Hi,

> On 27 Nov 2019, at 03:46, Willy Tarreau <[email protected]> wrote:
>
>> @@ -5046,7 +5046,9 @@ int ssl_sock_prepare_ctx(struct bind_conf *bind_conf, >> struct ssl_bind_conf *ssl_ >> NULL); >> >> if (ecdhe == NULL) { >> +#if defined(SSL_CTX_set_ecdh_auto) >> (void)SSL_CTX_set_ecdh_auto(ctx, 1); >> +#endif >> return cfgerr; >> } >> #else
>
> Here, in order to avoid the pollution caused by too many ifdefs, I'd
> instead put this into openssl-compat.h:
>
> +#if !defined(SSL_CTX_set_ecdh_auto) > +#define SSL_CTX_set_ecdh_auto(a,b) 0 > +#endif
>
> As long as we can keep all such changes limited, we could imagine
> backporting them, that's great!
>
To be suitable with a deprecated version of libssl*, it should be:

#define SSL_CTX_set_ecdh_auto(ctx, onoff) ((onoff) != 0)

or

#define SSL_CTX_set_ecdh_auto(ctx, onoff) 1

++
Manu
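
Review bot: In the ecdhe == NULL branch, the test #if defined(SSL_CTX_set_ecdh_auto) only detects a preprocessor macro, so a libssl that exposed this name as a plain function would have the call compiled out with no diagnostic, and the branch would return cfgerr without automatic curve selection ever being requested. A one-line comment at the guard stating which case it covers would help, or keep the call unconditional and rely on a single fallback definition in openssl-compat.h as proposed in the thread. Because the result is cast to (void) at this call site, the fallback's value (0, 1 or (onoff) != 0) makes no difference here and only matters to a caller that tests the return value.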

