Hi Remi!
(previous mail got messed up by the mailer again, sorry about that)

> Date: Thu, 23 Jul 2015 16:58:51 +0200
>
> Hi,
>
> A while back, Lukas Tribus mentioned that HAproxy used quite a few
> OpenSSL internals that were not going to be usable in the 1.1.x branch,
> and that we would better take a look at it.

another half year later ... first of all thanks for all this work!!

FYI some build changes for OpenSSL 1.1.0 since last year are [2]:

> Deprecated interfaces can now be disabled at build time either relative to
> the latest release via the "no-deprecated" Configure argument, or via
> the "--api=1.1.0|1.0.0|0.9.8" option.

and:

> Application software can be compiled with -DOPENSSL_API_COMPAT=version
> to ensure that features deprecated in that version are not exposed.

So to expose haproxy to the 1.1.0 API, we can compile haproxy with:

DEFINE="-DOPENSSL_API_COMPAT=0x10100000L"

But even with all deprecated interfaces still enabled (which is default)
the API changed and the build breaks (for example due to [6]).

> This patch tries to make HAproxy compatible with the OpenSSL 1.1.x
> branch, which is still in development, by using accessors instead of
> directly using OpenSSL internals when possible, and replacing the use of
> deprecated functions by the new ones.

It appears the API changed quite a bit again, so we will probably have
to go through this again :(

> There are still some issues left with this patch:
>
> - in src/shctx.c, the context size increases because I didn't find a way
> to alter the session_id_length and sid_ctx_length fields in the same way
> it was done before ;
> - in ssl_sock_handshake(), we have now slightly less accurate SSL
> handshake error messages, because I couldn't find how to retrieve the
> information contained in ((SSL *)conn->xprt_ctx)->packet_length in a
> clean way ;

Since your work on this, new accessors have been included, they will
hopefully help with the new breakages:

~/openssl$ git log --oneline --since="Jun 2015" | grep ccessor
213f60b Accessor update; fix API, document one.
9e5cd4b Add some accessors.
e79f877 Make EVP_CIPHER opaque and add creator/destructor/accessor/writer functions
83b0634 Add accessors and writers for EVP_CIPHER_CTX
919ba00 DANE support structures, constructructors and accessors
f8d7d2d EC_KEY_METHOD accessors.
cf70b8f modify ecdsatest to use accessor
7236e3c Add ECDSA_SIG accessor.
cc9d665 Have the few apps that accessed EVP_MD directly use accessors instead
6e59a89 Adjust all accesses to EVP_MD_CTX to use accessor functions.
699f163 Use accessors for X509_print_ex().
748118a Add new X509 accessors
dd332ce Document signature accessors.
7880e14 Use accessors in X509_REQ_print().
32f5c25 Use accessor functions in X509_CRL_print().
1f143e0 New accessor X509_REQ_get_X509_PUBKEY()
835911b Additional X509_CRL accessors.
dc29030 Add accessors for X509_REVOKED.
a9732d0 Add accessors for request and CRL signatures
e7451ed EVP_PKEY_METHOD accessor functions.
~/openssl$

> - in ssl_sock_load_ocsp_response(), we still access the certId field
> from an OCSP_SINGLERESP struct, which is becoming opaque in 1.1. I
> couldn't find an accessor for this field so I proposed to add one in a
> pull request to OpenSSL [1].

Apparently [3] they also want a ticket on their bug tracker, which is
what I did [4], and your patch is now in master [5].

So we can assume (OPENSSL_VERSION_NUMBER >= 0x10100000L) that your
accessor is there.

Do you think we will need additional accessors? First beta (= API
freeze) is planned for 3rd March 2016 [7].

cheers,
lukas

[1] https://github.com/openssl/openssl/pull/334
[2] https://www.openssl.org/news/openssl-1.1.0-notes.html
[3] http://openssl.org/community/#bugs
[4] https://rt.openssl.org/Ticket/Display.html?user=guest&pass=guest&id=4251
[5] https://github.com/openssl/openssl/commit/9e5cd4bac777e27ebcdc9aa411f0a63c27500468
[6] https://github.com/openssl/openssl/commit/7f572e958b13041056f377a62d3219633cfb1e8a
[7] https://www.openssl.org/policies/releasestrat.html
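The mail above uses the value 0x10100000L twice: once for -DOPENSSL_API_COMPAT and once as the OPENSSL_VERSION_NUMBER guard under which the new accessor can be assumed present. The following is an added example, not code from this thread, from HAProxy or from OpenSSL: it decodes the 0xMNNFFPPS layout that opensslv.h documents for OPENSSL_VERSION_NUMBER, renders it as the familiar "1.0.2g" / "1.1.0-dev" strings, and applies the same ">= 0x10100000L" test the mail proposes. The function names (ossl_decode, ossl_format, ossl_has_110_accessors) and the sample version numbers in main() are my own, constructed for the example.

```c
/* Added example (not from the mailing-list thread, HAProxy or OpenSSL).
 * OPENSSL_VERSION_NUMBER is laid out as 0xMNNFFPPS (major, minor, fix,
 * patch letter, status); decoding it makes the meaning of a guard such
 * as (OPENSSL_VERSION_NUMBER >= 0x10100000L) explicit. */
#include <stdio.h>
#include <string.h>

struct ossl_version {
    unsigned major;   /* M  */
    unsigned minor;   /* NN */
    unsigned fix;     /* FF */
    unsigned patch;   /* PP: 0 = none, 1 = 'a', 2 = 'b', ... */
    unsigned status;  /* S: 0 = dev, 1..14 = beta N, 15 = release */
};

struct ossl_version ossl_decode(unsigned long v)
{
    struct ossl_version r;
    r.major  = (unsigned)((v >> 28) & 0xf);
    r.minor  = (unsigned)((v >> 20) & 0xff);
    r.fix    = (unsigned)((v >> 12) & 0xff);
    r.patch  = (unsigned)((v >> 4)  & 0xff);
    r.status = (unsigned)(v & 0xf);
    return r;
}

/* Render in the style of "openssl version": 1.0.2g, 1.1.0-dev, 1.1.0-beta1. */
void ossl_format(unsigned long v, char *out, size_t outlen)
{
    struct ossl_version r = ossl_decode(v);
    int n = snprintf(out, outlen, "%u.%u.%u", r.major, r.minor, r.fix);
    if (n < 0 || (size_t)n >= outlen)
        return;
    /* patch levels are letters: 1 -> 'a', 7 -> 'g' */
    if (r.patch >= 1 && r.patch <= 26 && (size_t)n + 1 < outlen) {
        out[n++] = (char)('a' + r.patch - 1);
        out[n] = '\0';
    }
    if (r.status == 0)
        snprintf(out + n, outlen - (size_t)n, "-dev");
    else if (r.status < 0xf)
        snprintf(out + n, outlen - (size_t)n, "-beta%u", r.status);
}

/* The guard proposed in the thread: the accessor landed in master before
 * 1.1.0, so any 1.1.0 tree (dev, beta or release) is assumed to carry it,
 * while every 1.0.x release is not. */
int ossl_has_110_accessors(unsigned long v)
{
    return v >= 0x10100000L;
}

int main(void)
{
    /* constructed sample version numbers, not read from any installed OpenSSL */
    const unsigned long samples[] = { 0x1000207fL, 0x10100000L, 0x10100001L, 0x1010000fL };
    char buf[32];
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        ossl_format(samples[i], buf, sizeof buf);
        printf("0x%08lxL -> %-12s 1.1.0 accessors: %s\n", samples[i], buf,
               ossl_has_110_accessors(samples[i]) ? "yes" : "no");
    }
    return 0;
}
```

The same comparison works unchanged inside an `#if OPENSSL_VERSION_NUMBER >= 0x10100000L` preprocessor guard, which is where a build against a real OpenSSL tree would select between the accessor and the old direct field access.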

