Re: [PATCH] BUG/MINOR: ssl: Be sure that SSLv3 connection methods exist for openssl < 1.1.0

Thu, 15 Jun 2017 05:37:51 -0700 

Hi Manu,

On Thu, Jun 15, 2017 at 02:17:01PM +0200, Emmanuel Hocdet wrote:
> The mistake is from commit 5db33cbd "MEDIUM: ssl: ssl_methods implementation 
> is
> reworked and factored for min/max tlsxx ยป. I lost the correct #define when i 
> rework my
> initials patches. This patch will fix that (for all ssl lib without SSLv3):

>From 3a013e94bbf93a83a37a73424afbc9916c9a2868 Mon Sep 17 00:00:00 2001
From: Emmanuel Hocdet <[email protected]>
Date: Thu, 15 Jun 2017 12:45:28 +0200
Subject: [PATCH] BUG/MINOR: ssl: remove haproxy SSLv3 support when ssl lib
 have no SSLv3

The commit 5db33cbd "MEDIUM: ssl: ssl_methods implementation is reworked and
factored for min/max tlsxx" drop this case. OPENSSL_NO_SSL3 is define when
ssl lib have no SSLv3 support, set SSL_OP_NO_SSLv3 to 0 makes sure that
haproxy is aware of this.
---
 src/ssl_sock.c | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/src/ssl_sock.c b/src/ssl_sock.c
index c3778b7..8940f09 100644
--- a/src/ssl_sock.c
+++ b/src/ssl_sock.c
@@ -1808,6 +1808,10 @@ ssl_sock_generate_certificate(const char *servername, 
struct bind_conf *bind_con
 #ifndef SSL_OP_NO_COMPRESSION                           /* needs OpenSSL >= 
0.9.9 */
 #define SSL_OP_NO_COMPRESSION 0
 #endif
+#ifdef OPENSSL_NO_SSL3                                  /* SSLv3 support 
removed */
+#undef  SSL_OP_NO_SSLv3
+#define SSL_OP_NO_SSLv3 0
+#endif
 #ifndef SSL_OP_NO_TLSv1_1                               /* needs OpenSSL >= 
1.0.1 */
 #define SSL_OP_NO_TLSv1_1 0
 #endif
@@ -1835,7 +1839,7 @@ typedef enum { SET_CLIENT, SET_SERVER } set_context_func;
 
 static void ctx_set_SSLv3_func(SSL_CTX *ctx, set_context_func c)
 {
-#if SSL_OP_NO_SSLv3 && !defined(OPENSSL_NO_SSL3_METHOD)
+#if SSL_OP_NO_SSLv3
        c == SET_SERVER ? SSL_CTX_set_ssl_version(ctx, SSLv3_server_method())
                : SSL_CTX_set_ssl_version(ctx, SSLv3_client_method());
 #endif


Hmmm, one checks OPENSSL_NO_SSL3 and the other one used to check
OPENSSL_NO_SSL3_METHOD, are you certain there's strict equivalence ? Also
do you feel sufficiently confident in doing #undef SSL_OP_NO_SSLv3 ? In
general I prefer to avoid unsetting what's defined by a lib when it might
also condition the way certain macros work.

Willy

Reply via email to