BUILD: ssl: ssl_c_r_dn fetches uses functiosn only available since 1.1.1
authorWilliam Lallemand <wlallemand@haproxy.org>
Mon, 15 May 2023 10:05:55 +0000 (12:05 +0200)
committerWilliam Lallemand <wlallemand@haproxy.org>
Mon, 15 May 2023 10:07:52 +0000 (12:07 +0200)
Fix the OpenSSL build with older OpenSSL versions by disabling the new
ssl_c_r_dn fetch.

This also disables the ssl_client_samples.vtc file for OpenSSL versions
older than 1.1.1.

include/haproxy/openssl-compat.h
reg-tests/ssl/ssl_client_samples.vtc
src/ssl_sample.c
src/ssl_utils.c

index b857e108c168bbd02186de48f98fe1c989f39d46..6a8a62a034c7243bc8bbaa96160f676fab19ccc5 100644 (file)
@@ -90,6 +90,7 @@
 
 #if (HA_OPENSSL_VERSION_NUMBER >= 0x10101000L)
 #define HAVE_SSL_KEYLOG
+#define HAVE_SSL_get0_verified_chain
 #endif
 
 
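Review bot: `HAVE_SSL_get0_verified_chain` is derived purely from a version-number comparison, and nothing records why 1.1.1 is the floor. OpenSSL's manual lists SSL_get0_verified_chain() as added in 1.1.0 (worth confirming), so either the gate is stricter than needed or another call in the guarded code is the real 1.1.1 dependency. A comment above the define, such as `/* SSL_get0_verified_chain() is used by the ssl_c_r_dn fetch */`, would tie the macro to its consumer. It is also worth checking that any non-OpenSSL library mapped onto `HA_OPENSSL_VERSION_NUMBER` at or above this value actually provides the function, since nothing in this hunk tests for it directly.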
index 62956f1f74699bb968e0201fb09d333408adb1ef..5a84e4b254825b1356026190fe859591c4219180 100644 (file)
@@ -1,8 +1,8 @@
 #REGTEST_TYPE=devel
 
 varnishtest "Test the ssl_c_* sample fetches"
-#REQUIRE_VERSION=2.2
-#REQUIRE_OPTIONS=OPENSSL
+feature cmd "$HAPROXY_PROGRAM -cc 'version_atleast(2.8-dev11)'"
+feature cmd "$HAPROXY_PROGRAM -cc 'feature(OPENSSL) && openssl_version_atleast(1.1.1)'"
 feature ignore_unknown_macro
 
 server s1 -repeat 3 {
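Review bot: The new `openssl_version_atleast(1.1.1)` requirement skips this whole file on older OpenSSL, although only ssl_c_r_dn was compiled out. Judging by the test title, the file covers the other ssl_c_* fetches as well, so builds against pre-1.1.1 libraries lose regression coverage for client-certificate fetches that are commonly used in access rules. Moving the ssl_c_r_dn assertions into their own .vtc with the 1.1.1 requirement, and keeping this one at `feature(OPENSSL)`, would preserve that coverage. The test body continues outside the hunk, so how many assertions depend on ssl_c_r_dn is not visible here.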
index 582b7134c393c41d0be2ec9d31e5c6b56e3ad5a2..5aec97fef18b61d8633499e8a5e2d68a3b163b0c 100644 (file)
@@ -541,6 +541,7 @@ smp_fetch_ssl_fc_has_crt(const struct arg *args, struct sample *smp, const char
 /* string, returns a string of a formatted full dn \C=..\O=..\OU=.. \CN=.. of the
  * client certificate's root CA.
  */
+#ifdef HAVE_SSL_get0_verified_chain
 static int
 smp_fetch_ssl_r_dn(const struct arg *args, struct sample *smp, const char *kw, void *private)
 {
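Review bot: The `#ifdef` sits between the doc comment and the function it describes, so on builds without the macro the comment is left documenting nothing. The same placement is used for ssl_sock_get_verified_chain_root in src/ssl_utils.c. Opening the guard above the comment and closing it with `#endif /* HAVE_SSL_get0_verified_chain */` keeps each comment with its function and makes the `#endif`, roughly fifty lines further down here, easy to match. The function body lies outside this hunk.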
@@ -593,6 +594,7 @@ smp_fetch_ssl_r_dn(const struct arg *args, struct sample *smp, const char *kw, v
 out:
        return ret;
 }
+#endif
 
 /* binary, returns a certificate in a binary chunk (der/raw).
  * The 5th keyword char is used to know if SSL_get_certificate or SSL_get_peer_certificate
@@ -2198,7 +2200,9 @@ static struct sample_fetch_kw_list sample_fetch_keywords = {ILH, {
        { "ssl_c_key_alg",          smp_fetch_ssl_x_key_alg,      0,                   NULL,    SMP_T_STR,  SMP_USE_L5CLI },
        { "ssl_c_notafter",         smp_fetch_ssl_x_notafter,     0,                   NULL,    SMP_T_STR,  SMP_USE_L5CLI },
        { "ssl_c_notbefore",        smp_fetch_ssl_x_notbefore,    0,                   NULL,    SMP_T_STR,  SMP_USE_L5CLI },
+#ifdef HAVE_SSL_get0_verified_chain
        { "ssl_c_r_dn",             smp_fetch_ssl_r_dn,           ARG3(0,STR,SINT,STR),val_dnfmt,    SMP_T_STR,  SMP_USE_L5CLI },
+#endif
        { "ssl_c_sig_alg",          smp_fetch_ssl_x_sig_alg,      0,                   NULL,    SMP_T_STR,  SMP_USE_L5CLI },
        { "ssl_c_s_dn",             smp_fetch_ssl_x_s_dn,         ARG3(0,STR,SINT,STR),val_dnfmt,    SMP_T_STR,  SMP_USE_L5CLI },
        { "ssl_c_serial",           smp_fetch_ssl_x_serial,       0,                   NULL,    SMP_T_BIN,  SMP_USE_L5CLI },
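Review bot: With this entry compiled out, a configuration that references `ssl_c_r_dn` will presumably be rejected as an unknown fetch on builds against OpenSSL older than 1.1.1, and the commit's file list shows no documentation change saying so. Rejecting at parse time is the safe outcome for a fetch used to pin the issuing root CA in client-certificate rules, but operators should be able to learn of the requirement before deploying. A sentence in the ssl_c_r_dn entry of the configuration manual would cover it, for example `This fetch is only available when HAProxy is built with OpenSSL 1.1.1 or newer.`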
index 03d43410a6c220bf47e75fe7703b247b9e24bb8e..4a85b89187ea05b71a29a5e9fce5a823a4056ca7 100644 (file)
@@ -324,6 +324,7 @@ X509* ssl_sock_get_peer_certificate(SSL *ssl)
  *
  * Returns NULL in case of failure.
 */
+#ifdef HAVE_SSL_get0_verified_chain
 X509* ssl_sock_get_verified_chain_root(SSL *ssl)
 {
        STACK_OF(X509) *chain = NULL;
@@ -343,6 +344,7 @@ X509* ssl_sock_get_verified_chain_root(SSL *ssl)
 
        return crt;
 }
+#endif
 
 /*
  * Take an OpenSSL version in text format and return a numeric openssl version
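Review bot: `ssl_sock_get_verified_chain_root` has external linkage, but only its definition is guarded here. The only header in the commit's file list is openssl-compat.h, so the prototype presumably lives in a header this commit does not touch and stays visible on every build. A later caller added outside a `HAVE_SSL_get0_verified_chain` block would then compile cleanly and fail only at link time on older OpenSSL. Wrapping the declaration in the same `#ifdef HAVE_SSL_get0_verified_chain` / `#endif` would turn that into a compile error at the call site. The function body is split across two hunks and is not fully visible here.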