Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

dnsdist: Load an openssl configuration file, if any, during startup #8733

Merged
merged 2 commits into from Jan 22, 2020
Merged

dnsdist: Load an openssl configuration file, if any, during startup #8733

merged 2 commits into from Jan 22, 2020

Conversation

rgacogne
Copy link
Member

@rgacogne rgacogne commented Jan 21, 2020

Short description

This way dnsdist will load the default OpenSSL configuration, or a custom one specified via the OPENSSL_CONF environment variable.
It allows loading an engine or configuration various options supported by OpenSSL.
This requires OpenSSL >= 1.1.0.

Checklist

I have:

  • read the CONTRIBUTING.md document
  • compiled this code
  • tested this code
  • included documentation (including possible behaviour changes)
  • documented the code
  • added or modified regression test(s)
  • added or modified unit test(s)

@rgacogne
dnsdist: Load an openssl configuration file, if any, during startup
81fe636 
This way dnsdist will load the default OpenSSL configuration, or a
custom one specified via the OPENSSL_CONF environment variable.
It allows loading an engine or configuration various options supported
by OpenSSL.
This requires OpenSSL >= 1.1.0.
@rgacogne rgacogne added this to the dnsdist-1.5.0 milestone Jan 21, 2020
omoerbeek
omoerbeek reviewed Jan 22, 2020
View changes
pdns/dnsdistdist/libssl.cc Outdated Show resolved Hide resolved
@pieterlexis
Copy link
Contributor

@pieterlexis pieterlexis commented Jan 22, 2020

Should the #if perhaps be centralized and do a #define PDNS_OPENSSL_RECENT_ENOUGH but a better name?

@rgacogne
Copy link
Member Author

@rgacogne rgacogne commented Jan 22, 2020

Should the #if perhaps be centralized and do a #define PDNS_OPENSSL_RECENT_ENOUGH but a better name?

I don't really see what you mean by that, we have several checks referring to different versions of OpenSSL and LibreSSL, with only one of thel being used twice?

@omoerbeek
Copy link
Member

@omoerbeek omoerbeek commented Jan 22, 2020
edited

Maybe, but not all version nummbers are the same, though I also could live with "libressl must be new enough" test.

Additionally, SSL_CTX_set_min_proto_version is available as well with libressl >= 2.7, but SSL_CTX_get0_privatekeyis not at all.

@omoerbeek
Copy link
Member

@omoerbeek omoerbeek commented Jan 22, 2020

Current version of PR compiles and links fine on OpenBSD.

@rgacogne
Copy link
Member Author

@rgacogne rgacogne commented Jan 22, 2020

Additionally, SSL_CTX_set_min_proto_version is available as well with libressl >= 2.7, but SSL_CTX_get0_privatekey is not at all.

I guess we could try to properly detect if these functions are present during configure, but it's a bit out-of-scope for this PR that I would like to be able to merge quickly.

@rgacogne rgacogne mentioned this pull request Jan 22, 2020
Closed
@rgacogne rgacogne merged commit a0afc49 into PowerDNS:master Jan 22, 2020
28 checks passed
@rgacogne rgacogne deleted the ddist-openssl-init branch Jan 22, 2020
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@omoerbeek omoerbeek

Assignees
No one assigned
Labels
dnsdist enhancement
Projects
None yet
Milestone
dnsdist-1.5.0
Development

Successfully merging this pull request may close these issues.

None yet
3 participants
@rgacogne @pieterlexis @omoerbeek