On Fri, Jun 22, 2018 at 05:04:39PM -0700, PGNet Dev wrote:
> fyi,
>
> all the ssl 'magic' for haproxy appears to be in
>
>   src/ssl_sock.c
>
> which references
>
>   *Acknowledgement:
>   * We'd like to specially thank the Stud project authors for a very clean
>   * and well documented code which helped us understand how the OpenSSL API
>   * ought to be used in non-blocking mode. This is one difficult part which
>   * is not easy to get from the OpenSSL doc, and reading the Stud code made
>   * it much more obvious than the examples in the OpenSSL package. Keep up
>   * the good works, guys !
>   *
>   * Stud is an extremely efficient and scalable SSL/TLS proxy which combines
>   * particularly well with haproxy. For more info about this project, visit :
>   * https://github.com/bumptech/stud
>
> stud's not been updated in years, and per
>
>   https://github.com/bumptech/stud
>
>   Stud is now officially abandonware, thanks for playing.
>   Recommended alternative: https://github.com/varnish/hitch
>
> Stud's exemplar usage of the OpenSSL api is likely not the best reference for
> modern openssl api usage.
>
This was written a long time ago, during the first implementation of SSL in
2012. Before working on the SSL in HAProxy, some of us contributed to stud, but
that was 6 years ago; you can easily imagine that the code has evolved since
then. It's not like we are using stud within haproxy.

> Taking a look, instead, at the usage approach taken by recommended 'hitch',
>
>   git clone https://github.com/varnish/hitch.git
>   cd hitch
>
> their much-simpler, openssl 1.1.0-ready implementation code is in,
>
>   ./src/hssl_locks.c
>
> which notes, correctly
>
>   /*
>    * OpenSSL 1.1 has a new threading implementation that no longer
>    * requires the application to set its own locking callbacks.
>    */
>
> and avoids reference to, and use of, the previously mentioned deprecated
> symbols (cref: https://www.openssl.org/news/openssl-1.1.0-notes.html)
>
> it builds/installs
>
>   ./bootstrap
>   ./configure \
>     --prefix=/usr/local/hitch \
>     SSL_CFLAGS="-I/usr/local/openssl/include" \
>     SSL_LIBS="-L/usr/local/openssl11/lib64 -Wl,-rpath,/usr/local/openssl11/lib64 -lssl" \
>     CRYPTO_CFLAGS="-I/usr/local/openssl/include" \
>     CRYPTO_LIBS="-L/usr/local/openssl11/lib64 -Wl,-rpath,/usr/local/openssl11/lib64 -lcrypto"
>   make -j4
>   make install
>
> with no errors,
>
>   ldd /usr/local/hitch/sbin/hitch | egrep "ssl|crypto"
>     libssl.so.1.1 => /usr/local/openssl11/lib64/libssl.so.1.1 (0x00007f8c27cb6000)
>     libcrypto.so.1.1 => /usr/local/openssl11/lib64/libcrypto.so.1.1 (0x00007f8c2780d000)
>
>   /usr/local/hitch/sbin/hitch --version
>     hitch 1.4.8
>

Well, unfortunately haproxy is a very portable piece of software which compiles
with a huge number of openssl and boringssl versions; it's complicated to keep
everything clean, but any help is welcomed.

> particularly with tls1.3-capable openssl 1.1.1 "ComingSoon(tm)", might be
> worth a review
>

What are you suggesting there? I'm not sure I follow; is there a problem with
tls1.3 in haproxy?

--
William Lallemand
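The `ldd ... | egrep "ssl|crypto"` check quoted above is the right instinct when building against a private OpenSSL prefix, but reading the two lines by eye misses the cases that bite in practice: libssl resolving from the intended prefix while libcrypto silently resolves from the system, or the two libraries carrying different soname versions. The script below, an added example that is neither hitch's nor HAProxy's code, automates that check. It assumes the `ldd` output format shown in the post (`soname => path (address)`, or `=> not found`); the function names `ssl_link_check_ldd` and `ssl_link_check` are hypothetical, and the sample outputs embedded in the script are constructed (the first is the pair of lines quoted from the post).

```shell
#!/bin/sh
# Added example (not code from hitch or HAProxy): verify which OpenSSL build a
# binary actually resolved, instead of eyeballing `ldd | egrep "ssl|crypto"`.
# It fails when libssl and libcrypto come from different directories or carry
# different soname versions (e.g. libssl.so.1.1 next to libcrypto.so.1.0.0),
# which is what a mismatch between -L/-rpath and the system loader path yields.

# ssl_link_check_ldd: reads `ldd` output on stdin. Return codes:
#   0 ok, 2 no libssl/libcrypto dependency, 3 loader reports "not found",
#   4 libssl and libcrypto live in different directories, 5 different sonames.
ssl_link_check_ldd() {
    ssl_path= crypto_path=
    while IFS= read -r line; do
        case "$line" in
            *libssl.so*'=>'*)
                ssl_path=$(printf '%s\n' "$line" | sed 's/.*=>[[:space:]]*\([^[:space:]]*\).*/\1/') ;;
            *libcrypto.so*'=>'*)
                crypto_path=$(printf '%s\n' "$line" | sed 's/.*=>[[:space:]]*\([^[:space:]]*\).*/\1/') ;;
        esac
    done
    if [ -z "$ssl_path" ] || [ -z "$crypto_path" ]; then
        echo "no dynamic libssl/libcrypto dependency (static build, or no OpenSSL at all?)" >&2
        return 2
    fi
    # "libssl.so.1.1 => not found" leaves the word "not" as the extracted path.
    if [ "$ssl_path" = not ] || [ "$crypto_path" = not ]; then
        echo "libssl/libcrypto not found by the dynamic loader (check -rpath / LD_LIBRARY_PATH)" >&2
        return 3
    fi
    ssl_dir=${ssl_path%/*}
    crypto_dir=${crypto_path%/*}
    if [ "$ssl_dir" != "$crypto_dir" ]; then
        echo "mixed OpenSSL installations: $ssl_path vs $crypto_path" >&2
        return 4
    fi
    # Soname suffix after "libssl.so." / "libcrypto.so.", e.g. "1.1" or "1.0.0".
    ssl_ver=${ssl_path##*libssl.so.}
    crypto_ver=${crypto_path##*libcrypto.so.}
    if [ "$ssl_ver" != "$crypto_ver" ]; then
        echo "mixed OpenSSL ABI versions: $ssl_path vs $crypto_path" >&2
        return 5
    fi
    echo "OK: libssl $ssl_ver and libcrypto $crypto_ver both from $ssl_dir"
    return 0
}

# ssl_link_check: wrapper for a real binary, e.g.
#   ssl_link_check /usr/local/hitch/sbin/hitch
ssl_link_check() {
    ldd "$1" | ssl_link_check_ldd
}

# Constructed sample 1: the two ldd lines quoted in the post (same paths and addresses).
SAMPLE_OK='libssl.so.1.1 => /usr/local/openssl11/lib64/libssl.so.1.1 (0x00007f8c27cb6000)
libcrypto.so.1.1 => /usr/local/openssl11/lib64/libcrypto.so.1.1 (0x00007f8c2780d000)'

# Constructed sample 2: libssl from the private prefix, libcrypto from the distro.
SAMPLE_MIXED='libssl.so.1.1 => /usr/local/openssl11/lib64/libssl.so.1.1 (0x00007f0000000000)
libcrypto.so.1.0.0 => /lib/x86_64-linux-gnu/libcrypto.so.1.0.0 (0x00007f0000100000)'

printf '%s\n' "$SAMPLE_OK" | ssl_link_check_ldd
printf '%s\n' "$SAMPLE_MIXED" | ssl_link_check_ldd || echo "mixed sample rejected with status $?"
```

Two caveats. `ldd` only tells you which libraries the loader picks at run time; it says nothing about the headers the binary was compiled against, so a build whose `-I` points at one OpenSSL tree and whose `-L`/`-rpath` point at another (the quoted configure line uses `/usr/local/openssl/include` for headers and `/usr/local/openssl11/lib64` for libraries; whether those are one installation is not visible in the post) passes this check as long as the libraries agree with each other. Comparing the compile-time `OPENSSL_VERSION_NUMBER` with the run-time `OpenSSL_version_num()` (OpenSSL 1.1.0 and later) is the complementary check. Second, `ldd` executes the loader on the target, so run it only on binaries you built yourself or otherwise trust.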