On 02/02/2022 17:49, William Lallemand wrote:
Subject: [PATCH 2/7] BUILD: SSL: define X509_OBJECT for BoringSSL
X509_OBJECT is opaque in BoringSSL, since we still use it, let us move it to
openssl-compat.h
from
https://boringssl.googlesource.com/boringssl/+/refs/heads/2924/include/openssl/x509_vfy.h#120
I'm not really fond of this kind of declaration, most of the time we
added helpers that were available in recent versions of OpenSSL in this
file. But in this case, adding a whole structure that was removed...
with no guarantee that this will continue to work, is not a good idea.
From what I get they aligned the opaque structures with the OpenSSL API,
so we probably will have the same problem with OpenSSL v3 without the
obsolete API. And we are currently in the process of porting it to
HAProxy. We probably need to change the code that uses X509_OBJECT.
So I suppose it will start to work during this portage.
X509_OBJECT and the APIs working on this structure were not marked as
deprecated in OpenSSLv3, we are facing yet another place where BoringSSL
seems a bit excessive in what they want to keep hidden.
Managing BoringSSL would still be much more expensive than managing
OpenSSLv3 if this kind of problem happens on many structures.
Rémi