git.ipfire.org Git - thirdparty/haproxy.git/commit

author	Lukas Tribus <luky-37@hotmail.com>
	Sun, 17 Aug 2014 22:56:33 +0000 (00:56 +0200)
committer	Willy Tarreau <w@1wt.eu>
	Mon, 18 Aug 2014 12:33:48 +0000 (14:33 +0200)
commit	90132726c5aedd70fa6da5836dd6c4664fc2de9c
tree	0fb1f3ef7a7fbc57e6b8b61289a08b8cf009685a	tree \| snapshot
parent	4c0d45a861e296fc78b77a65d79d5e6e927260e7	commit \| diff

MINOR: ssl: don't use boringssl's cipher_list

Google's boringssl has a different cipher_list, we cannot use it as
in OpenSSL. This is due to the "Equal preference cipher groups" feature:

https://boringssl.googlesource.com/boringssl/+/858a88daf27975f67d9f63e18f95645be2886bfb^!/

also see:
https://www.imperialviolet.org/2014/02/27/tlssymmetriccrypto.html

cipher_list is used in haproxy since commit f46cd6e4ec3a ("MEDIUM: ssl:
Add the option to use standardized DH parameters >= 1024 bits") to
check if DHE ciphers are used.

So, if boringssl is used, the patch just assumes that there is some
DHE cipher enabled. This will lead to false positives, but thats better
than compiler warnings and crashes.

This may be replaced one day by properly implementing the the new style
cipher_list, in the meantime this workaround allows to build and use
boringssl.

Signed-off-by: Lukas Tribus <luky-37@hotmail.com>