On Mar 19, 2012, at 6:09 AM, Igor Galić wrote: > > Sorry for the late review! > Sick/work/blah. > > > ----- Original Message ----- >> TS-462: Configure checks for ServerNameIndication >> >> >> Project: http://git-wip-us.apache.org/repos/asf/trafficserver/repo >> Commit: >> http://git-wip-us.apache.org/repos/asf/trafficserver/commit/cad0e9b5 >> Tree: >> http://git-wip-us.apache.org/repos/asf/trafficserver/tree/cad0e9b5 >> Diff: >> http://git-wip-us.apache.org/repos/asf/trafficserver/diff/cad0e9b5 >> >> Branch: refs/heads/master >> Commit: cad0e9b529337ee70b52235be9065e73820c157e >> Parents: f67290f >> Author: James Peach <jpe...@apache.org> >> Authored: Wed Feb 29 22:11:40 2012 -0800 >> Committer: James Peach <jpe...@apache.org> >> Committed: Tue Mar 13 20:33:15 2012 -0700 >> >> ---------------------------------------------------------------------- >> build/crypto.m4 | 39 >> +++++++++++++++++++++++++++++++++++++++ >> configure.ac | 4 ++++ >> lib/ts/ink_config.h.in | 1 + >> 3 files changed, 44 insertions(+), 0 deletions(-) >> ---------------------------------------------------------------------- >> >> >> http://git-wip-us.apache.org/repos/asf/trafficserver/blob/cad0e9b5/build/crypto.m4 >> ---------------------------------------------------------------------- >> diff --git a/build/crypto.m4 b/build/crypto.m4 >> index 5cdc80a..3cee32f 100644 >> --- a/build/crypto.m4 >> +++ b/build/crypto.m4 
>> @@ -124,3 +124,42 @@ AC_DEFUN([TS_CHECK_CRYPTO_NEXTPROTONEG], [ >> TS_ARG_ENABLE_VAR([use], [tls-npn]) >> AC_SUBST(use_tls_npn) >> ]) >> + >> +AC_DEFUN([TS_CHECK_CRYPTO_SNI], [ >> + _sni_saved_LIBS=$LIBS >> + enable_tls_sni=yes >> + >> + TS_ADDTO(LIBS, [$LIBSSL]) >> + AC_CHECK_HEADERS(openssl/tls1.h openssl/ssl.h) >> + # We are looking for SSL_CTX_set_tlsext_servername_callback, but >> it's a >> + # macro, so AC_CHECK_FUNCS is not going to do the business. >> + AC_MSG_CHECKING([for SSL_CTX_set_tlsext_servername_callback]) >> + AC_COMPILE_IFELSE( >> + [ >> + AC_LANG_PROGRAM([[ >> +#if HAVE_OPENSSL_SSL_H >> +#include <openssl/ssl.h> >> +#endif >> +#if HAVE_OPENSSL_TLS1_H >> +#include <openssl/tls1.h> >> +#endif >> + ]], >> + [[SSL_CTX_set_tlsext_servername_callback(NULL, NULL);]]) >> + ], >> + [ >> + AC_MSG_RESULT([yes]) >> + ], >> + [ >> + AC_MSG_RESULT([no]) >> + enable_tls_sni=no >> + ]) >> + >> + AC_CHECK_FUNCS(SSL_get_servername, [], [enable_tls_sni=no]) >> + >> + LIBS=$_sni_saved_LIBS >> + >> + AC_MSG_CHECKING(whether to enable ServerNameIndication TLS >> extension support) >> + AC_MSG_RESULT([$enable_tls_sni]) >> + TS_ARG_ENABLE_VAR([use], [tls-sni]) >> + AC_SUBST(use_tls_sni) >> +]) > > > This seems like overkill. > All you'd have to do is surround your changes in the code with > > #ifndef OPENSSL_NO_TLSEXT > > At least that's how httpd does it: > > http://svn.apache.org/viewvc/httpd/httpd/trunk/modules/ssl/ssl_engine_init.c?view=markup#l495
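Review bot: the `AC_COMPILE_IFELSE` probe for `SSL_CTX_set_tlsext_servername_callback` never records a cache variable, so `./configure -C` repeats the compile test on every run while the neighbouring `AC_CHECK_HEADERS` and `AC_CHECK_FUNCS` results are cached; wrapping the probe in `AC_CACHE_CHECK` with a `ts_cv_`-style variable would make it consistent with the rest of the file. Two smaller points in the same hunk: `AC_MSG_CHECKING(whether to enable ServerNameIndication TLS extension support)` is the only `AC_MSG_*` call here with unquoted arguments, unlike `AC_MSG_CHECKING([for SSL_CTX_set_tlsext_servername_callback])` just above it; and the `AC_CHECK_FUNCS(SSL_get_servername, ...)` link test only succeeds because `TS_ADDTO(LIBS, [$LIBSSL])` ran first, so the macro silently depends on `LIBSSL` having been populated by an earlier crypto check, which deserves a one-line comment next to the `_sni_saved_LIBS` save/restore. Otherwise the logic fails closed as intended: a missing header, a missing macro (including an `OPENSSL_NO_TLSEXT` build) or an unresolvable `SSL_get_servername` each force `enable_tls_sni=no`, which is strictly more information than the bare `#ifndef OPENSSL_NO_TLSEXT` guard covers.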
Yeah, zwoop has the same comment, but I didn't think it was worth changing. It's overkill, but still correct. J