Hi,
A while back, Lukas Tribus mentioned that HAproxy used quite a few
OpenSSL internals that were not going to be usable in the 1.1.x branch,
and that we had better take a look at it. As I currently have some
unexpected free time, here is a first attempt at fixing it.
This patch tries to make HAproxy compatible with the OpenSSL 1.1.x
branch, which is still in development, by using accessors instead of
directly using OpenSSL internals when possible, and replacing the use of
deprecated functions by the new ones.
There are still some issues left with this patch:
- in src/shctx.c, the context size increases because I didn't find a way
to alter the session_id_length and sid_ctx_length fields in the same way
it was done before;
- in ssl_sock_handshake(), we now have slightly less accurate SSL
handshake error messages, because I couldn't find how to retrieve the
information contained in ((SSL *)conn->xprt_ctx)->packet_length in a
clean way;
- in ssl_sock_load_ocsp_response(), we still access the certId field
from an OCSP_SINGLERESP struct, which is becoming opaque in 1.1. I
couldn't find an accessor for this field, so I proposed adding one in a
pull request to OpenSSL [1].
Of course these only occur when built against OpenSSL 1.1.x.
Any comment would be welcome!
Regards,
[1]: https://github.com/openssl/openssl/pull/334
--
Remi Gacogne