> On 24 Oct 2017, at 18:47, Willy Tarreau <[email protected]> wrote:
>
> On Tue, Oct 24, 2017 at 06:26:26PM +0200, Emmanuel Hocdet wrote:
>> okay, patch split in 2 parts :)
>>
>> 1) support OPENSSL_NO_ASYNC #define
>> 2) BoringSSL switch OPENSSL_VERSION_NUMBER to 1.1.0 for compatibility.
>
> It's indeed more understandable to me now. And it allows me to spot this
> which I think is a leftover from another change you may have in your
> local tree :
>
> diff --git a/src/ssl_sock.c b/src/ssl_sock.c
> index 94d1290d0..bb1d69156 100644
> --- a/src/ssl_sock.c
> +++ b/src/ssl_sock.c
> @@ -46,6 +46,7 @@
> #include <openssl/x509.h>
> #include <openssl/err.h>
> #include <openssl/rand.h>
> +#include <openssl/hmac.h>
> #if (defined SSL_CTRL_SET_TLSEXT_STATUS_REQ_CB && !defined OPENSSL_NO_OCSP)
> #include <openssl/ocsp.h>
> #endif
> @@ -2055,7 +2056,7 @@ static int ssl_sock_switchctx_cbk(const struct
> ssl_early_callback_ctx *ctx)
> goto abort;
> }
> cipher = SSL_get_cipher_by_value(cipher_suite);
> - if (cipher && SSL_CIPHER_is_ECDSA(cipher)) {
> + if (cipher && SSL_CIPHER_get_auth_nid(cipher) ==
> NID_auth_ecdsa) {
> has_ecdsa = 1;
> break;
> }
>
> There's no mention of it in the commit message and it doesn't look much
> related to the various #ifdefs. Could you please double-check?
>
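Review bot: the added `#include <openssl/hmac.h>` in the first hunk is not accounted for by either part of the split series (OPENSSL_NO_ASYNC support, BoringSSL OPENSSL_VERSION_NUMBER bump), and no HMAC_* symbol is used anywhere in the visible diff; either name in the commit message the code that needs it, or drop the include so the patch only carries what its description says.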
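Review bot: the swap of `SSL_CIPHER_is_ECDSA(cipher)` for `SSL_CIPHER_get_auth_nid(cipher) == NID_auth_ecdsa` in ssl_sock_switchctx_cbk changes which library API the ECDSA-cert selection depends on, so the commit message should state that this BoringSSL-specific predicate is being replaced by the OpenSSL 1.1.0-style accessor that the version-number bump in part 2 relies on, and that both return the same answer for every cipher suite this loop can see. Separately, the `==` / `NID_auth_ecdsa) {` line has been wrapped by the mail client, so the patch as pasted will not apply cleanly; please resend it as an attachment or with line wrapping disabled.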
It’s in #ifdef BORINGSSL and it’s an old BoringSSL API call moved to an OpenSSL 1.1.0 compat API call. It's really part of the patch.

> Otherwise I'm fine with the other changes, they seem totally riskless.
>

++ Manu

