[Pkg-haproxy-maintainers] [PATCH] Add compatibility with OpenSSL 1.1.x
apoikos at debian.org
Thu Jun 30 12:30:53 UTC 2016
Hi Lukas, Remi,
On 22:22 Tue 26 Jan, Lukas Tribus wrote:
> > Date: Thu, 23 Jul 2015 16:58:51 +0200
> > Hi,
> > A while back, Lukas Tribus mentioned that HAproxy used quite a few
> > OpenSSL internals that were not going to be usable in the 1.1.x branch,
> > and that we would better take a look at it.
> another half year later ... first of all thanks for all this work!!
> FYI some build changes for OpenSSL 1.1.0 since last year are:
> > Deprecated interfaces can now be disabled at build time either relative to
> > the latest release via the "no-deprecated" Configure argument, or via
> > the "--api=1.1.0|1.0.0|0.9.8" option.
> > Application software can be compiled with -DOPENSSL_API_COMPAT=version
> > to ensure that features deprecated in that version are not exposed.
> So to expose haproxy to the 1.1.0 API, we can compile haproxy with:
> But even with all deprecated interfaces still enabled (which is default)
> the API changed and the build breaks (for example due to ).
> > This patch tries to make HAproxy compatible with the OpenSSL 1.1.x
> > branch, which is still in development, by using accessors instead of
> > directly using OpenSSL internals when possible, and replacing the use of
> > deprecated functions by the new ones.
> It appears the API changed quite a bit again, so we will probably have
> to go through this again :(
> > There are still some issues left with this patch:
> > - in src/shctx.c, the context size increases because I didn't find a way
> > to alter the session_id_length and sid_ctx_length fields in the same way
> > it was done before;
> > - in ssl_sock_handshake(), we have now slightly less accurate SSL
> > handshake error messages, because I couldn't find how to retrieve the
> > information contained in ((SSL *)conn->xprt_ctx)->packet_length in a
> > clean way;
> Since your work on this, new accessors have been included, they will
> hopefully help with the new breakages:
> ~/openssl$ git log --oneline --since="Jun 2015" | grep ccessor
> 213f60b Accessor update; fix API, document one.
> 9e5cd4b Add some accessors.
> e79f877 Make EVP_CIPHER opaque and add creator/destructor/accessor/writer functions
> 83b0634 Add accessors and writers for EVP_CIPHER_CTX
> 919ba00 DANE support structures, constructructors and accessors
> f8d7d2d EC_KEY_METHOD accessors.
> cf70b8f modify ecdsatest to use accessor
> 7236e3c Add ECDSA_SIG accessor.
> cc9d665 Have the few apps that accessed EVP_MD directly use accessors instead
> 6e59a89 Adjust all accesses to EVP_MD_CTX to use accessor functions.
> 699f163 Use accessors for X509_print_ex().
> 748118a Add new X509 accessors
> dd332ce Document signature accessors.
> 7880e14 Use accessors in X509_REQ_print().
> 32f5c25 Use accessor functions in X509_CRL_print().
> 1f143e0 New accessor X509_REQ_get_X509_PUBKEY()
> 835911b Additional X509_CRL accessors.
> dc29030 Add accessors for X509_REVOKED.
> a9732d0 Add accessors for request and CRL signatures
> e7451ed EVP_PKEY_METHOD accessor functions.
> > - in ssl_sock_load_ocsp_response(), we still access the certId field
> > from a OCSP_SINGLERESP struct, which is becoming opaque in 1.1. I
> > couldn't find an accessor for this field so I proposed to add one in a
> > pull request to OpenSSL.
> Apparently they also want a ticket on their bug tracker, which is
> what I did, and your patch is now in master.
> So we can assume (OPENSSL_VERSION_NUMBER >= 0x10100000L) that your
> accessor is there.
> Do you think we will need additional accessors?
> First beta (= API freeze) is planned for 3rd March 2016.
>  https://github.com/openssl/openssl/pull/334
>  https://www.openssl.org/news/openssl-1.1.0-notes.html
>  http://openssl.org/community/#bugs
>  https://rt.openssl.org/Ticket/Display.html?user=guest&pass=guest&id=4251
>  https://github.com/openssl/openssl/commit/9e5cd4bac777e27ebcdc9aa411f0a63c27500468
>  https://github.com/openssl/openssl/commit/7f572e958b13041056f377a62d3219633cfb1e8a
>  https://www.openssl.org/policies/releasestrat.html
I just wanted to revive this thread, since OpenSSL 1.1.0 is apparently
about to be released. We already have an open bug in Debian about
HAProxy failing to build against 1.1.0, together with a log of the
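
As an added illustration of the version guard Lukas mentions above,
(OPENSSL_VERSION_NUMBER >= 0x10100000L), and of the values that Configure
--api=1.1.0|1.0.0|0.9.8 and -DOPENSSL_API_COMPAT take, here is a small
Python decoder for OpenSSL's 0xMNNFFPPS version encoding. This is not code
from this thread, from HAProxy or from OpenSSL; the function names are
made up for the example, and it reads the number from Python's ssl module
only to show what the interpreter's own libssl reports.

```python
"""Decode OpenSSL's OPENSSL_VERSION_NUMBER (0xMNNFFPPS) and evaluate
build-time guards such as (OPENSSL_VERSION_NUMBER >= 0x10100000L).

Added example for this thread; not HAProxy or OpenSSL code. The function
names below are hypothetical, chosen for this illustration only.
"""
import ssl

STATUS_DEV = 0x0       # S nibble: development snapshot
STATUS_RELEASE = 0xF   # S nibble: final release; 0x1..0xE mean beta N


def decode_version_number(n: int) -> dict:
    """Split OPENSSL_VERSION_NUMBER into its fields.

    1.x layout is 0xMNNFFPPS: M = major, NN = minor, FF = fix,
    PP = patch letter (0 = none, 1 = 'a', 2 = 'b', ...),
    S = status (0 = dev, 1..14 = beta N, 15 = release).
    """
    if not 0 <= n <= 0xFFFFFFFF:
        raise ValueError("OPENSSL_VERSION_NUMBER must be a 32-bit value")
    return {
        "major": (n >> 28) & 0xF,
        "minor": (n >> 20) & 0xFF,
        "fix": (n >> 12) & 0xFF,
        "patch": (n >> 4) & 0xFF,
        "status": n & 0xF,
    }


def format_version(n: int) -> str:
    """Render the number the way OpenSSL names builds:
    0x1000207f -> '1.0.2g', 0x10100001 -> '1.1.0-pre1', 0x10100000 -> '1.1.0-dev'."""
    v = decode_version_number(n)
    if v["major"] >= 3:
        # OpenSSL 3.x keeps the macro as 0xMNN00PP0L with a numeric patch field
        # (assumption stated here because 3.x is outside the thread's scope).
        text = f"{v['major']}.{v['minor']}.{v['patch']}"
    else:
        text = f"{v['major']}.{v['minor']}.{v['fix']}"
        if v["patch"]:
            text += chr(ord("a") + v["patch"] - 1)
    if v["status"] == STATUS_DEV:
        text += "-dev"
    elif v["status"] != STATUS_RELEASE:
        text += f"-pre{v['status']}"
    return text


def api_level(version: str) -> int:
    """Encode a dotted API level ('1.1.0', '1.0.0', '0.9.8') the way the
    Configure --api= option and -DOPENSSL_API_COMPAT expect it: patch and
    status nibbles are zero, so 1.1.0 becomes 0x10100000."""
    parts = version.split(".")
    if len(parts) != 3:
        raise ValueError(f"expected MAJOR.MINOR.FIX, got {version!r}")
    major, minor, fix = (int(p) for p in parts)
    if not (0 <= major <= 0xF and 0 <= minor <= 0xFF and 0 <= fix <= 0xFF):
        raise ValueError(f"field out of range in {version!r}")
    return (major << 28) | (minor << 20) | (fix << 12)


def has_api(version_number: int, api: str) -> bool:
    """Mirror the preprocessor guard (OPENSSL_VERSION_NUMBER >= 0xMNNFF000L).
    Because the threshold's patch and status nibbles are zero, the guard is
    already true for -dev and -preN builds of that line, not only releases."""
    return version_number >= api_level(api)


if __name__ == "__main__":
    n = ssl.OPENSSL_VERSION_NUMBER  # what this interpreter's libssl reports
    print(f"linked OpenSSL: {format_version(n)} (0x{n:08x})")
    print("1.1.0 accessor API assumed present:", has_api(n, "1.1.0"))
```

Run directly, it prints the version Python was linked against and whether
the 1.1.0 guard would fire. The detail worth keeping in mind when writing
such guards is that 0x10100000L has zero patch and status nibbles, so the
check is true on every 1.1.0 snapshot and pre-release as well as the final
release, which is exactly what makes the "your accessor is there" reasoning
above hold for master builds.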