From: Alex Rousskov
Date: Fri, 20 May 2016 17:19:44 +0000 (-0600)
Subject: Never enable OPENSSL_HELLO_OVERWRITE_HACK automatically.
X-Git-Tag: SQUID_4_0_11~18
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=88a300c;p=thirdparty%2Fsquid.git

Never enable OPENSSL_HELLO_OVERWRITE_HACK automatically.

OPENSSL_HELLO_OVERWRITE_HACK, a.k.a. adjustSSL(), a.k.a. "splice after stare and bump after peek" hack requires updating internal/private OpenSSL structures. The hack also relies on SSL client making SSL negotiation decisions that are similar to our OpenSSL version decisions. Squid used to enable this hack if it could compile the sources, but:

* The hack works well in fewer and fewer cases.
* Making its behavior reliable is virtually impossible.
* Maintaining this hack is increasingly difficult, especially after OpenSSL has changed its internal structures in v1.1.
* The combination of other bugs (fixed in r14670) and TLS extensions in popular browsers effectively disabled this hack for a while, and nobody (that we know of) noticed.

This temporary change disables the hack even if it can be compiled. If an admin is willing to take the risks, they may enable it manually by setting SQUID_USE_OPENSSL_HELLO_OVERWRITE_HACK macro value to 1 during the build.

If, after this experimental change, we get no complaints (that we can address), the hack will be completely removed from Squid sources.

---

diff --git a/acinclude/lib-checks.m4 b/acinclude/lib-checks.m4 index 6f7d6ec686..4b45934012 100644 --- a/acinclude/lib-checks.m4 +++ b/acinclude/lib-checks.m4 @@ -302,8 +302,7 @@ AC_DEFUN([SQUID_CHECK_OPENSSL_HELLO_OVERWRITE_HACK],[ ]) ], [ - AC_DEFINE(SQUID_USE_OPENSSL_HELLO_OVERWRITE_HACK, 1) - AC_MSG_RESULT([yes]) + AC_MSG_RESULT([possibly; to try, set SQUID_USE_OPENSSL_HELLO_OVERWRITE_HACK macro value to 1]) ], [ AC_MSG_RESULT([no])
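Review bot: in the lib-checks.m4 hunk the AC_DEFINE is dropped but the compile test in SQUID_CHECK_OPENSSL_HELLO_OVERWRITE_HACK still runs, and its only remaining effect on success is the advisory string passed to AC_MSG_RESULT; nothing in the patch gives the admin named in the commit message a supported way to set SQUID_USE_OPENSSL_HELLO_OVERWRITE_HACK to 1, and nothing documents the override. Either document the intended mechanism (a CPPFLAGS define at configure time, for example) in the configure help text or release notes, or expose it as an explicit configure option so the manual opt-in is discoverable and recorded in config.log. Separately, AC_MSG_RESULT is meant for the short answer to the preceding AC_MSG_CHECKING line, so "possibly; to try, set SQUID_USE_OPENSSL_HELLO_OVERWRITE_HACK macro value to 1" will read oddly in configure output; a plain "no" result followed by AC_MSG_NOTICE (or AC_MSG_WARN) carrying the hint keeps the checking/result pairing tidy.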