> On 15 June 2017 at 14:37, Willy Tarreau <w...@1wt.eu> wrote: > > Hi Manu, > > On Thu, Jun 15, 2017 at 02:17:01PM +0200, Emmanuel Hocdet wrote: >> The mistake is from commit 5db33cbd "MEDIUM: ssl: ssl_methods implementation >> is >> reworked and factored for min/max tlsxx". I lost the correct #define when I >> reworked my >> initial patches. This patch will fix that (for all ssl libs without SSLv3): > > From 3a013e94bbf93a83a37a73424afbc9916c9a2868 Mon Sep 17 00:00:00 2001 > From: Emmanuel Hocdet <m...@gandi.net> > Date: Thu, 15 Jun 2017 12:45:28 +0200 > Subject: [PATCH] BUG/MINOR: ssl: remove haproxy SSLv3 support when ssl lib > has no SSLv3 > > The commit 5db33cbd "MEDIUM: ssl: ssl_methods implementation is reworked and > factored for min/max tlsxx" drops this case. OPENSSL_NO_SSL3 is defined when > the ssl lib has no SSLv3 support; setting SSL_OP_NO_SSLv3 to 0 makes sure that > haproxy is aware of this. > --- > src/ssl_sock.c | 6 +++++- > 1 file changed, 5 insertions(+), 1 deletion(-) > > diff --git a/src/ssl_sock.c b/src/ssl_sock.c > index c3778b7..8940f09 100644 > --- a/src/ssl_sock.c > +++ b/src/ssl_sock.c > @@ -1808,6 +1808,10 @@ ssl_sock_generate_certificate(const char *servername, > struct bind_conf *bind_con > #ifndef SSL_OP_NO_COMPRESSION /* needs OpenSSL >= > 0.9.9 */ > #define SSL_OP_NO_COMPRESSION 0 > #endif > +#ifdef OPENSSL_NO_SSL3 /* SSLv3 support > removed */ > +#undef SSL_OP_NO_SSLv3 > +#define SSL_OP_NO_SSLv3 0 > +#endif > #ifndef SSL_OP_NO_TLSv1_1 /* needs OpenSSL >= > 1.0.1 */ > #define SSL_OP_NO_TLSv1_1 0 > #endif 
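Review bot: the `#undef SSL_OP_NO_SSLv3` / `#define SSL_OP_NO_SSLv3 0` pair under `#ifdef OPENSSL_NO_SSL3` redefines a macro owned by the ssl library, so every later use of SSL_OP_NO_SSLv3 in this translation unit (the `#if SSL_OP_NO_SSLv3` guard in ctx_set_SSLv3_func as well as any OR into an options mask) now sees haproxy's 0 instead of the library's value, which is exactly the kind of side effect the existing SSL_OP_NO_COMPRESSION and SSL_OP_NO_TLSv1_1 fallbacks avoid by only defining a macro that is absent. A haproxy-local name (for instance the INTERNAL_OP_NO_SSLv3 mentioned below the patch, defined as SSL_OP_NO_SSLv3 or 0 depending on OPENSSL_NO_SSL3) would give the same compile-time switch without touching the library's definition; the comment `/* SSLv3 support removed */` should also say that the 0 is deliberately used as a guard value.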
> @@ -1835,7 +1839,7 @@ typedef enum { SET_CLIENT, SET_SERVER } > set_context_func; > > static void ctx_set_SSLv3_func(SSL_CTX *ctx, set_context_func c) > { > -#if SSL_OP_NO_SSLv3 && !defined(OPENSSL_NO_SSL3_METHOD) > +#if SSL_OP_NO_SSLv3 > c == SET_SERVER ? SSL_CTX_set_ssl_version(ctx, SSLv3_server_method()) > : SSL_CTX_set_ssl_version(ctx, SSLv3_client_method()); > #endif > > > Hmmm, one checks OPENSSL_NO_SSL3 and the other one used to check > OPENSSL_NO_SSL3_METHOD, are you certain there's strict equivalence ? Also > do you feel sufficiently confident in doing #undef SSL_OP_NO_SSLv3 ? In > general I prefer to avoid unsetting what's defined by a lib when it might > also condition the way certain macros work. > > Willy >
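Review bot: replacing `#if SSL_OP_NO_SSLv3 && !defined(OPENSSL_NO_SSL3_METHOD)` with `#if SSL_OP_NO_SSLv3` drops the OPENSSL_NO_SSL3_METHOD check and makes the guard depend only on the redefinition added in the first hunk, so a library build that defines OPENSSL_NO_SSL3_METHOD without OPENSSL_NO_SSL3 would now keep SSL_OP_NO_SSLv3 non-zero and compile the calls to SSLv3_server_method() / SSLv3_client_method(), the failure the patch is meant to remove. Either keep `!defined(OPENSSL_NO_SSL3_METHOD)` in the condition alongside the new check, or state in the commit message which library versions define one macro without the other, since the message currently asserts only that OPENSSL_NO_SSL3 is defined when SSLv3 is absent.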
Long version :) :

What I see for OPENSSL_NO_SSL3 / OPENSSL_NO_SSL3_METHOD:
. both are defined when the ssl lib is built without SSL3 (or does not support it)
. only OPENSSL_NO_SSL3 is present in haproxy before commit 5db33cbd

What is important in my patch is to know if the ssl lib supports SSLv3.

SSL_OP_NO_SSLv3 (and the other SSL_OP_NO_TLSvX) is an option used in ssl_options, not used for macros, and the unsetting is in haproxy.c after the #includes.

When the ssl lib wants to select a method version, it checks ssl_options last. If SSLv3 is available (via the SSL_OP_NO_SSLv3 mask) the ssl lib will use SSL3_METHOD (and will fail when the ssl lib is built without SSLv3).

-> I think it is safe to alter it.

Perhaps I can use an INTERNAL_OP_NO_SSLv3 set to SSL_OP_NO_SSLv3, or 0 if OPENSSL_NO_SSL3 is set. Do you want it?

Manu