BUILD: ssl: use OPENSSL_NO_OCSP to detect OCSP support
Since commit 656c5fa7e859 ("BUILD: ssl: disable OCSP when using
boringssl) the OCSP code is bypassed when OPENSSL_IS_BORINGSSL
is defined. The correct thing to do here is to use OPENSSL_NO_OCSP
instead, which is defined for this exact purpose in
openssl/opensslfeatures.h.
This makes haproxy forward compatible if boringssl ever introduces
full OCSP support with the additional benefit that it links fine
against a OCSP-disabled openssl.
Signed-off-by: Lukas Tribus <luky-37@hotmail.com>
diff --git a/include/proto/ssl_sock.h b/include/proto/ssl_sock.h
index 217accc..6eb97eb 100644
--- a/include/proto/ssl_sock.h
+++ b/include/proto/ssl_sock.h
@@ -55,7 +55,7 @@
int ssl_sock_get_cert_used_conn(struct connection *conn);
int ssl_sock_get_remote_common_name(struct connection *conn, struct chunk *out);
unsigned int ssl_sock_get_verify_result(struct connection *conn);
-#if (defined SSL_CTRL_SET_TLSEXT_STATUS_REQ_CB && !defined OPENSSL_IS_BORINGSSL)
+#if (defined SSL_CTRL_SET_TLSEXT_STATUS_REQ_CB && !defined OPENSSL_NO_OCSP)
int ssl_sock_update_ocsp_response(struct chunk *ocsp_response, char **err);
#endif
diff --git a/src/dumpstats.c b/src/dumpstats.c
index 26b0a9f..b8968f1 100644
--- a/src/dumpstats.c
+++ b/src/dumpstats.c
@@ -1795,7 +1795,7 @@
#ifdef USE_OPENSSL
else if (strcmp(args[1], "ssl") == 0) {
if (strcmp(args[2], "ocsp-response") == 0) {
-#if (defined SSL_CTRL_SET_TLSEXT_STATUS_REQ_CB && !defined OPENSSL_IS_BORINGSSL)
+#if (defined SSL_CTRL_SET_TLSEXT_STATUS_REQ_CB && !defined OPENSSL_NO_OCSP)
char *err = NULL;
/* Expect one parameter: the new response in base64 encoding */
diff --git a/src/ssl_sock.c b/src/ssl_sock.c
index a8b4ea8..6edc149 100644
--- a/src/ssl_sock.c
+++ b/src/ssl_sock.c
@@ -44,7 +44,7 @@
#include <openssl/x509.h>
#include <openssl/err.h>
#include <openssl/rand.h>
-#if (defined SSL_CTRL_SET_TLSEXT_STATUS_REQ_CB && !defined OPENSSL_IS_BORINGSSL)
+#if (defined SSL_CTRL_SET_TLSEXT_STATUS_REQ_CB && !defined OPENSSL_NO_OCSP)
#include <openssl/ocsp.h>
#endif
@@ -113,7 +113,7 @@
static DH *local_dh_8192 = NULL;
#endif /* OPENSSL_NO_DH */
-#if (defined SSL_CTRL_SET_TLSEXT_STATUS_REQ_CB && !defined OPENSSL_IS_BORINGSSL)
+#if (defined SSL_CTRL_SET_TLSEXT_STATUS_REQ_CB && !defined OPENSSL_NO_OCSP)
struct certificate_ocsp {
struct ebmb_node key;
unsigned char key_data[OCSP_MAX_CERTID_ASN1_LENGTH];
@@ -1283,7 +1283,7 @@
}
#endif
-#if (defined SSL_CTRL_SET_TLSEXT_STATUS_REQ_CB && !defined OPENSSL_IS_BORINGSSL)
+#if (defined SSL_CTRL_SET_TLSEXT_STATUS_REQ_CB && !defined OPENSSL_NO_OCSP)
ret = ssl_sock_load_ocsp(ctx, path);
if (ret < 0) {
if (err)