Re: [SPAM] Re: Build failure of 1.6 and openssl 0.9.8
Hi Marcus, On Thu, Oct 22, 2015 at 12:14:53PM +0200, Marcus Rueckert wrote: > On 2015-10-22 09:44:05 +0200, Willy Tarreau wrote: > > On Thu, Oct 22, 2015 at 10:40:45AM +0300, Dmitry Sivachenko wrote: > > > 1.6.1 still does not build with OpenSSL < 1.0: > > > > > > src/ssl_sock.o: In function `ssl_sock_do_create_cert': > > > ssl_sock.c:(.text+0x295b): undefined reference to > > > `EVP_PKEY_get_default_digest_nid' > > > Makefile:760: recipe for target 'haproxy' failed > > > > > > So is it intended behavior? > > > > It's neither intended nor not intended, it's just that I was waiting for > > Marcus' confirmation that the patch fixed the issue for him, and forgot > > about this patch while waiting for a response. Can you confirm on your > > side that the patch fixes the issue for you ? If so I'm willing to merge > > the fix immediately. I prefer to be careful because on my side openssl > > 0.9.8 doesn't break so I want to be sure that there isn't a second level > > of breakage after this one. > > 1. actually send a confirmation that it builds for me with the patch >from Christopher Faulet. I'm sorry, I just found your mail and your previous reply in my spambox. Too bad I missed them before the release :-( Thanks for having responded quickly! Willy
Re: Build failure of 1.6 and openssl 0.9.8
On Thu, Oct 22, 2015 at 11:31:01AM +0300, Dmitry Sivachenko wrote: > > > On 22 Oct 2015, at 10:44, Willy Tarreau wrote: > > > > Hello Dmitry, > > > > On Thu, Oct 22, 2015 at 10:40:45AM +0300, Dmitry Sivachenko wrote: > >> 1.6.1 still does not build with OpenSSL < 1.0: > >> > >> src/ssl_sock.o: In function `ssl_sock_do_create_cert': > >> ssl_sock.c:(.text+0x295b): undefined reference to > >> `EVP_PKEY_get_default_digest_nid' > >> Makefile:760: recipe for target 'haproxy' failed > >> > >> So is it intended behavior? > > > > It's neither intended nor not intended, it's just that I was waiting for > > Marcus' confirmation that the patch fixed the issue for him, and forgot > > about this patch while waiting for a response. Can you confirm on your > > side that the patch fixes the issue for you ? If so I'm willing to merge > > the fix immediately. I prefer to be careful because on my side openssl > > 0.9.8 doesn't break so I want to be sure that there isn't a second level > > of breakage after this one. > > > > > Aha, no problem, I thought it is supposed to be fixed before 1.6.1. > > I tried a patch in this thread > (0002-BUILD-ssl-fix-build-error-introduced-in-commit-7969a.patch). > > It does fix the build error (FreeBSD-9, OpenSSL 0.9.8q). Though there is the > following warning: > > src/ssl_sock.c: In function 'ssl_sock_load_cert_chain_file': > src/ssl_sock.c:1623: warning: dereferencing type-punned pointer will break > strict-aliasing rules > src/ssl_sock.c:1636: warning: dereferencing type-punned pointer will break > strict-aliasing rules > src/ssl_sock.c: In function 'ssl_sock_srv_verifycbk': > src/ssl_sock.c:2264: warning: dereferencing type-punned pointer will break > strict-aliasing rules > src/ssl_sock.c:2278: warning: dereferencing type-punned pointer will break > strict-aliasing rules Do you have other patches applied ? Here these line numbers only match closing braces so I have no idea what they correspond to :-/ Willy
Re: Build failure of 1.6 and openssl 0.9.8
> On 22 Oct 2015, at 10:44, Willy Tarreau wrote: > > Hello Dmitry, > > On Thu, Oct 22, 2015 at 10:40:45AM +0300, Dmitry Sivachenko wrote: >> 1.6.1 still does not build with OpenSSL < 1.0: >> >> src/ssl_sock.o: In function `ssl_sock_do_create_cert': >> ssl_sock.c:(.text+0x295b): undefined reference to >> `EVP_PKEY_get_default_digest_nid' >> Makefile:760: recipe for target 'haproxy' failed >> >> So is it intended behavior? > > It's neither intended nor not intended, it's just that I was waiting for > Marcus' confirmation that the patch fixed the issue for him, and forgot > about this patch while waiting for a response. Can you confirm on your > side that the patch fixes the issue for you ? If so I'm willing to merge > the fix immediately. I prefer to be careful because on my side openssl > 0.9.8 doesn't break so I want to be sure that there isn't a second level > of breakage after this one. > Aha, no problem, I thought it is supposed to be fixed before 1.6.1. I tried a patch in this thread (0002-BUILD-ssl-fix-build-error-introduced-in-commit-7969a.patch). It does fix the build error (FreeBSD-9, OpenSSL 0.9.8q). Though there is the following warning: src/ssl_sock.c: In function 'ssl_sock_load_cert_chain_file': src/ssl_sock.c:1623: warning: dereferencing type-punned pointer will break strict-aliasing rules src/ssl_sock.c:1636: warning: dereferencing type-punned pointer will break strict-aliasing rules src/ssl_sock.c: In function 'ssl_sock_srv_verifycbk': src/ssl_sock.c:2264: warning: dereferencing type-punned pointer will break strict-aliasing rules src/ssl_sock.c:2278: warning: dereferencing type-punned pointer will break strict-aliasing rules
Re: Build failure of 1.6 and openssl 0.9.8
> On 19 Oct 2015, at 17:29, Willy Tarreau wrote: > > Hi Christopher, > > On Mon, Oct 19, 2015 at 03:05:05PM +0200, Christopher Faulet wrote: >> Damned! I generated a huge amount of disturbances with my patches! Really >> sorry for that. > > Shit happens sometimes. I had my hours of fame with option > http-send-name-header merged in 1.4-stable years ago, and that was so badly > designed that it still managed to cause a lot of trouble during 1.6-dev. > >> Add a #ifdef to check the OpenSSL version seems to be a good fix. I >> don't know if there is a workaround to do the same than >> EVP_PKEY_get_default_digest_nid() for old OpenSSL versions. > > I was unsure how the code was supposed to work given that two blocks > were replaced by two others and I was unsure whether there was a > dependence. So as long as we can fall back to the pre-patch behaviour > I'm perfectly fine. > >> This function is used to get default signature digest associated to the >> private key used to sign generated X509 certificates. It is called when >> the private key differs than EVP_PKEY_RSA, EVP_PKEY_DSA and EVP_PKEY_EC. >> It should be enough for most of cases (maybe all cases ?). > > OK great. > >> By the way, I attached a patch to fix the bug. > > Thank you. Marcus, can you confirm that it's OK for you with this fix so > that I can merge it ? Hello, 1.6.1 still does not build with OpenSSL < 1.0: src/ssl_sock.o: In function `ssl_sock_do_create_cert': ssl_sock.c:(.text+0x295b): undefined reference to `EVP_PKEY_get_default_digest_nid' Makefile:760: recipe for target 'haproxy' failed So is it intended behavior?
[SPAM] Re: Build failure of 1.6 and openssl 0.9.8
On 2015-10-22 13:59:09 +0300, Dmitry Sivachenko wrote: > > On 22 Oct 2015, at 13:54, Marcus Rueckert wrote: > > > > On 2015-10-22 13:38:45 +0300, Dmitry Sivachenko wrote: > >> I see this warnings with gcc-4.2.1 (shipped with FreeBSD-9), but no > >> warnings with clang 3.6.1. > >> I see a lot of such warnings with gcc48, but it seems expected according > >> to comments in Makefile: > >> Compiler-specific flags that may be used to disable some negative > >> over- > >> # optimization or to silence some warnings. -fno-strict-aliasing is needed > >> with > >> # gcc >= 4.4. > > > > 4.3.4 on SLES 11 SP 4 > > 4.8.3 on openSUSE 13.2 > > 5.1.1 on openSUSE Tumbleweed > > > > https://build.opensuse.org/package/show/server:http/haproxy (succeeded > > links on the right side) > > > There is -fno-strict-aliasing option in your build logs. But it is set by the upstream Makefile. so unless you break the CFLAGS of the makefile. shouldn't you have that too? darix -- openSUSE - SUSE Linux is my linux openSUSE is good for you www.opensuse.org
[SPAM] Re: Build failure of 1.6 and openssl 0.9.8
On 2015-10-22 14:30:07 +0300, Dmitry Sivachenko wrote: > I override CFLAGS variable during make invocation (because otherwise > build system does not respect CFLAGS environment variable), as well as > CC environment (FreeBSD does not have "gcc" at all). just set DEBUG_CFLAGS on the make cmdline. see my spec file. darix -- openSUSE - SUSE Linux is my linux openSUSE is good for you www.opensuse.org
Re: Build failure of 1.6 and openssl 0.9.8
> On 22 Oct 2015, at 13:54, Marcus Rueckert wrote: > > On 2015-10-22 13:38:45 +0300, Dmitry Sivachenko wrote: >> I see this warnings with gcc-4.2.1 (shipped with FreeBSD-9), but no warnings >> with clang 3.6.1. >> I see a lot of such warnings with gcc48, but it seems expected according to >> comments in Makefile: >> Compiler-specific flags that may be used to disable some negative over- >> # optimization or to silence some warnings. -fno-strict-aliasing is needed >> with >> # gcc >= 4.4. > > 4.3.4 on SLES 11 SP 4 > 4.8.3 on openSUSE 13.2 > 5.1.1 on openSUSE Tumbleweed > > https://build.opensuse.org/package/show/server:http/haproxy (succeeded > links on the right side) There is -fno-strict-aliasing option in your build logs.
[SPAM] Re: Build failure of 1.6 and openssl 0.9.8
On 2015-10-22 13:38:45 +0300, Dmitry Sivachenko wrote: > I see this warnings with gcc-4.2.1 (shipped with FreeBSD-9), but no warnings > with clang 3.6.1. > I see a lot of such warnings with gcc48, but it seems expected according to > comments in Makefile: > Compiler-specific flags that may be used to disable some negative over- > # optimization or to silence some warnings. -fno-strict-aliasing is needed > with > # gcc >= 4.4. 4.3.4 on SLES 11 SP 4 4.8.3 on openSUSE 13.2 5.1.1 on openSUSE Tumbleweed https://build.opensuse.org/package/show/server:http/haproxy (succeeded links on the right side) darix -- openSUSE - SUSE Linux is my linux openSUSE is good for you www.opensuse.org
Re: Build failure of 1.6 and openssl 0.9.8
> On 22 Oct 2015, at 14:12, Marcus Rueckert wrote: > > On 2015-10-22 13:59:09 +0300, Dmitry Sivachenko wrote: >>> On 22 Oct 2015, at 13:54, Marcus Rueckert wrote: >>> >>> On 2015-10-22 13:38:45 +0300, Dmitry Sivachenko wrote: I see this warnings with gcc-4.2.1 (shipped with FreeBSD-9), but no warnings with clang 3.6.1. I see a lot of such warnings with gcc48, but it seems expected according to comments in Makefile: Compiler-specific flags that may be used to disable some negative over- # optimization or to silence some warnings. -fno-strict-aliasing is needed with # gcc >= 4.4. >>> >>> 4.3.4 on SLES 11 SP 4 >>> 4.8.3 on openSUSE 13.2 >>> 5.1.1 on openSUSE Tumbleweed >>> >>> https://build.opensuse.org/package/show/server:http/haproxy (succeeded >>> links on the right side) >> >> >> There is -fno-strict-aliasing option in your build logs. > > But it is set by the upstream Makefile. so unless you break the CFLAGS > of the makefile. shouldn't you have that too? > I override CFLAGS variable during make invocation (because otherwise build system does not respect CFLAGS environment variable), as well as CC environment (FreeBSD does not have "gcc" at all).
Re: Build failure of 1.6 and openssl 0.9.8
On Thu, Oct 22, 2015 at 12:54:00PM +0200, Marcus Rueckert wrote: > On 2015-10-22 13:38:45 +0300, Dmitry Sivachenko wrote: > > I see this warnings with gcc-4.2.1 (shipped with FreeBSD-9), but no > > warnings with clang 3.6.1. > > I see a lot of such warnings with gcc48, but it seems expected according to > > comments in Makefile: > > Compiler-specific flags that may be used to disable some negative over- > > # optimization or to silence some warnings. -fno-strict-aliasing is needed > > with > > # gcc >= 4.4. > > 4.3.4 on SLES 11 SP 4 > 4.8.3 on openSUSE 13.2 > 5.1.1 on openSUSE Tumbleweed > > https://build.opensuse.org/package/show/server:http/haproxy (succeeded > links on the right side) OK thanks guys, I've merged the patch now. Regarding the warnings, they're indeed caused by the lack of -fno-strict-aliasing which was added for this reason. When using gcc, it emits the warning at different places (and not this one). When using clang, I don't see them at all. Regards, Willy
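The construct behind the "dereferencing type-punned pointer" warning discussed in this thread, next to a form that gives the same result without -fno-strict-aliasing. This is an added example, not HAProxy code and not part of any message here; every function name and the SHOW_PUNNED_VARIANT macro are hypothetical, and a 32-bit IEEE 754 float is assumed.

```c
/* Added example (not HAProxy code). All names are hypothetical.
 * Assumes float is a 32-bit IEEE 754 type. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#ifdef SHOW_PUNNED_VARIANT
/* Reads a float object through a uint32_t lvalue. This is the kind of
 * expression GCC's strict-aliasing warning points at: the access breaks
 * the aliasing rules, and GCC only guarantees the expected result when
 * the file is built with -fno-strict-aliasing. Kept out of the default
 * build so the file compiles cleanly without that flag. */
static uint32_t float_bits_punned(float f)
{
    return *(uint32_t *)&f;
}
#endif

/* Same result with no dependency on the flag: copy the object
 * representation instead of reinterpreting the pointer. */
static uint32_t float_bits(float f)
{
    uint32_t u;
    memcpy(&u, &f, sizeof u);
    return u;
}

/* Store and load a 32-bit value at any byte offset of a buffer. memcpy
 * keeps the access valid whatever the alignment of p. */
static void store_u32(unsigned char *p, uint32_t v)
{
    memcpy(p, &v, sizeof v);
}

static uint32_t load_u32(const unsigned char *p)
{
    uint32_t v;
    memcpy(&v, p, sizeof v);
    return v;
}

/* Constructed sample: write at an odd offset, then read it back. */
static uint32_t roundtrip_unaligned(uint32_t v)
{
    unsigned char buf[8] = {0};
    store_u32(buf + 1, v);
    return load_u32(buf + 1);
}

int main(void)
{
    printf("bits(1.0f) = 0x%08lx\n", (unsigned long)float_bits(1.0f));
    printf("round trip = 0x%08lx\n",
           (unsigned long)roundtrip_unaligned(0xC0A8010AUL));
#ifdef SHOW_PUNNED_VARIANT
    printf("punned     = 0x%08lx\n", (unsigned long)float_bits_punned(1.0f));
#endif
    return 0;
}
```

Building with `-DSHOW_PUNNED_VARIANT -O2 -Wall` compiles the cast-based variant as well, so the two forms can be compared with and without -fno-strict-aliasing.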
[SPAM] Re: Build failure of 1.6 and openssl 0.9.8
On 2015-10-22 09:44:05 +0200, Willy Tarreau wrote: > On Thu, Oct 22, 2015 at 10:40:45AM +0300, Dmitry Sivachenko wrote: > > 1.6.1 still does not build with OpenSSL < 1.0: > > > > src/ssl_sock.o: In function `ssl_sock_do_create_cert': > > ssl_sock.c:(.text+0x295b): undefined reference to > > `EVP_PKEY_get_default_digest_nid' > > Makefile:760: recipe for target 'haproxy' failed > > > > So is it intended behavior? > > It's neither intended nor not intended, it's just that I was waiting for > Marcus' confirmation that the patch fixed the issue for him, and forgot > about this patch while waiting for a response. Can you confirm on your > side that the patch fixes the issue for you ? If so I'm willing to merge > the fix immediately. I prefer to be careful because on my side openssl > 0.9.8 doesn't break so I want to be sure that there isn't a second level > of breakage after this one. 1. actually send a confirmation that it builds for me with the patch from Christopher Faulet. 2. i just tested 1.6.1 - fails without patch - works with the patch 3. i can not reproduce the strict alias warnings. darix -- openSUSE - SUSE Linux is my linux openSUSE is good for you www.opensuse.org
Re: Build failure of 1.6 and openssl 0.9.8
> On 22 Oct 2015, at 13:14, Marcus Rueckert wrote: > > 3. i can not reproduce the strict alias warnings. > I see this warnings with gcc-4.2.1 (shipped with FreeBSD-9), but no warnings with clang 3.6.1. I see a lot of such warnings with gcc48, but it seems expected according to comments in Makefile: Compiler-specific flags that may be used to disable some negative over- # optimization or to silence some warnings. -fno-strict-aliasing is needed with # gcc >= 4.4.
Re: Build failure of 1.6 and openssl 0.9.8
> On 22 Oct 2015, at 11:45, Willy Tarreau wrote: > > On Thu, Oct 22, 2015 at 11:31:01AM +0300, Dmitry Sivachenko wrote: >> >>> On 22 Oct 2015, at 10:44, Willy Tarreau wrote: >>> >>> Hello Dmitry, >>> >>> On Thu, Oct 22, 2015 at 10:40:45AM +0300, Dmitry Sivachenko wrote: 1.6.1 still does not build with OpenSSL < 1.0: src/ssl_sock.o: In function `ssl_sock_do_create_cert': ssl_sock.c:(.text+0x295b): undefined reference to `EVP_PKEY_get_default_digest_nid' Makefile:760: recipe for target 'haproxy' failed So is it intended behavior? >>> >>> It's neither intended nor not intended, it's just that I was waiting for >>> Marcus' confirmation that the patch fixed the issue for him, and forgot >>> about this patch while waiting for a response. Can you confirm on your >>> side that the patch fixes the issue for you ? If so I'm willing to merge >>> the fix immediately. I prefer to be careful because on my side openssl >>> 0.9.8 doesn't break so I want to be sure that there isn't a second level >>> of breakage after this one. >>> >> >> >> Aha, no problem, I thought it is supposed to be fixed before 1.6.1. >> >> I tried a patch in this thread >> (0002-BUILD-ssl-fix-build-error-introduced-in-commit-7969a.patch). >> >> It does fix the build error (FreeBSD-9, OpenSSL 0.9.8q). Though there is >> the following warning: >> >> src/ssl_sock.c: In function 'ssl_sock_load_cert_chain_file': >> src/ssl_sock.c:1623: warning: dereferencing type-punned pointer will break >> strict-aliasing rules >> src/ssl_sock.c:1636: warning: dereferencing type-punned pointer will break >> strict-aliasing rules >> src/ssl_sock.c: In function 'ssl_sock_srv_verifycbk': >> src/ssl_sock.c:2264: warning: dereferencing type-punned pointer will break >> strict-aliasing rules >> src/ssl_sock.c:2278: warning: dereferencing type-punned pointer will break >> strict-aliasing rules > > Do you have other patches applied ?
Here these line numbers only match > closing braces so I have no idea what they correspond to :-/ > No, this is haproxy-1.6.1 tarball + this patch applied. BTW, by default FreeBSD uses -fno-strict-aliasing, so this warning was here before most likely, I just did not see it, I suppose it is not a problem. Also: src/stick_table.c: In function 'smp_to_stkey': src/stick_table.c:490: warning: dereferencing type-punned pointer will break strict-aliasing rules
Re: Build failure of 1.6 and openssl 0.9.8
Hello Dmitry, On Thu, Oct 22, 2015 at 10:40:45AM +0300, Dmitry Sivachenko wrote: > 1.6.1 still does not build with OpenSSL < 1.0: > > src/ssl_sock.o: In function `ssl_sock_do_create_cert': > ssl_sock.c:(.text+0x295b): undefined reference to > `EVP_PKEY_get_default_digest_nid' > Makefile:760: recipe for target 'haproxy' failed > > So is it intended behavior? It's neither intended nor not intended, it's just that I was waiting for Marcus' confirmation that the patch fixed the issue for him, and forgot about this patch while waiting for a response. Can you confirm on your side that the patch fixes the issue for you ? If so I'm willing to merge the fix immediately. I prefer to be careful because on my side openssl 0.9.8 doesn't break so I want to be sure that there isn't a second level of breakage after this one. Thanks, Willy
Re: Build failure of 1.6 and openssl 0.9.8
On 16/10/2015 22:42, Willy Tarreau wrote: Hi Christopher, Marcus (in CC) reported that 1.6 doesn't build anymore on SuSE 11 (which uses openssl 0.9.8). After some digging, we found that it is caused by the absence of EVP_PKEY_get_default_digest_nid() which was introduced in 1.0.0 and which was introduced by this patch : commit 7969a33a01c3a70e48cddf36ea5a66710bd7a995 Author: Christopher Faulet Date: Fri Oct 9 11:15:03 2015 +0200 MINOR: ssl: Add support for EC for the CA used to sign generated certificate This is done by adding EVP_PKEY_EC type in supported types for the CA private key when we get the message digest used to sign a generated X509 certificate So now, we support DSA, RSA and EC private keys. And to be sure, when the type of the private key is not directly supported, get its default message digest using the function 'EVP_PKEY_get_default_digest_nid'. We also use the key of the default certificate instead of generated it. So we are sure to use the same key type instead of always using a RSA key. Interestingly, not all 0.9.8 will see the same problem since SNI is not enabled by default, it requires a build option. This explains why on my old PC I didn't get this problem with the same version. I initially thought it would just be a matter of adding a #if on the openssl version but it doesn't appear that easy given that the previous code was different, so I have no idea how to fix this. Do you have any idea ? Probably we can have a block of code instead of EVP_PKEY_... on older versions and that will be fine. I even wonder if EC was supported on 0.9.8. It's unfortunate that we managed to break things just a few days before the release with code that looked obviously right :-( Thanks for any insight. Hi Willy, Damned! I generated a huge amount of disturbances with my patches! Really sorry for that. Add a #ifdef to check the OpenSSL version seems to be a good fix.
I don't know if there is a workaround to do the same than EVP_PKEY_get_default_digest_nid() for old OpenSSL versions. This function is used to get default signature digest associated to the private key used to sign generated X509 certificates. It is called when the private key differs than EVP_PKEY_RSA, EVP_PKEY_DSA and EVP_PKEY_EC. It should be enough for most of cases (maybe all cases ?). By the way, I attached a patch to fix the bug. Regards, -- Christopher Faulet >From 76e79a8c8a98474f3caf701b75370f50729516b2 Mon Sep 17 00:00:00 2001 From: Christopher Faulet Date: Mon, 19 Oct 2015 13:59:24 +0200 Subject: [PATCH 2/2] BUILD: ssl: fix build error introduced in commit 7969a3 with OpenSSL < 1.0.0 The function 'EVP_PKEY_get_default_digest_nid()' was introduced in OpenSSL 1.0.0. So for older version of OpenSSL, compiled with the SNI support, the HAProxy compilation fails with the following error: src/ssl_sock.c: In function 'ssl_sock_do_create_cert': src/ssl_sock.c:1096:7: warning: implicit declaration of function 'EVP_PKEY_get_default_digest_nid' if (EVP_PKEY_get_default_digest_nid(capkey, ) <= 0) [...] src/ssl_sock.c:1096: undefined reference to `EVP_PKEY_get_default_digest_nid' collect2: error: ld returned 1 exit status Makefile:760: recipe for target 'haproxy' failed make: *** [haproxy] Error 1 So we must add a #ifdef to check the OpenSSL version (>= 1.0.0) to use this function. It is used to get default signature digest associated to the private key used to sign generated X509 certificates. It is called when the private key differs than EVP_PKEY_RSA, EVP_PKEY_DSA and EVP_PKEY_EC. It should be enough for most of cases. --- src/ssl_sock.c | 4 1 file changed, 4 insertions(+) diff --git a/src/ssl_sock.c b/src/ssl_sock.c index 35a3edf..7c82464 100644 --- a/src/ssl_sock.c +++ b/src/ssl_sock.c 
@@ -1091,12 +1091,16 @@ ssl_sock_do_create_cert(const char *servername, unsigned int serial, else if (EVP_PKEY_type (capkey->type) == EVP_PKEY_EC) digest = EVP_sha256(); else { +#if (OPENSSL_VERSION_NUMBER >= 0x100fL) int nid; if (EVP_PKEY_get_default_digest_nid(capkey, ) <= 0) goto mkcert_error; if (!(digest = EVP_get_digestbynid(nid))) goto mkcert_error; +#else + goto mkcert_error; +#endif } if (!(X509_sign(newcrt, capkey, digest))) -- 2.4.3
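Review bot: The version guard in the `else` branch reads `OPENSSL_VERSION_NUMBER >= 0x100fL` as shown here, and that constant is smaller than every real OpenSSL version number (the 1.0.0 release is `0x1000000fL`, 0.9.8 is `0x0090800fL`), so the condition is also true on 0.9.8 and the call would still be compiled in; the comparison should be against `0x1000000fL` to match the "OpenSSL >= 1.0.0" stated in the commit message. The call inside the guard is shown as `EVP_PKEY_get_default_digest_nid(capkey, )` with no second argument, where `&nid` is expected given the `EVP_get_digestbynid(nid)` that follows. In the `#else` branch, the bare `goto mkcert_error` gives no indication of why certificate generation fails for a CA key that is not RSA, DSA or EC on older OpenSSL; a one-line comment there, or rejecting such a key before the rest of `ssl_sock_do_create_cert` does its setup, would make the fallback easier to follow.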
Re: Build failure of 1.6 and openssl 0.9.8
Hi Christopher, On Mon, Oct 19, 2015 at 03:05:05PM +0200, Christopher Faulet wrote: > Damned! I generated a huge amount of disturbances with my patches! Really > sorry for that. Shit happens sometimes. I had my hours of fame with option http-send-name-header merged in 1.4-stable years ago, and that was so badly designed that it still managed to cause a lot of trouble during 1.6-dev. > Add a #ifdef to check the OpenSSL version seems to be a good fix. I > don't know if there is a workaround to do the same than > EVP_PKEY_get_default_digest_nid() for old OpenSSL versions. I was unsure how the code was supposed to work given that two blocks were replaced by two others and I was unsure whether there was a dependence. So as long as we can fall back to the pre-patch behaviour I'm perfectly fine. > This function is used to get default signature digest associated to the > private key used to sign generated X509 certificates. It is called when > the private key differs than EVP_PKEY_RSA, EVP_PKEY_DSA and EVP_PKEY_EC. > It should be enough for most of cases (maybe all cases ?). OK great. > By the way, I attached a patch to fix the bug. Thank you. Marcus, can you confirm that it's OK for you with this fix so that I can merge it ? Thanks! Willy
[SPAM] Re: Build failure of 1.6 and openssl 0.9.8
On 2015-10-19 16:29:45 +0200, Willy Tarreau wrote: > On Mon, Oct 19, 2015 at 03:05:05PM +0200, Christopher Faulet wrote: > > Damned! I generated a huge amount of disturbances with my patches! Really > > sorry for that. > > Shit happens sometimes. I had my hours of fame with option > http-send-name-header merged in 1.4-stable years ago, and that was so badly > designed that it still managed to cause a lot of trouble during 1.6-dev. > > > Add a #ifdef to check the OpenSSL version seems to be a good fix. I > > don't know if there is a workaround to do the same than > > EVP_PKEY_get_default_digest_nid() for old OpenSSL versions. > > I was unsure how the code was supposed to work given that two blocks > were replaced by two others and I was unsure whether there was a > dependence. So as long as we can fall back to the pre-patch behaviour > I'm perfectly fine. > > > This function is used to get default signature digest associated to the > > private key used to sign generated X509 certificates. It is called when > > the private key differs than EVP_PKEY_RSA, EVP_PKEY_DSA and EVP_PKEY_EC. > > It should be enough for most of cases (maybe all cases ?). > > OK great. > > > By the way, I attached a patch to fix the bug. > > Thank you. Marcus, can you confirm that it's OK for you with this fix so > that I can merge it ? confirmed: compiles now. just for my understanding ... we do not hit the compile error we saw before with ssl_sock_switchctx_cbk now because jump out of the ssl_sock_prepare_ctx function early. my question would be ... could we jump out even earlier if we already know that we will fail? e.g. why create the private key and setting up the new x509 object if we already know it will fail? why not go to mkcert_error on top of the function? darix -- openSUSE - SUSE Linux is my linux openSUSE is good for you www.opensuse.org