On Fri, Nov 20, 2020 at 02:10:33AM +0500, ???? ??????? wrote:
> I'd like to get rid of OPENSSL_VERSION as much as possible.
> What would be better for guarding TLS13 ciphers manipulation?
> 
> approach 1 (macro defined in openssl-compat.h)
> 
> #if ((OPENSSL_VERSION_NUMBER >= 0x10101000L) && !defined(LIBRESSL_VERSION_NUMBER) && !defined(OPENSSL_IS_BORINGSSL))
> #define HAVE_SSL_CTX_SET_CIPHERSUITES
> #endif
> 
> approach 2 (macro TLS13_NUM_CIPHERS)
> 
> #ifdef TLS13_NUM_CIPHERS
>         conf_ciphersuites = (ssl_conf && ssl_conf->ciphersuites) ? ssl_conf->ciphersuites : bind_conf->ssl_conf.ciphersuites;
>         ...
> #endif

Interesting. How about a mix of the two then:

  #ifdef TLS13_NUM_CIPHERS // only set when TLSv1.3 ciphers are defined
  #define HAVE_SSL_CTX_SET_CIPHERSUITES
  #endif

Then only use ifdef HAVE_SSL_CTX_SET_CIPHERSUITES.
The benefit is that we keep the magic in openssl-compat.h.

Willy
