> On 19 окт. 2015 г., at 17:29, Willy Tarreau <w...@1wt.eu> wrote: > > Hi Christopher, > > On Mon, Oct 19, 2015 at 03:05:05PM +0200, Christopher Faulet wrote: >> Damned! I generated a huge amount of disturbances with my paches! Really >> sorry for that. > > Shit happens sometimes. I had my hours of fame with option > http-send-name-header merged in 1.4-stable years ago, and that was so badly > designed that it still managed to cause a lot of trouble during 1.6-dev. > >> Add a #ifdef to check the OpenSSL version seems to be a good fix. I >> don't know if there is a workaround to do the same than >> EVP_PKEY_get_default_digest_nid() for old OpenSSL versions. > > I was unsure how the code was supposed to work given that two blocks > were replaced by two others and I was unsure whether there was a > dependence. So as long as we can fall back to the pre-patch behaviour > I'm perfectly fine. > >> This function is used to get default signature digest associated to the >> private key used to sign generated X509 certificates. It is called when >> the private key differs than EVP_PKEY_RSA, EVP_PKEY_DSA and EVP_PKEY_EC. >> It should be enough for most of cases (maybe all cases ?). > > OK great. > >> By the way, I attached a patch to fix the bug. > > Thank you. Marcus, can you confirm that it's OK for you with this fix so > that I can merge it ?
Hello, 1.6.1 still does not build with OpenSSL < 1.0: src/ssl_sock.o: In function `ssl_sock_do_create_cert': ssl_sock.c:(.text+0x295b): undefined reference to `EVP_PKEY_get_default_digest_nid' Makefile:760: recipe for target 'haproxy' failed So is it intended behavior?