> On 12 Jul 2017, at 15:23, Willy Tarreau <w...@1wt.eu> wrote:
> 
> Hi Manu!
> 
> Please don't forget to CC Emeric and keep in mind that I still don't
> understand anything about openssl, so for me it's always a huge pain
> each time to try to have an opinion on openssl related changes.
> 

oops indeed

> On Wed, Jul 12, 2017 at 02:54:16PM +0200, Emmanuel Hocdet wrote:
>> 
>> Hi Willy,
>> 
>> I would like you to consider these patches because Christopher's patch is wrong
>> and doesn't support other ssl libs and openssl >= 1.1.0.
> 
> OK so I guess we need to take it. Are you confident that it doesn't break
> older versions ? I'm asking because since we started to add support for
> openssl derivatives, we've probably had as many patches to fix build with
> them as patches needed to fix the build with openssl due to these patches,
> to the point that sometimes I'm wondering why we still make so many efforts
> supporting these libs given the amount of incompatibilities they cause :-(
> 

Yes, I'm confident because I worked a lot to abstract TLS version/API support with
older/newer openssl versions. It's what I do with haproxy's methodVersions table
for ssl-min/max-ver support.
What I'm missing is the OPENSSL_NO_SSL3 define...


>> I sent my original patch with more comments and another with a little 
>> cleanup:
> 
> This one will definitely break :
> 
> Subject: [PATCH 2/2] MINOR: ssl: remove an unnecessary SSL_OP_NO_* dependency
> 
> Use methodVersions table to display "OpenSSL library supports".
> (...)
> -     memprintf(&ptr, "%s\nOpenSSL library supports : "
> -#if SSL_OP_NO_SSLv3
> -               "SSLv3 "
> -#endif
> -#if SSL_OP_NO_TLSv1
> -               "TLSv1.0 "
> -#endif
> -#if SSL_OP_NO_TLSv1_1
> -               "TLSv1.1 "
> -#endif
> -#if SSL_OP_NO_TLSv1_2
> -               "TLSv1.2 "
> -#endif
> -#if SSL_OP_NO_TLSv1_3
> -               "TLSv1.3"
> -#endif
> -            "", ptr);
> +     memprintf(&ptr, "%s\nOpenSSL library supports :", ptr);
> +     for (i = CONF_TLSV_MIN; i <= CONF_TLSV_MAX; i++)
> +             if (methodVersions[i].option)
> +                     memprintf(&ptr, "%s %s", ptr, methodVersions[i].name);
> 
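Review bot: the new loop relies on `i` and on `methodVersions[i].option`, but the hunk shows neither the declaration of `i` nor the table, so this diff alone does not let a reviewer check that the runtime test `if (methodVersions[i].option)` lists exactly the same versions as the removed `#if SSL_OP_NO_*` chain; please show (or point at) the table definition and confirm that `.option` is 0 precisely when the matching SSL_OP_NO_* macro is undefined, otherwise a version the old code omitted could now be reported as supported. The commit message "Use methodVersions table to display ..." should also state that methodVersions is haproxy's own table in ssl_sock.c rather than an OpenSSL symbol; that would have saved the grep against the openssl-1.0.2k tree below.
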
> $ grep -rF methodVersions openssl-1.0.2k/
> $ echo $?
> 1

methodVersions is in ssl_sock.c; it will break nothing.

++
Manu
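
The table-driven approach Manu describes above (a version table indexed by a CONF_TLSV_* range and walked at runtime, instead of a chain of `#if SSL_OP_NO_*` tests), as an added C example that is not haproxy's code and not any patch from this thread. It deliberately does not include OpenSSL's headers: the SSL_OP_NO_* stand-ins, the enum names, `tls_version_available`, `list_supported_versions` and `options_for_range` are all constructed for the example, and SSL_OP_NO_TLSv1_3 is left undefined to mimic an older library, which shows how an absent flag becomes a 0 table entry rather than a build error.

```c
/* Added example, not haproxy's code: a version table indexed by a CONF_TLSV_*
 * range and walked at runtime, as opposed to a chain of "#if SSL_OP_NO_*".
 *
 * <openssl/ssl.h> is NOT included so this file builds anywhere. The SSL_OP_NO_*
 * macros below are constructed stand-ins (values match OpenSSL 1.0.2's public
 * flags) for a library that has SSLv3..TLSv1.2 but no TLSv1.3. With a real
 * build, delete the stand-ins and include the library header instead. */
#include <stdio.h>
#include <string.h>

#ifndef SSL_OP_NO_SSLv3
#define SSL_OP_NO_SSLv3   0x02000000UL  /* constructed stand-in */
#endif
#ifndef SSL_OP_NO_TLSv1
#define SSL_OP_NO_TLSv1   0x04000000UL  /* constructed stand-in */
#endif
#ifndef SSL_OP_NO_TLSv1_1
#define SSL_OP_NO_TLSv1_1 0x10000000UL  /* constructed stand-in */
#endif
#ifndef SSL_OP_NO_TLSv1_2
#define SSL_OP_NO_TLSv1_2 0x08000000UL  /* constructed stand-in */
#endif
/* SSL_OP_NO_TLSv1_3 is intentionally NOT defined above: an older library.
 * The fallback below makes the table entry compile with option 0, so the
 * runtime check "option != 0" is the single definition of "supported". */
#ifndef SSL_OP_NO_TLSv1_3
#define SSL_OP_NO_TLSv1_3 0
#endif

enum {
    CONF_TLSV_NONE = 0,
    CONF_SSLV3, CONF_TLSV10, CONF_TLSV11, CONF_TLSV12, CONF_TLSV13,
    CONF_TLSV_MIN = CONF_SSLV3,
    CONF_TLSV_MAX = CONF_TLSV13
};

struct tls_version {
    const char    *name;
    unsigned long  option;  /* SSL_OP_NO_* flag that disables it, 0 if absent */
};

static const struct tls_version methodVersions[] = {
    [CONF_TLSV_NONE] = { "NONE",    0 },
    [CONF_SSLV3]     = { "SSLv3",   SSL_OP_NO_SSLv3 },
    [CONF_TLSV10]    = { "TLSv1.0", SSL_OP_NO_TLSv1 },
    [CONF_TLSV11]    = { "TLSv1.1", SSL_OP_NO_TLSv1_1 },
    [CONF_TLSV12]    = { "TLSv1.2", SSL_OP_NO_TLSv1_2 },
    [CONF_TLSV13]    = { "TLSv1.3", SSL_OP_NO_TLSv1_3 },
};

/* 1 if the library this binary was built against offers version v. */
static int tls_version_available(int v)
{
    return v >= CONF_TLSV_MIN && v <= CONF_TLSV_MAX && methodVersions[v].option != 0;
}

/* Write the available version names to buf, space separated (the
 * "OpenSSL library supports :" line). Returns how many names were written;
 * a name that does not fit is rolled back and the walk stops. */
static int list_supported_versions(char *buf, size_t buflen)
{
    size_t len = 0;
    int i, n = 0;

    if (!buflen)
        return 0;
    buf[0] = '\0';
    for (i = CONF_TLSV_MIN; i <= CONF_TLSV_MAX; i++) {
        int w;

        if (!tls_version_available(i))
            continue;
        w = snprintf(buf + len, buflen - len, "%s%s", n ? " " : "", methodVersions[i].name);
        if (w < 0 || (size_t)w >= buflen - len) {
            buf[len] = '\0';  /* drop the partial name, never overrun */
            break;
        }
        len += (size_t)w;
        n++;
    }
    return n;
}

/* SSL_OP_NO_* mask for ssl-min-ver/ssl-max-ver: disable everything outside
 * [min, max]. Versions the library lacks contribute 0, so a range that names
 * an unavailable version cannot be enforced through flags; a caller should
 * reject such a configuration instead of assuming the flag exists. */
static unsigned long options_for_range(int min, int max)
{
    unsigned long opts = 0;
    int i;

    for (i = CONF_TLSV_MIN; i <= CONF_TLSV_MAX; i++)
        if (i < min || i > max)
            opts |= methodVersions[i].option;
    return opts;
}

int main(void)
{
    char buf[64];

    list_supported_versions(buf, sizeof(buf));
    printf("library supports : %s\n", buf);
    printf("options for TLSv1.2 only : 0x%lx\n", options_for_range(CONF_TLSV12, CONF_TLSV12));
    return 0;
}
```

Against a real library the stand-in block goes away and the table picks up whatever the header defines; a version whose flag the library does not expose simply disappears from the "supports" line and from the min/max mask, which is the behaviour the `#if` chain produced at compile time, now decided in one place.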

