> > On 16.11.2016 at 15:39, Willy Tarreau wrote:
> > >
> > > Same here. What is annoying is that every time it appears, it's protected
> > > by a #if OPENSSL_VERSION_NUMBER >= 1.1.0 so that means that LibreSSL is
> > > spoofing OpenSSL version numbers without providing compatibility. If so,
> > > that will become quite painful to support.

I can see how over time this would become quite unsupportable.

> > Something like this (which is already in the code twice) should permit the
> > build:
> > #if (OPENSSL_VERSION_NUMBER >= ......... && !defined LIBRESSL_VERSION_NUMBER)
> >
> > It will be a mess, and it will unconditionally disable new features for all
> > LibreSSL releases, but I don't see any other easy way out of this.
>
> I think for the mid-term what we can do is to check what highest openssl
> version LibreSSL is compatible with, and redefine it accordingly. For example
> (not correct values) :
>
> #if LIBRESSL_VERSION_NUMBER >= 1.2.3.4
> #undef OPENSSL_VERSION_NUMBER
> #define OPENSSL_VERSION_NUMBER 1.0.2
> #endif

Would this happen in haproxy itself, or in the FreeBSD port carrying patches?

Thanks everybody for the suggestions & feedback. At present I can safely build all other production ports using LibreSSL, so I will try to get the FreeBSD port to build against ports security/OpenSSL statically. It should be possible to have our cake and eat it too / avoir le beurre et l'argent du beurre...

I'll post back when I get this sorted.

A+
Dave
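
The two suggestions quoted in this message, side by side, as an added example that is not code from the thread or from haproxy: it compiles the naive version gate, the per-site `!defined` guard and a central redefinition against constructed stand-in values for LibreSSL's headers. The sample `LIBRESSL_VERSION_NUMBER`, the choice of 1.0.1g as the mapped version and all helper names are assumptions.

```c
#include <stdio.h>
/* Constructed stand-ins for <openssl/opensslv.h> from a LibreSSL install,
 * so the file builds without any TLS headers present. */
#ifndef OPENSSL_VERSION_NUMBER
#define OPENSSL_VERSION_NUMBER  0x20000000L /* what LibreSSL reports */
#define LIBRESSL_VERSION_NUMBER 0x2050000fL /* constructed sample release */
#endif

/* Macros expand at the point of use, so this keeps the reported value. */
static const long reported_version = OPENSSL_VERSION_NUMBER;
/* 1. Naive gate: misfires, because 0x20000000 >= 0x10100000. */
#if OPENSSL_VERSION_NUMBER >= 0x10100000L
#define NAIVE_110 1
#else
#define NAIVE_110 0
#endif

/* 2. Per-site guard, as in the first quoted suggestion. */
#if OPENSSL_VERSION_NUMBER >= 0x10100000L && !defined(LIBRESSL_VERSION_NUMBER)
#define GUARDED_110 1
#else
#define GUARDED_110 0
#endif

/* 3. One central shim, as in the second suggestion. Assumption: LibreSSL is
 * treated as OpenSSL 1.0.1g (0x1000107fL), the release it was forked from. */
#ifdef LIBRESSL_VERSION_NUMBER
#undef OPENSSL_VERSION_NUMBER
#define OPENSSL_VERSION_NUMBER 0x1000107fL
#endif

#if OPENSSL_VERSION_NUMBER >= 0x10100000L
#define SHIMMED_110 1
#else
#define SHIMMED_110 0
#endif

long reported(void)  { return reported_version; }
long effective(void) { return OPENSSL_VERSION_NUMBER; }
int naive_110(void)   { return NAIVE_110; }
int guarded_110(void) { return GUARDED_110; }
int shimmed_110(void) { return SHIMMED_110; }

int main(void) {
    printf("reported=%#lx effective=%#lx naive=%d guarded=%d shimmed=%d\n",
           (unsigned long)reported(), (unsigned long)effective(),
           naive_110(), guarded_110(), shimmed_110());
    return 0;
}
```

The shim has to sit after the TLS headers are included and before the first version check, otherwise the gates still see the reported value.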

