Hi Willy,

> On 5 Sept 2017 at 10:11, Willy Tarreau <[email protected]> wrote:
> 
> Hi Manu,
> 
> On Mon, Sep 04, 2017 at 04:39:45PM +0200, Emmanuel Hocdet wrote:
>> Hi Emeric, Christopher
>> 
>> If you can review when you have time. (3) for Christopher.
>> 
>> These patches add support for native multicert selection (RSA/ECDSA) and
>> ssl-min-ver/ssl-max-ver per certificate with openssl 1.1.1 (boringssl is the
>> only one to support this until this patch).
>> 
>> patches:
>> 1) Convert BoringSSL api call (CBS) to ssl-lib independent code.
>>    This is the biggest part and only depend on BoringSSL build (until 2).
>> 
>> 2) Support the openssl 1.1.1 early callback API. It mimics the BoringSSL API,
>>    and this is good news (small patch).
>>    Do we want to push code for openssl 1.1.1 (dev) in haproxy (dev) now?
> 
> I suspect it will be mandatory in order to support TLS early-data (0-RTT).
> So I think it will be nice to have it before the release. However given that
> both Christopher and Emeric are heavily loaded on the multi-threading part,
> I suggest that we postpone the patchset review until the multi-thread stuff
> gets merged. As you say, the patch is small so it will be easy to review and
> apply, and/or revert in case of issues so it's not a big deal to merge it
> late in the cycle.

It will be mandatory to avoid unexpected behavior (see notes in the openssl 1.1.1
API doc), as I noticed with boringssl before implementing the early callback.
And yes, early-data should need it and will work per certificate (I already
tested it with boringssl).

Encouraging Emeric and Christopher for the multithreading part!
++
Manu
