CLEANUP: listeners: do not include openssl-compat
Listeners only include openssl-compat to provide the SSL_CTX type for
two context pointers, and to detect whether NPN, ALPN, and cipher
suites are supported, saving up to 5 pointers in the ssl_bind_conf
struct if they are not. This is pointless, as all of these have been
supported for about a decade, and including this file comes with a long
dependency chain that impacts lots of other files. The initial_ctx and
default_ctx can perfectly remain void* instead of SSL_CTX*.
diff --git a/include/haproxy/listener-t.h b/include/haproxy/listener-t.h
index 959f3e8..70839ee 100644
--- a/include/haproxy/listener-t.h
+++ b/include/haproxy/listener-t.h
@@ -33,9 +33,6 @@
#include <haproxy/stats-t.h>
#include <haproxy/thread.h>
-#ifdef USE_OPENSSL
-#include <haproxy/openssl-compat.h>
-#endif
#include <haproxy/xprt_quic-t.h>
/* Some pointer types reference below */
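Review bot: Dropping the openssl-compat.h include here silently removes it from every translation unit that only ever saw OpenSSL declarations transitively through listener-t.h; those units now need a direct include or they stop compiling under USE_OPENSSL. Whether any such unit exists is not visible in this diff, so it is worth confirming with a full USE_OPENSSL build before merging. The remaining `#ifdef USE_OPENSSL` guard later in this header still works, since USE_OPENSSL comes from the build system rather than from the removed header.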
@@ -131,14 +128,10 @@
/* ssl "bind" settings */
struct ssl_bind_conf {
#ifdef USE_OPENSSL
-#ifdef OPENSSL_NPN_NEGOTIATED
char *npn_str; /* NPN protocol string */
int npn_len; /* NPN protocol string length */
-#endif
-#ifdef TLSEXT_TYPE_application_layer_protocol_negotiation
char *alpn_str; /* ALPN protocol string */
int alpn_len; /* ALPN protocol string length */
-#endif
unsigned int verify:3; /* verify method (set of SSL_VERIFY_* flags) */
unsigned int no_ca_names:1;/* do not send ca names to clients (ca_file related) */
unsigned int early_data:1; /* early data allowed */
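Review bot: With the OPENSSL_NPN_NEGOTIATED and TLSEXT_TYPE_application_layer_protocol_negotiation guards gone, the layout of `struct ssl_bind_conf` no longer depends on which OpenSSL headers happened to precede this one, which is the real benefit and deserves a comment so the guards are not reintroduced. Suggested line above `char *npn_str;`: `/* fields below are deliberately unconditional under USE_OPENSSL: the struct layout must not depend on library feature macros seen by a given TU */`. The same applies to the `ciphersuites` member whose HAVE_SSL_CTX_SET_CIPHERSUITES guard is removed in the next hunk. The definition of `struct ssl_bind_conf` continues past the end of this hunk.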
@@ -146,9 +139,7 @@
char *ca_verify_file; /* CAverify file to use on verify only */
char *crl_file; /* CRLfile to use on verify */
char *ciphers; /* cipher suite to use if non-null */
-#ifdef HAVE_SSL_CTX_SET_CIPHERSUITES
char *ciphersuites; /* TLS 1.3 cipher suite to use if non-null */
-#endif
char *curves; /* curves suite to use for ECDHE */
char *ecdhe; /* named curve to use for ECDHE */
struct tls_version_filter ssl_methods_cfg; /* original ssl methods found in configuration */
@@ -162,8 +153,8 @@
struct ssl_bind_conf ssl_conf; /* ssl conf for ctx setting */
unsigned long long ca_ignerr; /* ignored verify errors in handshake if depth > 0 */
unsigned long long crt_ignerr; /* ignored verify errors in handshake if depth == 0 */
- SSL_CTX *initial_ctx; /* SSL context for initial negotiation */
- SSL_CTX *default_ctx; /* SSL context of first/default certificate */
+ void *initial_ctx; /* SSL context for initial negotiation */
+ void *default_ctx; /* SSL context of first/default certificate */
struct ckch_inst *default_inst;
struct ssl_bind_conf *default_ssl_conf; /* custom SSL conf of default_ctx */
int strict_sni; /* refuse negotiation if sni doesn't match a certificate */
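Review bot: Changing `initial_ctx` and `default_ctx` from `SSL_CTX *` to `void *` removes the compiler's type check on every store and load: in C a `void *` converts silently to and from any object pointer, so code that assigns an `SSL *` or a `struct ckch_inst *` to one of these members would now compile without a diagnostic. A forward declaration of the opaque struct tag keeps the check without pulling in the header: `struct ssl_ctx_st;` next to the existing forward declarations near the top of the file, then `struct ssl_ctx_st *initial_ctx;` and `struct ssl_ctx_st *default_ctx;` here. This relies on the library's `SSL_CTX` being a typedef of `struct ssl_ctx_st`, which holds for OpenSSL; whether every library the compat layer supports uses the same tag is not visible from this diff and should be checked. The enclosing struct starts before this hunk.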