
dnsdist: Load an openssl configuration file, if any, during startup #8733

Merged
merged 2 commits into from
Jan 22, 2020

Conversation

rgacogne
Member

Short description

This way dnsdist will load the default OpenSSL configuration, or a custom one specified via the OPENSSL_CONF environment variable.
It allows loading an engine or configuring various options supported by OpenSSL.
This requires OpenSSL >= 1.1.0.

Checklist

I have:

  • read the CONTRIBUTING.md document
  • compiled this code
  • tested this code
  • included documentation (including possible behaviour changes)
  • documented the code
  • added or modified regression test(s)
  • added or modified unit test(s)

This way dnsdist will load the default OpenSSL configuration, or a
custom one specified via the OPENSSL_CONF environment variable.
It allows loading an engine or configuring various options supported
by OpenSSL.
This requires OpenSSL >= 1.1.0.
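As an added illustration (not part of the PR or of dnsdist itself), this is a constructed openssl.cnf of the kind dnsdist can now pick up when started with OPENSSL_CONF pointing at it; the engine name, the library paths and the config location are assumptions, not values from the page.

```ini
# Constructed example: /etc/dnsdist/openssl.cnf (path is an assumption)
# Selected by starting dnsdist with:  OPENSSL_CONF=/etc/dnsdist/openssl.cnf dnsdist
# Without OPENSSL_CONF set, OpenSSL >= 1.1.0 loads its default config instead.

# Top-level entry point: name of the section OpenSSL reads at init.
openssl_conf = openssl_init

[openssl_init]
# Engines to load while the OpenSSL config is being applied.
engines = engine_section

[engine_section]
# Engine named "pkcs11", configured in the section below (assumed engine).
pkcs11 = pkcs11_section

[pkcs11_section]
engine_id = pkcs11
# Shared object implementing the engine; the path is an assumption and
# differs per distribution (check `openssl version -e`).
dynamic_path = /usr/lib/x86_64-linux-gnu/engines-1.1/pkcs11.so
# Engine-specific ctrl: PKCS#11 module providing the keys (assumed path).
MODULE_PATH = /usr/lib/softhsm/libsofthsm2.so
# Do not initialise the engine until it is actually used.
init = 0
```

Because every library named here is loaded into the dnsdist process, the config file and the engine objects it references should be owned by root and not writable by the user dnsdist drops privileges to.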
@pieterlexis
Contributor

Should the #if perhaps be centralized and do a #define PDNS_OPENSSL_RECENT_ENOUGH but a better name?

@rgacogne
Member Author

Should the #if perhaps be centralized and do a #define PDNS_OPENSSL_RECENT_ENOUGH but a better name?

I don't really see what you mean by that; we have several checks referring to different versions of OpenSSL and LibreSSL, with only one of them being used twice?

@omoerbeek
Member

omoerbeek commented Jan 22, 2020

Maybe, but not all version numbers are the same, though I also could live with a "libressl must be new enough" test.

Additionally, SSL_CTX_set_min_proto_version is available as well with libressl >= 2.7, but SSL_CTX_get0_privatekey is not at all.

@omoerbeek
Member

Current version of PR compiles and links fine on OpenBSD.

@rgacogne
Member Author

Additionally, SSL_CTX_set_min_proto_version is available as well with libressl >= 2.7, but SSL_CTX_get0_privatekey is not at all.

I guess we could try to properly detect if these functions are present during configure, but it's a bit out-of-scope for this PR that I would like to be able to merge quickly.

@rgacogne rgacogne merged commit a0afc49 into PowerDNS:master Jan 22, 2020
@rgacogne rgacogne deleted the ddist-openssl-init branch January 22, 2020 14:59
3 participants