Wed, 8 May 2019 at 13:03, Willy Tarreau <w...@1wt.eu>:

> Hi Ilya,
>
> On Wed, May 08, 2019 at 11:34:57AM +0500, ???? ??????? wrote:
> > From ad9961e92c692430272c9088a49759c889dac6f1 Mon Sep 17 00:00:00 2001
> > From: Ilya Shipitsin <chipits...@gmail.com>
> > Date: Wed, 8 May 2019 11:32:02 +0500
> > Subject: [PATCH] BUILD: do not use "RAND_keep_random_devices_open" when
> >  building against LibreSSL
> >
> > ---
> >  src/haproxy.c | 2 +-
> >  1 file changed, 1 insertion(+), 1 deletion(-)
> >
> > diff --git a/src/haproxy.c b/src/haproxy.c
> > index 4c371254..c8a8aaf0 100644
> > --- a/src/haproxy.c
> > +++ b/src/haproxy.c
> > @@ -590,7 +590,7 @@ void mworker_reload()
> >               ptdf->fct();
> >       if (fdtab)
> >               deinit_pollers();
> > -#if defined(USE_OPENSSL) && (OPENSSL_VERSION_NUMBER >= 0x10101000L)
> > +#if defined(USE_OPENSSL) && (OPENSSL_VERSION_NUMBER >= 0x10101000L) &&
> !defined LIBRESSL_VERSION_NUMBER)
>
> A parenthesis is missing here, please be careful to always try to build
> the code with submitted patches.
>
> >       if (global.ssl_used_frontend || global.ssl_used_backend)
> >               /* close random device FDs */
> >               RAND_keep_random_devices_open(0);
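
Review bot: The new "#if" condition is unbalanced as posted: "!defined LIBRESSL_VERSION_NUMBER)" closes a parenthesis that was never opened, so the line will not preprocess; write "!defined(LIBRESSL_VERSION_NUMBER)". With this guard, LibreSSL builds skip the RAND_keep_random_devices_open(0) call in mworker_reload() and nothing replaces it, so the commit message, which currently has only a subject line, should say why the random device FDs do not need closing there and which LibreSSL version(s) the build was tested against.
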
>
> Did you verify if this has an impact on FD leaks upon reloads when using
>

I made a mess two times :)



> libressl ? My understanding of this thing is that this problem is not
> easy to detect by accident and causes a mess for people who reload often.
> If libressl is affected by this we probably need to find a different
> fix. And if it's not affected, at least the tested version(s) must be
> mentioned in the commit message so that we can reconsider or refine this
> choice later if/when the problem appears with a subsequent version.
> CCing William and Emeric who worked on addressing this issue for OpenSSL.
>

I planned to have a look at it actually. The idea is to write some reg test
which will reload and watch for open FDs.
Not sure whether it is easy or not.


The idea behind the quick patch is "if you use LibreSSL you are on your own and
you have been warned"
(yes, we did our best to make it work with LibreSSL, but it is still a
niche solution, not very well tested).


> Thanks,
> Willy
>
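
A reload-and-watch-FDs check of the kind discussed above could look like this on Linux. It is an added example, not code from this thread or from HAProxy; the function names are hypothetical, and it assumes the master process keeps its PID across reloads and is reloaded with SIGUSR2.

```python
import os
import re
import signal
import time
from collections import Counter

RANDOM_DEVICES = {"/dev/random", "/dev/urandom"}

def fd_targets(pid, proc_root="/proc"):
    """Map each open FD number of `pid` to the target of its /proc symlink."""
    fd_dir = os.path.join(proc_root, str(pid), "fd")
    targets = {}
    for name in os.listdir(fd_dir):
        try:
            targets[int(name)] = os.readlink(os.path.join(fd_dir, name))
        except OSError:
            continue  # FD was closed between listdir() and readlink()
    return targets

def random_device_count(targets):
    """Count FDs that point at a kernel random device."""
    return sum(1 for t in targets.values() if t in RANDOM_DEVICES)

def fd_growth(before, after):
    """Per-kind increase in open FDs between two snapshots (leak candidates)."""
    kind = lambda t: re.sub(r":\[\d+\]$", "", t)  # socket:[123] -> socket
    grown = Counter(map(kind, after.values())) - Counter(map(kind, before.values()))
    return dict(grown)

def check_reloads(master_pid, reloads=5, settle=1.0, proc_root="/proc"):
    """Reload `reloads` times; return (random-device FD growth, all growth).

    Assumption: SIGUSR2 makes the master re-execute itself under the same
    PID, so /proc/<master_pid>/fd stays comparable across reloads.
    """
    before = fd_targets(master_pid, proc_root)
    for _ in range(reloads):
        os.kill(master_pid, signal.SIGUSR2)
        time.sleep(settle)  # crude wait for the re-exec to finish
    after = fd_targets(master_pid, proc_root)
    leaked = random_device_count(after) - random_device_count(before)
    return leaked, fd_growth(before, after)

if __name__ == "__main__":
    import sys
    leaked, growth = check_reloads(int(sys.argv[1]))
    print("random-device FD growth:", leaked, "| all growth:", growth)
    sys.exit(1 if leaked > 0 else 0)
```

Run once against an OpenSSL build and once against a LibreSSL build: any positive random-device growth after several reloads is the leak in question.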
