git.ipfire.org Git - thirdparty/haproxy.git/commit
MEDIUM: ssl: support for ECDSA+RSA certificate selection with AWS-LC
author William Lallemand <wlallemand@haproxy.com>
Thu, 13 Jun 2024 17:11:52 +0000 (19:11 +0200)
committer William Lallemand <wlallemand@haproxy.com>
Thu, 13 Jun 2024 17:36:40 +0000 (19:36 +0200)
commit 7120c77b14133d5d9eb94c35bff9ccca45586a6b
tree 3a95851b0f8eed59bed13c036ed5f40c635a229b
parent 935b3bd1b7e7975c15ecd4f3c1d1d57c9a745102

AWS-LC does not support the SSL_CTX_set_client_hello_cb() function from
OpenSSL, which allows analyzing the ciphers and signature algorithms of the
ClientHello. However, it supports SSL_CTX_set_select_certificate_cb(),
which allows the same thing but was the implementation from the
BoringSSL side.

This patch uses the SSL_CTX_set_select_certificate_cb() as well as the
SSL_early_callback_ctx_extension_get() function to get the signature
algorithms.

This was successfully tested with openssl s_client as well as
testssl.sh.

This should allow enabling more reg-tests that depend on certificate
selection.

Require at least AWS-LC 1.22.0.
include/haproxy/openssl-compat.h
include/haproxy/ssl_sock.h
src/quic_ssl.c
src/ssl_clienthello.c
src/ssl_sock.c
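
The selection logic the commit message describes, as an added example that is not HAProxy's or AWS-LC's code. In a real build the `select_certificate` callback registered with SSL_CTX_set_select_certificate_cb() would call SSL_early_callback_ctx_extension_get() to fetch the signature_algorithms body; here `find_extension()` reimplements that walk over the raw extensions block so the file compiles without AWS-LC, and `select_certificate()`, `parse_sigalgs()`, the ECDSA-first policy and the RSA fallback when the extension is absent are assumptions of this example. SignatureScheme code points are those of RFC 8446 section 4.2.3, and all ClientHello bytes are constructed, not captured.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define TLSEXT_TYPE_SIGNATURE_ALGORITHMS 13   /* RFC 8446 extension type */

enum cert_choice { CERT_NONE = 0, CERT_RSA = 1, CERT_ECDSA = 2 };

struct sigalg_support {
    int ecdsa;   /* client offered an ecdsa_secp*_sha* scheme */
    int rsa;     /* client offered an rsa_pkcs1_* or rsa_pss_rsae_* scheme */
};

static uint16_t be16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }

/* Walk the extensions body (the bytes after its 2-byte length) and return the
 * body of the first extension of the requested type. This is the lookup that
 * SSL_early_callback_ctx_extension_get() performs on an SSL_CLIENT_HELLO.
 * Returns 1 if found, 0 if absent, -1 if the encoding is malformed. */
static int find_extension(const uint8_t *exts, size_t exts_len, uint16_t type,
                          const uint8_t **out, size_t *out_len)
{
    size_t off = 0;
    while (off < exts_len) {
        if (exts_len - off < 4)
            return -1;                        /* truncated type/length header */
        uint16_t t = be16(exts + off);
        size_t l = be16(exts + off + 2);
        off += 4;
        if (l > exts_len - off)
            return -1;                        /* body overruns the block */
        if (t == type) {
            *out = exts + off;
            *out_len = l;
            return 1;
        }
        off += l;
    }
    return 0;
}

/* Parse a signature_algorithms body: 2-byte list length, then 2-byte
 * SignatureScheme values. Returns 0 on success, -1 if malformed. */
static int parse_sigalgs(const uint8_t *body, size_t len, struct sigalg_support *s)
{
    memset(s, 0, sizeof(*s));
    if (len < 2)
        return -1;
    size_t list_len = be16(body);
    if (list_len < 2 || list_len % 2 != 0 || list_len != len - 2)
        return -1;
    for (size_t i = 2; i < len; i += 2) {
        switch (be16(body + i)) {
        case 0x0403: case 0x0503: case 0x0603:  /* ecdsa_secp{256,384,521}r1_sha* */
            s->ecdsa = 1;
            break;
        case 0x0401: case 0x0501: case 0x0601:  /* rsa_pkcs1_sha* */
        case 0x0804: case 0x0805: case 0x0806:  /* rsa_pss_rsae_sha* */
            s->rsa = 1;
            break;
        default:                                /* ed25519, ed448, pss_pss, others: not tracked */
            break;
        }
    }
    return 0;
}

/* Pick the certificate for a ClientHello given which key types are configured
 * for the matched name. Policy (assumed here): prefer ECDSA when the client
 * listed an ECDSA scheme, else RSA when listed; with no extension at all fall
 * back to RSA. A malformed extension yields CERT_NONE so the caller can abort. */
enum cert_choice select_certificate(const uint8_t *exts, size_t exts_len,
                                    int have_ecdsa, int have_rsa)
{
    const uint8_t *body;
    size_t body_len;
    struct sigalg_support s;
    int rc = find_extension(exts, exts_len, TLSEXT_TYPE_SIGNATURE_ALGORITHMS, &body, &body_len);

    if (rc < 0)
        return CERT_NONE;
    if (rc == 0)
        return have_rsa ? CERT_RSA : CERT_NONE;
    if (parse_sigalgs(body, body_len, &s) < 0)
        return CERT_NONE;
    if (s.ecdsa && have_ecdsa)
        return CERT_ECDSA;
    if (s.rsa && have_rsa)
        return CERT_RSA;
    return CERT_NONE;
}

/* Constructed extension blocks (not captured traffic). */
/* supported_groups(10){x25519}, signature_algorithms(13){ecdsa_secp256r1_sha256, rsa_pss_rsae_sha256, rsa_pkcs1_sha256} */
static const uint8_t hello_mixed[] = {
    0x00, 0x0a, 0x00, 0x04, 0x00, 0x02, 0x00, 0x1d,
    0x00, 0x0d, 0x00, 0x08, 0x00, 0x06, 0x04, 0x03, 0x08, 0x04, 0x04, 0x01,
};
/* signature_algorithms(13){rsa_pkcs1_sha256, rsa_pss_rsae_sha256} */
static const uint8_t hello_rsa_only[] = { 0x00, 0x0d, 0x00, 0x06, 0x00, 0x04, 0x04, 0x01, 0x08, 0x04 };
/* supported_groups(10) only: no signature_algorithms extension */
static const uint8_t hello_no_sigalgs[] = { 0x00, 0x0a, 0x00, 0x04, 0x00, 0x02, 0x00, 0x1d };
/* signature_algorithms(13) whose inner list length (4) overruns a 2-byte list */
static const uint8_t hello_bad[] = { 0x00, 0x0d, 0x00, 0x04, 0x00, 0x04, 0x04, 0x03 };

int main(void)
{
    printf("mixed client, both certs  -> %d (2 = ECDSA)\n", select_certificate(hello_mixed, sizeof hello_mixed, 1, 1));
    printf("RSA-only client, both     -> %d (1 = RSA)\n", select_certificate(hello_rsa_only, sizeof hello_rsa_only, 1, 1));
    printf("no extension, both certs  -> %d (1 = RSA)\n", select_certificate(hello_no_sigalgs, sizeof hello_no_sigalgs, 1, 1));
    printf("malformed extension       -> %d (0 = none)\n", select_certificate(hello_bad, sizeof hello_bad, 1, 1));
    return 0;
}
```

The malformed case matters in a select-certificate callback: the callback runs on unauthenticated bytes before any handshake state exists, so length checks against the block and against the inner list must both hold before a single scheme is read, and a parse failure should reject the hello rather than silently fall through to a default certificate.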