On 4. 1. 26 18:02, Branko Čibej wrote:
On 4. 1. 26 17:40, Daniel Sahlberg wrote:
[...]
Comment: N/A for Serf? We should probably still have such discussion
after reviewing the new APIs (below).
The "current stable branch" in our case is 1.3.x. Doesn't seem to be
anything there. Re LibreSSL, I've tested Serf builds on OpenBSD with
LibreSSL. Some SSL tests of course fail because of different error
reporting. We have special-casing there for different OpenSSL
versions, we could add similar for LibreSSL – not too onerous since it
advertises as OpenSSL 2.x.
On that note, Fedora/CentOS/RHEL have patched OpenSSL 3.x that has
stricter constraints, causing some of our SSL tests to fail, too.
We don't really have to delay 1.5 for this as long as we review the
failures and decide they're cosmetic only. Those kinds of fixes can be
backported later.
I can take a look at the state of that again. I should be able to
build with LibreSSL on my mac, too.
It was a good thing that I tried building with older OpenSSL and with
LibreSSL, I found some nits in the code that way; see r1931107.
Long story short: Our SSL tests pass with no comments with OpenSSL
1.1.1w, the last release from that stream. With LibreSSL 4.2.1, we get
11 failures and all of them are because of different expected output
(errors) emitted by LibreSSL.
IIRC, with OpenSSL 3.2 on Fedora 43, we get 4 such failures.
IMO let's leave the cosmetics for trunk and 1.5.x backports.
However, I would like to gather all the Cert/URI related conditional
code to one place; right now it's scattered all over ssl_buckets.c and
there's no good reason for that. It's one of the for r1931107.
-- Brane