BUG/MINOR: ssl: fix curve setup with LibreSSL
authorLukas Tribus <lukas@ltri.eu>
Sun, 24 Nov 2019 17:20:40 +0000 (18:20 +0100)
committerWilly Tarreau <w@1wt.eu>
Sun, 24 Nov 2019 17:24:20 +0000 (18:24 +0100)
Since commit 9a1ab08 ("CLEANUP: ssl-sock: use HA_OPENSSL_VERSION_NUMBER
instead of OPENSSL_VERSION_NUMBER") we restrict LibreSSL to the OpenSSL
1.0.1 API, to avoid breaking LibreSSL every minute. We set
HA_OPENSSL_VERSION_NUMBER to 0x1000107fL if LibreSSL is detected and
only allow curves to be configured if HA_OPENSSL_VERSION_NUMBER is at
least 0x1000200fL.

However, all relevant LibreSSL releases actually support setting curves,
so this restriction broke a previously working feature. Fix this by always
allowing curve configuration when LibreSSL is in use.

Reported on GitHub in issue #366.

Fixes: 9a1ab08 ("CLEANUP: ssl-sock: use HA_OPENSSL_VERSION_NUMBER instead
of OPENSSL_VERSION_NUMBER").

src/ssl_sock.c

index bcfa3e712a5f4c59caed037fd56341339e18bbaf..91725a955d620b13d0010d5f563448089045aa68 100644 (file)
@@ -5031,7 +5031,7 @@ int ssl_sock_prepare_ctx(struct bind_conf *bind_conf, struct ssl_bind_conf *ssl_
        if (ssl_conf_cur)
                SSL_CTX_set_alpn_select_cb(ctx, ssl_sock_advertise_alpn_protos, ssl_conf_cur);
 #endif
-#if HA_OPENSSL_VERSION_NUMBER >= 0x1000200fL
+#if ((HA_OPENSSL_VERSION_NUMBER >= 0x1000200fL) || defined(LIBRESSL_VERSION_NUMBER))
        conf_curves = (ssl_conf && ssl_conf->curves) ? ssl_conf->curves : bind_conf->ssl_conf.curves;
        if (conf_curves) {
                if (!SSL_CTX_set1_curves_list(ctx, conf_curves)) {
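Review bot: The condition `#if ((HA_OPENSSL_VERSION_NUMBER >= 0x1000200fL) || defined(LIBRESSL_VERSION_NUMBER))` is now hand-duplicated at the top of this hunk and again in ssl_bind_parse_curves, so the two sites can drift apart on the next compat tweak; if the parser keeps accepting "curves" while this application site is compiled out, the operator's curve restriction is silently ignored rather than rejected at config load. Defining it once in the compat header, e.g. `#define HA_HAVE_SSL_CURVES ((HA_OPENSSL_VERSION_NUMBER >= 0x1000200fL) || defined(LIBRESSL_VERSION_NUMBER))`, and testing `#if HA_HAVE_SSL_CURVES` at both sites keeps the accept and apply paths in lockstep. The commit message asserts every relevant LibreSSL release provides SSL_CTX_set1_curves_list, which cannot be confirmed from the diff; a one-line comment above the `#if` stating that assumption would help the next person who tightens the LibreSSL floor. The enclosing function ssl_sock_prepare_ctx starts and ends outside this hunk.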
@@ -8476,7 +8476,7 @@ static int bind_parse_crl_file(char **args, int cur_arg, struct proxy *px, struc
 /* parse the "curves" bind keyword keyword */
 static int ssl_bind_parse_curves(char **args, int cur_arg, struct proxy *px, struct ssl_bind_conf *conf, char **err)
 {
-#if HA_OPENSSL_VERSION_NUMBER >= 0x1000200fL
+#if ((HA_OPENSSL_VERSION_NUMBER >= 0x1000200fL) || defined(LIBRESSL_VERSION_NUMBER))
        if (!*args[cur_arg + 1]) {
                if (err)
                        memprintf(err, "'%s' : missing curve suite", args[cur_arg]);