Hi Willy,

> On 22 Jan 2019, at 07:07, Willy Tarreau <w...@1wt.eu> wrote:
>
> Hi guys,
>
> On Tue, Jan 22, 2019 at 03:22:38PM +0100, Emeric Brun wrote:
>> I think you can merge this.
>
> OK. I still find it very fragile in that we usually don't make a
> difference between an absent define and the same declared as zero, and
> most SSL_OP_* entries are defined this way in ssl_sock.c, but I don't
> see that many other options here. I think that the #ifndef at least
> deserves a comment indicating that it may also match a zero value to
> detect safe implementations so that we are not tempted later to refactor
> this and break BoringSSL.
>
> We can also add a Reported-By to ack Adam's original work on the issue.
>
> Just let me know if I need to adjust it myself or if anyone wants to take
> care of it.

I have adjusted the patch to make it more robust and to better match the style of how we use other options. How does this look to you?

Cheers,
Dirkjan

0001-BUG-MEDIUM-ssl-Fix-handling-of-TLS-1.3-KeyUpdate-mes.patch