Hi Emeric, Christopher If you can review when you have time. (3) for Christopher.
This patches allows to support native multicert selection (RSA/ECDSA) and ssl-min-ver/ ssl-max-ver per certificat with openssl 1.1.1 (boringssl is the only one to support this until this patch). patches: 1) Convert BoringSSL api call (CBS) to ssl-lib independent code. This is the biggest part and only depend on BoringSSL build (until 2). 2) support openssl 1.1.1 early callback API. It mimic BoringSSL api, and this is a good news (small patch). Do we want to push code for openssl 1.1.1 (dev) in haproxy (dev) now? 3) Add generated certificate for early switch-ctx. Historically this part has been skipped (no supported for boringssl). There are now a ssl_sock_generate_certificate_from_conn func, but i don’t understand how this take a real/generated cert. Christopher, can you take a look? ++ Manu
0001-MEDIUM-ssl-convert-CBS-BoringSSL-api-usage-to-neutra.patch
Description: Binary data
0002-MINOR-ssl-support-Openssl-1.1.1-early-callback-for-s.patch
Description: Binary data
0003-MINOR-ssl-generated-certificate-is-missing-in-switch.patch
Description: Binary data