Re: [PATCH] change BoringSSL emulated version back to 1.1.0

2020-10-19 Thread Илья Шипицин
I've just tested; this patch is required for 2.1 as well (it was applied
today for 2.2 and master)


Sun, 18 Oct 2020 at 09:14, Илья Шипицин :

> this is only for master
>
> Sun, 18 Oct 2020 at 09:04, Илья Шипицин :
>
>> Hi,
>>
>> this is a straightforward patch, which is supposed to be backported to all
>> versions.
>> master also requires another small patch, will be sent later.
>>
>> cheers,
>> Ilya
>>
>


Re: [PATCH] change BoringSSL emulated version back to 1.1.0

2020-10-19 Thread Илья Шипицин
Mon, 19 Oct 2020 at 13:18, William Lallemand :

> On Sun, Oct 18, 2020 at 09:04:51AM +0500, Илья Шипицин wrote:
> > Hi,
> >
> > this is a straightforward patch, which is supposed to be backported to all
> > versions.
> > master also requires another small patch, will be sent later.
> >
> > cheers,
> > Ilya
>
> > From 8cec1c658607a1370bd87682717f5f6512f242d6 Mon Sep 17 00:00:00 2001
> > From: Ilya Shipitsin 
> > Date: Sun, 18 Oct 2020 08:55:39 +0500
> > Subject: [PATCH] BUILD: ssl: make BoringSSL use its own version numbers
> >
> > BoringSSL is a fork of OpenSSL 1.1.0, however in
> > 49e9f67d8b7cbeb3953b5548ad1009d15947a523 it has changed version to 1.1.1.
> >
> > This must be backported to 2.2, 2.1, 2.0, 1.8
> > ---
> >  include/haproxy/openssl-compat.h | 6 ++
> >  1 file changed, 6 insertions(+)
> >
> > diff --git a/include/haproxy/openssl-compat.h
> b/include/haproxy/openssl-compat.h
> > index acdc9c5bc..d9affa227 100644
> > --- a/include/haproxy/openssl-compat.h
> > +++ b/include/haproxy/openssl-compat.h
> > @@ -31,6 +31,12 @@
> >   * extra features with ORs and not with AND NOT.
> >   */
> >  #define HA_OPENSSL_VERSION_NUMBER 0x1000107fL
> > +#elif defined(OPENSSL_IS_BORINGSSL)
> > +/*
> > + * in 49e9f67d8b7cbeb3953b5548ad1009d15947a523 BoringSSL has changed
> its version to 1.1.1
> > + * Let's switch it back to 1.1.0
> > + */
> > +#define HA_OPENSSL_VERSION_NUMBER 0x1010007f
> >  #else /* this is for a real OpenSSL or a truly compatible derivative */
> >  #define HA_OPENSSL_VERSION_NUMBER OPENSSL_VERSION_NUMBER
> >  #endif
>
> Hello,
>
> That's interesting to make it build with relatively new versions of
> boringSSL. But it does not activate TLSv1.3 keywords and features this
> way.
>
> That should probably be enough for backporting in previous versions
> though.
>


Yes. In master we can revisit it soon.


>
> --
> William Lallemand
>


Re: [PATCH] change BoringSSL emulated version back to 1.1.0

2020-10-19 Thread William Lallemand
On Sun, Oct 18, 2020 at 09:04:51AM +0500, Илья Шипицин wrote:
> Hi,
> 
> this is a straightforward patch, which is supposed to be backported to all
> versions.
> master also requires another small patch, will be sent later.
> 
> cheers,
> Ilya

> From 8cec1c658607a1370bd87682717f5f6512f242d6 Mon Sep 17 00:00:00 2001
> From: Ilya Shipitsin 
> Date: Sun, 18 Oct 2020 08:55:39 +0500
> Subject: [PATCH] BUILD: ssl: make BoringSSL use its own version numbers
> 
> BoringSSL is a fork of OpenSSL 1.1.0, however in
> 49e9f67d8b7cbeb3953b5548ad1009d15947a523 it has changed version to 1.1.1.
> 
> This must be backported to 2.2, 2.1, 2.0, 1.8
> ---
>  include/haproxy/openssl-compat.h | 6 ++
>  1 file changed, 6 insertions(+)
> 
> diff --git a/include/haproxy/openssl-compat.h 
> b/include/haproxy/openssl-compat.h
> index acdc9c5bc..d9affa227 100644
> --- a/include/haproxy/openssl-compat.h
> +++ b/include/haproxy/openssl-compat.h
> @@ -31,6 +31,12 @@
>   * extra features with ORs and not with AND NOT.
>   */
>  #define HA_OPENSSL_VERSION_NUMBER 0x1000107fL
> +#elif defined(OPENSSL_IS_BORINGSSL)
> +/*
> + * in 49e9f67d8b7cbeb3953b5548ad1009d15947a523 BoringSSL has changed its 
> version to 1.1.1
> + * Let's switch it back to 1.1.0
> + */
> +#define HA_OPENSSL_VERSION_NUMBER 0x1010007f
>  #else /* this is for a real OpenSSL or a truly compatible derivative */
>  #define HA_OPENSSL_VERSION_NUMBER OPENSSL_VERSION_NUMBER
>  #endif
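Review bot: `0x1010007f` is missing the `L` suffix that the `0x1000107fL` define two lines above carries; add it so HA_OPENSSL_VERSION_NUMBER has the same integer type in every branch of this `#if` chain. Note also that 0x1010007f is the OpenSSL 1.1.0g number rather than plain 1.1.0 (the patch byte is 0x07, i.e. "g"), so the comment could say 1.1.0g if that exact value is intended, and the subject line "make BoringSSL use its own version numbers" describes the opposite of what the hunk does, which is to pin the emulated version; wording it the way the mail subject does ("change BoringSSL emulated version back to 1.1.0") would avoid confusion in the git log.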

Hello,

That's interesting to make it build with relatively new versions of
boringSSL. But it does not activate TLSv1.3 keywords and features this
way.

That should probably be enough for backporting in previous versions
though.

-- 
William Lallemand
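William's point is that pinning HA_OPENSSL_VERSION_NUMBER to a 1.1.0 value makes the build succeed but leaves every ">= 1.1.1" compile-time gate (the TLS 1.3 keywords among them) closed. The small C program below is an added example, not code from the thread or from haproxy: it decodes the OpenSSL-style 0xMNNFFPPS version layout that the numbers in the quoted hunk follow, prints what each of them actually means, and evaluates a hypothetical TLS 1.3 gate against them. The `tls13_gate_open` function and its 0x10101000L threshold are assumptions modelled on the way such version checks are usually written, not haproxy's own macro.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/*
 * Added example (not haproxy code): decode the OpenSSL "0xMNNFFPPS"
 * version-number layout (major nibble, minor byte, fix byte, patch byte,
 * status nibble) that HA_OPENSSL_VERSION_NUMBER follows.
 */
struct ossl_ver {
	unsigned major, minor, fix, patch, status;
};

struct ossl_ver ossl_decode(unsigned long v)
{
	struct ossl_ver r;

	r.major  = (unsigned)((v >> 28) & 0xf);
	r.minor  = (unsigned)((v >> 20) & 0xff);
	r.fix    = (unsigned)((v >> 12) & 0xff);
	r.patch  = (unsigned)((v >>  4) & 0xff);
	r.status = (unsigned)(v & 0xf);
	return r;
}

/* Render as "1.0.1g", "1.1.0g" or "1.1.1-dev"; returns a static buffer. */
const char *ossl_format(unsigned long v)
{
	static char buf[32];
	struct ossl_ver r = ossl_decode(v);
	char letter[2] = { 0, 0 };

	/* patch 1..26 is the a..z letter suffix used by 1.0.x / 1.1.x releases */
	if (r.patch >= 1 && r.patch <= 26)
		letter[0] = (char)('a' + r.patch - 1);

	/* status 0xf is a release; anything lower is a dev/beta build */
	snprintf(buf, sizeof(buf), "%u.%u.%u%s%s",
	         r.major, r.minor, r.fix, letter,
	         r.status == 0xf ? "" : "-dev");
	return buf;
}

/*
 * Hypothetical gate in the style of a compile-time ">= 1.1.1" check.
 * Assumption: haproxy compares HA_OPENSSL_VERSION_NUMBER against the
 * OpenSSL 1.1.1 number for its TLS 1.3 keywords; this is not its code.
 */
bool tls13_gate_open(unsigned long ha_version)
{
	return ha_version >= 0x10101000UL; /* 1.1.1-dev and later */
}

int main(void)
{
	/* constructed inputs: the two defines quoted in the hunk plus the assumed threshold */
	const unsigned long samples[] = {
		0x1000107fUL, /* first #define in the quoted hunk */
		0x1010007fUL, /* value the patch pins BoringSSL to */
		0x10101000UL, /* assumed TLS 1.3 threshold (OpenSSL 1.1.1) */
	};
	size_t i;

	for (i = 0; i < sizeof(samples) / sizeof(samples[0]); i++)
		printf("0x%08lx  %-10s  tls13 gate: %s\n", samples[i],
		       ossl_format(samples[i]),
		       tls13_gate_open(samples[i]) ? "open" : "closed");
	return 0;
}
```

Run as-is it shows that the pinned value decodes to 1.1.0g, which sits below the assumed 1.1.1 threshold, so any feature gated on that comparison stays compiled out even though BoringSSL itself implements TLS 1.3.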



Re: [PATCH] change BoringSSL emulated version back to 1.1.0

2020-10-17 Thread Илья Шипицин
this is only for master

Sun, 18 Oct 2020 at 09:04, Илья Шипицин :

> Hi,
>
> this is a straightforward patch, which is supposed to be backported to all
> versions.
> master also requires another small patch, will be sent later.
>
> cheers,
> Ilya
>
From b34b5ccd8ef31924b9a9d41bc87244baad55c589 Mon Sep 17 00:00:00 2001
From: Ilya Shipitsin 
Date: Sun, 18 Oct 2020 09:11:50 +0500
Subject: [PATCH] MINOR: disable dynamic OCSP load with BoringSSL

it was accidentally enabled on BoringSSL while
actually it is not supported
---
 src/ssl_sock.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/src/ssl_sock.c b/src/ssl_sock.c
index cce06cd62..69d76b05d 100644
--- a/src/ssl_sock.c
+++ b/src/ssl_sock.c
@@ -1278,7 +1278,7 @@ int ssl_sock_ocsp_stapling_cbk(SSL *ssl, void *arg)
 
 #endif
 
-#if ((defined SSL_CTRL_SET_TLSEXT_STATUS_REQ_CB && !defined OPENSSL_NO_OCSP) || defined OPENSSL_IS_BORINGSSL)
+#if ((defined SSL_CTRL_SET_TLSEXT_STATUS_REQ_CB && !defined OPENSSL_NO_OCSP) && !defined OPENSSL_IS_BORINGSSL)
 
 
 /*
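Review bot: the guard now reads `((A && !B) && !C)` and exactly the same expression is repeated in the second hunk of this patch (in ssl_sock_put_ckch_into_ctx); consider folding it into one feature macro in include/haproxy/openssl-compat.h, the header the companion patch already touches, so the two `#if`s cannot drift apart. On the commit message: the subject uses `MINOR:` without the `ssl:` subsystem tag that the companion patch carries (`BUILD: ssl:`), and since the body says nothing about backporting while the mail says this one is master-only, stating that explicitly would save the maintainers a question.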
@@ -3137,7 +3137,7 @@ static int ssl_sock_put_ckch_into_ctx(const char *path, const struct cert_key_an
 	}
 #endif
 
-#if ((defined SSL_CTRL_SET_TLSEXT_STATUS_REQ_CB && !defined OPENSSL_NO_OCSP) || defined OPENSSL_IS_BORINGSSL)
+#if ((defined SSL_CTRL_SET_TLSEXT_STATUS_REQ_CB && !defined OPENSSL_NO_OCSP) && !defined OPENSSL_IS_BORINGSSL)
 	/* Load OCSP Info into context */
 	if (ckch->ocsp_response) {
 		if (ssl_sock_load_ocsp(ctx, ckch, find_chain) < 0) {
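Review bot: with this block compiled out on BoringSSL, a certificate that ships an OCSP response may still set `ckch->ocsp_response`, but the `ssl_sock_load_ocsp()` call is now skipped silently; check that the code populating `ckch->ocsp_response` sits under the same guard, or emit a warning on BoringSSL builds, so an operator who configured stapling notices that it is not in effect rather than assuming it is.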
-- 
2.26.2