Fix building haproxy 1.8.5 with LibreSSL 2.6.4

Posted by Andy Postnikov 
Andy Postnikov
Fix building haproxy 1.8.5 with LibreSSL 2.6.4
March 31, 2018 04:50PM
I used to rework previous patch from Alpinelinux to build with latest
stable libressl
But found no way to run tests with openssl which is primary library as I see
Is it possible to accept the patch upstream or get review on it?
Willy Tarreau
Re: Fix building haproxy 1.8.5 with LibreSSL 2.6.4
April 06, 2018 07:20PM
Hi Andy,

On Sat, Mar 31, 2018 at 05:43:55PM +0300, Andy Postnikov wrote:
> I used to rework previous patch from Alpinelinux to build with latest
> stable libressl
> But found no way to run tests with openssl which is primary library as I see
> Is it possible to accept the patch upstream or get review on it?

It is probably correct, though I remember that some parts that you changed
used to be tricky with certain openssl versions, thus I'd like that Emeric
takes a look before merging this. And possibly Manu who uses BoringSSL,
which comes with its own set of incompatibilities :-)

CCing them now.

Thanks,
Willy
Andy Postnikov
Re: Fix building haproxy 1.8.5 with LibreSSL 2.6.4
April 07, 2018 01:00PM
Hi Willy,
Alpine is migrating to libressl 2.7 and a new patch was added there:
https://github.com/alpinelinux/aports/commit/d32f982f0bbdfe3b902408920923d1d44ab88471
I have not tested it yet, but this patch at least allowed haproxy to build without
errors

2018-04-06 20:12 GMT+03:00 Willy Tarreau <[email protected]>:

> Hi Andy,
>
> On Sat, Mar 31, 2018 at 05:43:55PM +0300, Andy Postnikov wrote:
> > I used to rework previous patch from Alpinelinux to build with latest
> > stable libressl
> > But found no way to run tests with openssl which is primary library as I
> see
> > Is it possible to accept the patch upstream or get review on it?
>
> It is probably correct, though I remember that some parts that you changed
> used to be tricky with certain openssl versions, thus I'd like that Emeric
> takes a look before merging this. And possibly Manu who uses BoringSSL,
> which comes with its own set of incompatibilities :-)
>
> CCing them now.
>
> Thanks,
> Willy
>



--
*Andy Postnikov*, drupal consultant

dgo.to/@andypost
skype:andypost2005
Emmanuel Hocdet
Re: Fix building haproxy 1.8.5 with LibreSSL 2.6.4
April 07, 2018 04:50PM
Hi Andy

> On 31 March 2018 at 16:43, Andy Postnikov <[email protected]> wrote:
>
> I used to rework previous patch from Alpinelinux to build with latest stable libressl
> But found no way to run tests with openssl which is primary library as I see
> Is it possible to accept the patch upstream or get review on it?
>
> <fix-libressl-1.8.5.patch>


@@ -2208,7 +2223,7 @@
#else
cipher = SSL_CIPHER_find(ssl, cipher_suites);
#endif
- if (cipher && SSL_CIPHER_get_auth_nid(cipher) == NID_auth_ecdsa) {
+ if (cipher && SSL_CIPHER_is_ECDSA(cipher)) {
has_ecdsa = 1;
break;
}
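
Review bot: the changed `if` sits after the `#endif`, so replacing `SSL_CIPHER_get_auth_nid(cipher) == NID_auth_ecdsa` with `SSL_CIPHER_is_ECDSA(cipher)` applies to every TLS library this file is built against, not only LibreSSL. Keep the original test as the default and select the replacement under a preprocessor conditional limited to the library versions that lack `SSL_CIPHER_get_auth_nid`, so that builds which compile today are not affected.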

No, it’s a regression in lib compatibility.

++
Manu
Dmitry Sivachenko
Re: Fix building haproxy 1.8.5 with LibreSSL 2.6.4
April 16, 2018 02:40PM
> On 07 Apr 2018, at 17:38, Emmanuel Hocdet <[email protected]> wrote:
>
>
> Hi Andy
>
>> On 31 March 2018 at 16:43, Andy Postnikov <[email protected]> wrote:
>>
>> I used to rework previous patch from Alpinelinux to build with latest stable libressl
>> But found no way to run tests with openssl which is primary library as I see
>> Is it possible to accept the patch upstream or get review on it?
>>
>> <fix-libressl-1.8.5.patch>
>
>
> @@ -2208,7 +2223,7 @@
> #else
> cipher = SSL_CIPHER_find(ssl, cipher_suites);
> #endif
> - if (cipher && SSL_CIPHER_get_auth_nid(cipher) == NID_auth_ecdsa) {
> + if (cipher && SSL_CIPHER_is_ECDSA(cipher)) {
> has_ecdsa = 1;
> break;
> }
>
> No, it’s a regression in lib compatibility.
>


Hello,

it would be nice if you come to an acceptable solution and finally merge LibreSSL support.
There were several attempts to propose LibreSSL support in the past and every time discussion dies with no result.

Thanks :)
Emeric Brun
Re: Fix building haproxy 1.8.5 with LibreSSL 2.6.4
April 18, 2018 02:30PM
On 04/16/2018 02:30 PM, Dmitry Sivachenko wrote:
>
>> On 07 Apr 2018, at 17:38, Emmanuel Hocdet <[email protected]> wrote:
>>
>>
>> Hi Andy
>>
>>> On 31 March 2018 at 16:43, Andy Postnikov <[email protected]> wrote:
>>>
>>> I used to rework previous patch from Alpinelinux to build with latest stable libressl
>>> But found no way to run tests with openssl which is primary library as I see
>>> Is it possible to accept the patch upstream or get review on it?
>>>
>>> <fix-libressl-1.8.5.patch>
>>
>>
>> @@ -2208,7 +2223,7 @@
>> #else
>> cipher = SSL_CIPHER_find(ssl, cipher_suites);
>> #endif
>> - if (cipher && SSL_CIPHER_get_auth_nid(cipher) == NID_auth_ecdsa) {
>> + if (cipher && SSL_CIPHER_is_ECDSA(cipher)) {
>> has_ecdsa = 1;
>> break;
>> }
>>
>> No, it’s a regression in lib compatibility.
>>
>
>
> Hello,
>
> it would be nice if you come to an acceptable solution and finally merge LibreSSL support.
> There were several attempts to propose LibreSSL support in the past and every time discussion dies with no result.
>
> Thanks :)
>
>
>

What do you think Manu?

R,
Emeric
Emmanuel Hocdet
Re: Fix building haproxy 1.8.5 with LibreSSL 2.6.4
April 18, 2018 03:10PM
Hi Emeric,

> On 18 Apr. 2018 at 14:21, Emeric Brun <[email protected]> wrote:
>
> On 04/16/2018 02:30 PM, Dmitry Sivachenko wrote:
>>
>>> On 07 Apr 2018, at 17:38, Emmanuel Hocdet <[email protected]> wrote:
>>>
>>>
>>> Hi Andy
>>>
>>>> On 31 March 2018 at 16:43, Andy Postnikov <[email protected]> wrote:
>>>>
>>>> I used to rework previous patch from Alpinelinux to build with latest stable libressl
>>>> But found no way to run tests with openssl which is primary library as I see
>>>> Is it possible to accept the patch upstream or get review on it?
>>>>
>>>> <fix-libressl-1.8.5.patch>
>>>
>>>
>>> @@ -2208,7 +2223,7 @@
>>> #else
>>> cipher = SSL_CIPHER_find(ssl, cipher_suites);
>>> #endif
>>> - if (cipher && SSL_CIPHER_get_auth_nid(cipher) == NID_auth_ecdsa) {
>>> + if (cipher && SSL_CIPHER_is_ECDSA(cipher)) {
>>> has_ecdsa = 1;
>>> break;
>>> }
>>>
>>> No, it’s a regression in lib compatibility.
>>>
>>
>>
>> Hello,
>>
>> it would be nice if you come to an acceptable solution and finally merge LibreSSL support.
>> There were several attempts to propose LibreSSL support in the past and every time discussion dies with no result.
>>
>> Thanks :)
>>
>>
>>
>
> What do you think Manu?
>

At least, regression should be fixed, it breaks openssl and boringssl build.
(SSL_CIPHER_get_auth_nid has been added in LibreSSL 2.7)

Otherwise the code only affects parts related to openssl, not boringssl.

++
Manu