Hi all,

I've attached a patch adding support for OpenSSL 1.1.0. That version changes quite 
a few things; mostly it makes a lot of the structures opaque and private 
and provides functions to interact with them. Most of this change consists of 
using these new functions on OpenSSL 1.1.0 and newer.

There are a few things worth calling out specifically in this patch:

- I was not 100% clear on the handshake logic. It looked like it tried to 
detect if a handshake was ever attempted and distinguish that from a failure 
case. I've used the new state mechanism available through SSL_get_state to 
hopefully mimic similar behavior. I might have gotten this totally wrong though.
- The Makefile change was needed so that linking the OpenSSL bits also pulls in 
dl if needed (OpenSSL uses this itself). Also OpenSSL will now use pthread by 
default, so maybe that also should be added? Although I've used 
USE_PTHREAD_PSHARED for now in testing to link that.
- The code guarded with #ifdef SSL_CTX_get_tlsext_status_arg ideally would also 
use that macro, but there seems to be a closing brace missing at 
https://github.com/openssl/openssl/blob/fddfc0afc84728f8a5140685163e66ce6471742d/include/openssl/tls1.h#L300-L301 
so it throws an error. That's why I've used the implementation of that macro 
in the code instead.

What this does not address at the moment is fixing the use of deprecated 
functions. These are the warnings still present with these changes:

[jessie-amd64]  src/ssl_sock.c: In function 'ssl_tlsext_ticket_key_cb':
[jessie-amd64]  src/ssl_sock.c:492:3: warning: 'RAND_pseudo_bytes' is deprecated (declared at /data/build/jessie-amd64/packages/haproxy/tmp-install/openssl-static/include/openssl/rand.h:47) [-Wdeprecated-declarations]
[jessie-amd64]     if(!RAND_pseudo_bytes(iv, EVP_MAX_IV_LENGTH))
[jessie-amd64]     ^
[jessie-amd64]  src/ssl_sock.c: In function 'ssl_sock_prepare_ctx':
[jessie-amd64]  src/ssl_sock.c:2731:3: warning: 'TLSv1_server_method' is deprecated (declared at /data/build/jessie-amd64/packages/haproxy/tmp-install/openssl-static/include/openssl/ssl.h:1597) [-Wdeprecated-declarations]
[jessie-amd64]     SSL_CTX_set_ssl_version(ctx, TLSv1_server_method());
[jessie-amd64]     ^
[jessie-amd64]  src/ssl_sock.c:2734:3: warning: 'TLSv1_1_server_method' is deprecated (declared at /data/build/jessie-amd64/packages/haproxy/tmp-install/openssl-static/include/openssl/ssl.h:1603) [-Wdeprecated-declarations]
[jessie-amd64]     SSL_CTX_set_ssl_version(ctx, TLSv1_1_server_method());
[jessie-amd64]     ^
[jessie-amd64]  src/ssl_sock.c:2738:3: warning: 'TLSv1_2_server_method' is deprecated (declared at /data/build/jessie-amd64/packages/haproxy/tmp-install/openssl-static/include/openssl/ssl.h:1609) [-Wdeprecated-declarations]
[jessie-amd64]     SSL_CTX_set_ssl_version(ctx, TLSv1_2_server_method());
[jessie-amd64]     ^
[jessie-amd64]  src/ssl_sock.c:2824:13: warning: assignment discards 'const' qualifier from pointer target type
[jessie-amd64]        cipher = sk_SSL_CIPHER_value(ciphers, idx);
[jessie-amd64]               ^
[jessie-amd64]  src/ssl_sock.c: In function 'ssl_sock_prepare_srv_ctx':
[jessie-amd64]  src/ssl_sock.c:3111:3: warning: 'TLSv1_client_method' is deprecated (declared at /data/build/jessie-amd64/packages/haproxy/tmp-install/openssl-static/include/openssl/ssl.h:1598) [-Wdeprecated-declarations]
[jessie-amd64]     SSL_CTX_set_ssl_version(srv->ssl_ctx.ctx, TLSv1_client_method());
[jessie-amd64]     ^
[jessie-amd64]  src/ssl_sock.c:3114:3: warning: 'TLSv1_1_client_method' is deprecated (declared at /data/build/jessie-amd64/packages/haproxy/tmp-install/openssl-static/include/openssl/ssl.h:1604) [-Wdeprecated-declarations]
[jessie-amd64]     SSL_CTX_set_ssl_version(srv->ssl_ctx.ctx, TLSv1_1_client_method());
[jessie-amd64]     ^
[jessie-amd64]  src/ssl_sock.c:3118:3: warning: 'TLSv1_2_client_method' is deprecated (declared at /data/build/jessie-amd64/packages/haproxy/tmp-install/openssl-static/include/openssl/ssl.h:1610) [-Wdeprecated-declarations]
[jessie-amd64]     SSL_CTX_set_ssl_version(srv->ssl_ctx.ctx, TLSv1_2_client_method());
[jessie-amd64]     ^
[jessie-amd64]  src/ssl_sock.c: In function '__ssl_sock_deinit':
[jessie-amd64]  src/ssl_sock.c:6254:9: warning: 'ERR_remove_state' is deprecated (declared at /data/build/jessie-amd64/packages/haproxy/tmp-install/openssl-static/include/openssl/err.h:247) [-Wdeprecated-declarations]
[jessie-amd64]           ERR_remove_state(0);

Let me know what you all think.

Cheers,

Dirkjan

Attachment: 0001-Add-support-for-OpenSSL-1.1.0.patch
Description: Binary data
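The deprecation warnings quoted in the mail are the usual to-do list for an OpenSSL 1.1.0 port. As an added example (not part of the attached patch and not HAProxy code), the script below parses gcc -Wdeprecated-declarations output of that shape and prints, per call site, the 1.1.0 replacement a maintainer would reach for: RAND_bytes for RAND_pseudo_bytes (the ticket-key IV should come from the CSPRNG and a failure must be checked), TLS_server_method/TLS_client_method pinned with SSL_CTX_set_min_proto_version and SSL_CTX_set_max_proto_version for the version-specific method functions, and dropping ERR_remove_state, which is a no-op in 1.1.0. The sample input is a constructed re-join of the warnings from this mail onto single lines; the function names and the mapping text are mine, not from the page.

```shell
#!/bin/sh
# Triage -Wdeprecated-declarations output from an OpenSSL 1.1.0 port build.

# Constructed sample input: the deprecation warnings quoted in the mail above,
# re-joined onto single lines exactly as gcc emits them.
sample_warnings() {
  cat <<'EOF'
src/ssl_sock.c:492:3: warning: 'RAND_pseudo_bytes' is deprecated (declared at /data/build/jessie-amd64/packages/haproxy/tmp-install/openssl-static/include/openssl/rand.h:47) [-Wdeprecated-declarations]
src/ssl_sock.c:2731:3: warning: 'TLSv1_server_method' is deprecated (declared at /data/build/jessie-amd64/packages/haproxy/tmp-install/openssl-static/include/openssl/ssl.h:1597) [-Wdeprecated-declarations]
src/ssl_sock.c:2734:3: warning: 'TLSv1_1_server_method' is deprecated (declared at /data/build/jessie-amd64/packages/haproxy/tmp-install/openssl-static/include/openssl/ssl.h:1603) [-Wdeprecated-declarations]
src/ssl_sock.c:2738:3: warning: 'TLSv1_2_server_method' is deprecated (declared at /data/build/jessie-amd64/packages/haproxy/tmp-install/openssl-static/include/openssl/ssl.h:1609) [-Wdeprecated-declarations]
src/ssl_sock.c:2824:13: warning: assignment discards 'const' qualifier from pointer target type
src/ssl_sock.c:3111:3: warning: 'TLSv1_client_method' is deprecated (declared at /data/build/jessie-amd64/packages/haproxy/tmp-install/openssl-static/include/openssl/ssl.h:1598) [-Wdeprecated-declarations]
src/ssl_sock.c:3114:3: warning: 'TLSv1_1_client_method' is deprecated (declared at /data/build/jessie-amd64/packages/haproxy/tmp-install/openssl-static/include/openssl/ssl.h:1604) [-Wdeprecated-declarations]
src/ssl_sock.c:3118:3: warning: 'TLSv1_2_client_method' is deprecated (declared at /data/build/jessie-amd64/packages/haproxy/tmp-install/openssl-static/include/openssl/ssl.h:1610) [-Wdeprecated-declarations]
src/ssl_sock.c:6254:9: warning: 'ERR_remove_state' is deprecated (declared at /data/build/jessie-amd64/packages/haproxy/tmp-install/openssl-static/include/openssl/err.h:247) [-Wdeprecated-declarations]
EOF
}

# Read compiler output on stdin; print "<symbol> <file>:<line>" for every
# deprecated-declarations warning. Other warnings (e.g. the const one) are skipped.
deprecated_symbols() {
  sed -n "s/^\([^:]*:[0-9]*\):[0-9]*: warning: '\([A-Za-z0-9_]*\)' is deprecated.*\[-Wdeprecated-declarations\]$/\2 \1/p"
}

# Number of deprecated call sites in the input on stdin.
count_deprecated() {
  deprecated_symbols | wc -l | tr -d ' '
}

# Distinct deprecated symbols in the input on stdin, one per line, sorted.
unique_deprecated() {
  deprecated_symbols | cut -d' ' -f1 | sort -u
}

# OpenSSL 1.1.0 replacement for a deprecated symbol (hypothetical mapping
# written for this example; the replacement APIs themselves are real 1.1.0 calls).
replacement_for() {
  case "$1" in
    RAND_pseudo_bytes)
      echo "RAND_bytes (CSPRNG; treat a non-1 return as an error, never use the buffer)" ;;
    TLSv1_server_method|TLSv1_1_server_method|TLSv1_2_server_method)
      echo "TLS_server_method + SSL_CTX_set_min_proto_version/SSL_CTX_set_max_proto_version" ;;
    TLSv1_client_method|TLSv1_1_client_method|TLSv1_2_client_method)
      echo "TLS_client_method + SSL_CTX_set_min_proto_version/SSL_CTX_set_max_proto_version" ;;
    ERR_remove_state)
      echo "drop the call (no-op in 1.1.0; per-thread error state is freed automatically)" ;;
    *)
      echo "no mapping known" ;;
  esac
}

# Tab-separated report: location, deprecated symbol, suggested replacement.
migration_report() {
  deprecated_symbols | while read -r sym loc; do
    printf '%s\t%s\t%s\n' "$loc" "$sym" "$(replacement_for "$sym")"
  done
}

# Stand-alone usage: feed real output with  make 2>&1 | migration_report
sample_warnings | migration_report
```

Pipe a real build log into migration_report instead of sample_warnings; the const-qualifier warning and any other non-deprecation noise fall through the sed filter untouched.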
