Hi Patrick,

On Mon, Jun 12, 2017 at 07:31:36PM -0400, Patrick Hemmer wrote:
> I patched my haproxy to add a ssl_fc_session_key fetch, and with the
> value I was able to decrypt my test sessions encrypted with
> TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256.
> 
> Since the implementation was fairly easy, I've included a patch for it.
> But I've never submitted anything before, so there's a good chance of
> something being wrong.

No problem, that's what public review is made for. BTW at first glance
your patch looks clean ;-)

> The only thing is that the function to do the extraction was added in
> 1.1.0
> (https://github.com/openssl/openssl/commit/858618e7e037559b75b0bfca4d30440f9515b888)
> The underlying vars are still there, and when I looked have been there
> since as early as I could find (going back to 1998). But I'm not sure
> how you feel about extracting the values without the helper function.

I'd then suggest to proceed differently (if that's OK for you), which
is to only expose this sample fetch function in 1.1.0 and above. If
you're fine with running on 1.1 you won't feel any difference. Others
who don't need this sample fetch right now will not feel any risk of
build problems.

Cheers,
Willy
