MINOR: ssl: don't use boringssl's cipher_list

Google's boringssl has a different cipher_list, we cannot use it as
in OpenSSL. This is due to the "Equal preference cipher groups" feature:

https://boringssl.googlesource.com/boringssl/+/858a88daf27975f67d9f63e18f95645be2886bfb^!/

also see:
https://www.imperialviolet.org/2014/02/27/tlssymmetriccrypto.html

cipher_list is used in haproxy since commit f46cd6e4ec3a ("MEDIUM: ssl:
Add the option to use standardized DH parameters >= 1024 bits") to
check if DHE ciphers are used.

So, if boringssl is used, the patch just assumes that there is some
DHE cipher enabled. This will lead to false positives, but thats better
than compiler warnings and crashes.

This may be replaced one day by properly implementing the the new style
cipher_list, in the meantime this workaround allows to build and use
boringssl.

Signed-off-by: Lukas Tribus <luky-37@hotmail.com>

diff --git a/src/ssl_sock.c b/src/ssl_sock.c
index 99c2b728011216ede6e599783eede8cf22797233..f1d604d0a2e66ee088e4ef45c39ef6118df60b49 100644 (file)
--- a/src/ssl_sock.c
+++ b/src/ssl_sock.c
@@ -1478,6 +1478,7 @@ int ssl_sock_prepare_ctx(struct bind_conf *bind_conf, SSL_CTX *ctx, struct proxy
                SSL_MODE_ENABLE_PARTIAL_WRITE |
                SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER |
                SSL_MODE_RELEASE_BUFFERS;
+#ifndef OPENSSL_IS_BORINGSSL
        STACK_OF(SSL_CIPHER) * ciphers = NULL;
        SSL_CIPHER * cipher = NULL;
        char cipher_description[128];
@@ -1488,6 +1489,10 @@ int ssl_sock_prepare_ctx(struct bind_conf *bind_conf, SSL_CTX *ctx, struct proxy
        const char dhe_export_description[] = " Kx=DH(";
        int idx = 0;
        int dhe_found = 0;
+#else /* OPENSSL_IS_BORINGSSL */
+       /* assume dhe_found if boringssl is detected */
+       int dhe_found = 1;
+#endif
 
        /* Make sure openssl opens /dev/urandom before the chroot */
        if (!ssl_initialize_random()) {
@@ -1579,6 +1584,8 @@ int ssl_sock_prepare_ctx(struct bind_conf *bind_conf, SSL_CTX *ctx, struct proxy
        /* If tune.ssl.default-dh-param has not been set and
           no static DH params were in the certificate file. */
        if (global.tune.ssl_default_dh_param == 0) {
+
+#ifndef OPENSSL_IS_BORINGSSL
                ciphers = ctx->cipher_list;
 
                if (ciphers) {
@@ -1592,10 +1599,11 @@ int ssl_sock_prepare_ctx(struct bind_conf *bind_conf, SSL_CTX *ctx, struct proxy
                                        }
                                }
                        }
+               }
+#endif /* OPENSSL_IS_BORINGSSL */
 
-                       if (dhe_found) {
-                               Warning("Setting tune.ssl.default-dh-param to 1024 by default, if your workload permits it you should set it to at least 2048. Please set a value >= 1024 to make this warning disappear.\n");
-                       }
+               if (dhe_found) {
+                       Warning("Setting tune.ssl.default-dh-param to 1024 by default, if your workload permits it you should set it to at least 2048. Please set a value >= 1024 to make this warning disappear.\n");
                }
 
                global.tune.ssl_default_dh_param = 1024;