Google's boringssl has a different cipher_list, we cannot use it as in OpenSSL. This is due to the "Equal preference cipher groups" feature:
https://boringssl.googlesource.com/boringssl/+/858a88daf27975f67d9f63e18f95645be2886bfb^!/ also see: https://www.imperialviolet.org/2014/02/27/tlssymmetriccrypto.html cipher_list is used in haproxy since commit f46cd6e4ec3a ("MEDIUM: ssl: Add the option to use standardized DH parameters >= 1024 bits") to check if DHE ciphers are used. So, if boringssl is used, the patch just assumes that there is some DHE cipher enabled. This will lead to false positives, but thats better than compiler warnings and crashes. This may be replaced one day by properly implementing the the new style cipher_list, in the meantime this workaround allows to build and use boringssl. Signed-off-by: Lukas Tribus <[email protected]> --- src/ssl_sock.c | 14 +++++++++++--- 1 file changed, 11 insertions(+), 3 deletions(-) diff --git a/src/ssl_sock.c b/src/ssl_sock.c index 99c2b72..f1d604d 100644 --- a/src/ssl_sock.c +++ b/src/ssl_sock.c @@ -1478,6 +1478,7 @@ int ssl_sock_prepare_ctx(struct bind_conf *bind_conf, SSL_CTX *ctx, struct proxy SSL_MODE_ENABLE_PARTIAL_WRITE | SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER | SSL_MODE_RELEASE_BUFFERS; +#ifndef OPENSSL_IS_BORINGSSL STACK_OF(SSL_CIPHER) * ciphers = NULL; SSL_CIPHER * cipher = NULL; char cipher_description[128]; @@ -1488,6 +1489,10 @@ int ssl_sock_prepare_ctx(struct bind_conf *bind_conf, SSL_CTX *ctx, struct proxy const char dhe_export_description[] = " Kx=DH("; int idx = 0; int dhe_found = 0; +#else /* OPENSSL_IS_BORINGSSL */ + /* assume dhe_found if boringssl is detected */ + int dhe_found = 1; +#endif /* Make sure openssl opens /dev/urandom before the chroot */ if (!ssl_initialize_random()) { @@ -1579,6 +1584,8 @@ int ssl_sock_prepare_ctx(struct bind_conf *bind_conf, SSL_CTX *ctx, struct proxy /* If tune.ssl.default-dh-param has not been set and no static DH params were in the certificate file. */ if (global.tune.ssl_default_dh_param == 0) { + +#ifndef OPENSSL_IS_BORINGSSL ciphers = ctx->cipher_list; if (ciphers) { @@ -1592,10 +1599,11 @@ int ssl_sock_prepare_ctx(struct bind_conf *bind_conf, SSL_CTX *ctx, struct proxy } } } + } +#endif /* OPENSSL_IS_BORINGSSL */ - if (dhe_found) { - Warning("Setting tune.ssl.default-dh-param to 1024 by default, if your workload permits it you should set it to at least 2048. Please set a value >= 1024 to make this warning disappear.\n"); - } + if (dhe_found) { + Warning("Setting tune.ssl.default-dh-param to 1024 by default, if your workload permits it you should set it to at least 2048. Please set a value >= 1024 to make this warning disappear.\n"); } global.tune.ssl_default_dh_param = 1024; -- 1.9.1
