MINOR: ssl: rework smp_fetch_ssl_fc_cl_str without internal ssl use
smp_fetch_ssl_fc_cl_str as very limited usage (only work with openssl == 1.0.2
compiled with the option enable-ssl-trace). It use internal cipher.algorithm_ssl
attribut and SSL_CIPHER_standard_name (available with ssl-trace).
This patch implement this (debug) function in a standard way. It used common
SSL_CIPHER_get_name to display cipher name. It work with openssl >= 1.0.2
and boringssl.
diff --git a/doc/configuration.txt b/doc/configuration.txt
index 7c5c437..b55bb06 100644
--- a/doc/configuration.txt
+++ b/doc/configuration.txt
@@ -14173,9 +14173,8 @@
Returns the decoded text form of the client hello cipher list. The maximum
number of ciphers returned is according with the value of
"tune.ssl.capture-cipherlist-size". Note that this sample-fetch is only
- avaible with OpenSSL > 1.0.2 compiled with the option enable-ssl-trace.
- If the function is not enabled, this sample-fetch returns the hash
- like "ssl_fc_cipherlist_xxh".
+ avaible with OpenSSL >= 1.0.2. If the function is not enabled, this
+ sample-fetch returns the hash like "ssl_fc_cipherlist_xxh".
ssl_fc_cipherlist_xxh : integer
Returns a xxh64 of the cipher list. This hash can be return only is the value
diff --git a/include/proto/openssl-compat.h b/include/proto/openssl-compat.h
index ea92072..8fe1c18 100644
--- a/include/proto/openssl-compat.h
+++ b/include/proto/openssl-compat.h
@@ -152,11 +152,6 @@
#define __OPENSSL_110_CONST__
#endif
-#if defined(OPENSSL_IS_BORINGSSL) || defined(LIBRESSL_VERSION_NUMBER)
-#undef OPENSSL_NO_SSL_TRACE
-#define OPENSSL_NO_SSL_TRACE
-#endif
-
#ifdef OPENSSL_IS_BORINGSSL
#define SSL_NO_GENERATE_CERTIFICATES
diff --git a/src/ssl_sock.c b/src/ssl_sock.c
index de1dd9a..2241a36 100644
--- a/src/ssl_sock.c
+++ b/src/ssl_sock.c
@@ -6308,32 +6308,28 @@
static int
smp_fetch_ssl_fc_cl_str(const struct arg *args, struct sample *smp, const char *kw, void *private)
{
-#if (OPENSSL_VERSION_NUMBER >= 0x1000200fL) && !defined(OPENSSL_NO_SSL_TRACE)
+#if (OPENSSL_VERSION_NUMBER >= 0x1000200fL) && !defined(LIBRESSL_VERSION_NUMBER)
struct chunk *data;
- SSL_CIPHER cipher;
int i;
- const char *str;
- unsigned char *bin;
if (!smp_fetch_ssl_fc_cl_bin(args, smp, kw, private))
return 0;
- /* The cipher algorith must not be SSL_SSLV2, because this
- * SSL version seems to not have the same cipher encoding,
- * and it is not supported by OpenSSL. Unfortunately, the
- * #define SSL_SSLV2, SSL_SSLV3 and others are not available
- * with standard defines. We just set the variable to 0,
- * ensure that the match with SSL_SSLV2 fails.
- */
- cipher.algorithm_ssl = 0;
-
data = get_trash_chunk();
for (i = 0; i + 1 < smp->data.u.str.len; i += 2) {
- bin = (unsigned char *)smp->data.u.str.str + i;
- cipher.id = (unsigned int)(bin[0] << 8) | bin[1];
- str = SSL_CIPHER_standard_name(&cipher);
- if (!str || strcmp(str, "UNKNOWN") == 0)
- chunk_appendf(data, "%sUNKNOWN(%04x)", i == 0 ? "" : ",", (unsigned int)cipher.id);
+ const char *str;
+ const SSL_CIPHER *cipher;
+ const unsigned char *bin = (const unsigned char *)smp->data.u.str.str + i;
+ uint16_t id = (bin[0] << 8) | bin[1];
+#if defined(OPENSSL_IS_BORINGSSL)
+ cipher = SSL_get_cipher_by_value(id);
+#else
+ struct connection *conn = objt_conn(smp->sess->origin);
+ cipher = SSL_CIPHER_find(conn->xprt_ctx, bin);
+#endif
+ str = SSL_CIPHER_get_name(cipher);
+ if (!str || strcmp(str, "(NONE)") == 0)
+ chunk_appendf(data, "%sUNKNOWN(%04x)", i == 0 ? "" : ",", id);
else
chunk_appendf(data, "%s%s", i == 0 ? "" : ",", str);
}