> Le 14 juin 2017 à 16:43, Willy Tarreau <[email protected]> a écrit :
> 
> On Wed, Jun 14, 2017 at 03:11:28PM +0200, Christopher Faulet wrote:
>> Hi,
>> 
>> HAProxy compilation fails if OpenSSL 1.0.2 is compiled without the support
>> of SSLv3 methods (SSL3_server_method and SSL3_client_method). The manpage
>> SSL_CTX_new(3) specifies that these functions are available if
>> OPENSSL_NO_SSL3_METHOD is undefined. Here is a fix.
> 
> These days I feel like every build fix for one version of openssl breaks
> another one. We'll quickly need to have something to validate the build
> on the various configurations, or it'll become a real mess. I already
> hate it that all openssl forks have significantly diverged to the point
> of having to cheat on the #ifdefs. I think in the future we'll have to
> default to reverting patches for non-legacy openssl when they break the
> legacy one. I'm not claiming it was the case here, just that we really
> need to be very careful.
> 
> Applied, thanks.
> Willy
> 

I agree, but is it really possible to do that with all SSL implementations,
versions and builds with special options like in this case?

In this case, with OpenSSL 1.0.2 built without SSLv3, the #define
SSL_OP_NO_SSLv3 is not set to 0 (or undefined); otherwise it would not break
the haproxy build. Same mistake in two minor versions of LibreSSL (extract
from my patch on the mailing list):
"Setting SSL_OP_NO_SSLv3 to 0 makes the haproxy compilation aware that SSLv3
is unsupported by the library. LibreSSL 2.3.0 removes SSLv3 support, but
SSL_OP_NO_SSLv3 is not set to 0 until version 2.3.2."

This patch fixes the build, but haproxy will continue to suppose that SSLv3
is supported.

I'll stop here for today; otherwise the headache will soon arrive with this heat.

Manu
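The thread above turns on two separate signals a library build exposes: whether the SSLv3 method functions are compiled out (OPENSSL_NO_SSL3_METHOD) and whether SSL_OP_NO_SSLv3 carries a non-zero value. The following probe is an added example, not HAProxy, OpenSSL or LibreSSL code, showing how a build can refuse to treat SSLv3 as available unless both signals agree, so that a library that dropped SSLv3 without zeroing SSL_OP_NO_SSLv3 (the LibreSSL 2.3.0/2.3.1 case described above) is still detected. The EXAMPLE_* names and the example_* functions are assumptions made for this illustration; the probe compiles with or without an OpenSSL header installed and reads the flag value at run time rather than in an #if, so it does not depend on the macro being a plain integer literal in every library version.

```c
/* Added example: combine two library signals before assuming SSLv3 support.
 * Not part of HAProxy or any SSL library; all EXAMPLE_/example_ names are
 * assumptions for this illustration. */
#include <stdio.h>

/* Pull in <openssl/ssl.h> only if the compiler can find it, so the probe
 * still builds (and reports "no header") on a machine without OpenSSL. */
#if defined(__has_include)
#  if __has_include(<openssl/ssl.h>)
#    include <openssl/ssl.h>
#    define EXAMPLE_HAVE_SSL_HEADER 1
#  endif
#endif
#ifndef EXAMPLE_HAVE_SSL_HEADER
#  define EXAMPLE_HAVE_SSL_HEADER 0
#endif

/* Signal 1 (the fix applied in the thread): SSLv3_server_method() and
 * SSLv3_client_method() are declared only when OPENSSL_NO_SSL3_METHOD is
 * not defined. */
#if EXAMPLE_HAVE_SSL_HEADER && !defined(OPENSSL_NO_SSL3_METHOD)
#  define EXAMPLE_SSL3_METHOD_DECLARED 1
#else
#  define EXAMPLE_SSL3_METHOD_DECLARED 0
#endif

int example_have_ssl_header(void)
{
    return EXAMPLE_HAVE_SSL_HEADER;
}

int example_ssl3_method_declared(void)
{
    return EXAMPLE_SSL3_METHOD_DECLARED;
}

/* Signal 2 (what the thread says some builds get wrong): a library that
 * really removed SSLv3 should define SSL_OP_NO_SSLv3 as 0. The value is
 * read here at run time so the check works even when the macro is not a
 * plain integer literal. Returns 0 when the header or macro is absent. */
unsigned long long example_no_sslv3_flag(void)
{
#if EXAMPLE_HAVE_SSL_HEADER && defined(SSL_OP_NO_SSLv3)
    return (unsigned long long)SSL_OP_NO_SSLv3;
#else
    return 0ULL;
#endif
}

/* SSLv3 is treated as usable only when BOTH signals say so. A library that
 * dropped the methods but left the option flag non-zero (or vice versa)
 * is reported as unusable instead of being assumed to support SSLv3. */
int example_sslv3_usable(void)
{
    return EXAMPLE_SSL3_METHOD_DECLARED && example_no_sslv3_flag() != 0ULL;
}

/* Human-readable reason, suitable for a configure/build log line. */
const char *example_describe(void)
{
    if (!EXAMPLE_HAVE_SSL_HEADER)
        return "no <openssl/ssl.h> found: SSLv3 not usable";
    if (!EXAMPLE_SSL3_METHOD_DECLARED && example_no_sslv3_flag() != 0ULL)
        return "SSLv3 methods compiled out but SSL_OP_NO_SSLv3 is non-zero: "
               "inconsistent library build, SSLv3 not usable";
    if (!EXAMPLE_SSL3_METHOD_DECLARED)
        return "SSLv3 methods compiled out (OPENSSL_NO_SSL3_METHOD): not usable";
    if (example_no_sslv3_flag() == 0ULL)
        return "SSL_OP_NO_SSLv3 is 0: library reports SSLv3 removed, not usable";
    return "SSLv3 methods declared and SSL_OP_NO_SSLv3 non-zero: usable";
}

int main(void)
{
    printf("header=%d method_declared=%d no_sslv3_flag=0x%llx usable=%d\n",
           example_have_ssl_header(), example_ssl3_method_declared(),
           example_no_sslv3_flag(), example_sslv3_usable());
    printf("%s\n", example_describe());
    return 0;
}
```

Compile with plain `cc probe.c` (no -lssl is needed, since only macros from the header are used); the printed line shows which of the two signals, if any, would have misled a check that looked at SSL_OP_NO_SSLv3 alone.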