Never enable OPENSSL_HELLO_OVERWRITE_HACK automatically.

OPENSSL_HELLO_OVERWRITE_HACK, a.k.a adjustSSL(), a.k.a. "splice after
stare and bump after peek" hack requires updating internal/private
OpenSSL structures. The hack also relies on SSL client making SSL
negotiation decisions that are similar to our OpenSSL version decisions.
Squid used to enable this hack if it could compile the sources, but:

* The hack works well in fewer and fewer cases.
* Making its behavior reliable is virtually impossible.
* Maintaining this hack is increasingly difficult, especially after
  OpenSSL has changed its internal structures in v1.1.
* The combination of other bugs (fixed in r14670) and TLS extensions in
  popular browsers effectively disabled this hack for a while, and
  nobody (that we know of) noticed.

This temporary change disables the hack even if it can be compiled. If
an admin is willing to take the risks, they may enable it manually by
setting SQUID_USE_OPENSSL_HELLO_OVERWRITE_HACK macro value to 1 during
the build.

If, after this experimental change, we get no complaints (that we can
address), the hack will be completely removed from Squid sources.

diff --git a/acinclude/lib-checks.m4 b/acinclude/lib-checks.m4
index 6f7d6ec6862dd89a2626a8f7d5cd497dc72c7c3d..4b459340128de7374948b244f3960ef62728840a 100644 (file)
--- a/acinclude/lib-checks.m4
+++ b/acinclude/lib-checks.m4
@@ -302,8 +302,7 @@ AC_DEFUN([SQUID_CHECK_OPENSSL_HELLO_OVERWRITE_HACK],[
     ])
   ],
   [
-   AC_DEFINE(SQUID_USE_OPENSSL_HELLO_OVERWRITE_HACK, 1)
-   AC_MSG_RESULT([yes])
+   AC_MSG_RESULT([possibly; to try, set SQUID_USE_OPENSSL_HELLO_OVERWRITE_HACK macro value to 1])
   ],
   [
    AC_MSG_RESULT([no])