Hi Manu,

On Mon, Sep 04, 2017 at 04:39:45PM +0200, Emmanuel Hocdet wrote:
> Hi Emeric, Christopher
>
> If you can review when you have time. (3) for Christopher.
>
> These patches allow supporting native multicert selection (RSA/ECDSA) and
> ssl-min-ver/ssl-max-ver per certificate with openssl 1.1.1 (boringssl is the
> only one to support this until this patch).
>
> patches:
> 1) Convert BoringSSL api call (CBS) to ssl-lib independent code.
> This is the biggest part and only depends on BoringSSL build (until 2).
>
> 2) support openssl 1.1.1 early callback API. It mimics BoringSSL api, and this
> is good news (small patch).
> Do we want to push code for openssl 1.1.1 (dev) in haproxy (dev) now?

I suspect it will be mandatory in order to support TLS early-data (0-RTT).
So I think it will be nice to have it before the release. However given
that both Christopher and Emeric are heavily loaded on the multi-threading
part, I suggest that we postpone the patchset review until the multi-thread
stuff gets merged. As you say, the patch is small so it will be easy to
review and apply, and/or revert in case of issues so it's not a big deal to
merge it late in the cycle.

Thanks,
Willy