On 6/22/18 6:14 PM, Lukas Tribus wrote:
> configuration, removing old interfaces. Drop it from your openssl
> configuration, and it will work fine.
>
>> particularly with tls1.3-capable openssl 1.1.1 "ComingSoon(tm)", might be worth a review
>
> Haproxy 1.8 and -dev works fine with both openssl 1.1.1 and TLS 1.3.
> 1.1.1 is API compatible with 1.1.0 and there is nothing else on the
> roadmap as far as I know. A different OpenSSL API (1.2) will break all
> applications *anyway*, regardless whether we all remove supposedly
> obsolete interfaces today. On the other hand, likely the new API does
> not have all interfaces required to replace the old functionality.
> That's at least how it was with 1.1.0 (with things that were actually
> removed in 1.1.0).
>
> The --api=1.1.0 is helpful to understand what the openssl developers
> currently believe will be removed one day, but they change their
> opinion all the time and a new breaking API change is not even
> announced at this point. That's why I suggest you don't worry about it
> and compile openssl without the API restriction. No OS will ship the
> openssl library with such options anyway.

Have to consider this, then.

The point -- or at least one of them -- of DIY'ing the openssl builds is to *not* have "deprecated" (unsupported? recommended against? whatever?) dependencies ... and an app stack built on top of them.

What a distro/OS ships is of little interest, or concern. I find their packaging, particularly when it comes to security apps, often unnecessarily bloated, and sometimes sloppy. To me, admittedly.

So far, the 'reset' of my stack -- including e.g., but not limited to, nginx, mariadb, postfix, varnish, php, radicale, etc etc -- has no problems with the api=1.1.0 (no deprecated) openssl. Each of those projects has decided to accept/address the reality of current openssl release build options; specifically, the option to restrict use of deprecated apis.

The 1st 'issue' I've hit is, apparently, haproxy.

I'll have to decide whether I'm more interested in haproxy, or a consistently 'modern/current' openssl api. Atm, I'm leaning to sticking with the openssl api restriction(s).

I'll need to dig further into OpenSSL 1.1.1's API ... sure, it's 1.1.0 compatible, but I simply don't yet understand what the implications, if any, for deprecated APIs are. Ongoing support? Further deprecation notices? Dropped? Just unclear to me atm.

What I'd prefer, not surprisingly, is a haproxy that'll handle the option. I understand there's change involved.

Thanks.
