Hi Ilya,

On Wed, Nov 04, 2020 at 12:43:44AM +0500, ???? ??????? wrote:
> Hi,
>
> let us use macros instead of openssl versions.
>
> Cheers,
> Ilya
> From 278857e7d21e593e1b5a05a05605c89bdb08581d Mon Sep 17 00:00:00 2001
> From: Ilya Shipitsin <chipits...@gmail.com>
> Date: Wed, 4 Nov 2020 00:39:07 +0500
> Subject: [PATCH 1/2] BUILD: ssl: use feature macros for detecting ec curves
> manipulation support
>
> let us use SSL_CTX_set1_curves_list (OpenSSL), SSL_CTRL_SET_CURVES_LIST
> (BoringSSL)
> for feature detection instead of versions
> ---
> include/haproxy/ssl_sock-t.h | 2 +-
> src/cfgparse-ssl.c | 8 ++++----
> src/ssl_sock.c | 2 +-
> 3 files changed, 6 insertions(+), 6 deletions(-)
>
> diff --git a/include/haproxy/ssl_sock-t.h b/include/haproxy/ssl_sock-t.h > index c8c8616ea..1f9045cb9 100644 > --- a/include/haproxy/ssl_sock-t.h > +++ b/include/haproxy/ssl_sock-t.h > @@ -274,7 +274,7 @@ struct global_ssl { > char *listen_default_ciphersuites; > char *connect_default_ciphersuites; > #endif > -#if ((HA_OPENSSL_VERSION_NUMBER >= 0x1000200fL) || > defined(LIBRESSL_VERSION_NUMBER)) > +#if (defined SSL_CTX_set1_curves_list || defined SSL_CTRL_SET_CURVES_LIST)

I could run that from 0.9.8 to 1.1.1 and confirm it gives the same results
(not tested on libressl though). However given that it results in yet
another "OR" between two variables supposedly identical, I think we should
remap the boringssl one to the SSL_CTX_set1_curves_list in openssl-compat.h,
something like this:

    #if !defined(SSL_CTX_set1_curves_list) && defined(SSL_CTRL_SET_CURVES_LIST)
    // boringSSL only sets SSL_CTRL_SET_CURVES_LIST
    // map the name to itself so that "defined" sees it and calls to the
    // function still expand to the function
    #define SSL_CTX_set1_curves_list SSL_CTX_set1_curves_list
    #endif

This way it's cleaner to only test on the canonical name through the code
(SSL_CTX_set1_curves_list). Not very important, I'll let William decide,
it's just a suggestion, because as you've certainly figured by yourself now,
this code full of #ifdef has become a real mess.

Cheers,
Willy
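
Review bot: the new condition on the `+#if` line in `struct global_ssl` drops the explicit `defined(LIBRESSL_VERSION_NUMBER)` branch, so whatever this `#if` guards inside the struct now exists on LibreSSL only if its headers expose `SSL_CTX_set1_curves_list` or `SSL_CTRL_SET_CURVES_LIST` as preprocessor macros; `defined` cannot see a plain function declaration. Because this guard sits in a shared type header, a false result compiles the guarded members out without any diagnostic, so a LibreSSL build check is worth doing before merging, and the test is only meaningful if the SSL library headers are already included at this point in ssl_sock-t.h. As a style point, the removed line used the parenthesized `defined(...)` form; writing `defined(SSL_CTX_set1_curves_list)` would stay consistent with it.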