[PATCH 2/4] BUILD: ssl: disable OCSP when using boringssl

Posted by Lukas Tribus 
Lukas Tribus
[PATCH 2/4] BUILD: ssl: disable OCSP when using boringssl
August 18, 2014 01:00AM
Google's BoringSSL does not currently provide the OCSP API (<openssl/ocsp.h>),
so disable HAProxy's OCSP stapling support at build time when
OPENSSL_IS_BORINGSSL is defined.

OCSP support may be reintroduced as per:
https://code.google.com/p/chromium/issues/detail?id=398677

In that case we can simply revert this commit.

Signed-off-by: Lukas Tribus <luky-37@hotmail.com>
---
include/proto/ssl_sock.h | 2 +-
src/dumpstats.c | 2 +-
src/ssl_sock.c | 6 +++---
3 files changed, 5 insertions(+), 5 deletions(-)

diff --git a/include/proto/ssl_sock.h b/include/proto/ssl_sock.h
index 3e111cd..6362953 100644
--- a/include/proto/ssl_sock.h
+++ b/include/proto/ssl_sock.h
@@ -54,7 +54,7 @@ char *ssl_sock_get_version(struct connection *conn);
int ssl_sock_get_cert_used(struct connection *conn);
int ssl_sock_get_remote_common_name(struct connection *conn, struct chunk *out);
unsigned int ssl_sock_get_verify_result(struct connection *conn);
-#ifdef SSL_CTRL_SET_TLSEXT_STATUS_REQ_CB
+#if (defined SSL_CTRL_SET_TLSEXT_STATUS_REQ_CB && !defined OPENSSL_IS_BORINGSSL)
int ssl_sock_update_ocsp_response(struct chunk *ocsp_response, char **err);
#endif
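Review bot: The condition `#if (defined SSL_CTRL_SET_TLSEXT_STATUS_REQ_CB && !defined OPENSSL_IS_BORINGSSL)` is copy-pasted into five places across three files in this series, and nothing forces future OCSP-dependent code to use the same test. The 2017 build log later in this thread shows exactly that drift: openssl-compat.h defines OCSP_SINGLERESP_get0_id with OCSP_CERTID/OCSP_SINGLERESP outside any such guard and fails against BoringSSL. Define the feature test once, in a header all three files include (this one, if dumpstats.c already pulls it in, which is not visible here): `#if defined(SSL_CTRL_SET_TLSEXT_STATUS_REQ_CB) && !defined(OPENSSL_IS_BORINGSSL)` / `#define HAVE_SSL_OCSP 1` / `#endif`, and test `#ifdef HAVE_SSL_OCSP` at each site so the BoringSSL exclusion cannot be forgotten.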

diff --git a/src/dumpstats.c b/src/dumpstats.c
index 5365042..3855e09 100644
--- a/src/dumpstats.c
+++ b/src/dumpstats.c
@@ -1794,7 +1794,7 @@ static int stats_sock_parse_request(struct stream_interface *si, char *line)
#ifdef USE_OPENSSL
else if (strcmp(args[1], "ssl") == 0) {
if (strcmp(args[2], "ocsp-response") == 0) {
-#ifdef SSL_CTRL_SET_TLSEXT_STATUS_REQ_CB
+#if (defined SSL_CTRL_SET_TLSEXT_STATUS_REQ_CB && !defined OPENSSL_IS_BORINGSSL)
char *err = NULL;

/* Expect one parameter: the new response in base64 encoding */
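Review bot: With OCSP compiled out, the `set ssl ocsp-response` CLI command now takes the `#else` branch of this block, which lies outside the hunk, so it is not visible whether the operator gets an explicit error or a silent no-op. An operator scripting stapling refreshes against a BoringSSL build would then believe the updates succeed while clients receive no stapled response at all. Please confirm that branch reports an error naming the missing feature, e.g. a message like `"OCSP support is not available in this build."`, rather than returning quietly. The enclosing stats_sock_parse_request starts and ends outside the hunk.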
diff --git a/src/ssl_sock.c b/src/ssl_sock.c
index cf8adc7..e53e3bd 100644
--- a/src/ssl_sock.c
+++ b/src/ssl_sock.c
@@ -44,7 +44,7 @@
#include <openssl/x509.h>
#include <openssl/err.h>
#include <openssl/rand.h>
-#ifdef SSL_CTRL_SET_TLSEXT_STATUS_REQ_CB
+#if (defined SSL_CTRL_SET_TLSEXT_STATUS_REQ_CB && !defined OPENSSL_IS_BORINGSSL)
#include <openssl/ocsp.h>
#endif

@@ -112,7 +112,7 @@ static DH *local_dh_4096 = NULL;
static DH *local_dh_8192 = NULL;
#endif /* OPENSSL_NO_DH */

-#ifdef SSL_CTRL_SET_TLSEXT_STATUS_REQ_CB
+#if (defined SSL_CTRL_SET_TLSEXT_STATUS_REQ_CB && !defined OPENSSL_IS_BORINGSSL)
struct certificate_ocsp {
struct ebmb_node key;
unsigned char key_data[OCSP_MAX_CERTID_ASN1_LENGTH];
@@ -1282,7 +1282,7 @@ static int ssl_sock_load_cert_file(const char *path, struct bind_conf *bind_conf
}
#endif

-#ifdef SSL_CTRL_SET_TLSEXT_STATUS_REQ_CB
+#if (defined SSL_CTRL_SET_TLSEXT_STATUS_REQ_CB && !defined OPENSSL_IS_BORINGSSL)
ret = ssl_sock_load_ocsp(ctx, path);
if (ret < 0) {
if (err)
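Review bot: Under BoringSSL the `ret = ssl_sock_load_ocsp(ctx, path)` call is compiled out, so a certificate deployed together with a pre-fetched OCSP response (ssl_sock_load_ocsp is called with the certificate path here; how it locates the response is outside the hunk) is loaded silently without stapling. Clients then fall back to contacting the OCSP responder themselves or soft-fail, a revocation-checking downgrade the operator should learn about at startup rather than from an external TLS scan. Consider adding an `#else` branch that checks whether a response file exists next to `path` and emits a startup warning, along the lines of `"%s: OCSP response present but this build has no OCSP support, stapling disabled"`, reusing whatever warning path the surrounding function already uses. ssl_sock_load_cert_file starts before this hunk and continues after it.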
--
1.9.1
I tried to compile 1.7.1 with BoringSSL, but it does not seem to work; the errors are below:

In file included from src/ssl_sock.c:87:0:
include/proto/openssl-compat.h:107:1: error: unknown type name ‘OCSP_CERTID’
static inline const OCSP_CERTID *OCSP_SINGLERESP_get0_id(const
OCSP_SINGLERESP *single)
^
include/proto/openssl-compat.h:107:1: error: unknown type name ‘OCSP_SINGLERESP’
include/proto/openssl-compat.h: In function ‘OCSP_SINGLERESP_get0_id’:
include/proto/openssl-compat.h:109:15: error: request for member
‘certId’ in something not a structure or union
return single->certId;
^
src/ssl_sock.c: In function ‘ssl_sock_bind_verifycbk’:
src/ssl_sock.c:1070:4: warning: implicit declaration of function
‘ssl_sock_dump_errors’ [-Wimplicit-function-declaration]
ssl_sock_dump_errors(conn);
^
src/ssl_sock.c: In function ‘ssl_sock_do_create_cert’:
src/ssl_sock.c:1241:3: warning: implicit declaration of function
‘X509V3_EXT_conf’ [-Wimplicit-function-declaration]
if (!(ext = X509V3_EXT_conf(NULL, &ctx, x509v3_ext_names,
x509v3_ext_values)))
^
src/ssl_sock.c:1241:13: warning: assignment makes pointer from integer
without a cast [enabled by default]
if (!(ext = X509V3_EXT_conf(NULL, &ctx, x509v3_ext_names,
x509v3_ext_values)))
^
src/ssl_sock.c:1252:2: warning: implicit declaration of function
‘EVP_PKEY_base_id’ [-Wimplicit-function-declaration]
key_type = EVP_PKEY_base_id(capkey);
^
src/ssl_sock.c:1264:3: warning: implicit declaration of function
‘EVP_PKEY_get_default_digest_nid’ [-Wimplicit-function-declaration]
if (EVP_PKEY_get_default_digest_nid(capkey, &nid) <= 0)
^
src/ssl_sock.c: In function ‘ssl_sock_prepare_ctx’:
src/ssl_sock.c:2720:3: warning: implicit declaration of function
‘SSL_CTX_set_ssl_version’ [-Wimplicit-function-declaration]
SSL_CTX_set_ssl_version(ctx, SSLv3_server_method());
^
src/ssl_sock.c:2786:46: error: ‘ssl_tlsext_ticket_key_cb’ undeclared
(first use in this function)
if (!SSL_CTX_set_tlsext_ticket_key_cb(ctx, ssl_tlsext_ticket_key_cb)) {
^
src/ssl_sock.c:2786:46: note: each undeclared identifier is reported
only once for each function it appears in
src/ssl_sock.c:2820:13: warning: assignment discards ‘const’ qualifier
from pointer target type [enabled by default]
cipher = sk_SSL_CIPHER_value(ciphers, idx);
^
src/ssl_sock.c:2874:2: warning: passing argument 2 of
‘SSL_CTX_set_tlsext_servername_callback’ from incompatible pointer
type [enabled by default]
SSL_CTX_set_tlsext_servername_callback(ctx, ssl_sock_switchctx_cbk);
^
In file included from src/ssl_sock.c:43:0:
/build/boringssl/include/openssl/ssl.h:2357:20: note: expected ‘int
(*)(struct SSL *, int *, void *)’ but argument is of type ‘int
(*)(struct SSL *, int *, struct bind_conf *)’
OPENSSL_EXPORT int SSL_CTX_set_tlsext_servername_callback(
^
src/ssl_sock.c: In function ‘ssl_sock_handshake’:
src/ssl_sock.c:3531:48: error: ‘SSL’ has no member named ‘packet_length’
empty_handshake = !((SSL *)conn->xprt_ctx)->packet_length;
^
src/ssl_sock.c:3609:46: error: ‘SSL’ has no member named ‘packet_length’
empty_handshake = !((SSL *)conn->xprt_ctx)->packet_length;
^
make: *** [src/ssl_sock.o] Error 1

On Mon, Aug 18, 2014 at 6:56 AM, Lukas Tribus <luky-37@hotmail.com> wrote:
> Google's boringssl doesn't currently support OCSP, so
> disable it if detected.
>
> OCSP support may be reintroduced as per:
> https://code.google.com/p/chromium/issues/detail?id=398677
>
> In that case we can simply revert this commit.
>
> Signed-off-by: Lukas Tribus <luky-37@hotmail.com>
> ---
> include/proto/ssl_sock.h | 2 +-
> src/dumpstats.c | 2 +-
> src/ssl_sock.c | 6 +++---
> 3 files changed, 5 insertions(+), 5 deletions(-)
>
> diff --git a/include/proto/ssl_sock.h b/include/proto/ssl_sock.h
> index 3e111cd..6362953 100644
> --- a/include/proto/ssl_sock.h
> +++ b/include/proto/ssl_sock.h
> @@ -54,7 +54,7 @@ char *ssl_sock_get_version(struct connection *conn);
> int ssl_sock_get_cert_used(struct connection *conn);
> int ssl_sock_get_remote_common_name(struct connection *conn, struct chunk *out);
> unsigned int ssl_sock_get_verify_result(struct connection *conn);
> -#ifdef SSL_CTRL_SET_TLSEXT_STATUS_REQ_CB
> +#if (defined SSL_CTRL_SET_TLSEXT_STATUS_REQ_CB && !defined OPENSSL_IS_BORINGSSL)
> int ssl_sock_update_ocsp_response(struct chunk *ocsp_response, char **err);
> #endif
>
> diff --git a/src/dumpstats.c b/src/dumpstats.c
> index 5365042..3855e09 100644
> --- a/src/dumpstats.c
> +++ b/src/dumpstats.c
> @@ -1794,7 +1794,7 @@ static int stats_sock_parse_request(struct stream_interface *si, char *line)
> #ifdef USE_OPENSSL
> else if (strcmp(args[1], "ssl") == 0) {
> if (strcmp(args[2], "ocsp-response") == 0) {
> -#ifdef SSL_CTRL_SET_TLSEXT_STATUS_REQ_CB
> +#if (defined SSL_CTRL_SET_TLSEXT_STATUS_REQ_CB && !defined OPENSSL_IS_BORINGSSL)
> char *err = NULL;
>
> /* Expect one parameter: the new response in base64 encoding */
> diff --git a/src/ssl_sock.c b/src/ssl_sock.c
> index cf8adc7..e53e3bd 100644
> --- a/src/ssl_sock.c
> +++ b/src/ssl_sock.c
> @@ -44,7 +44,7 @@
> #include <openssl/x509.h>
> #include <openssl/err.h>
> #include <openssl/rand.h>
> -#ifdef SSL_CTRL_SET_TLSEXT_STATUS_REQ_CB
> +#if (defined SSL_CTRL_SET_TLSEXT_STATUS_REQ_CB && !defined OPENSSL_IS_BORINGSSL)
> #include <openssl/ocsp.h>
> #endif
>
> @@ -112,7 +112,7 @@ static DH *local_dh_4096 = NULL;
> static DH *local_dh_8192 = NULL;
> #endif /* OPENSSL_NO_DH */
>
> -#ifdef SSL_CTRL_SET_TLSEXT_STATUS_REQ_CB
> +#if (defined SSL_CTRL_SET_TLSEXT_STATUS_REQ_CB && !defined OPENSSL_IS_BORINGSSL)
> struct certificate_ocsp {
> struct ebmb_node key;
> unsigned char key_data[OCSP_MAX_CERTID_ASN1_LENGTH];
> @@ -1282,7 +1282,7 @@ static int ssl_sock_load_cert_file(const char *path, struct bind_conf *bind_conf
> }
> #endif
>
> -#ifdef SSL_CTRL_SET_TLSEXT_STATUS_REQ_CB
> +#if (defined SSL_CTRL_SET_TLSEXT_STATUS_REQ_CB && !defined OPENSSL_IS_BORINGSSL)
> ret = ssl_sock_load_ocsp(ctx, path);
> if (ret < 0) {
> if (err)
> --
> 1.9.1
>
>
Emmanuel Hocdet
PATCH] BUILD: ssl: fix to build (again) with boringssl
January 06, 2017 06:30PM
Hi Igor,

The patch is for 1.8dev.




> Le 3 janv. 2017 à 17:19, Igor Pav <igor@fastsp.net> a écrit :
>
> tried compile 1.7.1 with boringssl, but seems not work, error like below:
>
> In file included from src/ssl_sock.c:87:0:
> include/proto/openssl-compat.h:107:1: error: unknown type name ‘OCSP_CERTID’
> static inline const OCSP_CERTID *OCSP_SINGLERESP_get0_id(const
> OCSP_SINGLERESP *single)
> ^
> include/proto/openssl-compat.h:107:1: error: unknown type name ‘OCSP_SINGLERESP’
> include/proto/openssl-compat.h: In function ‘OCSP_SINGLERESP_get0_id’:
> include/proto/openssl-compat.h:109:15: error: request for member
> ‘certId’ in something not a structure or union
> return single->certId;
> ^
> src/ssl_sock.c: In function ‘ssl_sock_bind_verifycbk’:
> src/ssl_sock.c:1070:4: warning: implicit declaration of function
> ‘ssl_sock_dump_errors’ [-Wimplicit-function-declaration]
> ssl_sock_dump_errors(conn);
> ^
> src/ssl_sock.c: In function ‘ssl_sock_do_create_cert’:
> src/ssl_sock.c:1241:3: warning: implicit declaration of function
> ‘X509V3_EXT_conf’ [-Wimplicit-function-declaration]
> if (!(ext = X509V3_EXT_conf(NULL, &ctx, x509v3_ext_names,
> x509v3_ext_values)))
> ^
> src/ssl_sock.c:1241:13: warning: assignment makes pointer from integer
> without a cast [enabled by default]
> if (!(ext = X509V3_EXT_conf(NULL, &ctx, x509v3_ext_names,
> x509v3_ext_values)))
> ^
> src/ssl_sock.c:1252:2: warning: implicit declaration of function
> ‘EVP_PKEY_base_id’ [-Wimplicit-function-declaration]
> key_type = EVP_PKEY_base_id(capkey);
> ^
> src/ssl_sock.c:1264:3: warning: implicit declaration of function
> ‘EVP_PKEY_get_default_digest_nid’ [-Wimplicit-function-declaration]
> if (EVP_PKEY_get_default_digest_nid(capkey, &nid) <= 0)
> ^
> src/ssl_sock.c: In function ‘ssl_sock_prepare_ctx’:
> src/ssl_sock.c:2720:3: warning: implicit declaration of function
> ‘SSL_CTX_set_ssl_version’ [-Wimplicit-function-declaration]
> SSL_CTX_set_ssl_version(ctx, SSLv3_server_method());
> ^
> src/ssl_sock.c:2786:46: error: ‘ssl_tlsext_ticket_key_cb’ undeclared
> (first use in this function)
> if (!SSL_CTX_set_tlsext_ticket_key_cb(ctx, ssl_tlsext_ticket_key_cb)) {
> ^
> src/ssl_sock.c:2786:46: note: each undeclared identifier is reported
> only once for each function it appears in
> src/ssl_sock.c:2820:13: warning: assignment discards ‘const’ qualifier
> from pointer target type [enabled by default]
> cipher = sk_SSL_CIPHER_value(ciphers, idx);
> ^
> src/ssl_sock.c:2874:2: warning: passing argument 2 of
> ‘SSL_CTX_set_tlsext_servername_callback’ from incompatible pointer
> type [enabled by default]
> SSL_CTX_set_tlsext_servername_callback(ctx, ssl_sock_switchctx_cbk);
> ^
> In file included from src/ssl_sock.c:43:0:
> /build/boringssl/include/openssl/ssl.h:2357:20: note: expected ‘int
> (*)(struct SSL *, int *, void *)’ but argument is of type ‘int
> (*)(struct SSL *, int *, struct bind_conf *)’
> OPENSSL_EXPORT int SSL_CTX_set_tlsext_servername_callback(
> ^
> src/ssl_sock.c: In function ‘ssl_sock_handshake’:
> src/ssl_sock.c:3531:48: error: ‘SSL’ has no member named ‘packet_length’
> empty_handshake = !((SSL *)conn->xprt_ctx)->packet_length;
> ^
> src/ssl_sock.c:3609:46: error: ‘SSL’ has no member named ‘packet_length’
> empty_handshake = !((SSL *)conn->xprt_ctx)->packet_length;
> ^
> make: *** [src/ssl_sock.o] Error 1
>
> On Mon, Aug 18, 2014 at 6:56 AM, Lukas Tribus <luky-37@hotmail.com> wrote:
>> Google's boringssl doesn't currently support OCSP, so
>> disable it if detected.
>>
>> OCSP support may be reintroduced as per:
>> https://code.google.com/p/chromium/issues/detail?id=398677
>>
>> In that case we can simply revert this commit.
>>
>> Signed-off-by: Lukas Tribus <luky-37@hotmail.com>
>> ---
>> include/proto/ssl_sock.h | 2 +-
>> src/dumpstats.c | 2 +-
>> src/ssl_sock.c | 6 +++---
>> 3 files changed, 5 insertions(+), 5 deletions(-)
>>
>> diff --git a/include/proto/ssl_sock.h b/include/proto/ssl_sock.h
>> index 3e111cd..6362953 100644
>> --- a/include/proto/ssl_sock.h
>> +++ b/include/proto/ssl_sock.h
>> @@ -54,7 +54,7 @@ char *ssl_sock_get_version(struct connection *conn);
>> int ssl_sock_get_cert_used(struct connection *conn);
>> int ssl_sock_get_remote_common_name(struct connection *conn, struct chunk *out);
>> unsigned int ssl_sock_get_verify_result(struct connection *conn);
>> -#ifdef SSL_CTRL_SET_TLSEXT_STATUS_REQ_CB
>> +#if (defined SSL_CTRL_SET_TLSEXT_STATUS_REQ_CB && !defined OPENSSL_IS_BORINGSSL)
>> int ssl_sock_update_ocsp_response(struct chunk *ocsp_response, char **err);
>> #endif
>>
>> diff --git a/src/dumpstats.c b/src/dumpstats.c
>> index 5365042..3855e09 100644
>> --- a/src/dumpstats.c
>> +++ b/src/dumpstats.c
>> @@ -1794,7 +1794,7 @@ static int stats_sock_parse_request(struct stream_interface *si, char *line)
>> #ifdef USE_OPENSSL
>> else if (strcmp(args[1], "ssl") == 0) {
>> if (strcmp(args[2], "ocsp-response") == 0) {
>> -#ifdef SSL_CTRL_SET_TLSEXT_STATUS_REQ_CB
>> +#if (defined SSL_CTRL_SET_TLSEXT_STATUS_REQ_CB && !defined OPENSSL_IS_BORINGSSL)
>> char *err = NULL;
>>
>> /* Expect one parameter: the new response in base64 encoding */
>> diff --git a/src/ssl_sock.c b/src/ssl_sock.c
>> index cf8adc7..e53e3bd 100644
>> --- a/src/ssl_sock.c
>> +++ b/src/ssl_sock.c
>> @@ -44,7 +44,7 @@
>> #include <openssl/x509.h>
>> #include <openssl/err.h>
>> #include <openssl/rand.h>
>> -#ifdef SSL_CTRL_SET_TLSEXT_STATUS_REQ_CB
>> +#if (defined SSL_CTRL_SET_TLSEXT_STATUS_REQ_CB && !defined OPENSSL_IS_BORINGSSL)
>> #include <openssl/ocsp.h>
>> #endif
>>
>> @@ -112,7 +112,7 @@ static DH *local_dh_4096 = NULL;
>> static DH *local_dh_8192 = NULL;
>> #endif /* OPENSSL_NO_DH */
>>
>> -#ifdef SSL_CTRL_SET_TLSEXT_STATUS_REQ_CB
>> +#if (defined SSL_CTRL_SET_TLSEXT_STATUS_REQ_CB && !defined OPENSSL_IS_BORINGSSL)
>> struct certificate_ocsp {
>> struct ebmb_node key;
>> unsigned char key_data[OCSP_MAX_CERTID_ASN1_LENGTH];
>> @@ -1282,7 +1282,7 @@ static int ssl_sock_load_cert_file(const char *path, struct bind_conf *bind_conf
>> }
>> #endif
>>
>> -#ifdef SSL_CTRL_SET_TLSEXT_STATUS_REQ_CB
>> +#if (defined SSL_CTRL_SET_TLSEXT_STATUS_REQ_CB && !defined OPENSSL_IS_BORINGSSL)
>> ret = ssl_sock_load_ocsp(ctx, path);
>> if (ret < 0) {
>> if (err)
>> --
>> 1.9.1
>>
>>
>
Attachments:
open | download - 0001-BUILD-ssl-fix-to-build-again-with-boringssl.patch (11.7 KB)
Emmanuel Hocdet
Re: [PATCH] BUILD: ssl: fix to build (again) with boringssl
January 06, 2017 06:40PM
This patch is a work in progress and is not yet fully functional.
Don’t merge to haproxy Willy :)

> Le 6 janv. 2017 à 18:18, Emmanuel Hocdet <manu@gandi.net> a écrit :
>
> Hi Igor,
>
> The patch is for 1.8dev.
>
> <0001-BUILD-ssl-fix-to-build-again-with-boringssl.patch>
>
>
>> Le 3 janv. 2017 à 17:19, Igor Pav <igor@fastsp.net> a écrit :
>>
>> tried compile 1.7.1 with boringssl, but seems not work, error like below:
>>
>> In file included from src/ssl_sock.c:87:0:
>> include/proto/openssl-compat.h:107:1: error: unknown type name ‘OCSP_CERTID’
>> static inline const OCSP_CERTID *OCSP_SINGLERESP_get0_id(const
>> OCSP_SINGLERESP *single)
>> ^
>> include/proto/openssl-compat.h:107:1: error: unknown type name ‘OCSP_SINGLERESP’
>> include/proto/openssl-compat.h: In function ‘OCSP_SINGLERESP_get0_id’:
>> include/proto/openssl-compat.h:109:15: error: request for member
>> ‘certId’ in something not a structure or union
>> return single->certId;
>> ^
>> src/ssl_sock.c: In function ‘ssl_sock_bind_verifycbk’:
>> src/ssl_sock.c:1070:4: warning: implicit declaration of function
>> ‘ssl_sock_dump_errors’ [-Wimplicit-function-declaration]
>> ssl_sock_dump_errors(conn);
>> ^
>> src/ssl_sock.c: In function ‘ssl_sock_do_create_cert’:
>> src/ssl_sock.c:1241:3: warning: implicit declaration of function
>> ‘X509V3_EXT_conf’ [-Wimplicit-function-declaration]
>> if (!(ext = X509V3_EXT_conf(NULL, &ctx, x509v3_ext_names,
>> x509v3_ext_values)))
>> ^
>> src/ssl_sock.c:1241:13: warning: assignment makes pointer from integer
>> without a cast [enabled by default]
>> if (!(ext = X509V3_EXT_conf(NULL, &ctx, x509v3_ext_names,
>> x509v3_ext_values)))
>> ^
>> src/ssl_sock.c:1252:2: warning: implicit declaration of function
>> ‘EVP_PKEY_base_id’ [-Wimplicit-function-declaration]
>> key_type = EVP_PKEY_base_id(capkey);
>> ^
>> src/ssl_sock.c:1264:3: warning: implicit declaration of function
>> ‘EVP_PKEY_get_default_digest_nid’ [-Wimplicit-function-declaration]
>> if (EVP_PKEY_get_default_digest_nid(capkey, &nid) <= 0)
>> ^
>> src/ssl_sock.c: In function ‘ssl_sock_prepare_ctx’:
>> src/ssl_sock.c:2720:3: warning: implicit declaration of function
>> ‘SSL_CTX_set_ssl_version’ [-Wimplicit-function-declaration]
>> SSL_CTX_set_ssl_version(ctx, SSLv3_server_method());
>> ^
>> src/ssl_sock.c:2786:46: error: ‘ssl_tlsext_ticket_key_cb’ undeclared
>> (first use in this function)
>> if (!SSL_CTX_set_tlsext_ticket_key_cb(ctx, ssl_tlsext_ticket_key_cb)) {
>> ^
>> src/ssl_sock.c:2786:46: note: each undeclared identifier is reported
>> only once for each function it appears in
>> src/ssl_sock.c:2820:13: warning: assignment discards ‘const’ qualifier
>> from pointer target type [enabled by default]
>> cipher = sk_SSL_CIPHER_value(ciphers, idx);
>> ^
>> src/ssl_sock.c:2874:2: warning: passing argument 2 of
>> ‘SSL_CTX_set_tlsext_servername_callback’ from incompatible pointer
>> type [enabled by default]
>> SSL_CTX_set_tlsext_servername_callback(ctx, ssl_sock_switchctx_cbk);
>> ^
>> In file included from src/ssl_sock.c:43:0:
>> /build/boringssl/include/openssl/ssl.h:2357:20: note: expected ‘int
>> (*)(struct SSL *, int *, void *)’ but argument is of type ‘int
>> (*)(struct SSL *, int *, struct bind_conf *)’
>> OPENSSL_EXPORT int SSL_CTX_set_tlsext_servername_callback(
>> ^
>> src/ssl_sock.c: In function ‘ssl_sock_handshake’:
>> src/ssl_sock.c:3531:48: error: ‘SSL’ has no member named ‘packet_length’
>> empty_handshake = !((SSL *)conn->xprt_ctx)->packet_length;
>> ^
>> src/ssl_sock.c:3609:46: error: ‘SSL’ has no member named ‘packet_length’
>> empty_handshake = !((SSL *)conn->xprt_ctx)->packet_length;
>> ^
>> make: *** [src/ssl_sock.o] Error 1
>>
>> On Mon, Aug 18, 2014 at 6:56 AM, Lukas Tribus <luky-37@hotmail.com> wrote:
>>> Google's boringssl doesn't currently support OCSP, so
>>> disable it if detected.
>>>
>>> OCSP support may be reintroduced as per:
>>> https://code.google.com/p/chromium/issues/detail?id=398677
>>>
>>> In that case we can simply revert this commit.
>>>
>>> Signed-off-by: Lukas Tribus <luky-37@hotmail.com>
>>> ---
>>> include/proto/ssl_sock.h | 2 +-
>>> src/dumpstats.c | 2 +-
>>> src/ssl_sock.c | 6 +++---
>>> 3 files changed, 5 insertions(+), 5 deletions(-)
>>>
>>> diff --git a/include/proto/ssl_sock.h b/include/proto/ssl_sock.h
>>> index 3e111cd..6362953 100644
>>> --- a/include/proto/ssl_sock.h
>>> +++ b/include/proto/ssl_sock.h
>>> @@ -54,7 +54,7 @@ char *ssl_sock_get_version(struct connection *conn);
>>> int ssl_sock_get_cert_used(struct connection *conn);
>>> int ssl_sock_get_remote_common_name(struct connection *conn, struct chunk *out);
>>> unsigned int ssl_sock_get_verify_result(struct connection *conn);
>>> -#ifdef SSL_CTRL_SET_TLSEXT_STATUS_REQ_CB
>>> +#if (defined SSL_CTRL_SET_TLSEXT_STATUS_REQ_CB && !defined OPENSSL_IS_BORINGSSL)
>>> int ssl_sock_update_ocsp_response(struct chunk *ocsp_response, char **err);
>>> #endif
>>>
>>> diff --git a/src/dumpstats.c b/src/dumpstats.c
>>> index 5365042..3855e09 100644
>>> --- a/src/dumpstats.c
>>> +++ b/src/dumpstats.c
>>> @@ -1794,7 +1794,7 @@ static int stats_sock_parse_request(struct stream_interface *si, char *line)
>>> #ifdef USE_OPENSSL
>>> else if (strcmp(args[1], "ssl") == 0) {
>>> if (strcmp(args[2], "ocsp-response") == 0) {
>>> -#ifdef SSL_CTRL_SET_TLSEXT_STATUS_REQ_CB
>>> +#if (defined SSL_CTRL_SET_TLSEXT_STATUS_REQ_CB && !defined OPENSSL_IS_BORINGSSL)
>>> char *err = NULL;
>>>
>>> /* Expect one parameter: the new response in base64 encoding */
>>> diff --git a/src/ssl_sock.c b/src/ssl_sock.c
>>> index cf8adc7..e53e3bd 100644
>>> --- a/src/ssl_sock.c
>>> +++ b/src/ssl_sock.c
>>> @@ -44,7 +44,7 @@
>>> #include <openssl/x509.h>
>>> #include <openssl/err.h>
>>> #include <openssl/rand.h>
>>> -#ifdef SSL_CTRL_SET_TLSEXT_STATUS_REQ_CB
>>> +#if (defined SSL_CTRL_SET_TLSEXT_STATUS_REQ_CB && !defined OPENSSL_IS_BORINGSSL)
>>> #include <openssl/ocsp.h>
>>> #endif
>>>
>>> @@ -112,7 +112,7 @@ static DH *local_dh_4096 = NULL;
>>> static DH *local_dh_8192 = NULL;
>>> #endif /* OPENSSL_NO_DH */
>>>
>>> -#ifdef SSL_CTRL_SET_TLSEXT_STATUS_REQ_CB
>>> +#if (defined SSL_CTRL_SET_TLSEXT_STATUS_REQ_CB && !defined OPENSSL_IS_BORINGSSL)
>>> struct certificate_ocsp {
>>> struct ebmb_node key;
>>> unsigned char key_data[OCSP_MAX_CERTID_ASN1_LENGTH];
>>> @@ -1282,7 +1282,7 @@ static int ssl_sock_load_cert_file(const char *path, struct bind_conf *bind_conf
>>> }
>>> #endif
>>>
>>> -#ifdef SSL_CTRL_SET_TLSEXT_STATUS_REQ_CB
>>> +#if (defined SSL_CTRL_SET_TLSEXT_STATUS_REQ_CB && !defined OPENSSL_IS_BORINGSSL)
>>> ret = ssl_sock_load_ocsp(ctx, path);
>>> if (ret < 0) {
>>> if (err)
>>> --
>>> 1.9.1
>>>
>>>
>>
>