Wed, 8 May 2019 at 13:55, Willy Tarreau <[email protected]>:

> On Wed, May 08, 2019 at 01:13:56PM +0500, ???? ??????? wrote:
> > > libressl ? My understanding of this thing is that this problem is not
> > > easy to detect by accident and causes a mess for people who reload often.
> > > If libressl is affected by this we probably need to find a different
> > > fix. And if it's not affected, at least the tested version(s) must be
> > > mentioned in the commit message so that we can reconsider or refine this
> > > choice later if/when the problem appears with a subsequent version.
> > > CCing William and Emeric who worked on addressing this issue for OpenSSL.
> > >
> >
> > I planned to have a look at it actually. The idea is to write some reg test
> > which will reload and watch for open FDs.
> > not sure whether it is easy or not
>
> But before writing reg tests, it's important not to revert part of a patch
> without knowing if it brings the issue back. Otherwise you end up with a
> patch merged into a branch, making users believe their bug is fixed since
> the patch is there, while in fact it was later silently reverted as a
> "build fix".
>
> > the idea behind quick patch is "if you use LibreSSL you are on your own and
> > you have been warned"
> > (yes, we did our best to make it work with LibreSSL, but it is still a
> > niche solution, not very well tested)
>
> Some of the users here do rely on it. However, seeing that you had to
> turn off this test makes me think that LibreSSL pretends to be openssl
> 1.1.1 but is not compatible with it. I suspect that instead the OpenSSL
> test version is wrong in the original patch. It seems to be testing for
> 1.1.1-dev instead of testing for 1.1.1-release. So probably that this
> RAND_* function appears late in the development process and that libressl
> only complies with an early 1.1.1-dev version.
>
> Surprisingly I'm seeing that *all* of our tests for 1.1.1 are wrong. I
> suspect that one was either wrong or deliberate initially and that it
> got copy-pasted everywhere :-(
>
> Ilya, could you please instead change the test like this and test again :
>
> -#if defined(USE_OPENSSL) && (OPENSSL_VERSION_NUMBER >= 0x10101000L)
> +#if defined(USE_OPENSSL) && (OPENSSL_VERSION_NUMBER >= 0x1010100fL)
>
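
Review bot: the condition on the "+#if" line is still a plain >= comparison on OPENSSL_VERSION_NUMBER, so raising the threshold from 0x10101000L to 0x1010100fL only excludes 1.1.1-dev builds; any library reporting a larger number still passes. Per this thread LibreSSL defines 0x20000000L, which is above both thresholds. If the block must only be compiled against an OpenSSL 1.1.1 release, add an explicit exclusion such as "&& !defined(LIBRESSL_VERSION_NUMBER)" to the condition, and state the tested LibreSSL version(s) in the commit message as asked earlier in the thread.
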
LibreSSL defines it as

#define OPENSSL_VERSION_NUMBER 0x20000000L

it is bigger than any released OpenSSL (yet, for openssl master it is 3.0.0)

>
> Thanks,
> Willy
>
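
The three version numbers discussed in this thread, decoded and run through both thresholds. This is an added example, not code from HAProxy or from either poster; decode_version() and gate_enabled() are hypothetical helpers, and the field layout assumed is the pre-3.0 OpenSSL encoding 0xMNNFFPPS.

```c
#include <stdio.h>

/* Pre-3.0 OpenSSL layout of OPENSSL_VERSION_NUMBER: 0xMNNFFPPS
 * M major, NN minor, FF fix, PP patch, S status
 * (status 0 = development, 1..e = beta, f = release). */
struct ossl_ver { unsigned major, minor, fix, patch, status; };

static struct ossl_ver decode_version(unsigned long v)
{
    struct ossl_ver d;
    d.major  = (v >> 28) & 0xf;
    d.minor  = (v >> 20) & 0xff;
    d.fix    = (v >> 12) & 0xff;
    d.patch  = (v >> 4)  & 0xff;
    d.status = v & 0xf;
    return d;
}

/* Hypothetical helper: mirrors a "#if VERSION >= threshold" gate, with an
 * optional exclusion for a library that identifies itself as LibreSSL. */
static int gate_enabled(unsigned long v, unsigned long threshold,
                        int is_libressl, int exclude_libressl)
{
    if (exclude_libressl && is_libressl)
        return 0;
    return v >= threshold;
}

int main(void)
{
    /* Values quoted in the thread: 1.1.1-dev, 1.1.1 release, LibreSSL. */
    const unsigned long vals[] = { 0x10101000UL, 0x1010100fUL, 0x20000000UL };
    const int libressl[]       = { 0, 0, 1 };

    for (int i = 0; i < 3; i++) {
        struct ossl_ver d = decode_version(vals[i]);
        printf("0x%08lx -> %u.%u.%u patch=%u status=0x%x "
               "old_gate=%d new_gate=%d new_gate_no_libressl=%d\n",
               vals[i], d.major, d.minor, d.fix, d.patch, d.status,
               gate_enabled(vals[i], 0x10101000UL, libressl[i], 0),
               gate_enabled(vals[i], 0x1010100fUL, libressl[i], 0),
               gate_enabled(vals[i], 0x1010100fUL, libressl[i], 1));
    }
    return 0;
}
```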

