git.ipfire.org Git - thirdparty/haproxy.git/commit

author	Hyeonggeun Oh <hyeonggeun.oh@plaintexting.com>
	Mon, 23 Feb 2026 03:49:37 +0000 (12:49 +0900)
committer	William Lallemand <wlallemand@haproxy.com>
	Mon, 23 Feb 2026 08:40:18 +0000 (09:40 +0100)
commit	ca5c07b67777c63fd44ae8214c3cedd04d18d46d
tree	736a96ef283dd58e8d091dde6e5155a2e16b1fae	tree
parent	8d54cda0af691c8f2089be909716b509c3d8f42e	commit \| diff

MINOR: ssl: clarify error reporting for unsupported keywords

This patch changes the registration of the following keywords to be
unconditional:
  - ssl-dh-param-file
  - ssl-engine
  - ssl-propquery, ssl-provider, ssl-provider-path
  - ssl-default-bind-curves, ssl-default-server-curves
  - ssl-default-bind-sigalgs, ssl-default-server-sigalgs
  - ssl-default-bind-client-sigalgs, ssl-default-server-client-sigalgs

Instead of excluding them at compile time via #ifdef guards in the keyword
registration table, their parsing functions now check feature availability
at runtime and return a descriptive error when the feature is missing.

For features controlled by the SSL library (providers, curves, sigalgs,
DH), the error message includes the actual OpenSSL version string via
OpenSSL_version(OPENSSL_VERSION), so users can immediately identify which
library they are running rather than seeing cryptic internal macro names.

For ssl-dh-param-file, the message also includes "(no DH support)" as a
hint, since OPENSSL_NO_DH can be set either by an OpenSSL build or by
HAProxy itself in certain configurations.

For ssl-engine, which depends on a HAProxy build-time flag (USE_ENGINE),
the message retains the flag name as it is more actionable for the user.

This addresses issue https://github.com/haproxy/haproxy/issues/3246.