[PATCHES] Add support for LibreSSL 2.5.1

Posted by Piotr Kubaj 
Piotr Kubaj
[PATCHES] Add support for LibreSSL 2.5.1
February 10, 2017 02:00PM
I'm attaching two patches:
a) patch-src_ssl__sock.c - it makes it possible to build Haproxy against LibreSSL 2.5.1 at all,
b) patch-include_proto_openssl-compat.h - since "auto" ECDHE API doesn't work OOTB, this patch is also needed

They are against the latest 20170209 snapshot. Please consider merging a) to stable branches.

Piotr Kubaj
Re: [PATCHES] Add support for LibreSSL 2.5.1
February 10, 2017 04:30PM
Please try the corrected patches. Before Haproxy was kind of unstable. Now it seems to work fine. I also changed tests for defined LIBRESSL_VERSION_NUMBER to testing LibreSSL version to keep the older versions working.

On 17-02-10 13:48:20, Piotr Kubaj wrote:
> I'm attaching two patches:
> a) patch-src_ssl__sock.c - it makes it possible to build Haproxy against LibreSSL 2.5.1 at all,
> b) patch-include_proto_openssl-compat.h - since "auto" ECDHE API doesn't work OOTB, this patch is also needed
>
> They are against the latest 20170209 snapshot. Please consider merging a) to stable branches.
>

> --- include/proto/openssl-compat.h.orig 2017-02-10 12:38:04 UTC
> +++ include/proto/openssl-compat.h
> @@ -183,7 +183,7 @@ static inline int EVP_PKEY_base_id(EVP_P
> #endif
>
> /* This function does nothing in 1.1.0 and doesn't exist in boringssl */
> -#if defined(OPENSSL_IS_BORINGSSL) || (OPENSSL_VERSION_NUMBER >= 0x1010000fL)
> +#if !defined(LIBRESSL_VERSION_NUMBER) && (defined(OPENSSL_IS_BORINGSSL) || (OPENSSL_VERSION_NUMBER >= 0x1010000fL))
> #undef SSL_CTX_set_ecdh_auto
> #define SSL_CTX_set_ecdh_auto(ctx, onoff)
> #endif
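Review bot: The new `!defined(LIBRESSL_VERSION_NUMBER)` term in the `#if` excludes every LibreSSL release from the empty `SSL_CTX_set_ecdh_auto(ctx, onoff)` definition, not only 2.5.1, so any LibreSSL build that matched the old condition now depends on the library providing the call itself. If only 2.5.1 and later are known to have it, compare against that version instead, and extend the comment above the `#if`, which still names only 1.1.0 and boringssl.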

> --- src/ssl_sock.c.orig 2017-02-08 18:08:38 UTC
> +++ src/ssl_sock.c
> @@ -829,10 +829,13 @@ static int ssl_sock_load_ocsp(SSL_CTX *c
> ocsp = NULL;
>
> #ifndef SSL_CTX_get_tlsext_status_cb
> -# define SSL_CTX_get_tlsext_status_cb(ctx, cb) \
> - *cb = (void (*) (void))ctx->tlsext_status_cb;
> +#ifndef SSL_CTRL_GET_TLSEXT_STATUS_REQ_CB
> +#define SSL_CTRL_GET_TLSEXT_STATUS_REQ_CB 128
> #endif
> - SSL_CTX_get_tlsext_status_cb(ctx, &callback);
> +#define SSL_CTX_get_tlsext_status_cb(ctx, cb) \
> + *cb = SSL_CTX_ctrl(ctx,SSL_CTRL_GET_TLSEXT_STATUS_REQ_CB,0, (void (**)(void))cb)
> +#endif
> + SSL_CTX_get_tlsext_status_cb(ctx, &callback);
>
> if (!callback) {
> struct ocsp_cbk_arg *cb_arg = calloc(1, sizeof(*cb_arg));
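Review bot: In the replacement `SSL_CTX_get_tlsext_status_cb` macro, `cb` is passed to `SSL_CTX_ctrl()` as the output pointer and the call's return value is then also assigned to `*cb`, so the `if (!callback)` test that follows sees the ctrl return code rather than the stored callback, and an integer is converted to a function pointer. Drop the `*cb =` and let the ctrl call fill `callback`, or check the return value separately.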
> @@ -858,10 +861,13 @@ static int ssl_sock_load_ocsp(SSL_CTX *c
> int key_type;
> EVP_PKEY *pkey;
>
> -#ifdef SSL_CTX_get_tlsext_status_arg
> - SSL_CTX_ctrl(ctx, SSL_CTRL_GET_TLSEXT_STATUS_REQ_CB_ARG, 0, &cb_arg);
> +#if defined(SSL_CTX_get_tlsext_status_arg) || defined(LIBRESSL_VERSION_NUMBER)
> +#ifndef SSL_CTRL_GET_TLSEXT_STATUS_REQ_CB_ARG
> +#define SSL_CTRL_GET_TLSEXT_STATUS_REQ_CB_ARG 129
> +#endif
> + SSL_CTX_ctrl(ctx, SSL_CTRL_GET_TLSEXT_STATUS_REQ_CB_ARG, 0, &cb_arg);
> #else
> - cb_arg = ctx->tlsext_status_arg;
> + cb_arg = ctx->tlsext_status_arg;
> #endif
>
> /*
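Review bot: `defined(LIBRESSL_VERSION_NUMBER)` in the new `#if` sends every LibreSSL release through `SSL_CTX_ctrl(ctx, SSL_CTRL_GET_TLSEXT_STATUS_REQ_CB_ARG, ...)` with a locally defined 129, including releases that compiled the `ctx->tlsext_status_arg` branch before this change. Gate it on the LibreSSL version that is known to accept this ctrl, and drop the `-`/`+` pair on `cb_arg = ctx->tlsext_status_arg;`, which differs only in whitespace.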
> @@ -1842,7 +1848,7 @@ static int ssl_sock_add_cert_sni(SSL_CTX
> /* The following code is used for loading multiple crt files into
> * SSL_CTX's based on CN/SAN
> */
> -#if OPENSSL_VERSION_NUMBER >= 0x1000200fL && !defined(LIBRESSL_VERSION_NUMBER)
> +#if (OPENSSL_VERSION_NUMBER >= 0x1000200fL && !defined LIBRESSL_VERSION_NUMBER)
> /* This is used to preload the certifcate, private key
> * and Cert Chain of a file passed in via the crt
> * argument
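Review bot: The `#if` change in this hunk only adds outer parentheses and rewrites `!defined(LIBRESSL_VERSION_NUMBER)` as `!defined LIBRESSL_VERSION_NUMBER`; the condition itself is unchanged. Leave the line as it was so the patch carries only what the build fix needs.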
> @@ -3789,7 +3795,7 @@ int ssl_sock_handshake(struct connection
> conn->err_code = CO_ER_SSL_HANDSHAKE;
> #else
> int empty_handshake;
> -#if (OPENSSL_VERSION_NUMBER >= 0x1010000fL) && !defined(LIBRESSL_VERSION_NUMBER)
> +#if (OPENSSL_VERSION_NUMBER >= 0x1010000fL)
> OSSL_HANDSHAKE_STATE state = SSL_get_state((SSL *)conn->xprt_ctx);
> empty_handshake = state == TLS_ST_BEFORE;
> #else
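Review bot: Removing `!defined(LIBRESSL_VERSION_NUMBER)` here makes the `OSSL_HANDSHAKE_STATE` / `TLS_ST_BEFORE` branch depend on `OPENSSL_VERSION_NUMBER` alone, so it is selected for every LibreSSL release that reports 0x1010000fL or higher, while the cover message says older LibreSSL versions should keep working. Keep a LibreSSL term in the condition, keyed on the first release that provides this API, and do the same for the identical change in the next hunk.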
> @@ -3867,7 +3873,7 @@ int ssl_sock_handshake(struct connection
> conn->err_code = CO_ER_SSL_HANDSHAKE;
> #else
> int empty_handshake;
> -#if (OPENSSL_VERSION_NUMBER >= 0x1010000fL) && !defined(LIBRESSL_VERSION_NUMBER)
> +#if (OPENSSL_VERSION_NUMBER >= 0x1010000fL)
> OSSL_HANDSHAKE_STATE state = SSL_get_state((SSL *)conn->xprt_ctx);
> empty_handshake = state == TLS_ST_BEFORE;
> #else
> @@ -6978,7 +6984,7 @@ static struct xprt_ops ssl_sock = {
> .name = "SSL",
> };
>
> -#if (OPENSSL_VERSION_NUMBER >= 0x1000200fL && !defined OPENSSL_NO_TLSEXT && !defined OPENSSL_IS_BORINGSSL && !defined LIBRESSL_VERSION_NUMBER)
> +#if (OPENSSL_VERSION_NUMBER >= 0x1000200fL && !defined OPENSSL_NO_TLSEXT && !defined OPENSSL_IS_BORINGSSL)
>
> static void ssl_sock_sctl_free_func(void *parent, void *ptr, CRYPTO_EX_DATA *ad, int idx, long argl, void *argp)
> {
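Review bot: Dropping `!defined LIBRESSL_VERSION_NUMBER` from this guard compiles the `ssl_sock_sctl_free_func` block for LibreSSL, which turns on a code path rather than fixing a build failure, and the message accompanying the patch does not mention it. Split it into its own patch with a description of what was tested, or leave the guard as it is.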




Dave Cottlehuber
Re: [PATCHES] Add support for LibreSSL 2.5.1
February 10, 2017 06:40PM
On Fri, 10 Feb 2017, at 16:21, Piotr Kubaj wrote:
> Please try the corrected patches. Before Haproxy was kind of unstable.
> Now it seems to work fine. I also changed tests for defined
> LIBRESSL_VERSION_NUMBER to testing LibreSSL version to keep the older
> versions working.
>
> On 17-02-10 13:48:20, Piotr Kubaj wrote:
> > I'm attaching two patches:
> > a) patch-src_ssl__sock.c - it makes it possible to build Haproxy against LibreSSL 2.5.1 at all,
> > b) patch-include_proto_openssl-compat.h - since "auto" ECDHE API doesn't work OOTB, this patch is also needed
> >
> > They are against the latest 20170209 snapshot. Please consider merging a) to stable branches.

Piotr's got a FreeBSD bug in Bugzilla
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=216763 for this
already - thanks!

A+
Dave
Willy Tarreau
Re: [PATCHES] Add support for LibreSSL 2.5.1
February 13, 2017 07:30AM
On Fri, Feb 10, 2017 at 04:21:06PM +0100, Piotr Kubaj wrote:
> Please try the corrected patches. Before Haproxy was kind of unstable. Now it seems to work fine. I also changed tests for defined LIBRESSL_VERSION_NUMBER to testing LibreSSL version to keep the older versions working.
(...)
>
> --- include/proto/openssl-compat.h.orig 2017-02-10 12:38:04 UTC
> +++ include/proto/openssl-compat.h
> @@ -183,7 +183,7 @@ static inline int EVP_PKEY_base_id(EVP_P
> #endif
>
> /* This function does nothing in 1.1.0 and doesn't exist in boringssl */
> -#if defined(OPENSSL_IS_BORINGSSL) || (OPENSSL_VERSION_NUMBER >= 0x1010000fL)
> +#if (LIBRESSL_VERSION_NUMBER < 0x2050100fL) && (defined(OPENSSL_IS_BORINGSSL) || (OPENSSL_VERSION_NUMBER >= 0x1010000fL))
> #undef SSL_CTX_set_ecdh_auto
> #define SSL_CTX_set_ecdh_auto(ctx, onoff)
> #endif
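Review bot: `(LIBRESSL_VERSION_NUMBER < 0x2050100fL)` is evaluated on builds where `LIBRESSL_VERSION_NUMBER` is not defined at all; the preprocessor substitutes 0 there, so the test passes for OpenSSL and BoringSSL only through that implicit rule, and compilers set to warn about undefined macros in `#if` will flag it. Write the intent out as `!defined(LIBRESSL_VERSION_NUMBER) || (LIBRESSL_VERSION_NUMBER < 0x2050100fL)` for the first operand.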

I don't understand much, your e-mail talks about openssl and you're changing
a line affecting boringssl. You need to provide a bit of description about
what your patch does and tries to solve, that we'll use as the commit message.

> --- src/ssl_sock.c.orig 2017-02-08 18:08:38 UTC
> +++ src/ssl_sock.c
> @@ -829,10 +829,13 @@ static int ssl_sock_load_ocsp(SSL_CTX *c
> ocsp = NULL;
>
> #ifndef SSL_CTX_get_tlsext_status_cb
> -# define SSL_CTX_get_tlsext_status_cb(ctx, cb) \
> - *cb = (void (*) (void))ctx->tlsext_status_cb;
> +#ifndef SSL_CTRL_GET_TLSEXT_STATUS_REQ_CB
> +#define SSL_CTRL_GET_TLSEXT_STATUS_REQ_CB 128
> #endif

Here this 128 looks a bit magic and will very likely break sooner or
later, so if this is an internal value used by libressl, it's better
to mention it next to it.

> - SSL_CTX_get_tlsext_status_cb(ctx, &callback);
> +#define SSL_CTX_get_tlsext_status_cb(ctx, cb) \
> + *cb = SSL_CTX_ctrl(ctx,SSL_CTRL_GET_TLSEXT_STATUS_REQ_CB,0, (void (**)(void))cb)
> +#endif
> + SSL_CTX_get_tlsext_status_cb(ctx, &callback);
>
> if (!callback) {
> struct ocsp_cbk_arg *cb_arg = calloc(1, sizeof(*cb_arg));
> @@ -858,10 +861,13 @@ static int ssl_sock_load_ocsp(SSL_CTX *c
> int key_type;
> EVP_PKEY *pkey;
>
> -#ifdef SSL_CTX_get_tlsext_status_arg
> - SSL_CTX_ctrl(ctx, SSL_CTRL_GET_TLSEXT_STATUS_REQ_CB_ARG, 0, &cb_arg);
> +#if defined(SSL_CTX_get_tlsext_status_arg) || (LIBRESSL_VERSION_NUMBER >= 0x2050100fL)
> +#ifndef SSL_CTRL_GET_TLSEXT_STATUS_REQ_CB_ARG
> +#define SSL_CTRL_GET_TLSEXT_STATUS_REQ_CB_ARG 129
> +#endif

Same here.

> + SSL_CTX_ctrl(ctx, SSL_CTRL_GET_TLSEXT_STATUS_REQ_CB_ARG, 0, &cb_arg);
> #else
> - cb_arg = ctx->tlsext_status_arg;
> + cb_arg = ctx->tlsext_status_arg;

Be careful not to introduce useless space changes in your patch like this.

> #endif

Thanks,
Willy
Piotr Kubaj
Re: [PATCHES] Add support for LibreSSL 2.5.1
February 15, 2017 03:50PM
Thanks for the feedback. Could you keep me in CC? I'm not subscribed to the list.

> I don't understand much, your e-mail talks about openssl and you're changing
> a line affecting boringssl. You need to provide a bit of description about
> what your patch does and tries to solve, that we'll use as the commit message.

Those lines affect BoringSSL and any OpenSSL-like library with OPENSSL_VERSION_NUMBER >= 0x1010000fL. LibreSSL has OPENSSL_VERSION_NUMBER >= 0x1010000fL but version 2.5.1 actually has SSL_CTX_set_ecdh_auto(), so it needs to be excluded from the check.

> Here this 128 looks a bit magic and will very likely break sooner or
> later, so if this is an internal value used by libressl, it's better
> to mention it next to it.

> Same here.

It's taken from https://git.openssl.org/?p=openssl.git;a=blob;f=include/openssl/ssl.h;h=f2b6198972736676c39de3799d0901f9ccd467ae;hb=refs/heads/master
Haproxy uses macros defined in OpenSSL, but not defined in LibreSSL (although the functions themselves work). This patch defines those values.

> Be careful not to introduce useless space changes in your patch like this.

Corrected in the new patch (attached).

Piotr Kubaj
Re: [PATCHES] Add support for LibreSSL 2.5.1
March 08, 2017 08:10PM
Could you give your opinion on my patches and commit them if they're fine?

On 17-02-15 15:46:23, Piotr Kubaj wrote:
> Thanks for the feedback. Could you keep me in CC? I'm not subscribed to the list.
>
> > I don't understand much, your e-mail talks about openssl and you're changing
> > a line affecting boringssl. You need to provide a bit of description about
> > what your patch does and tries to solve, that we'll use as the commit message.
>
> Those lines affect BoringSSL and any OpenSSL-like library with OPENSSL_VERSION_NUMBER >= 0x1010000fL. LibreSSL has OPENSSL_VERSION_NUMBER >= 0x1010000fL but version 2.5.1 actually has SSL_CTX_set_ecdh_auto(), so it needs to be excluded from the check.
>
> > Here this 128 looks a bit magic and will very likely break sooner or
> > later, so if this is an internal value used by libressl, it's better
> > to mention it next to it.
>
> > Same here.
>
> It's taken from https://git.openssl.org/?p=openssl.git;a=blob;f=include/openssl/ssl.h;h=f2b6198972736676c39de3799d0901f9ccd467ae;hb=refs/heads/master
> Haproxy uses macros defined in OpenSSL, but not defined in LibreSSL (although the functions themselves work). This patch defines those values.
>
> > Be careful not to introduce useless space changes in your patch like this.
>
> Corrected in the new patch (attached).
>

> --- src/ssl_sock.c.orig 2017-02-08 18:08:38 UTC
> +++ src/ssl_sock.c
> @@ -829,10 +829,13 @@ static int ssl_sock_load_ocsp(SSL_CTX *c
> ocsp = NULL;
>
> #ifndef SSL_CTX_get_tlsext_status_cb
> -# define SSL_CTX_get_tlsext_status_cb(ctx, cb) \
> - *cb = (void (*) (void))ctx->tlsext_status_cb;
> +#ifndef SSL_CTRL_GET_TLSEXT_STATUS_REQ_CB
> +#define SSL_CTRL_GET_TLSEXT_STATUS_REQ_CB 128
> #endif
> - SSL_CTX_get_tlsext_status_cb(ctx, &callback);
> +#define SSL_CTX_get_tlsext_status_cb(ctx, cb) \
> + *cb = SSL_CTX_ctrl(ctx,SSL_CTRL_GET_TLSEXT_STATUS_REQ_CB,0, (void (**)(void))cb)
> +#endif
> + SSL_CTX_get_tlsext_status_cb(ctx, &callback);
>
> if (!callback) {
> struct ocsp_cbk_arg *cb_arg = calloc(1, sizeof(*cb_arg));
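Review bot: The `#define SSL_CTRL_GET_TLSEXT_STATUS_REQ_CB 128` in this revision still has no comment beside it, although the earlier review asked for the origin of the value to be stated there and the reply names OpenSSL's ssl.h as the source. Add a one-line comment with that origin next to the define, and next to the 129 for `SSL_CTRL_GET_TLSEXT_STATUS_REQ_CB_ARG` in the following hunk.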
> @@ -858,10 +861,13 @@ static int ssl_sock_load_ocsp(SSL_CTX *c
> int key_type;
> EVP_PKEY *pkey;
>
> -#ifdef SSL_CTX_get_tlsext_status_arg
> - SSL_CTX_ctrl(ctx, SSL_CTRL_GET_TLSEXT_STATUS_REQ_CB_ARG, 0, &cb_arg);
> +#if defined(SSL_CTX_get_tlsext_status_arg) || (LIBRESSL_VERSION_NUMBER >= 0x2050100fL)
> +#ifndef SSL_CTRL_GET_TLSEXT_STATUS_REQ_CB_ARG
> +#define SSL_CTRL_GET_TLSEXT_STATUS_REQ_CB_ARG 129
> +#endif
> + SSL_CTX_ctrl(ctx, SSL_CTRL_GET_TLSEXT_STATUS_REQ_CB_ARG, 0, &cb_arg);
> #else
> cb_arg = ctx->tlsext_status_arg;
> #endif




Willy Tarreau
Re: [PATCHES] Add support for LibreSSL 2.5.1
March 08, 2017 09:20PM
Hi Piotr,

On Wed, Mar 08, 2017 at 07:58:11PM +0100, Piotr Kubaj wrote:
> Could you give your opinion on my patches and commit them if they're fine?

Sorry for the delay but I'm really buried under e-mails and work-related
stuff at the moment. And since your patches will require some manual
handling to be merged, they get delayed until I get enough time to process
them. Given that nobody complained I think they are OK though.

Cheers,
Willy
Piotr Kubaj
Re: [PATCHES] Add support for LibreSSL 2.5.1
March 14, 2017 03:40PM
I have reworked the patches, so that they don't cause any warning to appear.

Piotr Kubaj
Re: [PATCHES] Add support for LibreSSL 2.5.1
March 14, 2017 04:00PM
There seems to be some error when doing a clean compilation, so I'm sending corrected patches.

Piotr Kubaj
Re: [PATCHES] Add support for LibreSSL 2.5.1
March 14, 2017 04:10PM
And it seems like the previously attached patches do compile, but the warning is there again so now I'm finally including patches that make Haproxy both compile and not throw additional warnings.

Emmanuel Hocdet
Re: [PATCHES] Add support for LibreSSL 2.5.1
March 14, 2017 04:30PM
Hi Piotr

> On 14 March 2017 at 16:04, Piotr Kubaj <[email protected]> wrote:
>
> And it seems like the previously attached patches do compile, but the warning is there again so now I'm finally including patches that make Haproxy both compile and not throw additional warnings.
>

first patch:

-#if defined(OPENSSL_IS_BORINGSSL) || (OPENSSL_VERSION_NUMBER >= 0x1010000fL)
+#if (LIBRESSL_VERSION_NUMBER < 0x2050100fL) && (defined(OPENSSL_IS_BORINGSSL) || (OPENSSL_VERSION_NUMBER >= 0x1010000fL))
should be :
+#if (LIBRESSL_VERSION_NUMBER < 0x2050100fL) || (defined(OPENSSL_IS_BORINGSSL) || (OPENSSL_VERSION_NUMBER >= 0x1010000fL))
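Review bot: With `||` in the proposed line, the first operand `(LIBRESSL_VERSION_NUMBER < 0x2050100fL)` is true on any build where `LIBRESSL_VERSION_NUMBER` is undefined, because the preprocessor treats it as 0, so the whole condition holds regardless of `OPENSSL_VERSION_NUMBER` and the empty `SSL_CTX_set_ecdh_auto` would also be defined for OpenSSL releases below 0x1010000fL. If the LibreSSL test is kept, guard it with `defined(LIBRESSL_VERSION_NUMBER)` so it applies only to LibreSSL builds.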

I suspect that test on LIBRESSL_VERSION_NUMBER will not work.

Manu
Emmanuel Hocdet
Re: [PATCHES] Add support for LibreSSL 2.5.1
March 15, 2017 07:20PM
> On 14 March 2017 at 16:28, Emmanuel Hocdet <[email protected]> wrote:
>
> Hi Piotr
>
>> On 14 March 2017 at 16:04, Piotr Kubaj <[email protected]> wrote:
>>
>> And it seems like the previously attached patches do compile, but the warning is there again so now I'm finally including patches that make Haproxy both compile and not throw additional warnings.
>>
>
> first patch:
>
> -#if defined(OPENSSL_IS_BORINGSSL) || (OPENSSL_VERSION_NUMBER >= 0x1010000fL)
> +#if (LIBRESSL_VERSION_NUMBER < 0x2050100fL) && (defined(OPENSSL_IS_BORINGSSL) || (OPENSSL_VERSION_NUMBER >= 0x1010000fL))
> should be :
> +#if (LIBRESSL_VERSION_NUMBER < 0x2050100fL) || (defined(OPENSSL_IS_BORINGSSL) || (OPENSSL_VERSION_NUMBER >= 0x1010000fL))
>
> I suspect that test on LIBRESSL_VERSION_NUMBER will not work.
>
> Manu
>

This patch should be SSL version agnostic:
Attachments:
open | download - 0001-BUILD-ssl-simplify-SSL_CTX_set_ecdh_auto-compatibili.patch (1.6 KB)
Emmanuel Hocdet
Re: [PATCHES] Add support for LibreSSL 2.5.1
March 16, 2017 03:40PM
Hi Piotr,

> On 16 March 2017 at 09:48, Piotr Kubaj <[email protected]> wrote:
>
> Thanks for the patch!
>
> Looks good to me, works fine with Haproxy and LibreSSL 2.5.1.
>
great

Willy, can you merge these two patches? They fix boringssl and libressl build issues.

Piotr, these patches should minimise your patch for libressl compat

Thanks,
Manu
Attachments:
open | download - 0002-BUILD-ssl-fix-OPENSSL_NO_SSL_TRACE-for-boringssl-and.patch (842 bytes)
open | download - 0001-BUILD-ssl-simplify-SSL_CTX_set_ecdh_auto-compatibili.patch (1.5 KB)
Willy Tarreau
Re: [PATCHES] Add support for LibreSSL 2.5.1
March 20, 2017 07:10AM
Hi Manu,

On Thu, Mar 16, 2017 at 03:35:42PM +0100, Emmanuel Hocdet wrote:
> Hi Piotr,
>
> > On 16 March 2017 at 09:48, Piotr Kubaj <[email protected]> wrote:
> >
> > Thanks for the patch!
> >
> > Looks good to me, works fine with Haproxy and LibreSSL 2.5.1.
> >
> great
>
> Willy, can you merge these two patches? They fix boringssl and libressl build issues.

Yes possibly, but I have two requests here :

1) I really want to have something in the commit message. For now all I have
is a single line for each :

BUILD: ssl: simplify SSL_CTX_set_ecdh_auto compatibility
BUILD: ssl: fix OPENSSL_NO_SSL_TRACE for boringssl and libressl

There's no indication of what the issue is, where it happens, why it
is a good idea to fix it this way. In short, if someone later faces
a problem going back to these patches, I have no idea whether I should
revert them nor what problem this will cause. Please keep in mind that
in general one should be able to take a decision regarding a patch by
a simple "git log" and should not be required to have to read the patch.

2) It would be nice to credit Piotr for the initial patch and for reporting
the problem.

Thanks,
Willy
Emmanuel Hocdet
Re: [PATCHES] Add support for LibreSSL 2.5.1
March 20, 2017 12:00PM
> On 20 March 2017 at 07:02, Willy Tarreau <[email protected]> wrote:
>
> Hi Manu,
>
> On Thu, Mar 16, 2017 at 03:35:42PM +0100, Emmanuel Hocdet wrote:
>> Hi Piotr,
>>
>>> On 16 March 2017 at 09:48, Piotr Kubaj <[email protected]> wrote:
>>>
>>> Thanks for the patch!
>>>
>>> Looks good to me, works fine with Haproxy and LibreSSL 2.5.1.
>>>
>> great
>>
>> Willy, can you merge these two patches? They fix boringssl and libressl build issues.
>
> Yes possibly, but I have two requests here :
>
> 1) I really want to have something in the commit message. For now all I have
> is a single line for each :
>
> BUILD: ssl: simplify SSL_CTX_set_ecdh_auto compatibility
> BUILD: ssl: fix OPENSSL_NO_SSL_TRACE for boringssl and libressl
>
> There's no indication of what the issue is, where it happens, why it
> is a good idea to fix it this way. In short, if someone later faces
> a problem going back to these patches, I have no idea whether I should
> revert them nor what problem this will cause. Please keep in mind that
> in general one should be able to take a decision regarding a patch by
> a simple "git log" and should not be required to have to read the patch.
>
> 2) It would be nice to credit Piotr for the initial patch and for reporting
> the problem.
>

Indeed, new patches:
Attachments:
open | download - 0001-BUILD-ssl-simplify-SSL_CTX_set_ecdh_auto-compatibili.patch (1.7 KB)
open | download - 0002-BUILD-ssl-fix-OPENSSL_NO_SSL_TRACE-for-boringssl-and.patch (1.1 KB)
Willy Tarreau
Re: [PATCHES] Add support for LibreSSL 2.5.1
March 20, 2017 12:10PM
On Mon, Mar 20, 2017 at 11:55:46AM +0100, Emmanuel Hocdet wrote:
>
(...)
> Indeed, new patches:

Both applied, many thanks Manu!
Willy