MINOR: ssl: rework smp_fetch_ssl_fc_cl_str without internal ssl use

smp_fetch_ssl_fc_cl_str as very limited usage (only work with openssl == 1.0.2
compiled with the option enable-ssl-trace). It use internal cipher.algorithm_ssl
attribut and SSL_CIPHER_standard_name (available with ssl-trace).
This patch implement this (debug) function in a standard way. It used common
SSL_CIPHER_get_name to display cipher name. It work with openssl >= 1.0.2
and boringssl.

doc/configuration.txt

@@ -14173,9 +14173,8 @@ ssl_fc_cipherlist_str : string
   Returns the decoded text form of the client hello cipher list. The maximum
   number of ciphers returned is according with the value of
   "tune.ssl.capture-cipherlist-size". Note that this sample-fetch is only
-  avaible with OpenSSL > 1.0.2 compiled with the option enable-ssl-trace.
+  avaible with OpenSSL >= 1.0.2. If the function is not enabled, this
-  If the function is not enabled, this sample-fetch returns the hash
+  sample-fetch returns the hash like "ssl_fc_cipherlist_xxh".
-  like "ssl_fc_cipherlist_xxh".
 
 ssl_fc_cipherlist_xxh : integer
   Returns a xxh64 of the cipher list. This hash can be return only is the value

include/proto/openssl-compat.h

@@ -152,11 +152,6 @@ static inline X509_ALGOR *X509_get0_tbs_sigalg(const X509 *x)
 #define __OPENSSL_110_CONST__
 #endif
 
-#if defined(OPENSSL_IS_BORINGSSL) || defined(LIBRESSL_VERSION_NUMBER)
-#undef OPENSSL_NO_SSL_TRACE
-#define OPENSSL_NO_SSL_TRACE
-#endif
-
 #ifdef OPENSSL_IS_BORINGSSL
 #define SSL_NO_GENERATE_CERTIFICATES
 

src/ssl_sock.c

@@ -6308,32 +6308,28 @@ smp_fetch_ssl_fc_cl_xxh64(const struct arg *args, struct sample *smp, const char
 static int
 smp_fetch_ssl_fc_cl_str(const struct arg *args, struct sample *smp, const char *kw, void *private)
 {
-#if (OPENSSL_VERSION_NUMBER >= 0x1000200fL) && !defined(OPENSSL_NO_SSL_TRACE)
+#if (OPENSSL_VERSION_NUMBER >= 0x1000200fL) && !defined(LIBRESSL_VERSION_NUMBER)
 	struct chunk *data;
-	SSL_CIPHER cipher;
 	int i;
-	const char *str;
-	unsigned char *bin;
 
 	if (!smp_fetch_ssl_fc_cl_bin(args, smp, kw, private))
 		return 0;
 
-	/* The cipher algorith must not be SSL_SSLV2, because this
-	 * SSL version seems to not have the same cipher encoding,
-	 * and it is not supported by OpenSSL. Unfortunately, the
-	 * #define SSL_SSLV2, SSL_SSLV3 and others are not available
-	 * with standard defines. We just set the variable to 0,
-	 * ensure that the match with SSL_SSLV2 fails.
-	 */
-	cipher.algorithm_ssl = 0;
-
 	data = get_trash_chunk();
 	for (i = 0; i + 1 < smp->data.u.str.len; i += 2) {
-		bin = (unsigned char *)smp->data.u.str.str + i;
+		const char *str;
-		cipher.id = (unsigned int)(bin[0] << 8) | bin[1];
+		const SSL_CIPHER *cipher;
-		str = SSL_CIPHER_standard_name(&cipher);
+		const unsigned char *bin = (const unsigned char *)smp->data.u.str.str + i;
-		if (!str || strcmp(str, "UNKNOWN") == 0)
+		uint16_t id = (bin[0] << 8) | bin[1];
-			chunk_appendf(data, "%sUNKNOWN(%04x)", i == 0 ? "" : ",", (unsigned int)cipher.id);
+#if defined(OPENSSL_IS_BORINGSSL)
+		cipher = SSL_get_cipher_by_value(id);
+#else
+		struct connection *conn = objt_conn(smp->sess->origin);
+		cipher = SSL_CIPHER_find(conn->xprt_ctx, bin);
+#endif
+		str = SSL_CIPHER_get_name(cipher);
+		if (!str || strcmp(str, "(NONE)") == 0)
+			chunk_appendf(data, "%sUNKNOWN(%04x)", i == 0 ? "" : ",", id);
 		else
 			chunk_appendf(data, "%s%s", i == 0 ? "" : ",", str);
 	}