On 2018-02-15 15:03, Lukas Tribus wrote:
Hello,
On 15 February 2018 at 13:42, Bernard Spil <br...@freebsd.org> wrote:
Hello HAProxy maintainers,
https://github.com/Sp1l/haproxy/tree/20180215-fix-no-NPN
Fix build with OpenSSL without NPN capability
OpenSSL can be built without NEXTPROTONEG support by passing
-no-npn to the configure script. This sets the
OPENSSL_NO_NEXTPROTONEG flag in opensslconf.h
Since NEXTPROTONEG is now considered deprecated, it is superseded
by ALPN (Application Layer Protocol Next), HAProxy should allow
building without NPN support.
Git diff attached for your consideration.
Please don't remove npn config parsing (no ifdefs in "ssl_bind_kw
ssl_bind_kws" and "bind_kw_list bind_kws"). ssl_bind_parse_npn returns
a fatal configuration error when npn is configured and the library
doesn't support it.
"library does not support TLS NPN extension" is a better error message
than something like "npn is not a valid keyword".
Otherwise I agree, thanks for the patch!
cheers,
lukas
Hi Lukas,
Agree. Updated patch attached.
Bernard.
From e3c39d698d8a6ab4fe99d9681fe3cfbe6c9eb272 Mon Sep 17 00:00:00 2001
From: Bernard Spil <br...@freebsd.org>
Date: Thu, 15 Feb 2018 13:34:58 +0100
Subject: [PATCH] Fix build with OpenSSL without NPN capability
OpenSSL can be built without NEXTPROTONEG support by passing
-no-npn to the configure script. This sets the
OPENSSL_NO_NEXTPROTONEG flag in opensslconf.h
Since NEXTPROTONEG is now considered deprecated, it is superseded
by ALPN (Application Layer Protocol Next), HAProxy should allow
building without NPN support.
---
src/ssl_sock.c | 18 +++++++++++-------
1 file changed, 11 insertions(+), 7 deletions(-)
diff --git a/src/ssl_sock.c b/src/ssl_sock.c
index e6945c0c..93286a88 100644
--- a/src/ssl_sock.c
+++ b/src/ssl_sock.c
@@ -1596,7 +1596,7 @@ void ssl_sock_msgcbk(int write_p, int version, int content_type, const void *buf
ssl_sock_parse_clienthello(write_p, version, content_type, buf, len, ssl);
}
-#ifdef OPENSSL_NPN_NEGOTIATED
+#if defined(OPENSSL_NPN_NEGOTIATED) && !defined(OPENSSL_NO_NEXTPROTONEG)
/* This callback is used so that the server advertises the list of
* negociable protocols for NPN.
*/
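Review bot: the compound guard `#if defined(OPENSSL_NPN_NEGOTIATED) && !defined(OPENSSL_NO_NEXTPROTONEG)` introduced here is repeated verbatim in all seven hunks of this patch; consider defining it once in a shared header as a single feature macro (a hypothetical name such as `HAVE_SSL_NPN`) and guarding each block with that, so future NPN-dependent code cannot drift out of sync with this condition. The guard itself is the right fix: the build failure described in the commit message shows that `OPENSSL_NPN_NEGOTIATED` alone does not track a `no-npn` build, so the added `!defined(OPENSSL_NO_NEXTPROTONEG)` is what actually keeps the advertise callback out of the compilation.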
@@ -3500,7 +3500,7 @@ static int ssl_initialize_random()
void ssl_sock_free_ssl_conf(struct ssl_bind_conf *conf)
{
if (conf) {
-#ifdef OPENSSL_NPN_NEGOTIATED
+#if defined(OPENSSL_NPN_NEGOTIATED) && !defined(OPENSSL_NO_NEXTPROTONEG)
free(conf->npn_str);
conf->npn_str = NULL;
#endif
@@ -4216,7 +4216,7 @@ int ssl_sock_prepare_ctx(struct bind_conf *bind_conf, struct ssl_bind_conf *ssl_
SSL_CTX_set_msg_callback(ctx, ssl_sock_msgcbk);
#endif
-#ifdef OPENSSL_NPN_NEGOTIATED
+#if defined(OPENSSL_NPN_NEGOTIATED) && !defined(OPENSSL_NO_NEXTPROTONEG)
ssl_conf_cur = NULL;
if (ssl_conf && ssl_conf->npn_str)
ssl_conf_cur = ssl_conf;
@@ -6011,7 +6011,7 @@ static int ssl_sock_get_alpn(const struct connection *conn, const char **str, in
if (*str)
return 1;
#endif
-#ifdef OPENSSL_NPN_NEGOTIATED
+#if defined(OPENSSL_NPN_NEGOTIATED) && !defined(OPENSSL_NO_NEXTPROTONEG)
SSL_get0_next_proto_negotiated(conn->xprt_ctx, (const unsigned char **)str, (unsigned *)len);
if (*str)
return 1;
@@ -6673,7 +6673,7 @@ smp_fetch_ssl_fc_use_keysize(const struct arg *args, struct sample *smp, const c
return 1;
}
-#ifdef OPENSSL_NPN_NEGOTIATED
+#if defined(OPENSSL_NPN_NEGOTIATED) && !defined(OPENSSL_NO_NEXTPROTONEG)
static int
smp_fetch_ssl_fc_npn(const struct arg *args, struct sample *smp, const char *kw, void *private)
{
@@ -7363,7 +7363,7 @@ static int bind_parse_allow_0rtt(char **args, int cur_arg, struct proxy *px, str
/* parse the "npn" bind keyword */
static int ssl_bind_parse_npn(char **args, int cur_arg, struct proxy *px, struct ssl_bind_conf *conf, char **err)
{
-#ifdef OPENSSL_NPN_NEGOTIATED
+#if defined(OPENSSL_NPN_NEGOTIATED) && !defined(OPENSSL_NO_NEXTPROTONEG)
char *p1, *p2;
if (!*args[cur_arg + 1]) {
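Review bot: in line with the review request above, this hunk keeps `ssl_bind_parse_npn` registered and only guards its body, but the `#else` branch that returns the fatal "library does not support TLS NPN extension" error lies outside the hunk's context; please confirm it still follows this `#if` unchanged, because it now also has to serve libraries built with `OPENSSL_NO_NEXTPROTONEG`, where `OPENSSL_NPN_NEGOTIATED` may still be defined and the old `#ifdef` would have taken the wrong branch.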
@@ -8538,7 +8538,7 @@ static struct sample_fetch_kw_list sample_fetch_keywords = {ILH, {
{ "ssl_fc_has_early", smp_fetch_ssl_fc_has_early, 0, NULL, SMP_T_BOOL, SMP_USE_L5CLI },
{ "ssl_fc_has_sni", smp_fetch_ssl_fc_has_sni, 0, NULL, SMP_T_BOOL, SMP_USE_L5CLI },
{ "ssl_fc_is_resumed", smp_fetch_ssl_fc_is_resumed, 0, NULL, SMP_T_BOOL, SMP_USE_L5CLI },
-#ifdef OPENSSL_NPN_NEGOTIATED
+#if defined(OPENSSL_NPN_NEGOTIATED) && !defined(OPENSSL_NO_NEXTPROTONEG)
{ "ssl_fc_npn", smp_fetch_ssl_fc_npn, 0, NULL, SMP_T_STR, SMP_USE_L5CLI },
#endif
#ifdef TLSEXT_TYPE_application_layer_protocol_negotiation
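Review bot: with this guard the `ssl_fc_npn` sample fetch disappears from the keyword table in `no-npn` builds, so a configuration that references it fails with a generic unknown-fetch error rather than the explicit "library does not support" message the `npn` bind keyword gets; that is acceptable for a sample fetch, but it deserves a line in the commit message or in the `ssl_fc_npn` entry of the configuration documentation stating that the fetch is only available when OpenSSL is built with NPN support. The guard is consistent with the earlier hunk that guards the `smp_fetch_ssl_fc_npn` definition, so the table and the function cannot get out of step.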