> On 15 June 2017 at 16:18, Emmanuel Hocdet <m...@gandi.net> wrote:
> 
> 
>> On 15 June 2017 at 14:37, Willy Tarreau <w...@1wt.eu> wrote:
>> 
>> Hi Manu,
>> 
>> On Thu, Jun 15, 2017 at 02:17:01PM +0200, Emmanuel Hocdet wrote:
>>> The mistake is from commit 5db33cbd "MEDIUM: ssl: ssl_methods implementation is
>>> reworked and factored for min/max tlsxx". I lost the correct #define when
>>> I reworked my initial patches. This patch will fix that (for all ssl libs without SSLv3):
>> 
>> From 3a013e94bbf93a83a37a73424afbc9916c9a2868 Mon Sep 17 00:00:00 2001
>> From: Emmanuel Hocdet <m...@gandi.net>
>> Date: Thu, 15 Jun 2017 12:45:28 +0200
>> Subject: [PATCH] BUG/MINOR: ssl: remove haproxy SSLv3 support when ssl lib
>> has no SSLv3
>> 
>> The commit 5db33cbd "MEDIUM: ssl: ssl_methods implementation is reworked and
>> factored for min/max tlsxx" dropped this case. OPENSSL_NO_SSL3 is defined when
>> the ssl lib has no SSLv3 support; setting SSL_OP_NO_SSLv3 to 0 makes sure that
>> haproxy is aware of this.
>> ---
>> src/ssl_sock.c | 6 +++++-
>> 1 file changed, 5 insertions(+), 1 deletion(-)
>> 
>> diff --git a/src/ssl_sock.c b/src/ssl_sock.c
>> index c3778b7..8940f09 100644
>> --- a/src/ssl_sock.c
>> +++ b/src/ssl_sock.c
>> @@ -1808,6 +1808,10 @@ ssl_sock_generate_certificate(const char *servername, 
>> struct bind_conf *bind_con
>> #ifndef SSL_OP_NO_COMPRESSION                           /* needs OpenSSL >= 
>> 0.9.9 */
>> #define SSL_OP_NO_COMPRESSION 0
>> #endif
>> +#ifdef OPENSSL_NO_SSL3                                  /* SSLv3 support 
>> removed */
>> +#undef  SSL_OP_NO_SSLv3
>> +#define SSL_OP_NO_SSLv3 0
>> +#endif
>> #ifndef SSL_OP_NO_TLSv1_1                               /* needs OpenSSL >= 
>> 1.0.1 */
>> #define SSL_OP_NO_TLSv1_1 0
>> #endif
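Review bot: the new `#ifdef OPENSSL_NO_SSL3` block is a different kind of thing from the `#ifndef` neighbours it sits between: those only supply a fallback value for a macro the library does not define, whereas this one `#undef`s and redefines a macro the library still exports, so from this point on every `options & SSL_OP_NO_SSLv3` test and every `|= SSL_OP_NO_SSLv3` in ssl_sock.c silently becomes a no-op. If that is the intent, say so in the comment ("force the bit to 0: lib has no SSLv3") and consider a haproxy-local name such as INTERNAL_OP_NO_SSLv3 (0 under OPENSSL_NO_SSL3, SSL_OP_NO_SSLv3 otherwise) instead of shadowing the library definition. Also note the guard here is OPENSSL_NO_SSL3 while the condition removed in the next hunk tested OPENSSL_NO_SSL3_METHOD; it is worth confirming that every supported lib sets both together.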
>> @@ -1835,7 +1839,7 @@ typedef enum { SET_CLIENT, SET_SERVER } 
>> set_context_func;
>> 
>> static void ctx_set_SSLv3_func(SSL_CTX *ctx, set_context_func c)
>> {
>> -#if SSL_OP_NO_SSLv3 && !defined(OPENSSL_NO_SSL3_METHOD)
>> +#if SSL_OP_NO_SSLv3
>>      c == SET_SERVER ? SSL_CTX_set_ssl_version(ctx, SSLv3_server_method())
>>              : SSL_CTX_set_ssl_version(ctx, SSLv3_client_method());
>> #endif
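Review bot: `#if SSL_OP_NO_SSLv3` now depends on the earlier hunk having redefined the macro to 0, and it drops the explicit `!defined(OPENSSL_NO_SSL3_METHOD)` term, so a library that defines OPENSSL_NO_SSL3_METHOD without OPENSSL_NO_SSL3 would still reference SSLv3_server_method() and SSLv3_client_method() and fail at compile or link time. Gating on the numeric value of an option bit is also fragile if a lib ever defines the bit but not the methods; either keep the `!defined(OPENSSL_NO_SSL3_METHOD)` term or test `!defined(OPENSSL_NO_SSL3)` directly. When the body is compiled out the function is left with two unused parameters, so a `(void)ctx; (void)c;` would keep -Wextra builds quiet.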
>> 
>> 
>> Hmmm, one checks OPENSSL_NO_SSL3 and the other one used to check
>> OPENSSL_NO_SSL3_METHOD; are you certain there's strict equivalence? Also,
>> do you feel sufficiently confident in doing #undef SSL_OP_NO_SSLv3? In
>> general I prefer to avoid unsetting what's defined by a lib when it might
>> also condition the way certain macros work.
>> 
>> Willy
>> 
> 
> Long version :) :
> 
> What I see for OPENSSL_NO_SSL3 / OPENSSL_NO_SSL3_METHOD:
> . both are defined when the ssl lib is built without SSL3 (or does not support it)
> . only OPENSSL_NO_SSL3 is present in haproxy before commit 5db33cbd
> What is important in my patch is to know whether the ssl lib supports SSLv3.
> 
OpenSSL 1.0.2k on my Debian has only OPENSSL_NO_SSL3, not OPENSSL_NO_SSL3_METHOD
(and SSLv3 is really disabled).

> SSL_OP_NO_SSLv3 (and the other SSL_OP_NO_TLSvX) is an option used in ssl_options,
> not used for macros, and the unsetting is in haproxy.c after the #includes.
> When the ssl lib wants to select a method version, it checks ssl_options last. If
> SSLv3 is available (via the SSL_OP_NO_SSLv3 mask) the ssl lib will use SSL3_METHOD
> (and will fail when the ssl lib is built without SSLv3) -> I think it is safe to
> alter it.
> Perhaps I could use an INTERNAL_OP_NO_SSLv3 set to SSL_OP_NO_SSLv3, or to 0
> if OPENSSL_NO_SSL3 is set. Do you want that?
> 
> Manu
> 
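As an added example, not haproxy's own code, of what the patch's `#undef`/redefine does to code that derives an SSL_OP_NO_* mask from a min/max version range (the "min/max tlsxx" rework the thread refers to) and to the `#if SSL_OP_NO_SSLv3` gate in the second hunk. The OpenSSL macros below are a constructed stand-in (bit values as in the 1.0.x headers) and the version table is hypothetical:

```c
#include <stdio.h>
/* Constructed stand-in for the parts of <openssl/ssl.h> used here: a lib built
 * without SSLv3 (OPENSSL_NO_SSL3 set) that still ships the SSL_OP_NO_* bits
 * (values as in OpenSSL 1.0.x headers). */
#define OPENSSL_NO_SSL3
#define SSL_OP_NO_SSLv3   0x02000000L
#define SSL_OP_NO_TLSv1   0x04000000L
#define SSL_OP_NO_TLSv1_1 0x10000000L
#define SSL_OP_NO_TLSv1_2 0x08000000L
/* The patch's approach: neutralise the library's SSLv3 bit in this unit. */
#ifdef OPENSSL_NO_SSL3
#undef  SSL_OP_NO_SSLv3
#define SSL_OP_NO_SSLv3 0
#endif

/* Hypothetical version table in the spirit of the min/max rework:
 * 1..4 = SSLv3, TLSv1.0, TLSv1.1, TLSv1.2. */
enum { V_SSL3 = 1, V_TLS10, V_TLS11, V_TLS12, V_MAX = V_TLS12 };
static const long no_version_opt[V_MAX + 1] = {
	0, SSL_OP_NO_SSLv3, SSL_OP_NO_TLSv1, SSL_OP_NO_TLSv1_1, SSL_OP_NO_TLSv1_2
};

/* Mask that forbids every version outside [min, max]. With SSL_OP_NO_SSLv3
 * redefined to 0 the SSLv3 row adds nothing: there is no SSLv3 to forbid. */
long options_for_range(int min, int max)
{
	long opts = 0;
	for (int v = V_SSL3; v <= V_MAX; v++)
		if (v < min || v > max)
			opts |= no_version_opt[v];
	return opts;
}

/* Same gate as the second hunk: with SSL_OP_NO_SSLv3 == 0 the SSLv3 method
 * selection code (and the SSLv3_*_method() symbols) drop out of the build. */
int sslv3_method_compiled_in(void)
{
#if SSL_OP_NO_SSLv3
	return 1;
#else
	return 0;
#endif
}

int main(void)
{
	printf("mask for TLSv1.1..TLSv1.2: 0x%lx\n", options_for_range(V_TLS11, V_TLS12));
	printf("SSLv3 method code compiled in: %d\n", sslv3_method_compiled_in());
	return 0;
}
```

Rebuild with the `#undef`/`#define SSL_OP_NO_SSLv3 0` block removed and the TLSv1.1..TLSv1.2 mask gains the 0x02000000 bit while the SSLv3 gate compiles in, which is the behaviour the thread is weighing against the redefinition.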
