Hi Cyril,

> On 18 May 2017 at 23:02, Cyril Bonté <[email protected]> wrote:
> 
> Hi all,
> 
> On 12/05/2017 at 15:13, Willy Tarreau wrote:
>> Hi guys,
>> 
>> On Tue, May 09, 2017 at 11:21:36AM +0200, Emeric Brun wrote:
>>> It seems to do what we want, so we can merge it.
>> 
>> So the good news is that this patch set now got merged :-)
> 
> Commit 5db33cbdc4 [1] seems to have broken the compilation when
> OPENSSL_NO_SSL3 is defined: SSLv3_server_method() and SSLv3_client_method()
> won't exist in this case.
> Previously there was a condition to verify this, which has disappeared with 
> this patch set.
> 

There is something wrong with that. What is going on if haproxy is built with
OPENSSL_NO_SSL3 and the library supports SSLv3?
If the library does not support SSLv3, haproxy should compile and disable SSLv3
natively, without this compilation flag.

I looked at the current LibreSSL include and SSL_OP_NO_SSLv3 is correctly set to
0 => haproxy will build natively without SSLv3.
What is the value of SSL_OP_NO_SSLv3 in our ssl library?

Perhaps it could be fixed in openssl-compat.h:
#if LIBRESSL_VERSION_NUMBER >= X
#undef SSL_OP_NO_SSLv3
#define SSL_OP_NO_SSLv3 0
#endif

> 
>> Thanks for your time and efforts back-and-forth on this one!
>> Willy
>> 
> 
> [1] 
> http://www.haproxy.org/git?p=haproxy.git;a=commit;h=5db33cbdc4f2952cbd3c140edce0eda84e1447b4
> 
> -- 
> Cyril Bonté

