MINOR: ssl: rework smp_fetch_ssl_fc_cl_str without internal ssl use

smp_fetch_ssl_fc_cl_str as very limited usage (only work with openssl == 1.0.2
compiled with the option enable-ssl-trace). It use internal cipher.algorithm_ssl
attribut and SSL_CIPHER_standard_name (available with ssl-trace).
This patch implement this (debug) function in a standard way. It used common
SSL_CIPHER_get_name to display cipher name. It work with openssl >= 1.0.2
and boringssl.

diff --git a/doc/configuration.txt b/doc/configuration.txt
index 7c5c437cee68806528c15f805b943e48ff6f29a0..b55bb0628222727ffac0276d120c79595991e155 100644 (file)
--- a/doc/configuration.txt
+++ b/doc/configuration.txt
@@ -14173,9 +14173,8 @@ ssl_fc_cipherlist_str : string
   Returns the decoded text form of the client hello cipher list. The maximum
   number of ciphers returned is according with the value of
   "tune.ssl.capture-cipherlist-size". Note that this sample-fetch is only
-  avaible with OpenSSL > 1.0.2 compiled with the option enable-ssl-trace.
-  If the function is not enabled, this sample-fetch returns the hash
-  like "ssl_fc_cipherlist_xxh".
+  avaible with OpenSSL >= 1.0.2. If the function is not enabled, this
+  sample-fetch returns the hash like "ssl_fc_cipherlist_xxh".
 
 ssl_fc_cipherlist_xxh : integer
   Returns a xxh64 of the cipher list. This hash can be return only is the value

diff --git a/include/proto/openssl-compat.h b/include/proto/openssl-compat.h
index ea92072e559e0fbd61c82d1724d905c2a5350efe..8fe1c183c47d00c841909f8ba53944b925d4bba9 100644 (file)
--- a/include/proto/openssl-compat.h
+++ b/include/proto/openssl-compat.h
@@ -152,11 +152,6 @@ static inline X509_ALGOR *X509_get0_tbs_sigalg(const X509 *x)
 #define __OPENSSL_110_CONST__
 #endif
 
-#if defined(OPENSSL_IS_BORINGSSL) || defined(LIBRESSL_VERSION_NUMBER)
-#undef OPENSSL_NO_SSL_TRACE
-#define OPENSSL_NO_SSL_TRACE
-#endif
-
 #ifdef OPENSSL_IS_BORINGSSL
 #define SSL_NO_GENERATE_CERTIFICATES
 

diff --git a/src/ssl_sock.c b/src/ssl_sock.c
index de1dd9a23cd19be689b8415d5fd1cfa1e5b6eeea..2241a36e89a998df723e5877784f01c04dfc86d0 100644 (file)
--- a/src/ssl_sock.c
+++ b/src/ssl_sock.c
@@ -6308,32 +6308,28 @@ smp_fetch_ssl_fc_cl_xxh64(const struct arg *args, struct sample *smp, const char
 static int
 smp_fetch_ssl_fc_cl_str(const struct arg *args, struct sample *smp, const char *kw, void *private)
 {
-#if (OPENSSL_VERSION_NUMBER >= 0x1000200fL) && !defined(OPENSSL_NO_SSL_TRACE)
+#if (OPENSSL_VERSION_NUMBER >= 0x1000200fL) && !defined(LIBRESSL_VERSION_NUMBER)
        struct chunk *data;
-       SSL_CIPHER cipher;
        int i;
-       const char *str;
-       unsigned char *bin;
 
        if (!smp_fetch_ssl_fc_cl_bin(args, smp, kw, private))
                return 0;
 
-       /* The cipher algorith must not be SSL_SSLV2, because this
-        * SSL version seems to not have the same cipher encoding,
-        * and it is not supported by OpenSSL. Unfortunately, the
-        * #define SSL_SSLV2, SSL_SSLV3 and others are not available
-        * with standard defines. We just set the variable to 0,
-        * ensure that the match with SSL_SSLV2 fails.
-        */
-       cipher.algorithm_ssl = 0;
-
        data = get_trash_chunk();
        for (i = 0; i + 1 < smp->data.u.str.len; i += 2) {
-               bin = (unsigned char *)smp->data.u.str.str + i;
-               cipher.id = (unsigned int)(bin[0] << 8) | bin[1];
-               str = SSL_CIPHER_standard_name(&cipher);
-               if (!str || strcmp(str, "UNKNOWN") == 0)
-                       chunk_appendf(data, "%sUNKNOWN(%04x)", i == 0 ? "" : ",", (unsigned int)cipher.id);
+               const char *str;
+               const SSL_CIPHER *cipher;
+               const unsigned char *bin = (const unsigned char *)smp->data.u.str.str + i;
+               uint16_t id = (bin[0] << 8) | bin[1];
+#if defined(OPENSSL_IS_BORINGSSL)
+               cipher = SSL_get_cipher_by_value(id);
+#else
+               struct connection *conn = objt_conn(smp->sess->origin);
+               cipher = SSL_CIPHER_find(conn->xprt_ctx, bin);
+#endif
+               str = SSL_CIPHER_get_name(cipher);
+               if (!str || strcmp(str, "(NONE)") == 0)
+                       chunk_appendf(data, "%sUNKNOWN(%04x)", i == 0 ? "" : ",", id);
                else
                        chunk_appendf(data, "%s%s", i == 0 ? "" : ",", str);
        }