Wed, 8 May 2019 at 13:55, Willy Tarreau <w...@1wt.eu>:

> On Wed, May 08, 2019 at 01:13:56PM +0500, ???? ??????? wrote:
> > > libressl ? My understanding of this thing is that this problem is not
> > > easy to detect by accident and causes a mess for people who reload often.
> > > If libressl is affected by this we probably need to find a different
> > > fix. And if it's not affected, at least the tested version(s) must be
> > > mentioned in the commit message so that we can reconsider or refine this
> > > choice later if/when the problem appears with a subsequent version.
> > > CCing William and Emeric who worked on addressing this issue for OpenSSL.
> > >
> >
> > I planned to have a look at it actually. The idea is to write some reg test
> > which will reload and watch for open FDs.
> > not sure whether it is easy or not
>
> But before writing reg tests, it's important not to revert part of a patch
> without knowing if it brings the issue back. Otherwise you end up with a
> patch merged into a branch, making users believe their bug is fixed since
> the patch is there, while in fact it was later silently reverted as a
> "build fix".
>
> > the idea behind quick patch is "if you use LibreSSL you are on your own and
> > you have been warned"
> > (yes, we did our best to make it work with LibreSSL, but it is still a
> > niche solution, not very well tested)
>
> Some of the users here do rely on it. However, seeing that you had to
> turn off this test makes me think that LibreSSL pretends to be openssl
> 1.1.1 but is not compatible with it. I suspect that instead the OpenSSL
> test version is wrong in the original patch. It seems to be testing for
> 1.1.1-dev instead of testing for 1.1.1-release. So probably that this
> RAND_* function appears late in the development process and that libressl
> only complies with an early 1.1.1-dev version.
> Surprisingly I'm seeing that *all* of our tests for 1.1.1 are wrong. I
> suspect that one was either wrong or deliberate initially and that it
> got copy-pasted everywhere :-(
> Ilya, could you please instead change the test like this and test again :
> -#if defined(USE_OPENSSL) && (OPENSSL_VERSION_NUMBER >= 0x10101000L)
> +#if defined(USE_OPENSSL) && (OPENSSL_VERSION_NUMBER >= 0x1010100fL)
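
Review bot: the comparison on the `+` line is still true when building against LibreSSL, which defines `OPENSSL_VERSION_NUMBER` as `0x20000000L`, so moving the threshold from `0x10101000L` to `0x1010100fL` does not keep LibreSSL out of this block. If the guarded code needs OpenSSL 1.1.1 release APIs, add `&& !defined(LIBRESSL_VERSION_NUMBER)` to the condition, and record in the commit message which LibreSSL versions were tested, as requested earlier in the thread.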

LibreSSL defines it as

#define OPENSSL_VERSION_NUMBER    0x20000000L

it is bigger than any released OpenSSL (yet, for openssl master it is 3.0.0)

> Thanks,
> Willy
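
The version values discussed in this message, worked through as an added example (not code from HAProxy or from anyone in the thread): it decodes the `0xMNNFFPPS` layout that OpenSSL releases before 3.0 use for `OPENSSL_VERSION_NUMBER` and shows that LibreSSL's fixed `0x20000000L` passes both the old and the proposed threshold. The function names are hypothetical; `LIBRESSL_VERSION_NUMBER` is the macro LibreSSL's own headers define.

```c
#include <stdio.h>

/* OpenSSL < 3.0 packs the version as 0xMNNFFPPS:
 * major, minor, fix, patch, status (0 = dev, 1..e = beta, f = release). */
struct ossl_ver { unsigned major, minor, fix, patch, status; };

static struct ossl_ver decode_ver(unsigned long v)
{
    struct ossl_ver r;
    r.major  = (unsigned)((v >> 28) & 0xf);
    r.minor  = (unsigned)((v >> 20) & 0xff);
    r.fix    = (unsigned)((v >> 12) & 0xff);
    r.patch  = (unsigned)((v >> 4)  & 0xff);
    r.status = (unsigned)(v & 0xf);
    return r;
}

/* The plain numeric comparison the #if guards perform. */
static int passes_guard(unsigned long ver, unsigned long threshold)
{
    return ver >= threshold;
}

/* Hypothetical stricter check: the runtime equivalent of adding
 * !defined(LIBRESSL_VERSION_NUMBER) to the preprocessor condition. */
static int is_openssl_111_release(unsigned long ver, int is_libressl)
{
    return !is_libressl && ver >= 0x1010100fUL;
}

int main(void)
{
    /* Constructed samples: 1.1.1-dev, 1.1.1 release, LibreSSL's value. */
    const unsigned long samples[] = { 0x10101000UL, 0x1010100fUL, 0x20000000UL };
    const int libressl[] = { 0, 0, 1 };

    for (int i = 0; i < 3; i++) {
        struct ossl_ver d = decode_ver(samples[i]);
        printf("0x%08lx -> %u.%u.%u patch=%u status=0x%x old=%d new=%d strict=%d\n",
               samples[i], d.major, d.minor, d.fix, d.patch, d.status,
               passes_guard(samples[i], 0x10101000UL),
               passes_guard(samples[i], 0x1010100fUL),
               is_openssl_111_release(samples[i], libressl[i]));
    }
    return 0;
}
```
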
