Hi Bertrand,

On Fri, Jan 22, 2021 at 12:45:10AM +0000, Bertrand Jacquin wrote:
> According to INSTALL file, OpenSSL 1.0.1d is still supported by HAProxy,
> however OpenSSL 1.0.2 lacking CRYPTO_memcmp(), haproxy does not build:

For me this is not accurate. I build at least weekly on 1.0.2 without
any issue. I've just retested, and even 0.9.8 continues to work fine:

  $ LD_LIBRARY_PATH=/opt/openssl-0.9.8/lib ./haproxy -vv|grep OpenSSL
  Built with OpenSSL version : OpenSSL 0.9.8zh 3 Dec 2015
  Running on OpenSSL version : OpenSSL 0.9.8zh 3 Dec 2015
  OpenSSL library supports TLS extensions : yes
  OpenSSL library supports SNI : yes
  OpenSSL library supports : SSLv3 TLSv1.0

  $ grep -rwF CRYPTO_memcmp /opt/openssl-0.9.8/include/
  /opt/openssl-0.9.8/include/openssl/crypto.h: * CRYPTO_memcmp returns zero iff the |len| bytes at |a| and |b| are equal.
  /opt/openssl-0.9.8/include/openssl/crypto.h:int CRYPTO_memcmp(const void *a, const void *b, size_t len);

This feature was backported to all branches 8 years ago in 2013, and as
such it's not correct to mention branch numbers. Either we mention that
only versions featuring CRYPTO_memcmp() are supported (and we may designate
them for each branch if desired) or we simply don't say anything because
it's probably quite hard to find a machine having so old a version that
it lacks it.

I'm however curious where you managed to find an openssl-1.0.2 version
missing it, given that it was merged during development, in 1.0.2-beta1
apparently. Or are there openssl build options that disable it maybe?
If so we could possibly provide our own version, which will also be
available without openssl. We could even have a regular memcmp()
converter for the binary comparisons if anyone needs it, or it could
be the same function.

I'm fine with any option as long as it matches the identified requirements.

Thanks,
Willy
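The thread above floats the idea of HAProxy shipping its own equivalent of CRYPTO_memcmp() for builds where the linked OpenSSL lacks it (or is absent). The following is an added example, not HAProxy's or OpenSSL's own code, of such a fallback: it keeps the CRYPTO_memcmp() contract (zero iff equal) while reading every byte regardless of where the first mismatch is, so the comparison time does not leak the position of the difference the way a plain memcmp() does. The function name ct_memeq() and the macro HAVE_CRYPTO_MEMCMP are assumptions for this illustration.

```c
/* Added example, not HAProxy code. ct_memeq() and HAVE_CRYPTO_MEMCMP are
 * names assumed for this illustration. */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#ifdef HAVE_CRYPTO_MEMCMP
#include <openssl/crypto.h>
#endif

/* Returns 0 iff the |len| bytes at |a| and |b| are equal, mirroring the
 * CRYPTO_memcmp() contract. Every byte is OR-ed into an accumulator, so
 * the running time depends only on len, not on where bytes differ. */
int ct_memeq(const void *a, const void *b, size_t len)
{
#ifdef HAVE_CRYPTO_MEMCMP
    /* Prefer the library routine when the build has it. */
    return CRYPTO_memcmp(a, b, len);
#else
    const volatile unsigned char *pa = (const volatile unsigned char *)a;
    const volatile unsigned char *pb = (const volatile unsigned char *)b;
    volatile unsigned char acc = 0;
    size_t i;

    for (i = 0; i < len; i++)
        acc |= pa[i] ^ pb[i];

    /* Collapse 0..255 into 0 or 1 without a data-dependent branch:
     * the high bit of (acc | -acc) is set iff acc is non-zero. */
    return (acc | (unsigned char)-acc) >> 7;
#endif
}

/* Compare two equal-length secrets (e.g. an expected and a presented
 * token) in constant time. Lengths are compared first; differing lengths
 * are not secret-dependent in the usual token-check scenario. */
int secrets_match(const char *expected, const char *presented)
{
    size_t len = strlen(expected);

    if (len != strlen(presented))
        return 0;
    return ct_memeq(expected, presented, len) == 0;
}

int main(void)
{
    /* Constructed sample values for demonstration only. */
    printf("match: %d\n", secrets_match("s3cr3t-token", "s3cr3t-token"));
    printf("match: %d\n", secrets_match("s3cr3t-token", "s3cr3t-tokeX"));
    return 0;
}
```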
