Fri, 20 Dec 2019 at 22:47, Lukas Tribus <lu...@ltri.eu>:

> SSL_CTX_set_ecdh_auto() is not defined when OpenSSL 1.1.1 is compiled
> with the no-deprecated option. Remove existing, incomplete guards and
> add a compatibility macro in openssl-compat.h, just as OpenSSL does:
>
>
> https://github.com/openssl/openssl/blob/bf4006a6f9be691ba6eef0e8629e63369a033ccf/include/openssl/ssl.h#L1486
> ---
>
> Please wait for Ilya's comments before committing this patch.
>

Ack from me.


> thanks,
> -l
>
> ---
>  include/common/openssl-compat.h | 4 ++++
>  src/ssl_sock.c                  | 2 --
>  2 files changed, 4 insertions(+), 2 deletions(-)
>
> diff --git a/include/common/openssl-compat.h
> b/include/common/openssl-compat.h
> index 31971bd..72b4e2f 100644
> --- a/include/common/openssl-compat.h
> +++ b/include/common/openssl-compat.h
> @@ -374,5 +374,9 @@ static inline void EVP_PKEY_up_ref(EVP_PKEY *pkey)
>  #define BIO_meth_set_destroy(m, f) do { (m)->destroy = (f); } while (0)
>  #endif
>
> +#ifndef SSL_CTX_set_ecdh_auto
> +#define SSL_CTX_set_ecdh_auto(dummy, onoff)      ((onoff) != 0)
> +#endif
> +
>  #endif /* USE_OPENSSL */
>  #endif /* _COMMON_OPENSSL_COMPAT_H */
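
Review bot: the `#ifndef SSL_CTX_set_ecdh_auto` test in the added block only behaves as intended while every supported library exposes this name as a preprocessor macro, and the fallback `((onoff) != 0)` ignores its first argument, so a build that picks it up configures nothing on the context and still evaluates to success. A short comment above the `#define` stating that the fallback mirrors the OpenSSL definition linked in the commit message, and that it is meant for libraries where the call has no effect, would make that assumption explicit.
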
> diff --git a/src/ssl_sock.c b/src/ssl_sock.c
> index 00258b1..e4dd913 100644
> --- a/src/ssl_sock.c
> +++ b/src/ssl_sock.c
> @@ -5178,9 +5178,7 @@ int ssl_sock_prepare_ctx(struct bind_conf
> *bind_conf, struct ssl_bind_conf *ssl_
>                                   err && *err ? *err : "", curproxy->id,
> conf_curves, bind_conf->arg, bind_conf->file, bind_conf->line);
>                         cfgerr |= ERR_ALERT | ERR_FATAL;
>                 }
> -#if defined(SSL_CTX_set_ecdh_auto)
>                 (void)SSL_CTX_set_ecdh_auto(ctx, 1);
> -#endif
>         }
>  #endif
>  #if defined(SSL_CTX_set_tmp_ecdh) && !defined(OPENSSL_NO_ECDH)
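
Review bot: with the `#if defined(SSL_CTX_set_ecdh_auto)` guard removed, `(void)SSL_CTX_set_ecdh_auto(ctx, 1);` now compiles on every build but may expand to the constant from openssl-compat.h, and the `(void)` cast discards the result either way. A one-line comment at the call saying that it can be a no-op supplied by the compat header would help, since nothing at this site shows that any longer.
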
> --
> 2.7.4
>
>
