Hi Lukas,

>> in src/ssl_sock.c:1582:11:
>>>   ciphers = ctx->cipher_list;
>>
>> can we use the API instead of accessing cipher_list directly?
>> With [1] perhaps?

Yes, you are right, we could replace this line with something like:

STACK_OF(SSL_CIPHER) *ciphers = NULL;
SSL *ssl = NULL;
...
/* temporary SSL object, only used to read the cipher list through the API */
ssl = SSL_new(ctx);
if (ssl) {
   ciphers = SSL_get_ciphers(ssl);
   ...
   SSL_free(ssl);
}

I don't like allocating a new SSL * just to browse the ciphers list, but
it's only done at configuration time and it's cleaner.

> Be that as it may, BoringSSL changed the internal structure because
> of a specific feature, so whether we use the API or access directly
> is irrelevant because the structure is different:
> 
> https://boringssl.googlesource.com/boringssl/+/858a88daf27975f67d9f63e18f95645be2886bfb%5E!/
> 
> 
> Perhaps we should #ifdef the particular code in haproxy out when
> boringssl is used (and be silent or simply assume that DHE is used).

I don't have a working BoringSSL build right now, but it seems that
SSL_get_ciphers() still returns a valid STACK_OF(SSL_CIPHER) *, so I
think the previous fix would still work. The new internal structure
still seems to use the same STACK_OF(SSL_CIPHER) *, with an
additional field to handle cipher groups.

-- 
Rémi
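
An added example, not part of this thread or of HAProxy's code, showing the
API-based approach above from Python: CPython's ssl module implements
SSLContext.get_ciphers() with the same SSL_new() / SSL_get_ciphers() /
SSL_free() sequence, and each returned dict carries the
SSL_CIPHER_description() string. The "DHE in use" check is an assumed
configuration-time check of the kind the thread discusses (it assumes
OpenSSL describes ephemeral DH key exchange as "Kx=DH"); the cipher
strings are constructed inputs.

```python
# Added example (not HAProxy's code). Python's ssl module wraps the OpenSSL
# API discussed in the mail: SSLContext.get_ciphers() creates a temporary SSL
# object from the context, reads SSL_get_ciphers() and frees it again, so the
# internal ctx->cipher_list field is never touched.
import ssl

# Assumption: OpenSSL's SSL_CIPHER_description() marks ephemeral DH ciphers
# with "Kx=DH" (or "Kx=DH(" on old export suites). ECDHE ciphers read
# "Kx=ECDH" and TLS 1.3 suites "Kx=any", so neither matches these markers.
DHE_MARKERS = (" Kx=DH ", " Kx=DH(")


def configured_ciphers(cipher_string):
    """Return the description strings of the ciphers OpenSSL selects for a
    cipher string, obtained through the public API only."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.set_ciphers(cipher_string)
    return [c["description"] for c in ctx.get_ciphers()]


def dhe_in_use(cipher_string):
    """True if any selected cipher negotiates an ephemeral DH key exchange,
    i.e. the configuration will need DH parameters."""
    return any(any(marker in desc for marker in DHE_MARKERS)
               for desc in configured_ciphers(cipher_string))


if __name__ == "__main__":
    # Constructed sample cipher strings: one ECDHE-only, one including DHE.
    for cs in ("ECDHE-RSA-AES128-GCM-SHA256",
               "DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256"):
        print(f"{cs}: DHE in use = {dhe_in_use(cs)}")
```

Matching on the description string rather than on the cipher name avoids
the trap that "ECDHE-..." names contain "DHE" as a substring.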
