On 14/03/2017 05:24 μμ, Willy Tarreau wrote: > Hi Pavlos, > > On Tue, Mar 14, 2017 at 04:43:26PM +0100, Pavlos Parissis wrote: >> Hi, >> >> On Debian testing with openssl 1.1.0e, I get the following warnings when I >> compile 1.7 and 1.8: >> https://gist.githubusercontent.com/unixsurfer/9c42361822f23cfe36f3b2169133b551/raw/4665476fdfb2a94d287814a2c8a36215cbebb465/gistfile1.txt > > Yes these ones are known and for now we don't have any workaround. It > seems openssl 1.1 wants us to drop support for older TLS versions, but > we definitely can't do that so we'll have to live with the warnings :-/ > I couldn't find a way to make them disappear. >
No worries, it compiles at the end and haproxy starts:-) >> When I compile 1.6 I get errors and compilation fails: >> https://gist.githubusercontent.com/unixsurfer/4476410bbbaf2192af591123f4388850/raw/a733808a3028f0c9d7f53f4e699da6de3ae18969/gistfile1.txt > > This is indeed expected, openssl 1.1's API is very different from 1.0. > >> I compile it with: >> make clean;make TARGET=linux2628 USE_PCRE=1 USE_OPENSSL=1 USE_ZLIB=1 >> USE_PCRE_JIT=1 USE_TPROXY=1 >> >> Am I the only seeing these warnings/errors? Searched on ML and someone >> mentioned >> that haproxy 1.6 wont support 1.1.0 version of openssl, is this accurate? >> Having >> openssl 1.0.2 and 1.1.0 on my personal development machine is fine, so zero >> problems here if 1.6 does not support openssl 1.1.0 version. > > Yes that's accurate. The risk of breakage is far too high for this to be > backported to 1.6. With 1.7 not much different from 1.6, we'll have all > people willing to explore openssl 1.1 users upgrade to haproxy 1.7 with > very limited risks (and BTW some of the bugs currently affecting 1.7 are > also on 1.6 and are in fact uncovered by some fixes for bugs that were > hiding other ones). > I fully understand the situation, I will compile 1.6 against openssl 1.0.2 version on my Debian testing box. I am not using 1.6 version at all, too old :-), but I am reshuffling code in haproxyadmin python lib and I want to make sure it works with older versions of haproxy. Thanks for the reply, Pavlos
signature.asc
Description: OpenPGP digital signature