On Sat, Nov 21, 2020 at 02:16:21PM +0500, ???? ??????? wrote:
> ??, 21 ????. 2020 ?. ? 10:18, Willy Tarreau <[email protected]>:
>
> > On Fri, Nov 20, 2020 at 02:10:33AM +0500, ???? ??????? wrote:
> > > I'd like to get rid of OPENSSL_VERSION as much as possible.
> > > what would be better for guarding TLS13 ciphers manipulation ?
> > >
> > > approach 1 (macro defined in openssl-compat.h)
> > >
> > > #if ((OPENSSL_VERSION_NUMBER >= 0x10101000L) &&
> > > !defined(LIBRESSL_VERSION_NUMBER) && !defined(OPENSSL_IS_BORINGSSL))
> > > #define HAVE_SSL_CTX_SET_CIPHERSUITES
> > > #endif
> > >
> > > approach 2 (macro TLS13_NUM_CIPHERS)
> > >
> > > #ifdef TLS13_NUM_CIPHERS
> > > conf_ciphersuites = (ssl_conf && ssl_conf->ciphersuites) ?
> > > ssl_conf->ciphersuites : bind_conf->ssl_conf.ciphersuites;
> > > ...
> > > #endif
> >
> > Interesting. How about a mix of the two then:
> >
> > #ifdef TLS13_NUM_CIPHERS // only set when TLSv1.3 ciphers are defined
> > #define HAVE_SSL_CTX_SET_CIPHERSUITES
> > #endif
> >
>
> unfortunately, it is an internal macro. it is set inside C code file, not
> headers :(
>
> ./ssl/s3_lib.c:#define TLS13_NUM_CIPHERS OSSL_NELEM(tls13_ciphers)

So this rules out my proposal and your approach 2, leaving only #1.

Willy

