On Mon, 16 Dec 2019 at 19:00, Илья Шипицин <[email protected]> wrote: > > > > Mon, 16 Dec 2019 at 22:42, Rosen Penev <[email protected]>: >> >> LIBRESSL_VERSION_NUMBER evaluates to 0 under OpenSSL, making the condition >> always true. Check for the define before checking it. >> >> Signed-off-by: Rosen Penev <[email protected]> >> --- >> include/common/openssl-compat.h | 2 +- >> 1 file changed, 1 insertion(+), 1 deletion(-) >> >> diff --git a/include/common/openssl-compat.h >> b/include/common/openssl-compat.h >> index 25102fbe3..c5029d133 100644 >> --- a/include/common/openssl-compat.h >> +++ b/include/common/openssl-compat.h >> @@ -278,7 +278,7 @@ static inline void EVP_PKEY_up_ref(EVP_PKEY *pkey) >> #define TLSEXT_signature_ecdsa 3 >> #endif >> >> -#if (OPENSSL_VERSION_NUMBER < 0x10100000L) || (LIBRESSL_VERSION_NUMBER < >> 0x20700000L) >> +#if (HA_OPENSSL_VERSION_NUMBER < 0x1010000fL) && (LIBRESSL_VERSION_NUMBER < >> 0x2070000fL) > > > assuming "&& (LIBRESSL_VERSION_NUMBER < 0x2070000fL)" part ... it is only > relevant for LibreSSL, right ? > if so, should we leave just second part and omit first ?
Any reason why we would not just #ifndef X509_getm_notBefore, testing for what we actually want instead of those backbreaking version assumptions?

Lukas
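
Review bot: the replacement `#if` line still contains no `defined(LIBRESSL_VERSION_NUMBER)` test, although the commit message says the define is checked before it is compared. The new `&&` form relies on an undefined macro evaluating to 0 inside `#if`, so on a build where `LIBRESSL_VERSION_NUMBER` is not defined the second operand `(LIBRESSL_VERSION_NUMBER < 0x2070000fL)` is always true and the result silently depends on the first operand alone. Writing the guard explicitly, for example `defined(LIBRESSL_VERSION_NUMBER) && (LIBRESSL_VERSION_NUMBER < 0x2070000fL)` as its own branch, would match the stated intent and keep the header clean under `-Wundef`. The same line also changes both constants from `0x10100000L` / `0x20700000L` to `0x1010000fL` / `0x2070000fL` and replaces `OPENSSL_VERSION_NUMBER` with `HA_OPENSSL_VERSION_NUMBER`, neither of which is mentioned in the commit message; those changes should be explained there or split into a separate patch.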

