Hi Pavlos

> On 14 March 2017 at 16:43, Pavlos Parissis <[email protected]> wrote:
>
> Hi,
>
> On Debian testing with openssl 1.1.0e, I get the following warnings when I
> compile 1.7 and 1.8:
> https://gist.githubusercontent.com/unixsurfer/9c42361822f23cfe36f3b2169133b551/raw/4665476fdfb2a94d287814a2c8a36215cbebb465/gistfile1.txt
>
> When I compile 1.6 I get errors and compilation fails:
> https://gist.githubusercontent.com/unixsurfer/4476410bbbaf2192af591123f4388850/raw/a733808a3028f0c9d7f53f4e699da6de3ae18969/gistfile1.txt
>
> I compile it with:
> make clean;make TARGET=linux2628 USE_PCRE=1 USE_OPENSSL=1 USE_ZLIB=1 USE_PCRE_JIT=1 USE_TPROXY=1
>
> Am I the only one seeing these warnings/errors? Searched on ML and someone
> mentioned that haproxy 1.6 won't support 1.1.0 version of openssl, is this
> accurate? Having openssl 1.0.2 and 1.1.0 on my personal development machine
> is fine, so zero problems here if 1.6 does not support openssl 1.1.0 version.
>
> Cheers,
> Pavlos
>
For the little story: openssl-1.1.0 and boringssl have SSL_CTX_set_min_proto_version/SSL_CTX_set_max_proto_version, and the other methods to set the protocol version are deprecated (or not implemented). It will be boring to keep compat with the haproxy ssl directives no-<method> and force-<method>. And perhaps the addition of some min-<method> and max-<method>.

Willy, what do you think?

Manu
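
The mapping raised in the message above, from no-<method>/force-<method> settings to a min/max version pair, as an added example (not haproxy's code and not part of the original message). The NO_* flags and proto_range() are hypothetical names; the version numbers are the same values as OpenSSL's SSL3_VERSION through TLS1_2_VERSION, defined locally so the block builds without OpenSSL headers.

```c
#include <stdio.h>

/* Wire version numbers, same values as OpenSSL's SSL3_VERSION .. TLS1_2_VERSION;
   defined locally (assumption) so the example builds without OpenSSL headers. */
enum { V_SSL3 = 0x0300, V_TLS10 = 0x0301, V_TLS11 = 0x0302, V_TLS12 = 0x0303 };
static const int versions[] = { V_SSL3, V_TLS10, V_TLS11, V_TLS12 };
#define NVERS 4

/* Hypothetical bit flags standing in for no-sslv3, no-tlsv10, no-tlsv11, no-tlsv12. */
#define NO_SSL3  (1u << 0)
#define NO_TLS10 (1u << 1)
#define NO_TLS11 (1u << 2)
#define NO_TLS12 (1u << 3)

/* Translate a no-<method> mask, or a force-<method> version (0 if unset), into
   a [min,max] range. Returns 0 on success, -1 if nothing is left enabled,
   -2 if the enabled set has a hole that a min/max pair cannot express. */
int proto_range(unsigned no_mask, int force, int *min, int *max)
{
    int i, lo = -1, hi = -1;

    if (force) {                 /* force-<method> pins both ends */
        *min = *max = force;
        return 0;
    }
    for (i = 0; i < NVERS; i++) {
        if (no_mask & (1u << i))
            continue;            /* this version is disabled */
        if (lo < 0)
            lo = i;              /* lowest enabled version */
        hi = i;                  /* highest enabled version so far */
    }
    if (lo < 0)
        return -1;
    for (i = lo; i <= hi; i++)
        if (no_mask & (1u << i))
            return -2;           /* e.g. no-tlsv11 alone: 1.0 and 1.2 but not 1.1 */
    *min = versions[lo];
    *max = versions[hi];
    return 0;
}

int main(void)
{
    int min, max;
    if (proto_range(NO_SSL3 | NO_TLS10, 0, &min, &max) == 0)
        printf("min=0x%04x max=0x%04x\n", min, max);
    return 0;
}
```

With OpenSSL 1.1.0 the resulting pair would be handed to SSL_CTX_set_min_proto_version() and SSL_CTX_set_max_proto_version(); the -2 case is the compatibility problem, since a no-<method> combination that leaves a gap has no min/max equivalent.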

