> On 14 June 2017 at 18:09, Emmanuel Hocdet <[email protected]> wrote:
>
>> On 14 June 2017 at 16:43, Willy Tarreau <[email protected]> wrote:
>>
>> On Wed, Jun 14, 2017 at 03:11:28PM +0200, Christopher Faulet wrote:
>>> Hi,
>>>
>>> HAProxy compilation fails if OpenSSL 1.0.2 is compiled without the support
>>> of SSLv3 methods (SSL3_server_method and SSL3_client_method). The manpage
>>> SSL_CTX_new(3) specifies that these functions are available if
>>> OPENSSL_NO_SSL3_METHOD is undefined. Here is a fix.
>>
>> These days I feel like every build fix for one version of openssl breaks
>> another one. We'll quickly need to have something to validate the build
>> on the various configurations, or it'll become a real mess. I already
>> hate it that all openssl forks have significantly diverged to the point
>> of having to cheat on the #ifdefs. I think in the future we'll have to
>> default to reverting patches for non-legacy openssl when they break the
>> legacy one. I'm not claiming it was the case here, just that we really
>> need to be very careful.
>>
>> Applied, thanks.
>> Willy
>>
>
> I agree, but is it really possible to do that with all SSL implementations,
> versions and builds with special options like this case?
>
> In this case, with OpenSSL 1.0.2 built without SSLv3, the #define
> SSL_OP_NO_SSLv3 is not set to 0 (or undef); otherwise it would not break
> the haproxy build. The same mistake exists in two minor versions of
> LibreSSL (extract from my patch on the mailing list):
> "Setting SSL_OP_NO_SSLv3 to 0 makes the haproxy compilation aware that SSLv3
> is unsupported by the library. LibreSSL 2.3.0 removes SSLv3 support but
> SSL_OP_NO_SSLv3 is not set to 0 until version 2.3.2"
>
> This patch fixes the build, but haproxy will continue to suppose that SSLv3
> is supported.
>
> I'll stop here for today, otherwise the headache will soon arrive with this heat.
>
Hi Willy,

The mistake comes from commit 5db33cbd "MEDIUM: ssl: ssl_methods implementation is reworked and factored for min/max tlsxx". I lost the correct #define when I reworked my initial patches. This patch will fix that (for all SSL libs without SSLv3):
0001-BUG-MINOR-ssl-remove-haproxy-SSLv3-support-when-ssl.patch

