On Mon, Dec 16, 2019 at 10:09 AM Lukas Tribus <li...@ltri.eu> wrote:
>
> On Mon, 16 Dec 2019 at 19:00, Илья Шипицин <chipits...@gmail.com> wrote:
> >
> >
> >
> > пн, 16 дек. 2019 г. в 22:42, Rosen Penev <ros...@gmail.com>:
> >>
> >> LIBRESSL_VERSION_NUMBER evaluates to 0 under OpenSSL, making the condition
> >> always true. Check for the define before checking it.
> >>
> >> Signed-off-by: Rosen Penev <ros...@gmail.com>
> >> ---
> >> include/common/openssl-compat.h | 2 +-
> >> 1 file changed, 1 insertion(+), 1 deletion(-)
> >>
> >> diff --git a/include/common/openssl-compat.h
> >> b/include/common/openssl-compat.h
> >> index 25102fbe3..c5029d133 100644
> >> --- a/include/common/openssl-compat.h
> >> +++ b/include/common/openssl-compat.h
> >> @@ -278,7 +278,7 @@ static inline void EVP_PKEY_up_ref(EVP_PKEY *pkey)
> >> #define TLSEXT_signature_ecdsa 3
> >> #endif
> >>
> >> -#if (OPENSSL_VERSION_NUMBER < 0x10100000L) || (LIBRESSL_VERSION_NUMBER <
> >> 0x20700000L)
> >> +#if (HA_OPENSSL_VERSION_NUMBER < 0x1010000fL) && (LIBRESSL_VERSION_NUMBER
> >> < 0x2070000fL)
> >
> >
> > assuming "&& (LIBRESSL_VERSION_NUMBER < 0x2070000fL)" part ... it is only
> > relevant for LibreSSL, right ?
> > if so, should we leave just second part and omit first ?
>
> Any reason why would not just #ifndef X509_getm_notBefore, testing for
> what we actually want instead of those backbreaking version
> assumptions?
X509_getm_notBefore is a function, not a define.
>
>
> Lukas
