Sat, 21 Nov 2020 at 10:18, Willy Tarreau <[email protected]>:

> On Fri, Nov 20, 2020 at 02:10:33AM +0500, ???? ??????? wrote:
> > I'd like to get rid of OPENSSL_VERSION as much as possible.
> > what would be better for guarding TLS13 ciphers manipulation ?
> >
> > approach 1 (macro defined in openssl-compat.h)
> >
> > #if ((OPENSSL_VERSION_NUMBER >= 0x10101000L) &&
> > !defined(LIBRESSL_VERSION_NUMBER) && !defined(OPENSSL_IS_BORINGSSL))
> > #define HAVE_SSL_CTX_SET_CIPHERSUITES
> > #endif
> >
> > approach 2 (macro TLS13_NUM_CIPHERS)
> >
> > #ifdef TLS13_NUM_CIPHERS
> >         conf_ciphersuites = (ssl_conf && ssl_conf->ciphersuites) ?
> > ssl_conf->ciphersuites : bind_conf->ssl_conf.ciphersuites;
> >         ...
> > #endif
>
> Interesting. How about a mix of the two then:
>
>   #ifdef TLS13_NUM_CIPHERS // only set when TLSv1.3 ciphers are defined
>   #define HAVE_SSL_CTX_SET_CIPHERSUITES
>   #endif
>

Unfortunately, it is an internal macro. It is set inside a C code file, not
headers :(

./ssl/s3_lib.c:#define TLS13_NUM_CIPHERS       OSSL_NELEM(tls13_ciphers)


>
> Then only use ifdef HAVE_SSL_CTX_SET_CIPHERSUITES.
> The benefit is that we keep the magic in openssl-compat.h.
>
> Willy
>
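As an added illustration of the guard being discussed (this is example code written for this page, not code from haproxy or from either poster), the block below puts "approach 1" in a compat-style block, mirrors the same rule at runtime so it can be checked against several version numbers in one build, and shows the bind-level fallback from "approach 2". The struct `ssl_conf_ex`, the enum `ssl_lib` and all function names are stand-ins invented here; only `OPENSSL_VERSION_NUMBER`, `LIBRESSL_VERSION_NUMBER` and `OPENSSL_IS_BORINGSSL` are real library macros. It reads `<openssl/opensslv.h>` only if that header is installed, so it builds with or without OpenSSL and never needs `-lssl`.

```c
#include <stdio.h>
#include <string.h>

/* Use the real version macros when an OpenSSL-family header is present.
 * opensslv.h is header-only, so no library has to be linked. */
#if defined(__has_include)
#  if __has_include(<openssl/opensslv.h>)
#    include <openssl/opensslv.h>
#  endif
#endif

/* "Approach 1" from the thread, as it would sit in openssl-compat.h:
 * SSL_CTX_set_ciphersuites() exists in OpenSSL >= 1.1.1, and the version
 * numbers reported by LibreSSL and BoringSSL do not track OpenSSL's
 * release history, so those forks are excluded by name. */
#if defined(OPENSSL_VERSION_NUMBER) && (OPENSSL_VERSION_NUMBER >= 0x10101000L) && \
    !defined(LIBRESSL_VERSION_NUMBER) && !defined(OPENSSL_IS_BORINGSSL)
#  define HAVE_SSL_CTX_SET_CIPHERSUITES
#endif

/* Which library family a build targets; an assumption for the runtime mirror
 * below, not an OpenSSL identifier. */
enum ssl_lib { SSL_LIB_OPENSSL, SSL_LIB_LIBRESSL, SSL_LIB_BORINGSSL };

/* Runtime mirror of the compile-time guard above. LibreSSL, for instance,
 * reports OPENSSL_VERSION_NUMBER 0x20000000L, which a bare ">= 1.1.1"
 * comparison would accept; the fork check is what keeps it out. */
int have_ssl_ctx_set_ciphersuites(unsigned long version, enum ssl_lib lib)
{
    if (lib != SSL_LIB_OPENSSL)
        return 0;
    return version >= 0x10101000L ? 1 : 0;
}

/* What the compile-time guard decided for this particular build. */
int build_has_set_ciphersuites(void)
{
#ifdef HAVE_SSL_CTX_SET_CIPHERSUITES
    return 1;
#else
    return 0;
#endif
}

/* Stand-in for haproxy's per-server / per-bind SSL settings (assumed shape). */
struct ssl_conf_ex { const char *ciphersuites; };

/* The fallback from "approach 2": a more specific list wins, else the
 * bind-level default; NULL when neither level configured TLS 1.3 suites. */
const char *select_ciphersuites(const struct ssl_conf_ex *ssl_conf,
                                const struct ssl_conf_ex *bind_default)
{
    if (ssl_conf && ssl_conf->ciphersuites)
        return ssl_conf->ciphersuites;
    return bind_default ? bind_default->ciphersuites : NULL;
}

/* Decide what to do with a configured list given the build's capability:
 *  0 = nothing configured, 1 = apply it, -1 = configured but the library
 * cannot honour it. A caller should treat -1 as a configuration error, so a
 * cipher restriction is never silently dropped on an older library. */
int plan_tls13_ciphersuites(const char *ciphersuites, int have_setter)
{
    if (!ciphersuites)
        return 0;
    return have_setter ? 1 : -1;
}

int main(void)
{
    /* Constructed sample values for the runtime mirror. */
    static const struct { const char *name; unsigned long v; enum ssl_lib lib; } probes[] = {
        { "OpenSSL 1.1.0",  0x10100000L, SSL_LIB_OPENSSL },
        { "OpenSSL 1.1.1",  0x10101000L, SSL_LIB_OPENSSL },
        { "LibreSSL",       0x20000000L, SSL_LIB_LIBRESSL },
        { "BoringSSL",      0x1010107fL, SSL_LIB_BORINGSSL },
    };
    const struct ssl_conf_ex bind_default = { "TLS_AES_128_GCM_SHA256" };
    const struct ssl_conf_ex server = { NULL };
    const char *list = select_ciphersuites(&server, &bind_default);
    size_t i;

    printf("this build: HAVE_SSL_CTX_SET_CIPHERSUITES=%d\n", build_has_set_ciphersuites());
    for (i = 0; i < sizeof(probes) / sizeof(probes[0]); i++)
        printf("%-14s -> %d\n", probes[i].name,
               have_ssl_ctx_set_ciphersuites(probes[i].v, probes[i].lib));
    printf("selected list: %s, plan=%d\n", list ? list : "(none)",
           plan_tls13_ciphersuites(list, build_has_set_ciphersuites()));
    return 0;
}
```

The runtime mirror exists only to make the rule testable in one binary; in a real build the `#ifdef HAVE_SSL_CTX_SET_CIPHERSUITES` block is the only thing that matters, and the `-1` path of `plan_tls13_ciphersuites` is the check worth keeping: a `ciphersuites` setting that the library cannot apply should fail configuration loading rather than leave the TLS 1.3 defaults in place unnoticed.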
