On Fri, Dec 20, 2019 at 10:54 AM Илья Шипицин <chipits...@gmail.com> wrote:
>
>
>
> пт, 20 дек. 2019 г. в 22:39, Lukas Tribus <lu...@ltri.eu>:
>>
>> Hello Ilya,
>>
>>
>>
>> sorry about the delay ...
>>
>>
>> On Wed, 27 Nov 2019 at 07:11, Илья Шипицин <chipits...@gmail.com> wrote:
>> >
>> > -#if (HA_OPENSSL_VERSION_NUMBER >= 0x1010000fL)
>> > +#if (HA_OPENSSL_VERSION_NUMBER >= 0x1010000fL) || 
>> > defined(OPENSSL_NO_DEPRECATED)
>> > [...]
>> > -#if defined(USE_THREAD) && (HA_OPENSSL_VERSION_NUMBER < 0x10100000L)
>> > +#if defined(USE_THREAD) && (HA_OPENSSL_VERSION_NUMBER < 0x10100000L) && 
>> > !defined(OPENSSL_NO_DEPRECATED)
no idea what patch this is, but OPENSSL_NO_DEPRECATED should not be
used anywhere. Always use OPENSSL_API_COMPAT.
>> > [...]
>> > -#if defined(USE_THREAD) && (HA_OPENSSL_VERSION_NUMBER < 0x10100000L)
>> > +#if defined(USE_THREAD) && (HA_OPENSSL_VERSION_NUMBER < 0x10100000L) && 
>> > !defined(OPENSSL_NO_DEPRECATED)
>> > [...]
>>
>> I'm confused. This is not required in my environment for the build to
>> succeed and I don't see any reason why HA_OPENSSL_VERSION_NUMBER would
>> be smaller here? Can you elaborate why the HA_OPENSSL_VERSION_NUMBER
>> comparison would fail to do its job in those comparisons?
>
>
> what is the lowest openssl we support ?
>
> those callbacks are required if threads are used for non-deprecated builds 
> and for early openssl versions like 1.0.0
>>
>>
>> The X509_getm_ issue has been fixed by Rosen's patch [1], which is
>> committed and backported.
>>
>> SSL_CTX_set_ecdh_auto issue is fixed by your patch (additional guard
>> in ssl_sock.c) or by removing the existing guards and defining the
>> same compatibility macro openssl uses [2] (as per the input from Willy
>> and Emmanuel):
>>
>> #ifndef SSL_CTX_set_ecdh_auto
>> #define SSL_CTX_set_ecdh_auto(dummy, onoff)      ((onoff) != 0)
>> #endif
>>
>> I'd prefer the latter, which is what OpenSSL uses (when not using
>> no-deprecated) and does not pollute the ssl_sock.c.
>
>
> that's just perfect
>
>>
>>
>> Everything builds just fine after that for me (both master and 2.0),
>> without any warnings. I also tried with threading disabled
>> (USE_THREAD=).
>>
>> I will be sending the single SSL_CTX_set_ecdh_auto() fix shortly. Let
>> me know what you think and if you believe something is missing for
>> no-deprecated compatibility.
>>
>>
>> FYI: to avoid rebuilding openssl each time with and without
>> no-deprecate option, the same can be achieved when building haproxy by
>> adding DEFINE="-DOPENSSL_API_COMPAT=0x10100000L
>> -DOPENSSL_NO_DEPRECATED" to the make command (maybe this can be useful
>> in CI - I don't know anything about that).
>
>
> yep, I'll have a look at that and will send patch for CI
>
>>
>>
>> Once we agree on a fix and commit it, we should definitely add a CI
>> build testing this (with openssl 1.1.1). I disagree to test the build
>> against openssl master, because the API may continually change during
>> development (I mentioned this point in another conversation but I
>> don't recall whether it was on ML or GH).
>>
>>
>>
>> thanks,
>> lukas
>>
>>
>> [1] 
>> https://github.com/haproxy/haproxy/commit/b3814c2ca8a8c28a890f8f50e0a35d5247222a12
>> [2] 
>> https://github.com/openssl/openssl/blob/bf4006a6f9be691ba6eef0e8629e63369a033ccf/include/openssl/ssl.h#L1480

Reply via email to