Re: [PATCH v2] BUILD: SSL: function "ERR_func_error_string" is deprecated in OpenSSL-3.0.0

2021-10-19 Thread Илья Шипицин
similar patchset

https://patchwork.openvpn.net/project/openvpn2/list/?series=1309

Willy, please forward to SSL support team

Thu, 7 Oct 2021 at 14:08, Илья Шипицин:

>
>
> Thu, 7 Oct 2021 at 12:49, Willy Tarreau:
>
>> On Thu, Oct 07, 2021 at 11:30:54AM +0500, Илья Шипицин wrote:
>> > > Just thinking about something, given that the new API was already adopted
>> > > by BoringSSL and will probably be at some point in time by LibreSSL, would
>> > > it not be better to have a single macro "HA_SSL_USE_API_V3" or something
>> > > like this that we set based on the various libs' versions, and rely on this
>> > > one for all other defines ? I think it could significantly simplify the
>> > > porting to other libs and avoid a real mess with version numbers
>> > > everywhere.
>> > >
>> >
>> > even BoringSSL states "it adopted upstream changes", it is different in
>> > details, for example ERR_func_error_string
>> > is not deprecated in BoringSSL.
>> >
>> > Well, there might be a common divisor of course. I'll keep an eye on it :)
>> >
>> > as for this particular patch, it is openssl specific (at least now)
>>
>> OK. I'll let the SSL maintainers deal with this.
>>
>
> I set up Fedora Rawhide builds.
> Fedora now uses openssl-3.0.0, all builds are bloody murder:
>
> fedora_clang (#1657157053) · Jobs · Ilya Shipitsin / haproxy-ci-playground
> · GitLab
> 
>
>
>
>>
>> Thanks!
>> Willy
>>
>


Re: [PATCH v2] BUILD: SSL: function "ERR_func_error_string" is deprecated in OpenSSL-3.0.0

2021-10-07 Thread Илья Шипицин
Thu, 7 Oct 2021 at 12:49, Willy Tarreau:

> On Thu, Oct 07, 2021 at 11:30:54AM +0500, Илья Шипицин wrote:
> > > Just thinking about something, given that the new API was already adopted
> > > by BoringSSL and will probably be at some point in time by LibreSSL, would
> > > it not be better to have a single macro "HA_SSL_USE_API_V3" or something
> > > like this that we set based on the various libs' versions, and rely on this
> > > one for all other defines ? I think it could significantly simplify the
> > > porting to other libs and avoid a real mess with version numbers
> > > everywhere.
> > >
> >
> > even BoringSSL states "it adopted upstream changes", it is different in
> > details, for example ERR_func_error_string
> > is not deprecated in BoringSSL.
> >
> > Well, there might be a common divisor of course. I'll keep an eye on it :)
> >
> > as for this particular patch, it is openssl specific (at least now)
>
> OK. I'll let the SSL maintainers deal with this.
>

I set up Fedora Rawhide builds.
Fedora now uses openssl-3.0.0, all builds are bloody murder:

fedora_clang (#1657157053) · Jobs · Ilya Shipitsin / haproxy-ci-playground
· GitLab




>
> Thanks!
> Willy
>


Re: [PATCH v2] BUILD: SSL: function "ERR_func_error_string" is deprecated in OpenSSL-3.0.0

2021-10-07 Thread Willy Tarreau
On Thu, Oct 07, 2021 at 11:30:54AM +0500, Илья Шипицин wrote:
> > Just thinking about something, given that the new API was already adopted
> > by BoringSSL and will probably be at some point in time by LibreSSL, would
> > it not be better to have a single macro "HA_SSL_USE_API_V3" or something
> > like this that we set based on the various libs' versions, and rely on this
> > one for all other defines ? I think it could significantly simplify the
> > porting to other libs and avoid a real mess with version numbers
> > everywhere.
> >
> 
> even BoringSSL states "it adopted upstream changes", it is different in
> details, for example ERR_func_error_string
> is not deprecated in BoringSSL.
> 
> Well, there might be a common divisor of course. I'll keep an eye on it :)
> 
> as for this particular patch, it is openssl specific (at least now)

OK. I'll let the SSL maintainers deal with this.

Thanks!
Willy



Re: [PATCH v2] BUILD: SSL: function "ERR_func_error_string" is deprecated in OpenSSL-3.0.0

2021-10-07 Thread Илья Шипицин
Thu, 7 Oct 2021 at 10:58, Willy Tarreau:

> Hi Ilya,
>
> On Wed, Oct 06, 2021 at 11:26:13PM +0500, Ilya Shipitsin wrote:
> > +/* ERR_func_error_string is deprecated in OpenSSL-3.0.0 */
> > +#if (OPENSSL_VERSION_NUMBER >= 0x3000L)
> > +#define HA_ERR_func_error_string(ret) "OPENSSL_internal"
> > +#else
> > +#define HA_ERR_func_error_string(ret) ERR_func_error_string(ret)
> > +#endif
>
> Just thinking about something, given that the new API was already adopted
> by BoringSSL and will probably be at some point in time by LibreSSL, would
> it not be better to have a single macro "HA_SSL_USE_API_V3" or something
> like this that we set based on the various libs' versions, and rely on this
> one for all other defines ? I think it could significantly simplify the
> porting to other libs and avoid a real mess with version numbers
> everywhere.
>

even BoringSSL states "it adopted upstream changes", it is different in
details, for example ERR_func_error_string
is not deprecated in BoringSSL.

Well, there might be a common divisor of course. I'll keep an eye on it :)

as for this particular patch, it is openssl specific (at least now)



>
> Just my two cents,
> Willy
>


Re: [PATCH v2] BUILD: SSL: function "ERR_func_error_string" is deprecated in OpenSSL-3.0.0

2021-10-06 Thread Willy Tarreau
Hi Ilya,

On Wed, Oct 06, 2021 at 11:26:13PM +0500, Ilya Shipitsin wrote:
> +/* ERR_func_error_string is deprecated in OpenSSL-3.0.0 */
> +#if (OPENSSL_VERSION_NUMBER >= 0x3000L)
> +#define HA_ERR_func_error_string(ret) "OPENSSL_internal"
> +#else
> +#define HA_ERR_func_error_string(ret) ERR_func_error_string(ret)
> +#endif

Just thinking about something, given that the new API was already adopted
by BoringSSL and will probably be at some point in time by LibreSSL, would
it not be better to have a single macro "HA_SSL_USE_API_V3" or something
like this that we set based on the various libs' versions, and rely on this
one for all other defines ? I think it could significantly simplify the
porting to other libs and avoid a real mess with version numbers everywhere.

Just my two cents,
Willy



[PATCH v2] BUILD: SSL: function "ERR_func_error_string" is deprecated in OpenSSL-3.0.0

2021-10-06 Thread Ilya Shipitsin
 let us prepare for using OpenSSL-3.0.0 in no deprecation mode
---
 include/haproxy/openssl-compat.h | 7 +++
 src/ssl_sock.c   | 2 +-
 2 files changed, 8 insertions(+), 1 deletion(-)

diff --git a/include/haproxy/openssl-compat.h b/include/haproxy/openssl-compat.h
index 17d073d51..1b7272636 100644
--- a/include/haproxy/openssl-compat.h
+++ b/include/haproxy/openssl-compat.h
@@ -41,6 +41,13 @@
 #define OpenSSL_version_num SSLeay
 #endif
 
+/* ERR_func_error_string is deprecated in OpenSSL-3.0.0 */
+#if (OPENSSL_VERSION_NUMBER >= 0x3000L)
+#define HA_ERR_func_error_string(ret) "OPENSSL_internal"
+#else
+#define HA_ERR_func_error_string(ret) ERR_func_error_string(ret)
+#endif
+
 #if (defined(LIBRESSL_VERSION_NUMBER) && LIBRESSL_VERSION_NUMBER >= 
0x2070100fL) || defined(OPENSSL_IS_BORINGSSL) || 
(!defined(LIBRESSL_VERSION_NUMBER) && (OPENSSL_VERSION_NUMBER >= 0x1010L))
 #define HAVE_SSL_EXTRACT_RANDOM
 #endif
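Review bot: the guard on the second added line, (OPENSSL_VERSION_NUMBER >= 0x3000L), compares against 0x3000 as shown here, while OpenSSL 3.0.0 reports OPENSSL_VERSION_NUMBER as 0x30000000L. With the constant as written, 1.x releases (1.1.1 is 0x1010100fL) would also take the "OPENSSL_internal" branch and lose the real function name. The context line below the addition carries a similarly short constant (0x1010L), so the digits may have been lost when the archive rendered the mail; please confirm the applied patch uses 0x30000000L. The comment could also state that the string is a placeholder, since the ret argument is ignored in that branch.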
diff --git a/src/ssl_sock.c b/src/ssl_sock.c
index 8be8c6fde..a7505e5a9 100644
--- a/src/ssl_sock.c
+++ b/src/ssl_sock.c
@@ -606,7 +606,7 @@ static forceinline void ssl_sock_dump_errors(struct 
connection *conn)
return;
fprintf(stderr, "fd[%#x] OpenSSL error[0x%lx] %s: %s\n",
conn->handle.fd, ret,
-   ERR_func_error_string(ret), 
ERR_reason_error_string(ret));
+   HA_ERR_func_error_string(ret), 
ERR_reason_error_string(ret));
}
}
 }
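Review bot: at the fprintf call in ssl_sock_dump_errors, builds that take the new macro branch always print the fixed text "OPENSSL_internal" for the first %s, so that field no longer helps tell one error line from another. Consider printing ERR_lib_error_string(ret) there, which is not deprecated in 3.0, or dropping the field from the format string on those builds. Separately, ERR_reason_error_string(ret) is passed straight to %s on the same line and can return NULL for an unregistered code, which is worth guarding while this line is being touched.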
-- 
2.29.2.windows.2