> Le 15 juin 2017 à 14:37, Willy Tarreau <w...@1wt.eu> a écrit :
>
> Hi Manu,
>
> On Thu, Jun 15, 2017 at 02:17:01PM +0200, Emmanuel Hocdet wrote:
>> The mistake is from commit 5db33cbd "MEDIUM: ssl: ssl_methods implementation
>> is
>> reworked and factored for min/max tlsxx ». I lost the correct #define when i
>> rework my
>> initials patches. This patch will fix that (for all ssl lib without SSLv3):
>
> From 3a013e94bbf93a83a37a73424afbc9916c9a2868 Mon Sep 17 00:00:00 2001
> From: Emmanuel Hocdet <m...@gandi.net>
> Date: Thu, 15 Jun 2017 12:45:28 +0200
> Subject: [PATCH] BUG/MINOR: ssl: remove haproxy SSLv3 support when ssl lib
> have no SSLv3
>
> The commit 5db33cbd "MEDIUM: ssl: ssl_methods implementation is reworked and
> factored for min/max tlsxx" drop this case. OPENSSL_NO_SSL3 is define when
> ssl lib have no SSLv3 support, set SSL_OP_NO_SSLv3 to 0 makes sure that
> haproxy is aware of this.
> ---
> src/ssl_sock.c | 6 +++++-
> 1 file changed, 5 insertions(+), 1 deletion(-)
>
> diff --git a/src/ssl_sock.c b/src/ssl_sock.c
> index c3778b7..8940f09 100644
> --- a/src/ssl_sock.c
> +++ b/src/ssl_sock.c
> @@ -1808,6 +1808,10 @@ ssl_sock_generate_certificate(const char *servername,
> struct bind_conf *bind_con
> #ifndef SSL_OP_NO_COMPRESSION /* needs OpenSSL >=
> 0.9.9 */
> #define SSL_OP_NO_COMPRESSION 0
> #endif
> +#ifdef OPENSSL_NO_SSL3 /* SSLv3 support
> removed */
> +#undef SSL_OP_NO_SSLv3
> +#define SSL_OP_NO_SSLv3 0
> +#endif
> #ifndef SSL_OP_NO_TLSv1_1 /* needs OpenSSL >=
> 1.0.1 */
> #define SSL_OP_NO_TLSv1_1 0
> #endif
> @@ -1835,7 +1839,7 @@ typedef enum { SET_CLIENT, SET_SERVER }
> set_context_func;
>
> static void ctx_set_SSLv3_func(SSL_CTX *ctx, set_context_func c)
> {
> -#if SSL_OP_NO_SSLv3 && !defined(OPENSSL_NO_SSL3_METHOD)
> +#if SSL_OP_NO_SSLv3
> c == SET_SERVER ? SSL_CTX_set_ssl_version(ctx, SSLv3_server_method())
> : SSL_CTX_set_ssl_version(ctx, SSLv3_client_method());
> #endif
>
>
> Hmmm, one checks OPENSSL_NO_SSL3 and the other one used to check
> OPENSSL_NO_SSL3_METHOD, are you certain there's strict equivalence ? Also
> do you feel sufficiently confident in doing #undef SSL_OP_NO_SSLv3 ? In
> general I prefer to avoid unsetting what's defined by a lib when it might
> also condition the way certain macros work.
>
> Willy
>
Long version :) :
What i see for OPENSSL_NO_SSL3 / OPENSSL_NO_SSL3_METHOD
. both are defined when ssl lib are build without SSL3 (or not support it)
. only OPENSSL_NO_SSL3 is present in haproxy before commit 5db33cbd
what is important in my patch is to know if ssl lib support SSLv3.
SSL_OP_NO_SSLv3 (and other SSL_OP_NO_TLSvX) is option used in ssl_options,
not used for macro and the unsetting is in haproxy.c after #includes.
When ssl lib want to select a method version, it check (in last) ssl_options. If
SSLv3 is available (via SSL_OP_NO_SSLv3 mask) ssl lib will use SSL3_METHOD.
(and will fail when ssl lib is build without SSLv3) -> I think is safe to
alter it.
Perhaps i can used a INTERNAL_OP_NO_SSLv3 set to SSL_OP_NO_SSLv3 or 0
if OPENSSL_NO_SSL3 is set. You want it?
Manu
