From 4cd2af4e5d785c42d2924492df987a7cd5832e23 Mon Sep 17 00:00:00 2001
From: Olivier Houchard
Date: Mon, 6 May 2019 15:18:27 +0200
Subject: [PATCH] BUG/MEDIUM: ssl: Don't attempt to use early data with libressl.

Libressl doesn't yet provide early data, so don't put the CO_FL_EARLY_SSL_HS on the connection if we're building with libressl, or the handshake will never be done.
---
 src/backend.c | 4 +++-
 src/ssl_sock.c | 3 ++-
 2 files changed, 5 insertions(+), 2 deletions(-)

diff --git a/src/backend.c b/src/backend.c
index ae704decf7..5807a2e96a 100644
--- a/src/backend.c
+++ b/src/backend.c
@@ -1582,7 +1582,9 @@ int connect_server(struct stream *s)
 }
-#ifdef USE_OPENSSL
+#if USE_OPENSSL && (defined(OPENSSL_IS_BORINGSSL) || \
+ ((OPENSSL_VERSION_NUMBER >= 0x10101000L) && !defined(LIBRESSL_VERSION_NUMBER)))
+
 if (!reuse && cli_conn && srv && (srv->ssl_ctx.options & SRV_SSL_O_EARLY_DATA) &&
 /* Only attempt to use early data if either the client sent
diff --git a/src/ssl_sock.c b/src/ssl_sock.c
index e11ddb53cf..cf1b860f76 100644
--- a/src/ssl_sock.c
+++ b/src/ssl_sock.c
@@ -5336,7 +5336,8 @@ static int ssl_sock_init(struct connection *conn, void **xprt_ctx)
 /* leave init state and start handshake */
 conn->flags |= CO_FL_SSL_WAIT_HS | CO_FL_WAIT_L6_CONN;
-#if OPENSSL_VERSION_NUMBER >= 0x10101000L || defined(OPENSSL_IS_BORINGSSL)
+#if (OPENSSL_VERSION_NUMBER >= 0x10101000L && !defined(LIBRESSL_VERSION_NUMBER)) || \
+ defined(OPENSSL_IS_BORINGSSL)
 conn->flags |= CO_FL_EARLY_SSL_HS;
 #endif
-- 
2.47.3
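Review bot: The new guard in backend.c switches from `#ifdef USE_OPENSSL` to `#if USE_OPENSSL && (...)`, which tests the macro's value rather than its definedness; a build that defines `USE_OPENSSL` with no value (as opposed to `-DUSE_OPENSSL`, which defines it as 1) now fails to preprocess with an expression error, and an undefined `USE_OPENSSL` silently evaluates to 0 and trips `-Wundef`. Keeping the original definedness test preserves both behaviours: `#if defined(USE_OPENSSL) && (defined(OPENSSL_IS_BORINGSSL) || \`. The same early-data condition is now spelled out both here and in the ssl_sock.c hunk, so the two can drift apart; defining it once in a shared header (a constructed placeholder name such as `HAVE_SSL_EARLY_DATA`) and testing that macro in both places would keep the security-relevant gating of 0-RTT in one spot. connect_server starts and ends outside the hunk, and the matching `#endif` is not visible here.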
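Review bot: The widened `#if` in ssl_sock.c carries no comment explaining why LibreSSL is excluded even though it reports an `OPENSSL_VERSION_NUMBER` at or above 0x10101000L, and the reason lives only in the commit message; a reader seeing the flag withheld from a library that looks like 1.1.1 will be tempted to drop the exclusion. A comment above the `#if` such as `/* LibreSSL advertises a 1.1.1-level version number but has no TLS 1.3 early data; setting CO_FL_EARLY_SSL_HS there leaves the handshake never completing. */` captures it. Because the exclusion is by definedness of `LIBRESSL_VERSION_NUMBER` rather than by a version bound, it will keep withholding early data from any future LibreSSL release that does implement it, which is the safe direction but worth stating in that comment. ssl_sock_init continues outside the hunk.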