I'm attaching two patches: a) patch-src_ssl__sock.c - it makes it possible to build HAProxy against LibreSSL 2.5.1 at all; b) patch-include_proto_openssl-compat.h - since the "auto" ECDHE API doesn't work out of the box, this patch is also needed
They are against the latest 20170209 snapshot. Please consider merging a) to
stable branches.
--
______________________________________
/ The things that interest people most \
\ are usually none of their business. /
--------------------------------------
\ ^__^
\ (oo)\_______
(__)\ )\/\
||----w |
|| ||
--- include/proto/openssl-compat.h.orig 2017-02-10 12:38:04 UTC
+++ include/proto/openssl-compat.h
@@ -183,7 +183,7 @@ static inline int EVP_PKEY_base_id(EVP_P
#endif
/* This function does nothing in 1.1.0 and doesn't exist in boringssl */
-#if defined(OPENSSL_IS_BORINGSSL) || (OPENSSL_VERSION_NUMBER >= 0x1010000fL)
+#if !defined(LIBRESSL_VERSION_NUMBER) && (defined(OPENSSL_IS_BORINGSSL) || (OPENSSL_VERSION_NUMBER >= 0x1010000fL))
#undef SSL_CTX_set_ecdh_auto
#define SSL_CTX_set_ecdh_auto(ctx, onoff)
#endif
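Review bot: The comment above the guard, `/* This function does nothing in 1.1.0 and doesn't exist in boringssl */`, no longer explains the condition once LibreSSL is carved out of it, and the reason is not obvious because LibreSSL reports an OPENSSL_VERSION_NUMBER of 0x20000000L and so satisfies the `>= 0x1010000fL` test. Replace it with something like `/* No-op in OpenSSL 1.1.0 and absent in BoringSSL. LibreSSL reports OPENSSL_VERSION_NUMBER 0x20000000L but still provides a real SSL_CTX_set_ecdh_auto, so it must keep the library call */`. Without that note the next person touching the guard will be tempted to simplify it back to the version compare.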
--- src/ssl_sock.c.orig 2017-02-08 18:08:38 UTC
+++ src/ssl_sock.c
@@ -829,10 +829,13 @@ static int ssl_sock_load_ocsp(SSL_CTX *c
ocsp = NULL;
#ifndef SSL_CTX_get_tlsext_status_cb
-# define SSL_CTX_get_tlsext_status_cb(ctx, cb) \
- *cb = (void (*) (void))ctx->tlsext_status_cb;
+#ifndef SSL_CTRL_GET_TLSEXT_STATUS_REQ_CB
+#define SSL_CTRL_GET_TLSEXT_STATUS_REQ_CB 128
#endif
- SSL_CTX_get_tlsext_status_cb(ctx, &callback);
+#define SSL_CTX_get_tlsext_status_cb(ctx, cb) \
+ *cb = SSL_CTX_ctrl(ctx,SSL_CTRL_GET_TLSEXT_STATUS_REQ_CB,0, (void (**)(void))cb)
+#endif
+ SSL_CTX_get_tlsext_status_cb(ctx, &callback);
if (!callback) {
struct ocsp_cbk_arg *cb_arg = calloc(1, sizeof(*cb_arg));
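Review bot: The replacement `SSL_CTX_get_tlsext_status_cb` macro assigns the return value of `SSL_CTX_ctrl()` to `*cb`, so `callback` ends up holding the ctrl's `long` status (stored into a function pointer, which is a constraint violation the compiler will at least warn about) and whatever callback the ctrl wrote through its last argument is overwritten. OpenSSL's own tls1.h spells this macro as a bare ctrl call, and the replacement should match it: `SSL_CTX_ctrl(ctx, SSL_CTRL_GET_TLSEXT_STATUS_REQ_CB, 0, (void (**)(void))cb)` with no `*cb =`. Supplying `128` here (and `129` in the `@@ -858` hunk) only helps if the library actually dispatches that ctrl number; if LibreSSL 2.5.1 does not, the ctrl returns 0 without touching `*cb`, and it is worth confirming against the LibreSSL source before depending on it. ssl_sock_load_ocsp starts and continues outside the hunk.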
@@ -858,10 +861,13 @@ static int ssl_sock_load_ocsp(SSL_CTX *c
int key_type;
EVP_PKEY *pkey;
-#ifdef SSL_CTX_get_tlsext_status_arg
- SSL_CTX_ctrl(ctx, SSL_CTRL_GET_TLSEXT_STATUS_REQ_CB_ARG, 0, &cb_arg);
+#if defined(SSL_CTX_get_tlsext_status_arg) || defined(LIBRESSL_VERSION_NUMBER)
+#ifndef SSL_CTRL_GET_TLSEXT_STATUS_REQ_CB_ARG
+#define SSL_CTRL_GET_TLSEXT_STATUS_REQ_CB_ARG 129
+#endif
+ SSL_CTX_ctrl(ctx, SSL_CTRL_GET_TLSEXT_STATUS_REQ_CB_ARG, 0, &cb_arg);
#else
- cb_arg = ctx->tlsext_status_arg;
+ cb_arg = ctx->tlsext_status_arg;
#endif
/*
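Review bot: The return value of `SSL_CTX_ctrl(ctx, SSL_CTRL_GET_TLSEXT_STATUS_REQ_CB_ARG, 0, &cb_arg)` is ignored and `cb_arg` (declared above the hunk, apparently without an initialiser) is only written if the library recognises the ctrl, so on a LibreSSL build where ctrl `129` is unimplemented `cb_arg` presumably reaches the dereferences that follow with an indeterminate value. Initialise it and fail on an empty lookup: `cb_arg = NULL;` before the call, then `if (SSL_CTX_ctrl(ctx, SSL_CTRL_GET_TLSEXT_STATUS_REQ_CB_ARG, 0, &cb_arg) != 1 || !cb_arg)` leading to the function's existing error exit. The `|| defined(LIBRESSL_VERSION_NUMBER)` arm of the `#if` also deserves a one-line comment saying why LibreSSL takes the ctrl route instead of reading `ctx->tlsext_status_arg` directly (presumably the SSL_CTX struct is opaque there). ssl_sock_load_ocsp continues outside the hunk.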
@@ -1842,7 +1848,7 @@ static int ssl_sock_add_cert_sni(SSL_CTX
/* The following code is used for loading multiple crt files into
* SSL_CTX's based on CN/SAN
*/
-#if OPENSSL_VERSION_NUMBER >= 0x1000200fL && !defined(LIBRESSL_VERSION_NUMBER)
+#if (OPENSSL_VERSION_NUMBER >= 0x1000200fL && !defined LIBRESSL_VERSION_NUMBER)
/* This is used to preload the certifcate, private key
* and Cert Chain of a file passed in via the crt
* argument
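Review bot: The rewritten `#if` in this hunk is semantically identical to the line it replaces: `!defined LIBRESSL_VERSION_NUMBER` and `!defined(LIBRESSL_VERSION_NUMBER)` are the same test, and the added outer parentheses change nothing. For a patch proposed for stable branches a no-op hunk is pure review noise and a future merge-conflict source; drop it, or if one spelling is preferred apply it to the whole file in a separate cleanup. The `#if` region it opens closes outside the hunk.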
@@ -3789,7 +3795,7 @@ int ssl_sock_handshake(struct connection
conn->err_code = CO_ER_SSL_HANDSHAKE;
#else
int empty_handshake;
-#if (OPENSSL_VERSION_NUMBER >= 0x1010000fL) && !defined(LIBRESSL_VERSION_NUMBER)
+#if (OPENSSL_VERSION_NUMBER >= 0x1010000fL)
OSSL_HANDSHAKE_STATE state = SSL_get_state((SSL *)conn->xprt_ctx);
empty_handshake = state == TLS_ST_BEFORE;
#else
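Review bot: Dropping `!defined(LIBRESSL_VERSION_NUMBER)` leaves this gate resting only on `OPENSSL_VERSION_NUMBER >= 0x1010000fL`, which every LibreSSL release satisfies because LibreSSL reports 0x20000000L, so the `OSSL_HANDSHAKE_STATE`/`TLS_ST_BEFORE` path is now selected for all LibreSSL versions rather than the 2.5.1 this was tested against; the same applies to the identical `@@ -3867` hunk and to the sctl guard in the `@@ -6978` hunk, whose guarded block continues outside that hunk and cannot be checked from here. Since `TLS_ST_BEFORE` is an enumerator and cannot be probed with `defined()`, the safer gate is a LibreSSL lower bound, e.g. `#if (OPENSSL_VERSION_NUMBER >= 0x1010000fL && !defined(LIBRESSL_VERSION_NUMBER)) || (defined(LIBRESSL_VERSION_NUMBER) && LIBRESSL_VERSION_NUMBER >= <first-release-providing-OSSL_HANDSHAKE_STATE>)`, with a short comment naming the release that introduced the type. ssl_sock_handshake starts and continues outside the hunk.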
@@ -3867,7 +3873,7 @@ int ssl_sock_handshake(struct connection
conn->err_code = CO_ER_SSL_HANDSHAKE;
#else
int empty_handshake;
-#if (OPENSSL_VERSION_NUMBER >= 0x1010000fL) && !defined(LIBRESSL_VERSION_NUMBER)
+#if (OPENSSL_VERSION_NUMBER >= 0x1010000fL)
OSSL_HANDSHAKE_STATE state = SSL_get_state((SSL *)conn->xprt_ctx);
empty_handshake = state == TLS_ST_BEFORE;
#else
@@ -6978,7 +6984,7 @@ static struct xprt_ops ssl_sock = {
.name = "SSL",
};
-#if (OPENSSL_VERSION_NUMBER >= 0x1000200fL && !defined OPENSSL_NO_TLSEXT && !defined OPENSSL_IS_BORINGSSL && !defined LIBRESSL_VERSION_NUMBER)
+#if (OPENSSL_VERSION_NUMBER >= 0x1000200fL && !defined OPENSSL_NO_TLSEXT && !defined OPENSSL_IS_BORINGSSL)
static void ssl_sock_sctl_free_func(void *parent, void *ptr, CRYPTO_EX_DATA *ad, int idx, long argl, void *argp)
{
signature.asc
Description: PGP signature

