From 90132726c5aedd70fa6da5836dd6c4664fc2de9c Mon Sep 17 00:00:00 2001 From: Lukas Tribus Date: Mon, 18 Aug 2014 00:56:33 +0200 Subject: [PATCH] MINOR: ssl: don't use boringssl's cipher_list Google's boringssl has a different cipher_list, we cannot use it as in OpenSSL. This is due to the "Equal preference cipher groups" feature: https://boringssl.googlesource.com/boringssl/+/858a88daf27975f67d9f63e18f95645be2886bfb^!/ also see: https://www.imperialviolet.org/2014/02/27/tlssymmetriccrypto.html cipher_list is used in haproxy since commit f46cd6e4ec3a ("MEDIUM: ssl: Add the option to use standardized DH parameters >= 1024 bits") to check if DHE ciphers are used. So, if boringssl is used, the patch just assumes that there is some DHE cipher enabled. This will lead to false positives, but thats better than compiler warnings and crashes. This may be replaced one day by properly implementing the the new style cipher_list, in the meantime this workaround allows to build and use boringssl. Signed-off-by: Lukas Tribus --- src/ssl_sock.c | 14 +++++++++++--- 1 file changed, 11 insertions(+), 3 deletions(-) diff --git a/src/ssl_sock.c b/src/ssl_sock.c index 99c2b7280..f1d604d0a 100644 --- a/src/ssl_sock.c +++ b/src/ssl_sock.c @@ -1478,6 +1478,7 @@ int ssl_sock_prepare_ctx(struct bind_conf *bind_conf, SSL_CTX *ctx, struct proxy SSL_MODE_ENABLE_PARTIAL_WRITE | SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER | SSL_MODE_RELEASE_BUFFERS; +#ifndef OPENSSL_IS_BORINGSSL STACK_OF(SSL_CIPHER) * ciphers = NULL; SSL_CIPHER * cipher = NULL; char cipher_description[128]; @@ -1488,6 +1489,10 @@ int ssl_sock_prepare_ctx(struct bind_conf *bind_conf, SSL_CTX *ctx, struct proxy const char dhe_export_description[] = " Kx=DH("; int idx = 0; int dhe_found = 0; +#else /* OPENSSL_IS_BORINGSSL */ + /* assume dhe_found if boringssl is detected */ + int dhe_found = 1; +#endif /* Make sure openssl opens /dev/urandom before the chroot */ if (!ssl_initialize_random()) { @@ -1579,6 +1584,8 @@ int ssl_sock_prepare_ctx(struct bind_conf *bind_conf, SSL_CTX *ctx, struct proxy /* If tune.ssl.default-dh-param has not been set and no static DH params were in the certificate file. */ if (global.tune.ssl_default_dh_param == 0) { + +#ifndef OPENSSL_IS_BORINGSSL ciphers = ctx->cipher_list; if (ciphers) { @@ -1592,10 +1599,11 @@ int ssl_sock_prepare_ctx(struct bind_conf *bind_conf, SSL_CTX *ctx, struct proxy } } } + } +#endif /* OPENSSL_IS_BORINGSSL */ - if (dhe_found) { - Warning("Setting tune.ssl.default-dh-param to 1024 by default, if your workload permits it you should set it to at least 2048. Please set a value >= 1024 to make this warning disappear.\n"); - } + if (dhe_found) { + Warning("Setting tune.ssl.default-dh-param to 1024 by default, if your workload permits it you should set it to at least 2048. Please set a value >= 1024 to make this warning disappear.\n"); } global.tune.ssl_default_dh_param = 1024;