BUG/MEDIUM: ssl: Don't attempt to use early data with libressl.
authorOlivier Houchard <cognet@ci0.org>
Mon, 6 May 2019 13:18:27 +0000 (15:18 +0200)
committerOlivier Houchard <cognet@ci0.org>
Mon, 6 May 2019 13:20:42 +0000 (15:20 +0200)
Libressl doesn't yet provide early data, so don't put the CO_FL_EARLY_SSL_HS
on the connection if we're building with libressl, or the handshake will
never be done.

src/backend.c
src/ssl_sock.c

index ae704decf7df5d21564a8d3212d83c2c3e9ea3b2..5807a2e96a038b50d027f6fd397f549a34879382 100644 (file)
@@ -1582,7 +1582,9 @@ int connect_server(struct stream *s)
        }
 
 
-#ifdef USE_OPENSSL
+#if USE_OPENSSL && (defined(OPENSSL_IS_BORINGSSL) || \
+    ((OPENSSL_VERSION_NUMBER >= 0x10101000L) && !defined(LIBRESSL_VERSION_NUMBER)))
+
        if (!reuse && cli_conn && srv &&
            (srv->ssl_ctx.options & SRV_SSL_O_EARLY_DATA) &&
            /* Only attempt to use early data if either the client sent
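Review bot: The new guard on the `#if USE_OPENSSL && (...)` lines replaces the old `#ifdef USE_OPENSSL`, which changes meaning in two ways: a `USE_OPENSSL` defined with no value makes `#if` a preprocessor error, and, like `OPENSSL_VERSION_NUMBER`, a macro that is not visible at this point in backend.c silently evaluates to 0, so a missing header include would quietly disable backend early data on OpenSSL 1.1.1 instead of failing the build. Keeping the definedness test, `#if defined(USE_OPENSSL) && (defined(OPENSSL_IS_BORINGSSL) || \`, preserves the old behaviour for the first case; for the second I cannot see backend.c's includes from this hunk, so please confirm opensslv.h reaches this line. The same LibreSSL exclusion is now spelled out twice, here and in the ssl_sock.c hunk, with the terms in a different order each time; evaluating it once in a shared header (a single feature macro, name to be chosen) would keep the two sites from drifting apart. The `if` statement this guard encloses continues past the end of the hunk.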
index e11ddb53cf47b8a9323b949a0963d57c11f19d67..cf1b860f76e906bbf81057d8c196bac3137048c4 100644 (file)
@@ -5336,7 +5336,8 @@ static int ssl_sock_init(struct connection *conn, void **xprt_ctx)
 
                /* leave init state and start handshake */
                conn->flags |= CO_FL_SSL_WAIT_HS | CO_FL_WAIT_L6_CONN;
-#if OPENSSL_VERSION_NUMBER >= 0x10101000L || defined(OPENSSL_IS_BORINGSSL)
+#if (OPENSSL_VERSION_NUMBER >= 0x10101000L && !defined(LIBRESSL_VERSION_NUMBER)) || \
+    defined(OPENSSL_IS_BORINGSSL)
                conn->flags |= CO_FL_EARLY_SSL_HS;
 #endif