RepoMirrors/haproxy
1
0
Fork 0
mirror of http://git.haproxy.org/git/haproxy.git/ synced 2025-04-04 23:29:42 +00:00
Code Issues Packages Projects Releases Wiki Activity

BUILD: ssl: disable OCSP when using boringssl

Browse Source 
Google's boringssl doesn't currently support OCSP, so
disable it if detected.

OCSP support may be reintroduced as per:
https://code.google.com/p/chromium/issues/detail?id=398677

In that case we can simply revert this commit.

Signed-off-by: Lukas Tribus <luky-37@hotmail.com>
This commit is contained in:
Lukas Tribus 2014-08-18 00:56:31 +02:00 committed by Willy Tarreau
parent 581cc8d2b8
commit 656c5fa7e8
3 changed files with 5 additions and 5 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
include/proto/ssl_sock.h
View File

@ -54,7 +54,7 @@ char *ssl_sock_get_version(struct connection *conn);
int ssl_sock_get_cert_used(struct connection *conn); int ssl_sock_get_cert_used(struct connection *conn);
int ssl_sock_get_remote_common_name(struct connection *conn, struct chunk *out); int ssl_sock_get_remote_common_name(struct connection *conn, struct chunk *out);
unsigned int ssl_sock_get_verify_result(struct connection *conn); unsigned int ssl_sock_get_verify_result(struct connection *conn);
#ifdef SSL_CTRL_SET_TLSEXT_STATUS_REQ_CB #if (defined SSL_CTRL_SET_TLSEXT_STATUS_REQ_CB && !defined OPENSSL_IS_BORINGSSL)
int ssl_sock_update_ocsp_response(struct chunk *ocsp_response, char **err); int ssl_sock_update_ocsp_response(struct chunk *ocsp_response, char **err);
#endif #endif

2
src/dumpstats.c
View File

@ -1794,7 +1794,7 @@ static int stats_sock_parse_request(struct stream_interface *si, char *line)
#ifdef USE_OPENSSL #ifdef USE_OPENSSL
else if (strcmp(args[1], "ssl") == 0) { else if (strcmp(args[1], "ssl") == 0) {
if (strcmp(args[2], "ocsp-response") == 0) { if (strcmp(args[2], "ocsp-response") == 0) {
#ifdef SSL_CTRL_SET_TLSEXT_STATUS_REQ_CB #if (defined SSL_CTRL_SET_TLSEXT_STATUS_REQ_CB && !defined OPENSSL_IS_BORINGSSL)
char *err = NULL; char *err = NULL;
/* Expect one parameter: the new response in base64 encoding */ /* Expect one parameter: the new response in base64 encoding */

6
src/ssl_sock.c
View File

@ -44,7 +44,7 @@
#include <openssl/x509.h> #include <openssl/x509.h>
#include <openssl/err.h> #include <openssl/err.h>
#include <openssl/rand.h> #include <openssl/rand.h>
#ifdef SSL_CTRL_SET_TLSEXT_STATUS_REQ_CB #if (defined SSL_CTRL_SET_TLSEXT_STATUS_REQ_CB && !defined OPENSSL_IS_BORINGSSL)
#include <openssl/ocsp.h> #include <openssl/ocsp.h>
#endif #endif
@ -112,7 +112,7 @@ static DH *local_dh_4096 = NULL;
static DH *local_dh_8192 = NULL; static DH *local_dh_8192 = NULL;
#endif /* OPENSSL_NO_DH */ #endif /* OPENSSL_NO_DH */
#ifdef SSL_CTRL_SET_TLSEXT_STATUS_REQ_CB #if (defined SSL_CTRL_SET_TLSEXT_STATUS_REQ_CB && !defined OPENSSL_IS_BORINGSSL)
struct certificate_ocsp { struct certificate_ocsp {
struct ebmb_node key; struct ebmb_node key;
unsigned char key_data[OCSP_MAX_CERTID_ASN1_LENGTH]; unsigned char key_data[OCSP_MAX_CERTID_ASN1_LENGTH];
@ -1282,7 +1282,7 @@ static int ssl_sock_load_cert_file(const char *path, struct bind_conf *bind_conf
} }
#endif #endif
#ifdef SSL_CTRL_SET_TLSEXT_STATUS_REQ_CB #if (defined SSL_CTRL_SET_TLSEXT_STATUS_REQ_CB && !defined OPENSSL_IS_BORINGSSL)
ret = ssl_sock_load_ocsp(ctx, path); ret = ssl_sock_load_ocsp(ctx, path);
if (ret < 0) { if (ret < 0) {
if (err) if (err)