From a15a31611d61379297ec45c2a5d34ab57dfb958d Mon Sep 17 00:00:00 2001
From: Nikias Bassen
Date: Wed, 11 Jan 2023 04:00:51 +0100
Subject: idevice: Fix connections to <= iOS 5 devices with OpenSSL 3

Thanks @tihmstar for pointing this out.
---
 src/idevice.c | 11 ++++++++++-
 1 file changed, 10 insertions(+), 1 deletion(-)

diff --git a/src/idevice.c b/src/idevice.c
index a3c258f..12d9bb3 100644
--- a/src/idevice.c
+++ b/src/idevice.c
@@ -1205,13 +1205,22 @@ LIBIMOBILEDEVICE_API idevice_error_t idevice_connection_enable_ssl(idevice_conne
 SSL_CTX_set_max_proto_version(ssl_ctx, TLS1_VERSION);
 }
 #endif
-#if (OPENSSL_VERSION_MAJOR >= 3) && defined(SSL_OP_IGNORE_UNEXPECTED_EOF)
+#if (OPENSSL_VERSION_MAJOR >= 3)
+#if defined(SSL_OP_IGNORE_UNEXPECTED_EOF)
 /*
 * For OpenSSL 3 and later, mark close_notify alerts as optional.
 * For prior versions of OpenSSL we check for SSL_ERROR_SYSCALL when
 * reading instead (this error changes to SSL_ERROR_SSL in OpenSSL 3).
 */
 SSL_CTX_set_options(ssl_ctx, SSL_OP_IGNORE_UNEXPECTED_EOF);
+#endif
+#if defined(SSL_OP_LEGACY_SERVER_CONNECT)
+ /*
+ * Without setting SSL_OP_LEGACY_SERVER_CONNECT, OpenSSL 3 fails with
+ * error "unsafe legacy renegotiation disabled" when talking to iOS 5
+ */
+ SSL_CTX_set_options(ssl_ctx, SSL_OP_LEGACY_SERVER_CONNECT);
+#endif
 #endif

 BIO* membp;
-- 
cgit v1.1-32-gdbae
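Review bot: The new `SSL_CTX_set_options(ssl_ctx, SSL_OP_LEGACY_SERVER_CONNECT);` call is guarded only by preprocessor checks, so on OpenSSL 3 builds it applies to every connection rather than only to the iOS 5 and older devices named in the comment. That option lets the handshake proceed with a peer that does not offer RFC 5746 secure renegotiation, which OpenSSL 3 refuses by default, so the relaxation also reaches newer devices that do not need it. The context line `SSL_CTX_set_max_proto_version(ssl_ctx, TLS1_VERSION);` sits inside a block whose condition is outside the hunk; if that condition identifies legacy devices, setting the option there would confine it to them. Failing that, the comment should state the scope, e.g. `/* applies to all peers: drops the RFC 5746 secure renegotiation requirement */`. idevice_connection_enable_ssl starts and ends outside the hunk.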