From adb6019d31a0632a4d322ac652a53deddc90a420 Mon Sep 17 00:00:00 2001
From: Lukas Tribus
Date: Fri, 20 Dec 2019 18:47:18 +0100
Subject: [PATCH] BUILD: ssl: improve SSL_CTX_set_ecdh_auto compatibility SSL_CTX_set_ecdh_auto() is not defined when OpenSSL 1.1.1 is compiled with the no-deprecated option. Remove existing, incomplete guards and add a compatibility macro in openssl-compat.h, just as OpenSSL does: https://github.com/openssl/openssl/blob/bf4006a6f9be691ba6eef0e8629e63369a033ccf/include/openssl/ssl.h#L1486 This should be backported as far as 2.0 and probably even 1.9.
(cherry picked from commit a26d1e13245a760bd422e4e4b6a85cc17f9f0a60)
Signed-off-by: Willy Tarreau
---
 include/common/openssl-compat.h | 4 ++++
 src/ssl_sock.c | 2 --
 2 files changed, 4 insertions(+), 2 deletions(-)
diff --git a/include/common/openssl-compat.h b/include/common/openssl-compat.h
index e119da5..614745f 100644
--- a/include/common/openssl-compat.h
+++ b/include/common/openssl-compat.h
@@ -334,5 +334,9 @@ static inline void EVP_PKEY_up_ref(EVP_PKEY *pkey)
 #define BIO_meth_set_destroy(m, f) do { (m)->destroy = (f); } while (0)
 #endif
+#ifndef SSL_CTX_set_ecdh_auto
+#define SSL_CTX_set_ecdh_auto(dummy, onoff) ((onoff) != 0)
+#endif
+
 #endif /* USE_OPENSSL */
 #endif /* _COMMON_OPENSSL_COMPAT_H */
diff --git a/src/ssl_sock.c b/src/ssl_sock.c
index 801262e..7c62299 100644
--- a/src/ssl_sock.c
+++ b/src/ssl_sock.c
@@ -5025,9 +5025,7 @@ int ssl_sock_prepare_ctx(struct bind_conf *bind_conf, struct ssl_bind_conf *ssl_
 *err ? *err : "", curproxy->id, conf_curves, bind_conf->arg, bind_conf->file, bind_conf->line);
 cfgerr |= ERR_ALERT | ERR_FATAL;
 }
-#if defined(SSL_CTX_set_ecdh_auto)
 (void)SSL_CTX_set_ecdh_auto(ctx, 1);
-#endif
 }
 #endif
 #if defined(SSL_CTX_set_tmp_ecdh) && !defined(OPENSSL_NO_ECDH)
-- 
1.7.10.4
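Review bot: In the openssl-compat.h hunk, the new `#ifndef SSL_CTX_set_ecdh_auto` fallback can only detect a preprocessor macro, so a TLS library that exports this name as a real function would have it shadowed, and the now-unguarded call in ssl_sock.c would compile to the constant `1` without any warning. The no-op is safe only where the library already selects ECDH curves automatically, which is the case the commit message describes for OpenSSL 1.1.1 built with no-deprecated. That assumption deserves a comment above the macro, e.g. `/* No-op fallback: only valid on libraries that always enable automatic ECDH curve selection and no longer define this macro; ctx is not evaluated. */`. The `USE_OPENSSL` block this sits in opens outside the hunk, so whether any other supported library can reach the fallback cannot be confirmed from here.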