The underlying SSL_get_negotiated_group function has been backported into AWS-LC [1], so expose the feature for users of this TLS stack as well. Note that even though it was actually added in AWS-LC 1.56.0, we require AWSLC_API_VERSION >= 35 which was released in AWS-LC 1.57.0, because API version wasn't incremented after this change. As the delta is one minor version (less than two weeks), I consider this acceptable to avoid relying on a proxy constant like TLSEXT_nid_unknown which might be removed at some point.
[1] https://github.com/aws/aws-lc/commit/d6a37244ad8922f41f70195104b9da9f64c96202 --- doc/configuration.txt | 2 +- src/ssl_sample.c | 8 ++++---- 2 files changed, 5 insertions(+), 5 deletions(-) diff --git a/doc/configuration.txt b/doc/configuration.txt index df5724738..ceeb94761 100644 --- a/doc/configuration.txt +++ b/doc/configuration.txt @@ -24672,7 +24672,7 @@ ssl_bc_client_traffic_secret_0 : string ssl_bc_curve : string Returns the name of the curve used in the key agreement when the outgoing connection was made over an SSL/TLS transport layer. This requires - OpenSSL >= 3.0.0. + OpenSSL >= 3.0.0 or AWS-LC >= 1.57.0. ssl_bc_early_exporter_secret : string Return the EARLY_EXPORTER_SECRET as an hexadecimal string for the diff --git a/src/ssl_sample.c b/src/ssl_sample.c index 230deafc3..5df663814 100644 --- a/src/ssl_sample.c +++ b/src/ssl_sample.c @@ -1501,9 +1501,9 @@ smp_fetch_ssl_fc_is_resumed(const struct arg *args, struct sample *smp, const ch * front and backend connection. * * The function to get the curve name (SSL_get_negotiated_group) is only available - * in OpenSSLv3 onwards and not for previous versions. + * in OpenSSLv3 onwards and not for previous versions, and in AWS-LC >= 1.57.0. */ -#if (HA_OPENSSL_VERSION_NUMBER >= 0x3000000fL) +#if (HA_OPENSSL_VERSION_NUMBER >= 0x3000000fL) || (defined(OPENSSL_IS_AWSLC) && AWSLC_API_VERSION >= 35) static int smp_fetch_ssl_fc_ec(const struct arg *args, struct sample *smp, const char *kw, void *private) { @@ -2549,7 +2549,7 @@ static struct sample_fetch_kw_list sample_fetch_keywords = {ILH, { { "ssl_bc_alpn", smp_fetch_ssl_fc_alpn, 0, NULL, SMP_T_STR, SMP_USE_L5SRV }, #endif { "ssl_bc_cipher", smp_fetch_ssl_fc_cipher, 0, NULL, SMP_T_STR, SMP_USE_L5SRV }, -#if (HA_OPENSSL_VERSION_NUMBER >= 0x3000000fL) +#if (HA_OPENSSL_VERSION_NUMBER >= 0x3000000fL) || (defined(OPENSSL_IS_AWSLC) && AWSLC_API_VERSION >= 35) { "ssl_bc_curve", smp_fetch_ssl_fc_ec, 0, NULL, SMP_T_STR, SMP_USE_L5SRV }, #endif #if defined(OPENSSL_NPN_NEGOTIATED) && !defined(OPENSSL_NO_NEXTPROTONEG) @@ -2612,7 +2612,7 @@ static struct sample_fetch_kw_list sample_fetch_keywords = {ILH, { { "ssl_fc", smp_fetch_ssl_fc, 0, NULL, SMP_T_BOOL, SMP_USE_L5CLI }, { "ssl_fc_alg_keysize", smp_fetch_ssl_fc_alg_keysize, 0, NULL, SMP_T_SINT, SMP_USE_L5CLI }, { "ssl_fc_cipher", smp_fetch_ssl_fc_cipher, 0, NULL, SMP_T_STR, SMP_USE_L5CLI }, -#if (HA_OPENSSL_VERSION_NUMBER >= 0x3000000fL) +#if (HA_OPENSSL_VERSION_NUMBER >= 0x3000000fL) || (defined(OPENSSL_IS_AWSLC) && AWSLC_API_VERSION >= 35) { "ssl_fc_curve", smp_fetch_ssl_fc_ec, 0, NULL, SMP_T_STR, SMP_USE_L5CLI }, #endif { "ssl_fc_early_rcvd", smp_fetch_ssl_fc_early_rcvd, 0, NULL, SMP_T_BOOL, SMP_USE_L5CLI }, -- 2.43.0
