BUILD: ssl: improve SSL_CTX_set_ecdh_auto compatibility
authorLukas Tribus <lukas@ltri.eu>
Fri, 20 Dec 2019 17:47:18 +0000 (18:47 +0100)
committerWilly Tarreau <w@1wt.eu>
Sat, 21 Dec 2019 05:46:55 +0000 (06:46 +0100)
SSL_CTX_set_ecdh_auto() is not defined when OpenSSL 1.1.1 is compiled
with the no-deprecated option. Remove existing, incomplete guards and
add a compatibility macro in openssl-compat.h, just as OpenSSL does:

https://github.com/openssl/openssl/blob/bf4006a6f9be691ba6eef0e8629e63369a033ccf/include/openssl/ssl.h#L1486

This should be backported as far as 2.0 and probably even 1.9.

include/common/openssl-compat.h
src/ssl_sock.c

index 31971bd9e8d353818a6d6339ed742585a6a34333..72b4e2fe2db7d86f1c4a0bcb490d8bdae392245b 100644 (file)
@@ -374,5 +374,9 @@ static inline void EVP_PKEY_up_ref(EVP_PKEY *pkey)
 #define BIO_meth_set_destroy(m, f) do { (m)->destroy = (f); } while (0)
 #endif
 
+#ifndef SSL_CTX_set_ecdh_auto
+#define SSL_CTX_set_ecdh_auto(dummy, onoff)      ((onoff) != 0)
+#endif
+
 #endif /* USE_OPENSSL */
 #endif /* _COMMON_OPENSSL_COMPAT_H */
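Review bot: The `#ifndef SSL_CTX_set_ecdh_auto` guard only detects a macro definition, so a library that exports SSL_CTX_set_ecdh_auto as a real function without a same-named macro would have its call silently replaced by the constant `((onoff) != 0)`. The call site in src/ssl_sock.c loses its own guard in this commit and discards the result with `(void)`, so nothing would signal that the library call was skipped. I would state the assumption in a comment above the macro, e.g. `/* OpenSSL >= 1.1.0 always selects ECDH curves automatically; mirror its no-op macro for no-deprecated builds. Assumes a library that does real work here exposes it as a macro. */`. Whether any SSL library haproxy builds against provides it as a function is not visible from this hunk and should be confirmed.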
index 00258b19a510709c0e9b2403f2905db42dc2e428..e4dd913a4c01a524937c1ad84e4b9ab20604e0dd 100644 (file)
@@ -5178,9 +5178,7 @@ int ssl_sock_prepare_ctx(struct bind_conf *bind_conf, struct ssl_bind_conf *ssl_
                                  err && *err ? *err : "", curproxy->id, conf_curves, bind_conf->arg, bind_conf->file, bind_conf->line);
                        cfgerr |= ERR_ALERT | ERR_FATAL;
                }
-#if defined(SSL_CTX_set_ecdh_auto)
                (void)SSL_CTX_set_ecdh_auto(ctx, 1);
-#endif
        }
 #endif
 #if defined(SSL_CTX_set_tmp_ecdh) && !defined(OPENSSL_NO_ECDH)