> On 12 Jul 2017, at 15:23, Willy Tarreau <w...@1wt.eu> wrote:
>
> Hi Manu!
>
> Please don't forget to CC Emeric and keep in mind that I still don't
> understand anything about openssl, so for me it's always a huge pain
> each time to try to have an opinion on openssl related changes.

oops indeed

> On Wed, Jul 12, 2017 at 02:54:16PM +0200, Emmanuel Hocdet wrote:
>>
>> Hi Willy,
>>
>> I would like you to consider these patches because Christopher's patch is false
>> and doesn't support other ssl libs and openssl >= 1.1.0.
>
> OK so I guess we need to take it. Are you confident that it doesn't break
> older versions? I'm asking because since we started to add support for
> openssl derivatives, we've probably had as many patches to fix build with
> them as patches needed to fix the build with openssl due to these patches,
> to the point that sometimes I'm wondering why we still make so many efforts
> supporting these libs given the amount of incompatibilities they cause :-(

Yes, I'm confident, because I worked a lot to abstract TLS version/API support
with older/newer openssl versions. It's what I do with haproxy's methodVersions
table for ssl-min/max-ver support. What I'm missing is the OPENSSL_NO_SSL3 define...

>> I sent my original patch with more comments and another with a little
>> cleanup:
>
> This one will definitely break:
>
> Subject: [PATCH 2/2] MINOR: ssl: remove an unecessary SSL_OP_NO_* dependancy
>
> Use methodVersions table to display "OpenSSL library supports".
> (...)
> - memprintf(&ptr, "%s\nOpenSSL library supports : "
> -#if SSL_OP_NO_SSLv3
> - "SSLv3 "
> -#endif
> -#if SSL_OP_NO_TLSv1
> - "TLSv1.0 "
> -#endif
> -#if SSL_OP_NO_TLSv1_1
> - "TLSv1.1 "
> -#endif
> -#if SSL_OP_NO_TLSv1_2
> - "TLSv1.2 "
> -#endif
> -#if SSL_OP_NO_TLSv1_3
> - "TLSv1.3"
> -#endif
> - "", ptr);
> + memprintf(&ptr, "%s\nOpenSSL library supports :", ptr);
> + for (i = CONF_TLSV_MIN; i <= CONF_TLSV_MAX; i++)
> + if (methodVersions[i].option)
> + memprintf(&ptr, "%s %s", ptr, methodVersions[i].name);
>
> $ grep -rF methodVersions openssl-1.0.2k/
> $ echo $?
> 1

methodVersions is in ssl_sock.c, it will break nothing.

++
Manu
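Review bot: the replacement loop in the quoted hunk only keeps the listing accurate if `methodVersions[i].option` is zero for every protocol version the linked library lacks; if the table is populated from the same SSL_OP_NO_* macros the removed `#if` chain tested, the output is unchanged in substance but still reflects what the headers declare rather than what the library was built with, so (as the OPENSSL_NO_SSL3 remark above notes) a no-ssl3 build can still be reported as supporting SSLv3. Two smaller points: the hunk does not show a declaration of `i`, so check that the enclosing function has one, and `memprintf(&ptr, "%s %s", ...)` now emits a space after the colon before the first name (`supports : SSLv3 TLSv1.0 ...`) where the old code emitted `supports : SSLv3 ` with a trailing space, which matters only if something parses this line. The `grep` of the openssl tree returning 1 is consistent with the reply: `methodVersions` is haproxy's own table in ssl_sock.c, not an OpenSSL symbol, so the loop does not depend on the OpenSSL version.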