Gitiles
Code Review Sign In
git01.mediatek.com / haproxy / 90132726c5aedd70fa6da5836dd6c4664fc2de9c^! / .
commit90132726c5aedd70fa6da5836dd6c4664fc2de9c[log] [tgz]
authorLukas Tribus <luky-37@hotmail.com>Mon Aug 18 00:56:33 2014 +0200
committerWilly Tarreau <w@1wt.eu>Mon Aug 18 14:33:48 2014 +0200
tree0fb1f3ef7a7fbc57e6b8b61289a08b8cf009685a
parent4c0d45a861e296fc78b77a65d79d5e6e927260e7 [diff]
MINOR: ssl: don't use boringssl's cipher_list

Google's boringssl has a different cipher_list, we cannot use it as
in OpenSSL. This is due to the "Equal preference cipher groups" feature:

https://boringssl.googlesource.com/boringssl/+/858a88daf27975f67d9f63e18f95645be2886bfb^!/

also see:
https://www.imperialviolet.org/2014/02/27/tlssymmetriccrypto.html

cipher_list is used in haproxy since commit f46cd6e4ec3a ("MEDIUM: ssl:
Add the option to use standardized DH parameters >= 1024 bits") to
check if DHE ciphers are used.

So, if boringssl is used, the patch just assumes that there is some
DHE cipher enabled. This will lead to false positives, but thats better
than compiler warnings and crashes.

This may be replaced one day by properly implementing the the new style
cipher_list, in the meantime this workaround allows to build and use
boringssl.

Signed-off-by: Lukas Tribus <luky-37@hotmail.com>

diff --git a/src/ssl_sock.c b/src/ssl_sock.c
index 99c2b72..f1d604d 100644
--- a/src/ssl_sock.c
+++ b/src/ssl_sock.c

@@ -1478,6 +1478,7 @@
 		SSL_MODE_ENABLE_PARTIAL_WRITE |
 		SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER |
 		SSL_MODE_RELEASE_BUFFERS;
+#ifndef OPENSSL_IS_BORINGSSL
 	STACK_OF(SSL_CIPHER) * ciphers = NULL;
 	SSL_CIPHER * cipher = NULL;
 	char cipher_description[128];
@@ -1488,6 +1489,10 @@
 	const char dhe_export_description[] = " Kx=DH(";
 	int idx = 0;
 	int dhe_found = 0;
+#else /* OPENSSL_IS_BORINGSSL */
+	/* assume dhe_found if boringssl is detected */
+	int dhe_found = 1;
+#endif
 
 	/* Make sure openssl opens /dev/urandom before the chroot */
 	if (!ssl_initialize_random()) {
@@ -1579,6 +1584,8 @@
 	/* If tune.ssl.default-dh-param has not been set and
 	   no static DH params were in the certificate file. */
 	if (global.tune.ssl_default_dh_param == 0) {
+
+#ifndef OPENSSL_IS_BORINGSSL
 		ciphers = ctx->cipher_list;
 
 		if (ciphers) {
@@ -1592,10 +1599,11 @@
 					}
 				}
 			}
+		}
+#endif /* OPENSSL_IS_BORINGSSL */
 
-			if (dhe_found) {
-				Warning("Setting tune.ssl.default-dh-param to 1024 by default, if your workload permits it you should set it to at least 2048. Please set a value >= 1024 to make this warning disappear.\n");
-			}
+		if (dhe_found) {
+			Warning("Setting tune.ssl.default-dh-param to 1024 by default, if your workload permits it you should set it to at least 2048. Please set a value >= 1024 to make this warning disappear.\n");
 		}
 
 		global.tune.ssl_default_dh_param = 1024;