9b1706b2b7e7ad47a4c1358b6 (diff)
libfetch: Check for failure to create SSL context
* Drop the ssl_meth member, there is no reason to hang on to it. * Replace deprecated SSLv23_client_method() with TLS_client_method(). * Check the return value from SSL_CTX_new(). MFC after: 1 week PR: 292903 Reviewed by: markj Differential Revision: https://reviews.freebsd.org/D55098
-rw-r--r--lib/libfetch/common.c10
-rw-r--r--lib/libfetch/common.h1
2 files changed, 7 insertions, 4 deletions
diff --git a/lib/libfetch/common.c b/lib/libfetch/common.c
index 9b36a9e61a75..ec010909218b 100644
--- a/lib/libfetch/common.c
+++ b/lib/libfetch/common.c
@@ -1182,8 +1182,11 @@ fetch_ssl(conn_t *conn, const struct url *URL, int verbose)
X509_NAME *name;
char *str;
- conn->ssl_meth = SSLv23_client_method();
- conn->ssl_ctx = SSL_CTX_new(conn->ssl_meth);
+ if ((conn->ssl_ctx = SSL_CTX_new(TLS_client_method())) == NULL) {
+ fprintf(stderr, "SSL context creation failed\n");
+ ERR_print_errors_fp(stderr);
+ return (-1);
+ }
SSL_CTX_set_mode(conn->ssl_ctx, SSL_MODE_AUTO_RETRY);
fetch_ssl_setup_transport_layer(conn->ssl_ctx, verbose);
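Review bot: The minimum protocol version is not evident at the new `SSL_CTX_new(TLS_client_method())` call. TLS_client_method() is version-flexible and negotiates the highest version both peers support, so the floor is whatever `fetch_ssl_setup_transport_layer()` applies to the context two lines later, and its body is outside this hunk. A comment above the call would make that dependency explicit, e.g. `/* version-flexible method; the protocol floor is set in fetch_ssl_setup_transport_layer() */`. It is also worth confirming that the helper restricts old protocol versions in a way current OpenSSL honours, either through option flags or `SSL_CTX_set_min_proto_version()`. fetch_ssl's body starts and ends outside the hunk.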
@@ -1194,7 +1197,8 @@ fetch_ssl(conn_t *conn, const struct url *URL, int verbose)
conn->ssl = SSL_new(conn->ssl_ctx);
if (conn->ssl == NULL) {
- fprintf(stderr, "SSL context creation failed\n");
+ fprintf(stderr, "SSL connection creation failed\n");
+ ERR_print_errors_fp(stderr);
return (-1);
}
SSL_set_fd(conn->ssl, conn->sd);
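Review bot: The `SSL_new()` failure path returns -1 while `conn->ssl_ctx`, created in the previous hunk, is still allocated. If the caller's teardown of `conn` does not release it (that code is not visible here), the context leaks on this path. Either free it before returning, `SSL_CTX_free(conn->ssl_ctx); conn->ssl_ctx = NULL;`, or add a comment naming the function that owns the cleanup. The same question applies to any later error return in fetch_ssl, whose body continues outside the hunk.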
diff --git a/lib/libfetch/common.h b/lib/libfetch/common.h
index 7396c8a68ab6..06089aae5451 100644
--- a/lib/libfetch/common.h
+++ b/lib/libfetch/common.h
@@ -56,7 +56,6 @@ struct fetchconn {
SSL *ssl; /* SSL handle */
SSL_CTX *ssl_ctx; /* SSL context */
X509 *ssl_cert; /* server certificate */
- const SSL_METHOD *ssl_meth; /* SSL method */
#endif
int ref; /* reference count */
};