On Sun, Oct 18, 2020 at 09:04:51AM +0500, Илья Шипицин wrote:
> Hi,
> 
> this is a straightforward patch, which is supposed to be backported to all
> versions.
> master also requires another small patch, will be sent later.
> 
> cheers,
> Ilya

> From 8cec1c658607a1370bd87682717f5f6512f242d6 Mon Sep 17 00:00:00 2001
> From: Ilya Shipitsin <chipits...@gmail.com>
> Date: Sun, 18 Oct 2020 08:55:39 +0500
> Subject: [PATCH] BUILD: ssl: make BoringSSL use its own version numbers
> 
> BoringSSL is a fork of OpenSSL 1.1.0, however in
> 49e9f67d8b7cbeb3953b5548ad1009d15947a523 it has changed version to 1.1.1.
> 
> This must be backported to 2.2, 2.1, 2.0, 1.8
> ---
>  include/haproxy/openssl-compat.h | 6 ++++++
>  1 file changed, 6 insertions(+)
> 
> diff --git a/include/haproxy/openssl-compat.h 
> b/include/haproxy/openssl-compat.h
> index acdc9c5bc..d9affa227 100644
> --- a/include/haproxy/openssl-compat.h
> +++ b/include/haproxy/openssl-compat.h
> @@ -31,6 +31,12 @@
>   * extra features with ORs and not with AND NOT.
>   */
>  #define HA_OPENSSL_VERSION_NUMBER 0x1000107fL
> +#elif defined(OPENSSL_IS_BORINGSSL)
> +/*
> + * in 49e9f67d8b7cbeb3953b5548ad1009d15947a523 BoringSSL has changed its 
> version to 1.1.1
> + * Let's switch it back to 1.1.0
> + */
> +#define HA_OPENSSL_VERSION_NUMBER 0x1010007f
>  #else /* this is for a real OpenSSL or a truly compatible derivative */
>  #define HA_OPENSSL_VERSION_NUMBER OPENSSL_VERSION_NUMBER
>  #endif
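
Review bot: the added `#define HA_OPENSSL_VERSION_NUMBER 0x1010007f` has no `L` suffix, while the hard-coded value in the branch just above it is written `0x1000107fL`; add the suffix so both constants have the same form. The new comment also says only that the version is switched back to 1.1.0. It should state the consequence, namely that code guarded on a 1.1.1 value of HA_OPENSSL_VERSION_NUMBER stays disabled when OPENSSL_IS_BORINGSSL is defined, so a later reader does not mistake the pin for an oversight.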

Hello,

That's interesting to make it build with relatively new versions of
boringSSL. But it does not activate TLSv1.3 keywords and features this
way.

That should probably be enough for backporting in previous versions
though.

-- 
William Lallemand
