On 2015-10-19 16:29:45 +0200, Willy Tarreau wrote:
> On Mon, Oct 19, 2015 at 03:05:05PM +0200, Christopher Faulet wrote:
> > Damned! I generated a huge amount of disturbances with my patches! Really
> > sorry for that.
>
> Shit happens sometimes. I had my hours of fame with option
> http-send-name-header merged in 1.4-stable years ago, and that was so badly
> designed that it still managed to cause a lot of trouble during 1.6-dev.
>
> > Adding a #ifdef to check the OpenSSL version seems to be a good fix. I
> > don't know if there is a workaround to do the same as
> > EVP_PKEY_get_default_digest_nid() for old OpenSSL versions.
>
> I was unsure how the code was supposed to work given that two blocks
> were replaced by two others and I was unsure whether there was a
> dependence. So as long as we can fall back to the pre-patch behaviour
> I'm perfectly fine.
>
> > This function is used to get the default signature digest associated with the
> > private key used to sign generated X509 certificates. It is called when
> > the private key differs from EVP_PKEY_RSA, EVP_PKEY_DSA and EVP_PKEY_EC.
> > It should be enough for most cases (maybe all cases?).
>
> OK great.
>
> > By the way, I attached a patch to fix the bug.
>
> Thank you. Marcus, can you confirm that it's OK for you with this fix so
> that I can merge it?
Confirmed: compiles now.

Just for my understanding ... we do not hit the compile error we saw
before with ssl_sock_switchctx_cbk now because we jump out of the
ssl_sock_prepare_ctx function early. My question would be ... could we
jump out even earlier if we already know that we will fail? E.g. why
create the private key and set up the new X509 object if we already
know it will fail? Why not go to mkcert_error at the top of the function?
darix
--
openSUSE - SUSE Linux is my linux
openSUSE is good for you
www.opensuse.org
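The two points raised in this thread, falling back to a fixed digest choice for RSA/DSA/EC keys when the library cannot supply a default, and failing before any key or certificate object is created when the failure is already known, are shown below in a self-contained C sketch. This is an added illustration, not HAProxy's or OpenSSL's code: the key-type enum, the digest constants, the HAVE_DEFAULT_DIGEST_LOOKUP macro (standing in for an OPENSSL_VERSION_NUMBER check), and the allocation tracking are all constructed for the example, and `mkcert`, `pick_digest` and `mkcert_error` are hypothetical names modelled on the ones mentioned in the discussion.

```c
#include <stdio.h>
#include <stdlib.h>

/* Constructed stand-ins for the key algorithms named in the thread. */
enum key_type { KEY_RSA, KEY_DSA, KEY_EC, KEY_OTHER };

/* Constructed digest identifiers (not real OpenSSL NIDs). */
#define DIGEST_NONE   0
#define DIGEST_SHA256 1

/* Hypothetical compile-time switch playing the role of an
 * "#if OPENSSL_VERSION_NUMBER >= ..." guard: when it is 0 we model an old
 * library with no way to ask the key for its default digest. */
#ifndef HAVE_DEFAULT_DIGEST_LOOKUP
#define HAVE_DEFAULT_DIGEST_LOOKUP 0
#endif

/* Outstanding allocations, so a test can verify nothing leaks or is
 * created on a doomed call. */
static int allocations_live = 0;

static void *track_alloc(size_t n)
{
    void *p = calloc(1, n);
    if (p)
        allocations_live++;
    return p;
}

static void track_free(void *p)
{
    if (p) {
        allocations_live--;
        free(p);
    }
}

/* Pre-patch behaviour for RSA/DSA/EC: a fixed digest. For any other key
 * type a library lookup is needed, which only exists behind the guard. */
static int pick_digest(enum key_type kt)
{
    switch (kt) {
    case KEY_RSA:
    case KEY_DSA:
    case KEY_EC:
        return DIGEST_SHA256;
    default:
#if HAVE_DEFAULT_DIGEST_LOOKUP
        return DIGEST_SHA256;   /* would come from the library lookup */
#else
        return DIGEST_NONE;     /* no digest available: caller must fail */
#endif
    }
}

struct cert { void *pkey; void *x509; int digest; };

/* Checks that need no resources (is there a usable digest at all?) run
 * first, so a call that is known to fail allocates nothing and the single
 * error label only has to undo what was actually created. */
struct cert *mkcert(enum key_type kt)
{
    struct cert *c = NULL;
    int digest = pick_digest(kt);

    if (digest == DIGEST_NONE)
        goto mkcert_error;              /* bail out before creating anything */

    c = track_alloc(sizeof(*c));
    if (!c)
        goto mkcert_error;
    c->pkey = track_alloc(64);          /* stands in for the private key */
    if (!c->pkey)
        goto mkcert_error;
    c->x509 = track_alloc(128);         /* stands in for the X509 object */
    if (!c->x509)
        goto mkcert_error;
    c->digest = digest;
    return c;

mkcert_error:
    if (c) {
        track_free(c->x509);
        track_free(c->pkey);
        track_free(c);
    }
    return NULL;
}

void free_cert(struct cert *c)
{
    if (c) {
        track_free(c->x509);
        track_free(c->pkey);
        track_free(c);
    }
}

/* Returns the number of live allocations after a call that must fail. */
int demo_fail_fast(void)
{
    struct cert *c = mkcert(KEY_OTHER);
    return c == NULL ? allocations_live : -1;
}

/* Returns 1 when an RSA cert is built with the expected digest and freed
 * without leaking, 0 otherwise. */
int demo_success(void)
{
    struct cert *c = mkcert(KEY_RSA);
    int ok = c && c->digest == DIGEST_SHA256 && allocations_live == 3;
    free_cert(c);
    return ok && allocations_live == 0;
}

int main(void)
{
    printf("fail-fast leaves %d allocations\n", demo_fail_fast());
    printf("rsa path ok: %d\n", demo_success());
    return 0;
}
```

Compiling with `-DHAVE_DEFAULT_DIGEST_LOOKUP=1` models the newer library where the unknown key type succeeds; without it, the early `goto` is what keeps the old-library build from touching any resource before giving up.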